These Parents Built a School App. Then the City Called the Cops

Stockholm's official app was a disaster. So annoyed parents built their own open source version -- ignoring warnings that it might be illegal. From a report: Commissioned in 2013, Skolplattform was intended to make the lives of up to 500,000 children, teachers, and parents in Stockholm easier -- acting as the technical backbone for all things education, from registering attendance to keeping a record of grades. The platform is a complex system that's made up of three different parts, containing 18 individual modules that are maintained by five external companies. The sprawling system is used by 600 preschools and 177 schools, with separate logins for every teacher, student, and parent. The only problem? It doesn't work. The Skolplattform, which has cost more than 1 billion Swedish Krona, SEK, ($117 million), has failed to match its initial ambition. Parents and teachers have complained about the complexity of the system -- its launch was delayed, there have been reports of project mismanagement, and it has been labelled an IT disaster. The Android version of the app has an average 1.2 star rating.

On October 23, 2020, Landgren, a developer and the CEO of Swedish innovation consulting firm Iteam, tweeted a hat design emblazoned with the words "Skrota Skolplattformen" -- loosely translated as "trash the school platform." He joked he should wear the hat when he picks his children up from school. Weeks later, wearing that very hat, he decided to take matters into his own hands. "From my own frustration, I just started to create my own app," Landgren says. He wrote to city officials asking to see the Skolplattform's API documents. While waiting for a response, he logged into his account and tried to work out whether the system could be reverse-engineered. In just a few hours, he had created something that worked. "I had information on my screen from the school platform," he says. "And then I started building an API on top of their lousy API." The work started at the end of November 2020, just days after Stockholm's Board of Education was hit with a 4 million SEK GDPR fine for "serious shortcomings" in the Skolplattform. Integritetsskyddsmyndigheten, Sweden's data regulator, had found serious flaws in the platform that had exposed the data of hundreds of thousands of parents, children, and teachers. In some cases, people's personal information could be accessed from Google searches. (The flaws have since been fixed and the fine reduced on appeal.) In the weeks that followed, Landgren teamed up with fellow developers and parents Johan Obrink and Erik Hellman, and the trio hatched a plan. They would create an open source version of the Skolplattform and release it as an app that could be used by frustrated parents across Stockholm. Building on Landgren's earlier work, the team opened Chrome's developer tools, logged into the Skolplattform, and wrote down all the URLs and payloads. They took the code, which called the platform's private API and built packages so it could run on a phone -- essentially creating a layer on top of the existing, glitchy Skolplattform.

The result was the Oppna Skolplattformen, or Open School Platform. The app was released on February 12, 2021, and all of its code is published under an open source license on GitHub. Anyone can take or use the code, with very few limitations on what they can do with it. If the city wanted to use any of the code, it could. But rather than welcome it with open arms, city officials reacted with indignation. Even before the app was released, the City of Stockholm warned Landgren that it might be illegal. In the eight months that followed, Stockholms Stad, or the City of Stockholm, attempted to derail and shut down the open source app. It warned parents to stop using the app and alleged that it might be illegally accessing people's personal information. Officials reported the app to data protection authorities and, Landgren claims, tweaked the official system's underlying code to stop the spin-off from operating at all.

News Flash

[DesScorp]

Government doesn't like competition for power or authority, even in the smallest things. Especially from the people it rules over.

Re:News Flash

[bill_mcgonigle]

Dig deeper and you'll find some politician's cousin holds the contract for the shitty app. The goal was never to help children - that was the excuse.

It's a big club and you ain't in it.

Re:News Flash

[magarity]

The contracts are spread around FIVE companies. The entire city council has a relative to one degree or another involved.

Re:

[F.Ultra]

Well please dig and try to find that. Basically that is not how public procurements works over here, and the project have changed contractors at least once when the first one selected couldn't deliver what they promised on the terms that they agreed to.

Re:

[Miles_O'Toole]

"Government doesn't like competition for power or authority, even in the smallest things."

If what you assert is true, how do you account for the fact that the government of the United States constantly and enthusiastically submits to the authority of Corporate America?"

Re:News Flash

[GlennC]

how do you account for the fact that the government of the United States constantly and enthusiastically submits to the authority of Corporate America?

Simple...employees generally submit to the will of their employer.

Re:

[DesScorp]

"Government doesn't like competition for power or authority, even in the smallest things."

If what you assert is true, how do you account for the fact that the government of the United States constantly and enthusiastically submits to the authority of Corporate America?"

The government could shut corporations down in a heartbeat if it wanted to. Crush them like a bug.

The government finds corporations useful for their purposes. Simply put. Especially tech corps.

Re: News Flash

[Åke Malmgren]

They can't if the majority of the Gov't is in the pockets of the corporations.

People with Power

[endus]

I have come to the conclusion that a lot of the types of people who seek leadership roles, especially in government, are the exact people who should never be allowed leadership roles. It attracts egotistical pigheaded sociopaths who are utterly incapable of Making Good Decisions or understanding what is going on around them.

It's not that I don't understand having concerns about this, I do. However, the reaction should be, "Wow, the old system was so bad you spent all this time writing your own? And it's open source? And it's working better? We've had all these problems with the system since it was rolled out, let's get together and start figuring out a way forward to leverage the work you've done". Instead it's, "You did something that I haven't controlled since it's inception and which undermines the perception of my own competence? I'm calling the police".

Re:People with Power

[Voyager529]

"Anyone who is capable of getting themselves made President should on no account be allowed to do the job.." --Douglas Adams

Re:

[scamper_22]

I don't know how old you are, but I went through a similar thing and then it went a bit further.

I was probably 20, when I realized that people who seek leadership roles are the exact people who should not be allowed in leadership. Went down a reasonably libertarian path.

Today, I'm 40. My outlook has changed to recognize that we need leadership to function. Our goal as regular people who generally don't seek leadership is to choose the best sociopath to be our leader :)

I use that word sociopath on purpose. N

They're easy to spot

[rsilvergun]

with a quick google search of their history, but you need to vote in your primary election to keep them out. It's hard enough to get people to show up for a mid term, let alone a primary.

Re:

[dddux]

I couldn't agree more. Thank you for posting such insightful post. d-;)

Natural reaction

[Dog-Cow]

The natural reaction to being shown one's own incompetence is to bury the messenger in legal shit.

I see it is the same in many places

[oldgraybeard]

world wide. The education cartels rarely share power, they rule/profit from on high. And no one else is invited to the party.

Very similar situation

[yerex]

A very similar situation happened at the University of Alberta in the early 2000s.
They spent millions on a new registration system that turned out to have a completely crap web interface. So a student wrote his own, which rapidly became the only one used by anyone.

I believe the university eventually just bought it, and hired the student⦠rather than trying to shut it down.

https://www.itbusiness.ca/news/u-of-alberta-gets-behind-student-developed-it-system/5587

Re:

[Gravis Zero]

That's the sane solution: cut your loses and embrace what works.

Reality check

[Wolfrider]

--Time to remind these indignant city officials of who they actually work for, and whose taxes are paying their salary.

Re:

[thegarbz]

--Time to remind these indignant city officials of who they actually work for, and whose taxes are paying their salary.

LOL. When has that ever worked? What you gonna do? Vote for someone who pledges to lead an inquiry into what went wrong? Ooooh I'm sure those incompetent public servants are absolutely quaking in their boots. /s

I have so many questions

[technomom]

So, first off, were the school APIs (I assume they are either REST or GraphQL queries) at least secured? That is, did you require at least some kind of access token that regularly expires? If so, how is that token acquired? Does it require at least 2 factors?

If they were not at least secured, then the school system itself has a shitload of explaining to do.

Re:

[ahoffer0]

I do not know if the Stockholm school APIs are secured. However, I am almost certain that authentication is required. That is not the same as the application being secure. My children's school district has a web app for parents, and it uses authentication. Once I have authenticated to the app, I can view information by putting any student ID in the URL's query string. This would be OK if the student ID was a UUID, but student IDs are sequentially assigned numbers. It would be easy to write a script that che

Re:

[zarr]

If your school district is anywhere in the EU, they're in for a fine. The GDPR has been in force for a while, so there is plenty of precedent covering exactly this situation by now.

Re:

[F.Ultra]

They are using BankID which is the standard way to digitally authenticate a person in Sweden for banks and stores.

Huge post

[methano]

Is it my imagination or has Slashdot started posting much longer "synopses" on the front page? This one is long enough that you just read it and ignore the original. Is this just to fill up more space? Does it allow more ads on the side? Why is this happening? Inquiring minds want to know.

Re:Huge post

[gnapster]

I'm pretty sure they are getting longer, but let's get one thing straight: there has never been a synopsis on slashdot that was so short you couldn't ignore the original!

Re:

[jenningsthecat]

It's not your imagination - it's become the new Slashdot "style", or lack thereof. I complained about it a while ago and IIRC was modded down for doing so. It used to be that summaries were just that - the writer summarized the article, largely in his or her own words. Now TFS is just a copy-and-paste of a substantial portion of TFA - in some cases the 'summary' contains close to half the article.

Maybe we brought it on ourselves because we seldom RTFA - now we read it whether we want to or not.

The city reversed that a month ago

[F.Ultra]

Actually the City of Stockholm turned around on the 9th of September and decided to purchase the Open Sourced version in order to hand it out for free to everyone: https://www.nyteknik.se/digita... [nyteknik.se]

Re:

[mrthoughtful]

Good link and update. But it seems that /. editors are resolutely and systemically English-biased and, moreover, many would think that the acceptance and adoption of OSS is less newsworthy than the attempt to shut it down. I’m concerned that the city chose to buy it. Is this actually about buying to close it down? (Not an uncommon strategy used by many big name IT companies - one does not have to have oracular powers to find them).

Re:The city reversed that a month ago

[F.Ultra]

The reason that the city is wanting to buy the app is so that they can hand it out for free to parents, schools and teachers of the city. At the moment the "Open App" costs $1.40 so it's open but not free as in free beer while the official city app (that cost the city millions) are free as in beer. So they simply want to make the better version as available as the original.

Re:

[GuB-42]

Mod parent up.

Considered this way, the city reaction is understandable (it doesn't mean I approve). The have no control over the open source app, and it may indeed contain malware or vulnerabilities, introduce bugs by using the private API incorrectly, maybe even DDOS the platform.
It is not clear if they changed the API in order to block the open source app or to fix some issue or upgrade, but it highlights one of the reason you may not want to allow 3rd party apps: controlling both the client and server al

A telltale sign of politically motivated design

[Wrath0fb0b]

The platform is a complex system that's made up of three different parts, containing 18 individual modules that are maintained by five external companies

This here is a key sign that the process of a bullshit political process for technical design. There is no sensible reason that I can fathom (but of course, I would be happy to hear sensible claims otherwise) that any component needs to be a consortium of 5 different firms. This inflates costs, messes up timelines and makes every problem a recursive dumpste

Re:

[F.Ultra]

It's because they have segmented it into 5 different services (which is not to say that this way is dumb or smart) and then they (and here comes the real problem) that interoperability would be handled by the city itself and the individual contractors should not focus on that.

The five different services are

• 1. Children and student register

• 2. Management of absence / presence

• 3. Handling of student documentation

• 4. Educational material (Digital creation and handling of material)

• 5. Pedagogical implementation (Pla

Re:

[Wrath0fb0b]

I think you missed the point. Yes it was segmented -- I believe this is a terrible idea from an engineering perspective because it begets a lack of responsibility and ownership.

I also suspect that this was motivated to allow 5 different companies to get government contracts and "share the bounty" as it were rather than just picking a firm to deliver it end-to-end.

Not Invented Here

[karlandtanya]

This ain't just a problem with the city or the incompetents they hired to do their coding for them. This is a problem with human psychology--if it didn't come from their in-group it's suspect. Especially if it makes their in-group look bad.

The most important part about solving someone else's problem is making them think the solution was their idea in the first place. This goes double if they hired you to solve their problem.

Stockholm Syndrome?

[nealric]

The good news, is if anybody is arrested, they will eventually come to identify with and even love their captors.

Canvas...

[jpellino]

was started as a grad student project answer to the almost universal frustration with "the only game in town" Blackboard.
Moodle was similarly started as an alternative to WebCT.

Re:fuck vigilante coders

[jfdavis668]

He's calling the system's API. If it allows users to screw up the data, maybe you should fix those issues. They shouldn't have been there in the first place.

Re:

[ceoyoyo]

The article goes pretty hard on the "OMG, poor parent just helping out" angle, but I think the issue was probably that he's made an app that asks parents for their login credentials. You can probably imagine how that might be a problem?

The city probably could have been less dickish about it and gotten there sooner, but they eventually arrived at the right decision and implemented a licensing system so there's some accountability.

Re:

[bickerdyke]

Well, an email client app will ask you for your email credentials.

So an app accessing your school account data will ask for your school account.

Yes, of course you should use something like OAuth instead of giving out your password, but you can't blame that on the client if as long as the server API doesn't support that.

Re:

[ceoyoyo]

Yes, and if you use an e-mail program you don't have reason to trust, you're an idiot. Your bank will probably also look dimly on you using some random app to access your account. Same thing here.

If you think otherwise, I have an app you should try....

Re:

[bickerdyke]

Well, not many better ways to not use "some random app" than an open source community app. Not perfect, but worked well so far with email apps, and even banking apps (e.g. Gnucash, hibiscus)

Re:

[ceoyoyo]

Excellent. Go to the Android or Apple store and download "{MISSPELLED BANKING APP}". It's totally open source, you can verify yourself what it does on Github. It's totally the same app, honest. And all your banking sign in stuff runs in an internal browser it can't access anyway. Honest.

Just put in your banking information. It'll be great. Honest. Oh, and it can check your STD screening results too if you like. Totally secure. Honest.

Re:

[saloomy]

This thread ripping on the trustworthyness of the app shows who the fuck didnt read TFS. It says right there the entire codebase is open source. You can see if he is harvesting your school credentials (hint: he likely isnt). What I bet is going on, is the official app harvests data on use that is likely a revenue generator for the school system, that his app does not incorporate. I have no way of knowing if that is true, but there is likely some other reason for the harsh reception to his altruism. He open

Re:

[PCM2]

You might be able to look at what he claims is the source code of his app, but most people won't be able to compile the app themselves or sideload it. So they still have to trust that a binary they download from the app store is secure.

Re:

[ewibble]

That is true of any app, if his app is harvesting username passwords then they should prosecute him for that, what their real problem is they look like fools spending 100 million dollars on a badly written app that somebody wrote better in a few weeks.

Really I see this happen all the time, applications that seem to cost billions that I don't see why I couldn't write in a year. I don't even get paid 1 million dollars a year. I also see this other areas, painting houses, roadworks https://crux.org.nz/communit [crux.org.nz]

Re:

[ceoyoyo]

Don't your toes get tired, clinging to the edge out there all the time?

Re:

[lsllll]

I see the point of OAuth2 and the way it works, but I hate the idea behind the return URL being fixed. It effectively renders 3rd party clients useless, unless you copy-paste the return URL into the client after every authentication, which is a pain in the ass.

Re:

[lsllll]

At least on Azure MS appears to provide an easy way to get the authentication ID and token. That's how DavMail [sourceforge.net] allows Thunderbird to talk to Office 365 Mail.

Re:

[Gravis Zero]

I think the issue was probably that he's made an app that asks parents for their login credentials.

The program is open source, so it would be trivial to determine if the credentials were being misused.

Re:fuck vigilante coders

[Petersko]

"The program is open source, so it would be trivial to determine if the credentials were being misused."

Provided the shared code matches the deployed binary, which means access right to the file level for auditing.

Re:

[Immerman]

And?

You get the binary file delivered, and easily intercepted, with every app download. And typically you know the compiler version and settings that were used for an OSS project - so compile the code and see if you get the exact same binary as is being distributed. If they don't match, someone is up to something. That's OSS auditing 101.

Re:

[ceoyoyo]

Sure. And that's what they did.

Re:fuck vigilante coders

[theshowmecanuck]

Trivial if you are a programmer and know how to program mobile apps. Ask the accountant or store clerk to check the code out. It's open source. This is one of the lamest arguments around open source that I constantly hear. I like open source, especially real open source licenses like Apache, MIT, BSD, etc. But this whole "anyone can review the code" is pure bullshit. Only a very small percent of the population has the skill, and most of them don't want to because they are arguing about how shitty the other guy's code is and forking projects to be able to concentrate on a smaller population of code in order to make it work better (including security checks).

Re:

[The Evil Atheist]

But this whole "anyone can review the code" is pure bullshit.

Again with the fucking strawmen.

No one has ever said that literally anyone can review the code. It just means anyone who wants to can review the code - that there is no barrier to anyone who wants to review it.

Fucking fauxtistic nerds never understand that things are said in CONTEXT. You can't just take a single sentence and strawman the fuck out of it.

Re:

[F.Ultra]

Show me say a DDOS that doesn't use the official API to access the site/system.

Re:fuck vigilante coders

[Cassini2]

All web API's are fundamentally public. "Private" APIs on public servers can become public at any time with no notice. It's like sending an email and later arguing that it shouldn't have been made public. Once the message is sent, it can no longer be secured.

If you want an API that only talks to one specific client, then every API request must be authenticated. Traffic must be encrypted too.

Otherwise the security system devolves into either:
a) An open API that relies on no-one other than a particular custom-written client knowing about it.
b) The limited-combination remote garage car-keys and garage door openers. They are a effective at preventing your neighbor from accidentally starting your car. However, any serious thief can get past the "private" API in seconds.

Re:

[Immerman]

Absolutely. Any internet-facing API is inherently public.

You forgot a bit in the "alternatives" though. It should be:

a) An open API that relies on no-one other than a particular custom-written client (and any malicious actors that care to pay attention) knowing about it.

Re:fuck vigilante coders

[MobyDisk]

If the API is intended to be used by a non-public audience, then it's reasonable to assume it's not going to include all the safeguards expected for a public API.

Absolutely not.

That kind of reasoning is exactly what leads to hacks and data leaks. When Facebook had an API that allowed anyone to lookup someone's personal details just based on their phone number, we didn't say "Ohh, that's okay - it was only *intended* to be used by the Facebook app when finding people's friends. It's not reasonable to include all the safeguards expected for a public API." Hackers don't care that you didn't intend the API to be public. If the API is available on the internet it is a public API and it must be secured. That's not "high minded principle" that's the basics.

Re:fuck vigilante coders

[serviscope_minor]

1. If the API is intended to be used by a non-public audience, then it's reasonable to assume it's not going to include all the safeguards expected for a public API.

No this is security 101. If it is possible for the public to get at the API then it must be secured as if a malicious member of the public will attack it. It's not "not best practices" to secure an outward facing API it's negligence. Nefarious actors don't generally politely ignore things that they're not meant to see.

People here are treating this kind of hacking as "good" simply because it's to workaround something that's "bad", without realizing you can believe both things are "bad", and in this case, yes, both things probably are bad.

Well in this case the city eventually did an about-face and welcomed third parties. Seems like it did make things better.

Third parties with no documentation shouldn't be reverse engineering access to someone else's database without permission.

I don't see why not. This makes at least 3 systems I know of which were reverse engineered by a frustrated user and eventually got adopted in place of the original to the great appreciation of the users.

Re:

[Pinky's Brain]

Is it really too much to ask to have government have an independent party do a security audit for a service which exposes personal information before it's pushed live? They don't have competitors breathing down their necks, only an electorate who is used to delays. The software won't become irrelevant because of a competitor.

Re:

[FictionPimp]

I'd argue that any API endpoint that starts with https is a public URL and as such should be treated as one.

https://mysite.com/users [mysite.com] vs https://mysite.com/api/v1/user... [mysite.com] should be treated identically as accessible by the internet. It's a web page, just one that takes some json/xml/whatever and spits back the data.

If you don't like it, do your rendering server side. Otherwise, expect it to be hit by anyone with half a brain and a web browser.

Re:

[Anubis IV]

If the API is intended to be used by a non-public audience

...then the API should be made private in practice via user authentication, putting it behind a firewall, or otherwise making it securely unavailable to the public. A failure to do so means that—regardless of what you intended—what you actually did was stand up a publicly available API, and what you should have done was secure it as such. End of story.

then it's reasonable to assume it's not going to include all the safeguards expected for a public API

Only if it was secured appropriately, otherwise, no, that is not at all a reasonable assumption.

Moreover, this is so much bigger than simply abid

Re:

[Darinbob]

If it's not intended for a public audience then it should either not be on the internet, or have a professional grade level of security. A basic rule is that you don't put shit on the internet if you don't want the entire world to see it.

Re:

[Opportunist]

You mean more than the shitty app already costed?

Oh, right, it may have to go to an actual company that can clean up the mess instead of someone who curiously happens to be somehow related to whoever gets to assign that billion Krona. It just ain't pork if it doesn't go to the right pig.

Re:

[Pascoea]

They need to turn AC posting off again. It was actually nice in here for a little while.

Re:

[lsllll]

I was very unhappy when they turned AC posting off for those couple of weeks. We still got spam during those weeks. If you don't like AC posts, read at +1.

Re:fuck vigilante coders

[Anubis IV]

It sounds as if you don’t know what an API is. By definition, it’s the interface you program against when you want to interact with an application. If their API is so poorly implemented that it permits the behavior you suggest, it shouldn’t be publicly available to begin with. Publicly available APIs, of which this is an example, are supposed to be designed with the assumption that they will be receiving communication from untrusted devices and should handle it accordingly.

Re:

[Immerman]

It's designed to be accessed by un-validated clients over the open internet. It's public.

It can only be "private" in the same sense that the out-of-the-way make-out spots in the public park are "private". I.e. it's out of the way and doesn't get a lot of traffic.

Except for the fact that you've widely published an app that demonstrates *exactly* how to get to that "private" spot to anyone who cares to watch it. Like having regular bus service directly to the make-out spot.

If you want a private internet-fa

Re:

[Anubis IV]

Thing is, isn't really a 'public' API. They reverse engineered a private API.

I very specifically said "publicly available", not "public", because the "public API" vs. "private API" distinction simply doesn't matter here. Someone can call an API "private" all they want, but it doesn't change reality: if an Internet-reachable API isn't otherwise secured, it is, by definition, a publicly available API and should have been hardened in the manner that you and I are both talking about. After-the-fact declarations that a publicly available API was intended to be private are a typical prote

Re:

[Zak3056]

This is the same argument as "we didn't expect anyone to use 'view source'" which is used by idiots whose shitty websites leak personal information on the regular.

There is no such thing as a "non-public" API when that API is internet facing and unsecured.

Re:

[deKernel]

As far as I know, there are only two ways to make an AP "private. The first is that the API itself only allows particular IPs to call it, or the server sits behind a firewall that does the IP checking, and neither appears to be the case so by default, the API should be considered public. Just because the school system wants to all the API private does not make it so.

Re:

[FictionPimp]

If you are hosting a API publicly on the internet it is just undocumented, yet public.

If you don't want it to be public either

a) don't make it available over the internet
b) use an auth scheme that allows you to verify it's your client.

Otherwise it's just an undocumented public api.

Re:fuck vigilante coders

[nitehawk214]

What a shitty take for Slashdot, of all places.

Some of the greatest code has been "vigilante" code. Which is one of the dumbest terms I have ever heard.

Fuck you, and fuck your closed source.

It's not a take

[rsilvergun]

it's a troll. He just wanted you to respond to him. And you did. He won this exchange.

Re:

[NFN_NLN]

By that logic I win almost all my exchanges. And the less I actually say anything logical or coherent the more I win!?
Wait, this is giving me complete insight into the social justice warriors internal "logic"... and it's fucked.

www.fart.com/politics

Re:

[thegarbz]

And the less I actually say anything logical or coherent the more I win!?

If your goal is purely to create outrage then yes. Remember Slashdot has banned Anonymous Cowards, so everyone posting as AC has an account. If they aren't leaking sensitive information in their post you know you're responding to someone who doesn't actually believe their own bullshit, they are just trying to ignite rage through trolling.

Clearing Up Others' Mess

[Roger W Moore]

Just because you can write an app doesn't mean you should.

Perhaps, but when you definitely cannot write an app - apparently like the people originally hired - you definitely should not and, if you go ahead and do it anyway, then someone is going to have to come along and clear up the mess you have left.

Indeed, you clearly seem to admit what a rubbish job the original people did if you think that they wrote a public API that is capable of causing damage to the database even when used by good actors trying to work with the system. If the API is that bad imagine what a malicious hacker could do!

Re:

[q_e_t]

Just because you can write an app doesn't mean you should.

Perhaps, but when you definitely cannot write an app - apparently like the people originally hired - you definitely should not and, if you go ahead and do it anyway, then someone is going to have to come along and clear up the mess you have left.

We don't know, from TFS, what the remit for the original writers was. Perhaps it was poorly specified and they were paid peanuts.

Re:

[q_e_t]

Apologies, the amount is in the TFS, but I hadn't registered the conversion from Krona to Euro. Ignore my previous comment!

Re:

[Wolfier]

It's the result of someone who can't even write an app properly, goes on and attempt to create an API.
I mean, what else can be expected other than a disaster?

Re:

[vlad30]

What he did was embarrass them a single person with few resources (i.e. $) did what their billion krona system couldn't can you imagine that person trying to explain why they spent a billion krona when a single person could make something in a few hours that worked with no documentation ?

Re:

[NFN_NLN]

> What he did was embarrass them a single person with few resources (i.e. $) did what their billion krona system couldn't

The entire world is turning into a equity driven welfare state. Their plan probably wasn't to make a working system. It was to create a mess that requires thousands of jobs to keep contained. That way thousands of low IQ idiots are inside working on problems they can't solve instead of smashing windows and looting stores because they have nothing better to do.

Re:

[TranquilVoid]

instead of smashing windows

Interesting choice of words when you've just accused them of implementing the broken window fallacy!

But I doubt this inefficiency is deliberate. The overhead of management, communication and QA can be insane, and especially so in government.

Re:

[jvkjvk]

You seem to forget the part where he is calling all their API's.

He made a client shell, not the entire app, and certainly none of the back end.

So your claim is specious.

Please play again.

Re:

[thegarbz]

You don't actually mean that. If you did you wouldn't post AC. Go troll somewhere else.

Re:

[jellomizer]

Online it seems like everyone is this master security focused coder who make bullet proof code. While when ever I get a job someplace (Big company, small Company, government, Not for profit, Startup, well established...) They are filled with programmers who are just trying to make their next paycheck, and follow the specs given to them. If a vulnerability is pointed out, they will often just lest their bosses talk their way around it, such as saying the user shouldn't have been granted access to where th

Re: fuck vigilante coders

[Raistlin77]

What you do with the data once you have it is one thing - obviously they would have no control over that. But they absolutely have control over what can be done via their API, and if the excuse is that someone could break things via API, then it is their system and API that is broken. They should be giddy that this was done by someone just looking to make things work and publicly sharing their code rather than a malicious actor. They should be ashamed that someone was able to build a better app without bein

Re:

[Immerman]

If you can't be bothered to make your internet-facing API bulletproof, then there are really only two options:

1) Restrict all API access to an encrypted channel that only your own front-end can access. This is pretty easy, lots of OSS and even public domain examples on how to do it using robust and well-tested encryption.

2) Accept that everyone + evil dog will have complete access to your API, and that your system will be strip-mined and/or demolished by the first malicious actor who is so inclined.

Re:

[serafean]

> They are filled with programmers who are just trying to make their next paycheck, and follow the specs given to them

Data validation. Never trust anything incoming through a file descriptor to be properly formatted? Really, this doesn't get applied?
I will admit I skipped a few checks in my parsers too, but it very quickly caught up with me.

> Besides the API can have the best security, and still cause misuse, because what you do with the data after you get it, is where the problems happen.
That's where

Re: fuck vigilante coders

[natd]

While I believe you that all your workplaces have had low standards of developing, I can equally say that itâ(TM)s not like that everywhere. Iâ(TM)m not a developer as such, but my role exposes me to plenty of them and I am responsible for solutions getting delivered. For the last 15 years or so I have seen strong practices around secure design. The good old OWASP Top-.10, peer review, inline/automatic code scanning then vulnerability scanning, pen tests. And then it needs to be deployed in a fit

Re:Utopia

[nehal3m]

1. Sweden is not socialist, they're free market capitalists with a social democratic government 2. They're not 100% perfect, but still leagues above most other countries regarding overall citizen happiness. Lunch school debt is something they've never heard of, I've had exchange programs with Swedish schools and their lunches are not only free, but fucking amazing. You've managed to straw man and non sequitur at the same time. For the record, I do not nor have I ever lived in Scandinavia.

Re:Utopia

[93 Escort Wagon]

1. Sweden is not socialist, they're free market capitalists with a social democratic government

There’s a certain breed of modern Neanderthal that believes any government which does more than operate a military qualifies as “socialist”.

Re:

[dromgodis]

Correction: The school lunch, at least for years 1-9, is decidedly not amazing (but it is free). It is in most instances horrible (there are known deviations), and is allowed to cost around 1/5 of a lunch for a prison inmate.

Re:

[F.Ultra]

The quality is highly different from school to school. I had great terrible lunch at my school back in the 80:ies but all my children (that went to different schools) had amazing lunches.

Re:

[F.Ultra]

And small correction, the cost is not 1/5 for that of a prison inmate, to get to that number you have to ignore that inmates gets 3 meals a day while school lunch is one meal. The amount of money to spend on school lunch is set by each municipality and thus varies a lot across the country, in 2019 the cheapest was Partille that spent only 3.1K SEK per student and year while Berg spent 14.7K SEK. Meanwhile the lunch for inmates is set nation wide and was 6.2K SEK in 2016 (and is for 365 days while the number

Re:

[Alsn]

No way. First of all, "right" leaning parties of Sweden are by global standards on the left side of the spectrum in many respects. Second of all, the Social Democrats (centre-left by Swedish measurements) have been in power either on their own or in coalition for at least 70 of the last 100 years, so your statement could almost not be more wrong. Source: I am a Swede

Re:

[jythie]

It is almost like things can be better or worse without going to extremes.

Re:

[Luke has no name]

"People want an organization to do a job and do it correctly; Get mad when organization sometimes fails; Demands improvement"

What a fucking *radical* concept.

Re: Let's delegate more authority to governments

[RightwingNutjob]

If the same *person* keeps fucking up a series of tasks assigned to them, is it sensible to expect competence on the n+1th task, or is it sensible to assign it to another, less demonstrably-incapable, individual?

One definition of insanity is doing the same thing but expecting a different result. An equally radical idea, I'm sure.

Re:

[Entropius]

This is profoundly simple compared to the bullshit "course management systems" that we are stuck with in American universities.

And then, separate from the CMS, I have to submit end-of-term grades on PeopleSoft...