Hey fellow tech folks. We might get asked to do something terrible. I'd like to start a bit of an open discussion about how to deal with such requests.
The first thing I might recommend is enthusiastically agree to do whatever it is then forget about it and do something else. If asked about it in the future, pretend this is the first you've heard about it. Play as dumb as you can for as long as you can.
Now, if you can't get away with delaying by not doing anything anymore then find the absolute most complicated way to do whatever it is. This is actually a great time to use an LLM. Have an LLM write all your code then just run it. Ask the LLM to fix anything that's broken. Take some extra steps to force downgrade or upgrade libraries to incompatible versions. Write all of your own interfaces by hand. Write your own date parsing library. Write all of your own SQL without any abstractions. Add an LLM in the middle somehow. Use libraries that haven't been supported for 15 years. Ever want to write code in Python 2.0? Now's your chance! Debug everything with Wireshark, no matter what it is. I bet there's a VB script library to do what you need to do, and if you can just write a C wrapper around that it'll interface perfectly with Perl, as soon as you can get that old FoxPro program running in Wine. I bet it would be easier without that commit hook that changes every zero to a capital letter O. "I'm getting the craziest error. It works on my system!"
There are a million ways to make things insanely complicated, and most of us have seen people legitimately do these things out of pure incompetence.
Now, if you end up against the wall and think you might get fired, package everything up and hand it off to someone else, but make sure you make it clear that you're almost done and it should be super easy to finish. Leave behind some fun puzzles for the next person to figure out.
"How strange...the output changes when I change the whitespace, but not when I change the text. What is that?"
Who's got some other fun suggestions for extremely malicious compliance?
Edit: Since the post I was riffing on is no longer the top trending on my instance, I'm gonna bump it again. We've all been thinking about all kinds of malicious compliance in the case of a hypothetical (or perhaps some of us real) evil. This is a *specific* evil that *is* being asked for right now.
It's worth reading the original post that got me thinking about this, if you hadn't yet:
https://sauropods.win/@futurebird/113866093397576803
Also, get randomized. If you have anything else, do that instead. Only work on whatever evil thing if you are explicitly asked to prioritize it above everything else. Then, if you're asked for anything after that point, drop the evil thing and take whatever new request. Add several days of delay for "task switching" when asked to come back.
One reason to feign compliance is so that the task doesn't get assigned to someone who might actually do it.
@Hex
Schedule meetings to discuss requirements. Assign difficult tasks to known incompetents, or people known to be over-worked. Put every subroutine in its own container linked with the most difficult networking possible. Demand IPv6 for the entire project.
Document nothing. No comments in code, use obscure function and variable names, which you can reuse for different purposes from one routine to the other.
Schedule another meeting where you revisit and question past decisions.
@Hex
Did I forget security? It's important! Make sure SELinux is set on Max. Make ip table rules for specific ports from specific IP addresses. If you require certs, make sure they expire every month (or less) and require a difficult process to renew. SSH by key only, which are force rotated every two weeks, and of course only from certain IP addresses.
@Okanogen I've heard certs should expire every 15 minutes, so it's important to have your own PKI to vend new certs.
@Hex
No wild cards, and each expires at a different time or day.
Here's another, underprovision EVERYTHING. Especially storage, and then turn off logrotate. Oh the fun when nothing works because it can't write to disc.
If you create logs for your process, make sure they are as useless as possible (oh my God I'm living my own #Sysadmin trauma) also, no dates or times, or if you do, choose one that is different from the system setting (aggghhhhhhh).
@Hex
Even better, make sure some log files save a time in local, one in UTM, and one, NOT AT ALL.
If you ever do have to deliver "Evil Product" these elements will make it almost impossible to use or admin.
Also? These containers. Make some Debian Sid, some Fedora, some CentOS, some Ubuntu, if you can cram some process on Windows server, even better. Hopefully scraping input from an Excel spreadsheet with tons of links.
@dmarti oh my, that's beautiful...
@Hex make undocumented assumptions about what Unicode encoding a file is in—you’re probably going to do some of that by mistake anyway, just fix it up so it works but different files are in as many different encodings as possible
@riley @Hex @Okanogen I have seen whole projects being scrapped after years of work on them because someone locked the statistics in an Oracle DB right after it was truncated and before restoring the data. When I discovered this the project was already replaced with a shiny new product.
https://stackoverflow.com/questions/25012636/why-are-table-statistics-locked
@mdione @Okanogen I don't know, if the colleague can defend deprioritizing it then they're perfect. If the colleague can't defend deprioritizing it, then it could sit on their plate for a while before shifting to someone else. If they're enthusiastic about the project, then keep giving them work until they quit.
@sabrinaweb71 @Okanogen @Hex
I kinda do that by accident sometimes.
@sabrinaweb71 @Okanogen @Hex
Best time to relearn Latin. But bad Latin.
(No translators, only dictionaries exist)