Skip to content
DevMeme
The siren call of the quick and dirty hack
TechDebt Post #55, on Feb 6, 2019 in TG

The siren call of the quick and dirty hack

Why is this TechDebt meme funny?

Level 1: The Backyard Flying Machine

A man builds a helicopter out of wooden boards in his backyard. It has everything a helicopter should have — propellers, windows, even little stairs — except the ability to fly. Then he invites a passenger aboard, and the passenger happily waves for the camera, trusting it completely. That's the whole joke: the passenger is your secret password, the wooden contraption is a safety system someone built by themselves instead of using a real one, and everyone looking at the photo can see the crash coming — except the two people in it.

Level 2: Hash, Don't Stash

The vocabulary you need for this photo:

  • Encryption scrambles data so it can be unscrambled later with a key. Good for messages; wrong for passwords, because anyone who steals the key gets everything back.
  • Hashing is a one-way scramble: easy to compute, practically impossible to reverse. To check a login, you hash what the user typed and compare hashes — the original password is never stored.
  • Salt is random data added to each password before hashing so two users with the password hunter2 don't produce identical hashes, and precomputed "rainbow tables" become useless.
  • bcrypt / Argon2 are battle-tested, deliberately slow hashing functions built exactly for this job. Using them is a few lines of library code.

The junior-developer trap this meme warns about: early on, writing your own version of something feels like the path to understanding (and it is — in a sandbox). The mistake is promoting the learning exercise to production. The first time you see a real codebase where someone "encrypted" passwords with a reversible function and a key stored in the same repo, you'll recognize this helicopter immediately — ramp, rotors, weeds and all.

Level 3: It Compiles, Therefore It Flies

Look at the actual aircraft: plywood fuselage, hand-cut rotors, a boarding ramp made of scrap lumber, the whole thing parked in weeds — and the passenger labeled "User Password" waving cheerfully as he boards "My selfwritten encryption algorithm." That wave is the meme's cruelest detail. The password doesn't get a vote. Users hand over their credentials assuming the operator bought a real helicopter, and they find out about the plywood only in the breach disclosure email, eighteen months later, with the phrase "we take security seriously."

Veterans have watched this exact flight plan repeatedly. The pattern is always the same: a developer decides the established tools are bloated or boring, that their clever XOR-and-shuffle scheme is unbreakable because they personally can't break it, and that crypto libraries are just other people's code with extra steps. The industry's blunt commandment — don't roll your own crypto — exists because the graveyard is full: Adobe's 2013 breach exposed 150 million records partly because passwords were encrypted (3DES, ECB mode, no salt) instead of hashed, and the password hints sat next to them in plaintext like a crossword answer key. LinkedIn's unsalted SHA-1 hashes from 2012 were largely cracked within days. None of these were exotic failures; they were homemade helicopters with a fresh coat of paint.

The organizational dynamics keep the hangar busy. Writing your own crypto feels like engineering — it produces code, it passes the tests its author wrote, it demos fine. Using libsodium feels like admitting the problem was already solved. Nobody gets a promotion packet line item for "did not invent a cipher this quarter." And because crypto fails silently — the wooden helicopter sits in the grass looking aircraft-shaped right up until someone needs it to fly — the feedback loop that punishes the decision arrives years after the engineer who made it has changed jobs.

Level 4: Schneier's Law and the Physics of Plywood

The deep reason this helicopter can't fly is the same reason homebrew ciphers can't survive contact with an adversary: in both domains, your own inability to find the flaw is not evidence the flaw doesn't exist. Cryptographers call this Schneier's Law — anyone, from the rankest amateur upward, can design a scheme that they themselves cannot break. Security is not a property you can test into existence; it's a property established by decades of failed public attacks. Kerckhoffs's principle (1883!) formalizes the corollary: a cryptosystem must remain secure even when everything about it except the key is public knowledge. A self-written algorithm inverts this — its only real defense is that nobody has looked at it yet, which is security by obscurity wearing a flight suit.

The failure modes are not hypothetical and they are rarely in the math itself. Real ciphers die in the implementation layer: timing side channels that leak key bits through how long a comparison takes; padding oracles (the entire class of attacks that broke SSL 3.0 via POODLE); nonce reuse turning a stream cipher into a transparent window; non-constant-time string comparison on a MAC. AES survived because it endured a multi-year open competition and twenty-plus years of academic siege. Your xor_with_secret_sauce() function has endured one code review, performed by its author, at 6 PM on a Friday.

And there's a category error lurking in the labels: passwords shouldn't be encrypted at all. Encryption is reversible by design — anyone with the key can recover every password. Correct password storage uses slow, salted, one-way hashing (bcrypt, scrypt, Argon2), deliberately tuned to be expensive so that offline brute-force at billions of GPU guesses per second becomes economically miserable. The man boarding the helicopter isn't just flying a bad aircraft; he's flying it to the wrong destination.

Description

A classic 'Distracted Boyfriend' meme format. The boyfriend, labeled 'The Developer,' is looking over his shoulder at a passing woman labeled 'A quick and dirty hack that works for now.' His girlfriend, looking disgusted, is labeled 'The well-architected, scalable solution.' This meme perfectly illustrates the constant struggle for developers between implementing a proper, robust solution and succumbing to the temptation of a quick fix to meet deadlines. For senior engineers, it’s a familiar and painful reminder of how technical debt is born, often out of necessity and pressure from management

Comments

8
Anonymous ★ Top Pick That quick hack is a high-interest loan from the Bank of Technical Debt. The principal is small, but the refactoring penalties are brutal
  1. Anonymous ★ Top Pick

    That quick hack is a high-interest loan from the Bank of Technical Debt. The principal is small, but the refactoring penalties are brutal

  2. Anonymous

    AES survived twenty years of public cryptanalysis; your plywood cipher barely survived linting

  3. Anonymous

    Spent three months implementing a custom AES variant with "improvements" only to watch it get defeated by a user whose password was their kid's name followed by the current year

  4. Anonymous

    Schneier's Law in one photo: anyone can build an encryption scheme they themselves can't break - or a helicopter they themselves are willing to board. Once

  5. Anonymous

    This perfectly captures every security audit's nightmare: the junior dev who read one Wikipedia article on XOR operations and decided they could outdo decades of peer-reviewed cryptographic research. Meanwhile, bcrypt is sitting there like 'I've survived 25 years of cryptanalysis, but sure, your weekend project with nested for-loops is definitely more secure.' The real kicker? They probably stored the 'algorithm' in a public GitHub repo with a comment saying 'TODO: make this more random.'

  6. Anonymous

    Rolling your own cipher to “encrypt” passwords is a plywood helicopter - looks airborne until the first pen‑test crosswind; use a salted KDF (Argon2/scrypt/PBKDF2) and a real library

  7. Anonymous

    Rolled my own crypto because 'it's just symmetric ciphers' - now it's autorotating straight into the user's 'p@ssw0rd'

  8. Anonymous

    Rolling your own crypto is flying prod passwords in a plywood helicopter - use vetted libs and Argon2id, and keep Kerckhoffs off the incident bridge

Use J and K for navigation