Saturday, December 1, 2018

Entanglement

(note: this is a continuation of a story that starts here)

"Should we do this independently?" asked Fred.

"We should each check everything," said Samantha. "Mike's right about that. That doesn't mean we can't talk, though."

"...but you don't want to 'talk' with Kramer..."

Samantha forced a hollow little smile.

"No," she said.

"What's going on?"

"I don't know," said Samantha. "It's not adding up. Everything that goes wrong...he's at the center of it."

Fred half-chuckled. "You don't think he's doing this on purpose, do you?"

Samantha shook her head. "Don't know," she said. "I do not know, but the first thing I'm going to do is go over everything he's done having to do with our backend data stores in PriceMax."

"Everything?"

"Everything. He doesn't do much. It shouldn't take long."

Fred sighed. "Alright," he said. "I guess I'm breaking out the fine-toothed comb. I'm going to start looking at samples from the database."

Samantha went over every check-in put in by Kramer that affected the database. It was tedious work but she was correct in that it didn't take too long.

It was all innocuous stuff: widening some fields, changing some data types from fixed-length strings to unlimited text fields. That sort of thing.

Next, Samantha started going through Kramer's changes to the PriceMax server code. There were only five of them, counting his infamous security-disabling change.

Samantha shook her head and muttered "Moron" under her breath.

All Kramer seemed to do in the PriceMax server was eliminate constraints.

One change removed all validation on a form field named user_age and passed it straight through to the database as a string. Another change was a convoluted network of nested ifs and switches that seemed completely useless, because the outermost condition could never be met. The other two were changes to branches in the dead if-tree, so Samantha ignored them.

Kramer's changes in the client libraries were just as meaningless.

Samantha twisted her mouth to one side and scrunched her nose as she leaned back in her chair. She fiddled with a pen she was holding, slowly turning it end over end.

"That's exactly what I should have expected," she whispered.

"Hmm?" Fred's voice broke through the silence, reminding Samantha that she wasn't alone.

"Nothing," she said. "You finding anything?"

"Can't see anything in the database that would be cause for alarm. A lot of customers are going to be angry that someone stole their data but I'm not seeing anything that could be used for identity theft."

"Nothing unusual?"

"Nothing I can see."

Samantha brought the butt of the pen up to her mouth and softly chewed at it.

"Huh," she said.

They traded jobs: Fred began combing through Kramer's changes and Samantha looked at the data.

Hours passed as she pored through countless rows in search of something...anything unusual.

She couldn't tell what, but something seemed off to Samantha. She was designing a query to help her figure out what was wrong when she noticed what was bothering her: The signature fields had way too much data.

They were only supposed to hold a 512-bit salted hash of a document that was stored locally on clients. That was one of the fields that Kramer had inexplicably changed to an unlimited text field and now, many of the rows contained a "signature" that was several megabytes long.
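What Samantha noticed is the kind of thing a length check on a supposedly fixed-width column turns up immediately. The block below is an added illustration, not code from the story: it builds a constructed sample table with a few well-formed 512-bit (128 hex character) salted hashes plus two anomalous rows, then runs the query that flags any "signature" that is not exactly one hex-encoded 512-bit digest. The table name client_docs, the column name signature, the hex encoding and every sample row are assumptions for the example.

```python
"""Added example: flag 'signature' values that cannot be a single 512-bit hash.

Assumptions (not from the story): table client_docs, column signature,
hex-encoded digests, and the constructed sample rows below.
"""
import hashlib
import os
import sqlite3

# A 512-bit digest is 64 bytes, i.e. 128 hex characters.
EXPECTED_HEX_LEN = 512 // 8 * 2


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory table with constructed rows: five good hashes, two anomalies."""
    conn = sqlite3.connect(":memory:")
    # The column is TEXT with no length limit, mirroring the widened field in the story.
    conn.execute("CREATE TABLE client_docs (id INTEGER PRIMARY KEY, signature TEXT)")
    rows = []
    for i in range(1, 6):
        salt = os.urandom(16)
        digest = hashlib.sha512(salt + f"document-{i}".encode()).hexdigest()
        rows.append((i, digest))
    # Constructed anomalies: a multi-megabyte blob stuffed into the field,
    # and a value far too short to be a digest.
    rows.append((6, "x" * (2 * 1024 * 1024)))
    rows.append((7, "abc"))
    conn.executemany("INSERT INTO client_docs VALUES (?, ?)", rows)
    return conn


def find_anomalous_signatures(conn: sqlite3.Connection, expected_len: int = EXPECTED_HEX_LEN):
    """Return (id, length) for every row whose signature is not exactly one hex digest.

    Two conditions: wrong length, or any character outside the hex alphabet.
    Results are ordered largest first so stuffed fields surface at the top.
    """
    sql = """
        SELECT id, LENGTH(signature) AS sig_len
        FROM client_docs
        WHERE LENGTH(signature) != ?
           OR signature GLOB '*[^0-9a-fA-F]*'
        ORDER BY sig_len DESC, id
    """
    return conn.execute(sql, (expected_len,)).fetchall()


def signature_length_histogram(conn: sqlite3.Connection):
    """Length distribution of the column; a fixed-width field should have one bar."""
    return conn.execute(
        "SELECT LENGTH(signature) AS sig_len, COUNT(*) FROM client_docs "
        "GROUP BY sig_len ORDER BY sig_len"
    ).fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    print("length histogram:", signature_length_histogram(db))
    for row_id, length in find_anomalous_signatures(db):
        print(f"row {row_id}: signature length {length}")
```

The histogram is the quicker first look: a column that is supposed to hold one kind of hash should have a single length bucket, and any second bucket is a row worth pulling.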

"Samantha?" asked Fred.

"Just a sec," answered Samantha.

Samantha jotted down a few row ids, then spun in her chair to face Fred. His cheeks were ghost white.

"What is it?" she asked.

"I looked at his client code. It's collecting personally-identifying data, where it can be found."

"He's putting it in the database? Where?"

"No. It's being stored locally, and it's not him."

Samantha's eyebrows popped up about an inch, then she furrowed her brow. "What's that, now?"

"You were only looking at his changes, weren't you?"

"Yeah."

"I'm looking at the code where he made changes."

That got Samantha's attention.

"It could be innocent," Fred continued. "Maybe there was a real requirement for it. Maybe it's used by another service...legitimately. It's not being posted to PriceMax but the PriceMax client libraries are capturing those data when they can find them."

"Who added it?"

"I think it's someone from one of our European offices. 'Zmitser Žylinski.' That's with a little crown-y thing over the second 'Z'. I don't recognize the name."

"Me either. Let's figure out who it is and then talk to Mike."

Hours later, Samantha and Fred had covered the half-walls and desktops of their shared cubicle with little bunches of paper.

"Can this be real?" asked Fred.

"It seems like it has to be," answered Samantha.

Each group had three parts: A printout of a diff from a change made by Kramer, a printout of a diff made by their new friend, and a sticky note affixing the two together. Each such sticky note had a list of dates and incidents on it.

"So, the pattern," said Fred, "What does it mean?"

"I don't know."

"Every time Kramer screws up, ZZ Top slips in a change right after that, which goes unnoticed but somehow leverages what Kramer did."

"Spooky action at a distance," murmured Samantha.

"Or a spider following vibrations in its web."

"Either way. Time to bring in security."

[Image: a desk covered with stacks of paper, as described above.]