Ask HN: What is the most unethical thing you've done as a programmer?

I created software that was used by call center agents to bid on “bathroom” break time slots and kept track of who was on break and actively punished those who didn’t follow the rules. It rewarded those that had higher performance and who took less breaks with higher priority. If an agent didn’t come back from their break a security guard would automatically be dispatched to find them. For the same company I also made software that reduced the same call agents to numbers and effectively automated the layoff&#x2F;termination process. It would contact security with orders to have people escorted out, and had a sinister double verification process that would check to verify the agent was actually fired, or else the responsible security guard would be punished via the same point system. Everything was done via e-mail and would come from “System” and at the time used fancy HTML e-mail templates that looked official. I would frequently hear people talk about how they received a “System e-mail” with a chill in their voice, not knowing I was the one responsible. People who I ate lunch with sometimes didn’t even really know. Embedded in each e-mail was a count-down timer to create a sense of urgency to do whatever was being asked before a “punishment” was applied.<p>After an agent had been terminated, their punishment points would decay over time until such a time they reached zero (or another configurable threshold depending on how desperate the company was for warm bodies), at which time they would be sent an e-mail to their personal e-mail (which was collected during the application process), inviting them to “re-apply”. Being an early telephony company we also would send them a robo-call with the “good news”. This process was known as a “life-cycle” and it was common in certain labor markets for employees to have many such lifecycles. Another way employees could stave off automated termination was to work for unpaid overtime, which offered to reduce their point values per unit of overtime worked. Everything was tracked to second granularity thanks to deep integration with phone switches and the adoption of the open source Asterisk CTI.<p>This orwellian automation terrorized the poor employees who worked there for years, long after I left, before it was finally shut down by court order. I had designed it as a plug-in architecture and when it was shut down there were many additional features, orders, and punishment_types.

Not a programmer at the time, but a system administrator. I won&#x27;t mention the company. This was 2011-2012 -ish.<p>We hosted dedicated servers and most of the time, they were mostly Plesk or cPanel servers run by people selling email and or web hosting to hundreds of clients from a single server.<p>This one time a client joins the network, buys a server from us, and migrates from Rackspace. We wondered why he&#x27;d move from Rackspace given they were better than us, and it turns he was kicked off of their network because he basically submitted tens of support tickets daily asking for all kinds of optimisations, improvements, and silly stuff not covered by the support contract. Rackspace had decided he wasn&#x27;t worth it and booted him.<p>We ended up with him and boy was he a pain in the backside. Anyway...<p>Long story short, he cost us more in engineering time than he paid us and this irritated the owner of our business. The owner had my team leader find someone on his team willing to do the following: dump the guy&#x27;s Plesk database containing all of his customers and make a copy of it on our network. I took on the task and was told it was simply a backup. I was young and didn&#x27;t really think things through. I feel bad about it now because...<p>The customer was booted from the network a month later and all of his customers were offered free email and or web hosting for the year, including migrating them over to our network... the owner absolutely annihilated the guy. He contacted all his customers and simply wiped him out.<p>That same owner is now a highly respected business man and an MBE.<p>You might be able to do some digging and find out who this company and owner is, if you look hard enough.

So my dad told me this story once,<p>He was working on a large, industrial construction project and they were nearing the end of it, so a QA engineer was scheduled to do a walk-through, and before that happened a higher-up purposefully damaged finished work, dented a pipe with wrench, unscrewed a bolt, etc... That way when the QA engineer did his checks, he&#x27;d find these obvious, easily fixable defects and mark them, whereas if he had found no problems, he would end up digging deeper, since he&#x27;ll feel like he has to find something, and then he might potentially uncover some major, catastrophic problem that&#x27;d be impossible to fix and still hit the customer&#x27;s deadline.<p>Theoretically everyone&#x27;s happier at the end of it... QA because they did their job and found stuff wrong, the client cause the project was finished on time, and all that for an afternoon of extra work.<p>I worked for a company with an extensive QA process and on occasion I found myself being less then thorough before handing the code off. I knew there were bugs, but just left them in there, because they had bug quotas they had to meet, and we had a tight deadline, etc... At least that&#x27;s what you tell yourself to justify the behavior.<p>Sometimes I wonder just how much of this kind of greasing-the-wheels goes on in other industries...

Not me personally, but the company I started my career with (was an intern there for a few months).<p>ERM software. When a new client comes onboard, install the product and database, but make sure not to make any optimizations, not even the basic indexes in the DB. Depending on the usage, the DB will get slower and slower in a few months. Then send a &quot;consultant&quot; who will simply run a script and add indexes etc and test a bit (no more than an afternoon worth of effort) and charge a high fee for it.<p>We had a project once for conversion (not getting into details). My team found a tool online. Boss bought it, finished the entire project in one day. Boss bills for month (which was the original estimate), puts the team to work on another project for the next 29 days, gets paid for that too. The only decent thing in this story is that we didn&#x27;t know <i>before</i> the quote, that such a tool was available. Some would say this is smart way to do business, it felt shitty for me though.

I worked on a penny-bidding site. These guys &quot;auctioned&quot; items like PlayStation, tvs, cars to the user who placed the final bid on an item after 60 seconds of no further bids. Each bid would increase the final price by 1 pence&#x2F;cent, but each bid would cost 50 pence&#x2F;cents. You could &quot;win&quot; a $20,000 car for $500.37 and the house would have taken 50,037*50 cents. It might be okay if that was it -- but I was asked to code some &quot;house bidders&quot; who would outbid players until a certain threshold was met. I left that job shortly afterwards.

I suspect you&#x27;re not going to get many personal stories here because it would be self-incriminating. But I have a couple from some people I know in tech.<p>1. I know the guy who, pre-Snowden, actually designed many of the pieces of network gear needed for the dragnet. His perspective was basically: Yes it&#x27;s wrong, but what do I know? I just design electronic circuits.<p>2. Same guy also mentioned how at another company he worked at they used DNS tricks to exfiltrate data out of their enterprise clients. Nothing crazy, mostly just analytics to aid in things like product design. They got caught though. First Intel went out, then a couple hours later 4 other big tech companies (including Apple and Microsoft). Then a huge swath of devices stopped reporting. They got acquired shortly afterwards for a large, but sub-billion dollar amount.<p>3. I know a couple people that crack into devices and sell the 0days to the highest bidder. I consider this practice for anything cyber-physical (self-driving cars, etc) to be so unreasonably unethical that it should be against international law. It&#x27;s one thing to sell these things to an allied government, it&#x27;s quite another to have them on the open market.

Was fed up with Quake Live not providing any matchmaking, so I tried to make my own. Of course they didn&#x27;t have any API, so I needed to scrape their website to get the match results. I sent a lot of requests.<p>So when they blogged about their web site becoming occasionally very slow, I sheepishly emailed them, and asked if this might be due to my scripts. I assumed that of course they&#x27;d have some sort of IP based limiter in place in case I got to greedy. Well, they didn&#x27;t. They requested that I send them my scripts, which I happily did. They also banned my account, which I thought was quite petty.<p>They might have unbanned me a couple weeks after that, but I quickly lost interest in Quake Live.

There was an ongoing prank in my high school (late 70&#x27;s) to insert John Holmes&#x27; name whenever&#x2F;wherever possible. For example, one trick was to ask someone in the front office to add to the end-of-day announcements &quot;{popular girl}, John Holmes won&#x27;t be able to give you a ride today&quot;. Eventually the front office caught on, and it got riskier and more difficult to do.<p>I was asked to write an Applesoft BASIC program to help the front office collate and remove duplicates from attendance lists taken first and second period. At some point, I added some obfuscated code that would add John&#x27;s name in when the total number of names was over some threshold.<p>Believe me, I&#x27;m very very ashamed of myself...

Worked for a company that was contracted by DOW to make an app promoting some extremely toxic agrochemicals, such as Forefront. They talked about this being so poisonious that if animals eat grass sprayed with it, then crops grown with their manure will be unsuitable for human consumption. Was also asked to fake (&quot;round up&quot;) the calculations of how much money you&#x27;d save if by those chemicals.<p>Read up a bit about DOW and the Bopal disaster and started to feel horrible about my work.<p>Tried to gently bring concerns up with the management, and was laid off immediately.<p>I feel really bad about doing that work, but trying to make up for it by not eating animal products anymore.

I&#x27;ve done a lot of work involving scraping, data analysis and reversing private API access from mobile applications. A lot of this work is legally defensible (if you do it correctly) and not particularly unethical. After doing a bunch of this type of work I started to accrue subject matter expertise in the area that led other companies to come to me with more questionable projects in mind. I turned down many of these, but two projects stand out to me as unethical or borderline. In fact, this was the reason I eventually stopped working with these companies.<p>The first project was for a large, (now) well-known fintech company. They needed to develop login integrations with consumer banks to acquire customer account information for verification purposes. But many such banks didn&#x27;t particularly want to grant them any special API access. More importantly, these banks typically forbid scraping and made it explicitly difficult by implementing JavaScript-based computational measures required on the client in order to successfully login. I helped this company develop methodologies for bypassing the anti-scraping measures on several banking websites. However, I stopped working on this because 1) I felt uncomfortable with the cavalier way they were ignoring banks&#x27; refusals, then using the reversed integrations and onboarded customers as a bargaining chip for more formal partnerships, and 2) performing huge amounts of analytics on customer data acquired as part of the account verification process.<p>The second project was for a tech startup working on insurance and credit analytics. This company is one of several that popped up in recent years to use machine learning and social data in order to develop a more &quot;complete&quot; credit score (in their eyes). They had an impressive team of machine learning researchers but their data acquisition team was comparatively mediocre. So I worked with them to improve their acquisition methodologies for a variety of social media websites. I stopped working with them for three reasons: 1) fundamentally, I lost faith that their product was actually generating a meaningful signal over traditional means, 2) I was worried that the data they were collecting might introduce spurious correlations or illegal biases, and 3) if any team was going to do this correctly, I didn&#x27;t think this particular team was the qualified one to do it.

After Jared Kushner originally bought the New York Observer, I was hired to lead the tech team, which I did for a year and a half in house then for three more as a vendor. He asked me, out of band, to blackhole articles critical of his commercial real estate colleagues and I complied.

I made software 15 years ago to automatically buy concert and sports tickets from Ticketmaster and other websites. At the moment tickets went on sale we used hundreds of computers to buy up the good tickets.<p>I&#x27;m sorry your daughter didn&#x27;t get Nsync tickets.

I once got pulled into an arbitration hearing to explain how certain code functions operated. While not necessarily unethical it was a moral moment because I knew the inquiry came with the loaded intent to twist whatever explanation I gave into the worst possible extreme.<p>Sure enough that&#x27;s exactly what happened and a really hard working and honest developer lost their job so an executive could save face.<p>Left that company a month later but I still feel horrible

I built my computer graphics final project in Haskell so that the TA wouldn&#x27;t be able to run it and grade it. Then for our presentation, I babbled on and on about the math and went over time so we wouldn&#x27;t have to give a really crappy demo.

During the Ashley Madison incident, a partner and I put up what was either the first or one of the first online tools for checking to see if a particular email address or phone number had been exposed.<p>I&#x27;m still not sure whether or not that was net good&#x2F;bad. I&#x27;m sure that the tool has caused some real familial stress. We could fall back on the &quot;well if not us someone else would have&quot; but that&#x27;s a cop-out.<p>Our site was checkashleymadison.com. Later on we got rid of the domain. We had a ton of interest from advertisers, but we thought it best not to try and make money off of the exposition of others. Overall we took in something like 1.2mm uniques over 24 hours. It was a pretty crazy day, and my first time speaking with the media. Looking back, I&#x27;m glad that I didn&#x27;t say anything too dumb.<p>Originally we intended to stay anonymous, but I forgot to tell a The Hill reporter of that wish and my name was published. After that I spoke on the record to whatever journalists were still interested.

At a previous employer we used the data referenced in the question. We bought the &quot;anonymised&quot; telecom data from one of the big providers in the USA. We would then analyse that data to figure out where the phone spent 6-8 hours during the night to determine where the phone owner lived. Then we&#x27;d pull the USA consensus data(free!) so the system would know what demographic the user probably belongs to. We got a surprising amount of data from the consensus, we had things like ethnicity, income, age.<p>Then we&#x27;d loaded all this in google maps and let users of the app figure out what demographics frequent particular locations on the map. For example a use-case of this would be a coffee company figuring out where to open a new coffee shop.

(I didn&#x27;t go through with this, but considered) While I was a student I worked for a small shop that sold online services. I was something between an intern and a junior developer&#x2F;security guy.<p>The boss (non technical) privately asked me one day to do some research about automating some data entry processes, basically reading from excel files, some databases, formatting and putting it all in another database.<p>I found out later that if that script is made it would lay off a number of people doing data-entry. I didn&#x27;t go through with it for many reasons.

I once used curl to continuously upvote a family member&#x27;s art submission to some national contest. The contest site did <i>no</i> validation so continuously sending POSTs with was almost too easy to game it. They won and got a free trip across the country (among other things).

In my first job out of college i worked at a big consulting company on a project at a company that used interwoven teamsite cms. Teamsite was a cms written in Perl, JavaScript, and Java with lots of xml sprinkled in. It was a horrible system.<p>I blogged about it on my personal blog. All the posts were about how to solve issues I had using it. This was before stack overflow.<p>After I had about 10 such posts I wrote a post titled &quot;interwoven teamsite sucks&quot; and linked all the other posts there.<p>I started noticing traffic to that post from specific ips accross the country.<p>A week later I was pulled into a meeting with the top see directors and told to remove my blog. Interwoven was an Accenture client.<p>I removed it.

Worked quite a while for an &quot;Internet Cafe&quot; SAAS company. If you&#x27;re confused by the quotes, these internet cafe companies basically sell internet time to users and with each minute purchased, you also get an entry into a sweepstakes where the prize is a jackpot. The sweepstakes entries would be redeemed electronically by way of slot machines, video poker, etc. They&#x27;re basically legalized gambling. I suppose that in and of itself isn&#x27;t unethical, but we didn&#x27;t exactly operate by by the book.<p>In order for this to be legal, the sweepstakes games have to have a defined number of entries as well as a defined number of winners and losers. None of our games did, it was just too prohibitive. We did provide to our customers, by law, our average payouts and our games did adhere to those through averages over time. But there were many occasions where the games didn&#x27;t pay out jackpots regularly or paid them out too frequently, hurting stores that were using our software. Our recourse was to provide them more &quot;entries&quot; to distribute to sell to their players, which of course cost us nothing.<p>Business was good for quite a while, but stricter laws and states cracking down really killed profits. I just feel like any type of gambling in unethical, it seems to really pray on people&#x27;s dopamine addictions. And these internet cafes, in particularly, are largely occupied by retires who, I&#x27;d wager, can&#x27;t really afford to be throwing their money way.<p>Years later, my Aunt and Uncle became addicted to gambling on those casino boats and have now lost the house my Grandmother left to them when she passed. I don&#x27;t necessarily believe in karma, but that certainly made me rethink it.

Didn&#x27;t do it, but I was asked to &quot;pre-package&quot; the results of a piece of test equipment. Basically, we didn&#x27;t have a clue what we were doing, and we were in way over our heads on the project. The customer was coming in to do the final approval and we were nowhere near complete. The boss told me to make sure the test results matched the specification &quot;no matter what&quot;.<p>I quit instead.

Circumvented browser features to force autoplay on videos with high volume on our websites. While not a morally bankrupt thing to do especially compared to some of the other examples, we all felt dirty doing it.

As a gentle satire of a much-hated London-based design company we were working with during a project for a major brand, I added something called &#x27;disco mode&#x27; to the customer&#x27;s site if you crafted the correct query string. It progressively added more and more random jQuery effects to the page on a timer, while the customer&#x27;s logo jumped to a beat.

Most unethical?<p>Probably pre checking one of those cookie policy checkboxes or what not. Wasn&#x27;t too happy about that, especially when the software used removed the feature before for exactly the reason you may expect.<p>I also previously used a mod to read personal messages on a forum once, though that&#x27;s one of those things which is heavily, heavily debated about on community management sites, with about half the audience saying its an unethical breach of privacy and the other half saying either that it&#x27;s their site and property deal with it or that it&#x27;s a good way to stop poaching and abusers.<p>But that one wasn&#x27;t exactly coded by myself, so eh, it&#x27;s an edge case for this question.<p>So probably a tie between those two, depending on what you count by &#x27;as a programmer&#x27;. Fortunately, everything else I&#x27;ve been asked to do in my career has been pretty normal&#x2F;ethical.

There was this Australian company that had this fly-by-night looking empty office near South Park, San Francisco... I&#x27;m serious, and not exaggerating, when I say it was a few bare metal folding chairs&#x2F;tables bare walls, and way too much open space for the 1&#x2F;2 dozen people working there...<p>In any case, the startup I worked for previous was split up and sold&#x2F;aqui-hired out to two different companies, and myself and the technology I&#x27;d created, and the million+ email addresses we&#x27;d collected went to this one.<p>I went along with it because they were one of the few companies I knew of with access to the twitter fire hose feed, which interested me, and they had dept. of defense contacts - which ( in my mind ) legitimized their presence in the U.S.A. at the time.<p>Out of the many shady-feeling project, the one that made my skin crawl the most was an automated fuzzy matching system I was ordered to create, that tried its best to match users on Twitter to users on Facebook, using nothing beyond the normal publicly available meta data ( name, age, icon, the regular profile stuff ) and the followers&#x2F;people followed on the twitter side, and friends and likes on the Facebook side.<p>It was surprisingly easy to match people, and felt more than a little wrong to me when I really thought about it... but the tech&#x2F;challenge was just too fun to work on to routinely give it more than a perfunctory thought.

I was subcontracted as development resource to a short terms loan company. They had me implement a piece of software that lets people enter their online banking details (yes their name and password, that thing that the bank says if you reveal to anybody you have no protections on your account), store them in a database, and then use those credentials to scrape their bank records so that their loans could be approved without the user having to send their bank statements in.<p>I wasn&#x27;t comfortable working for a company that preys on the fiscally challenged, so I found another job and quit the contracting company I worked for.

One of my employees was contracting out his entire job. His performance was great and then fell off a cliff. Turns out he stopped paying the contractor and the contractor stopped doing his work for him. When he had to do it himself it was horrible.

I did some contract work for an online “payday loan” company for a bit. It didn’t take me long to realize I was ashamed of working with such a terrible industry, but my professionalism kept me there until I finished the job. Definitely a low point.

Its an entirely standard thing, but I feel it is unhappy knowing that my paycheque depends upon thousands of mobile game players watching advertising, and feel that it is ethically dubious that my job is to try to cram more ads down their throats.

I helped build Grindr, which of course I don&#x27;t think was unethical. But I&#x27;ve been surprised by some people&#x27;s reaction to it. It generally comes up in some conversation where someone asks &quot;what have you worked on that I might have heard of?&quot; Occasionally they follow up with (paraphrasing) &quot;how do you sleep at night?&quot;

I may have created and taught others how to create phishing pages and in high school and then used those generic pages in spear-phishing campaigns. Also I may have come up with some really good growth-hacks to gather credentials which resulted in a some inappropriate messages sent by a kid to another that he denied while he was suspended. No idea who actually sent them because maybe the phishing group was too large.<p>I may have infected my classmates with RATs in school with another partner and uncovered a large number of class romances.<p>I may have been an asshole as a kid. I&#x27;m just glad I grew up.

In high school, I got a summer job at this local accounting firm. I don&#x27;t even remember what I was hired for —probably paperwork— but pretty soon I was doing some programming for them. The owner was rich, but cheap, so he asked me to write a simple invoicing tool for their smallest clients. That way, he avoided a costly upgrade for his existing software, at a fraction of the price. I knew I was being underpaid big time, so I would make a mental note of the bugs I&#x27;d find, but avoid fixing some of the minor ones. I did not plant deliberate ones. Invariably, when school started, they would call me to go in once or twice a year to fix something. I&#x27;d chat with the guys most of the afternoon, change the code over a few minutes, then collect my &quot;tip&quot;. I didn&#x27;t feel too guilty because the owner was paying me a pittance, but acted like he was showering me with millions and treating me very well. I was young, but not naive. I could and would have done a lot more if only he hadn&#x27;t been so condescending. Plus, some of his business and clients sounded a bit sketchy, although I had no proof.<p>In another occasion, I cracked the copy protection on one of their applications. They had a full license, but the protection relied on a magic 5¼ floppy disk and their new machine only had a 3½ drive.<p>I promised myself I&#x27;d never work on accounting software again. Later, I ignored the owner&#x27;s questions about what kind of internet businesses to invest in. He was dangling some of his money in front of me, but I didn&#x27;t fall for it. Which was a good call, because a few years afterwards, he got in trouble for aiding his sketchy clients I mentioned above.

When a deadline had passed sent blank tapes to clients and then claimed the postal services had wiped them when scanning with xrays, asking the clients to send back the tapes so we bought a few more days

Worked on an automated system to skim tips from crowdsourced &#x27;contractors&#x27; without them realizing it was being done. Don&#x27;t worry, legal says it wasn&#x27;t technically against the law and the fine print of the contracts said we could do it.

I live in a dictatorial country with 90%+ of the tech, industrial, and service sector owned directly by the president&#x27;s family. So I kinda feel like whatever work I take on in this country is evil in one way or another.<p>I haven&#x27;t had to hack independent media agencies and opposition parties yet and I plan to keep it that way.

Used some of the more advanced features in git to delete commit history and cover up bunch of illegal activity shortly before an acquisition.<p>I used to feel really bad about this, but apparently there are whole teams dedicated to this sort of &quot;cleanup&quot; in M&amp;A nowadays. Now I just feel bad about everything!

I was once assigned a task that had been estimated at 8 hours of development time, but only required the modification of a single line of code.<p>I finished it in 5 minutes. My boss asked what happened, I told him, and he told me to revert the code, work on other tasks, and redo it at the end of the day so he could bill for 8 hours (in addition to billing for the other tasks I worked on).<p>I did it and didn’t say anything. This was just a few weeks into my career.<p>I’m surprised this kind of thing doesn’t happen more often, to be honest. The people handling the business and writing the checks never seem to know anything about software. You could probably get away with telling them just about anything.<p>I’ve only ever seen it happen once, though. Software industry has been pretty honest in my experience (at least as far as billing goes...)

I wrote telemarketing software. Not sure if I&#x27;ll go into the same circle of hell as telemarketers, or something worse. But it is an incentive to live as long as possible before going to my reward.

Anonymous account for obvious reason.<p>We&#x27;re a software contractor for: DHS, ICE, CBP and more. Took the job knowing that was some of our clientèle.<p>Was in a tough spot. That job was hiring. Didn&#x27;t have other bites. Food and living expenses is nice to have (and so is not living in a car).<p>I also have a clean criminal record, and nothing exciting in my history.

I present security research in big conferences. This means that I find a serious security threat that affects many systems, and then I do not say anything to anyone for 6 months so that, when I do, I can get more publicity.

Interesting the comments are all &quot;The companies business model sucked&quot; and nothing from<p><a href="https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;Programming_ethics" rel="nofollow">https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;Programming_ethics</a><p>Also WRT ageism and changing ethics over time, &quot;we don&#x27;t have automated testing infrastructure&quot; was BAU in the 80s&#x2F;90s yet today would be an ethical WTF moment.<p>Something that probably still happens today is the old &quot;address ... economic .. issues related to work projects&quot; Pointing out this thing is never going to run a net profit just means I&#x27;ll get downsized first; everyone who&#x27;s numerate could run the numbers if they wanted to and they&#x27;re all theoretically responsible adults at the meeting table, so ... If you mean address the fundamental economic issue, as in make sure my resume is updated while avoiding a meaningless fight with execs, sure...<p>Oh and edited to add, WRT taking responsibility, a couple of times I&#x27;ve optimized and improved processes to the point its a one line shell script wrapping a grep or echo and that&#x27;s kinda queasy taking responsibility for &quot;writing&quot; that. Replace half the job responsibilities (and presumably employee slots) of a department with a one line sql query in a cronjob, that kind of thing.

When I was in college I finished a couple of programming projects late. My professor said if we could prove that it was done on time he wouldn’t penalize us so I found a program that would let me alter windows time stamps.<p>I’m sure he knew and accepted it anyway because he was a great teacher that seemed to enjoy letting us creatively solve problems more than sticking to specific curriculum. Was my favorite class in school.<p>I still feel a little guilty about that though.

Exposed private chat messages...<p>It was a small 30 person company with an overbearing founder.<p>We ran a chat program called Pandion to allow non-IT staff to quickly ask each other work questions.<p>The boss had already asked us in IT to set up journaling in Outlook so he was getting a copy of every email sent and received by his staff.<p>Next he turned his attention to Pandion and I was tasked with setting up a regular report containing all chat messages that were logged on the server.<p>I knew everyone in the company personally and didn&#x27;t care to read their private messages...but the boss wanted to get a copy right away before it was announced to staff.<p>So I send a copy to him, containing the last few days of messages that had been sent.<p>Of course a couple of staff were dating. Apparently Glen* and Amy* used Pandion for personal messages to each other.<p>I&#x27;m sitting with the boss explaining how the staff don&#x27;t know their messages are being reported on and we can start publishing the report after the next team meeting, but the boss wanted none of that...<p>So we start going through it together. One of the first messages is from Glen telling Amy that she&#x27;s as tight as the seal on his lunchbox. The boss had a good sense of humor and we both pissed ourselves laughing, but it still goes against my values.

Implemented ads to be served to customers who had specifically paid for an “ad-free experience.”

On one of my previous jobs they asked to implement WebRTC session recording without recording indicator. I didn&#x27;t do that.

I was asked to generate fake data from renewable energy sources. Solar panels, wind turbines, heat pumps, all in EU project. Company needed to prove that estimations (about energy production provided in application) were correct in order not to return money. I was pulling data from weather api and &quot;scaling it to power&quot;, and making monthly reports of energy balance (electricity, heat which was bought, produced, lost) Fun part was when guys from committee saw those reports, they told: &quot;Finally somebody made right reports. Let us make a copy and show it to others as example&quot; :)

Back in the day I wrote some &quot;AOHell style&quot; apps for AOL and Yahoo chat.<p>Also trolled my non-programming friends who had computers by installing a personally developed backdoor that allowed me to open and close their cd-rom tray remotely. That was really fun.

I wrote the initial SEO optimizations for reddit.

Ad retargeting analytics would be one. The ability to track even anonymous users in an attempt to “nudge” users towards purchase behavior felt especially wrong. I didn’t work at Facebook but this was definitely a selling point for their hiring team. The tough part about this is that most of the internet is funded by this single business model. Collect data and behavior about users and non users.

not mine, but someone programmed The Drop <a href="https:&#x2F;&#x2F;www.youtube.com&#x2F;watch?v=pCOCKS5AJI8" rel="nofollow">https:&#x2F;&#x2F;www.youtube.com&#x2F;watch?v=pCOCKS5AJI8</a>

Throwaway account.<p>In high school (2010-ish), I was on the student council so I had insider access of sorts to a lot of the inner workings of the school administration. One day, during a short meeting with them, the principal told us on the council that the IT department was installing wifi for personal device use. Since we had difficulties with getting school bonds passed by voters at the time, the wifi was supposed to enable us students to bring our laptops from home and use them in the classroom (since most classrooms only had 3-4 computers, with older schools only having 1-2 computers per classroom for staff use only). Naturally, we were all on board since it would enable us to finish our schoolwork without fighting over computer space.<p>Fast forward two months and I notice that the wifi seemingly hasn&#x27;t been installed yet. I ask the principal and was told that it was supposed to be installed and working perfectly. So I did some digging on one of the school computers. This is where I found out how the school district&#x27;s IT department submitted updates.<p>The IT department ran an old Novell Netware server for account login, Faronics Deep Freeze on the end user machines to protect against student abuse, and a Windows network share for unattended updates. Since the Windows Netware client cannot assign local Windows permissions (or it wasn&#x27;t configured properly in my case), everything inside Windows was ran with admin privileges (you were logged into Netware but ran under a local admin user account in Windows). Since Deep Freeze reverted changes to the file system on reboot, the assumption was that the students could completely wreck the install all they wanted with a simple reboot being all that was needed to effectively reset the machines to the default configuration.<p>This strategy worked well, but there is a huge flaw. Because you had local admin rights, you had full access to whatever resources you wanted under Windows XP Professional (the OS of choice back then). This includes the ability to install software or games (we had some epic district-wide Halo CE LAN parties), see network information (MAC address, IP octet configuration, etc), and everything else you could do to a local computer. The only caveat is that whatever changes you made would be erased on reboot. I guess the assumption with this is that the average inner city high school student wouldn&#x27;t have the technical expertise to know how to read this information, let alone access it. But, with me being gifted with tech skills at an early age, I could do some damage.<p>Back to the wifi story. I noticed in my digging that my Novell account credentials would let me into their update share. I was able to mount the share as a network drive and look through it. I saw everything from MS Office VLKs, the Faronics uninstaller, network diagrams, etc. I did have <i>some</i> ethics back then, so I didn&#x27;t touch anything related to a license key. But I did find the wifi deployment timetable document.<p>It turns out that the IT department had already deployed the wifi to my school and was fully functional...for them only. They had made it as a hidden network only accessible to them for &quot;maintenance purposes&quot;. (Keep in mind that most of the school and administration was under the impression that it was going to be for student use.) The timetable document also listed the wifi password for the hidden network. With that information and the MAC&#x2F;IP pattern I swiped from one of the school machines, I was able to log onto the &quot;maintenance&quot; wifi with my own personal laptop. This made me the talk of the student body ironically, with even one of the assistant principals asking me for help because the IT department had stopped communicating with the administration regarding the rollout.<p>Anyways, I used my newfound wifi powers to do my work and prep for college. Never used any of the serials or anything, just wanted to stop fighting over computer use. Ended up keeping the timetable document on a thumb drive until graduation before sticking it in my desk for a few more years. When I moved to Seattle for work, I ended up tossing the drive into the ship canal under the Fremont Bridge. (If someone finds it, I&#x27;ll buy them a beer.)<p>Anyways, that&#x27;s my unethical story.<p>TL;DR: Hacked into a network share to get wifi access in high school because the IT department embezzled funds.

I used to work for a company that used a provision in the tax code - I can&#x27;t remember if it was a California state or US tax break - for training their employees. They used to count meetings as training sessions and would make attendees sign attendance sheets to present that as &quot;proof of training&quot;.

I’ve fired people on behalf of more senior managers too cowardly to do it themselves.

It&#x27;s not really unethical but in that vein: I made a program on the TI83 that you could punch numbers into in order to get results on an electronics exam (this was in high school).<p>I made it for fun, not really to cheat or anything, but once other students found out about it they asked for copies of it. Within a day or two the whole class had a copy of this program.<p>I didn&#x27;t understand operator precedence, nor did I bother to test the program. Everyone used it in the exam and the whole class flunked due to BODMAS shenanigans.

Not really as a programmer but I&#x27;ve hacked an online cooking competition to win a kitchen aid. It was just extremely poorly setup.

Worked in a company making internet scams.<p>My first project was an &#x27;X-Ray&#x27;: for a fee user could upload a photo of person and see them naked. The website just applied a picture of naked body to the uploaded face. We collected all of the resulting pictures and displayed them in a slideshow on a TV in the office for laughs.<p>The big project was &#x27;download anything&#x27;. We had an affiliate program where partners were driving traffic to us and received 70% of profit. All the traffic was coming with ?search=keyword URL parameter and our landing page looked like a file sharing website with search results for &#x27;keyword&#x27;. It was 2012, downloading shit from file shares was a big thing these days. Depending on the USER_AGENT, the visitor downloaded keyword.exe or keywork.apk. On Windows, it was an &#x27;installer&#x27; that asked user to send an SMS to premium number in order to &#x27;activate the download&#x27;. On Android, it was an app that just sent the premium SMS by itself — easy money!<p>We had a lot of fun and profit doing that, and I left that job not because of guilt, but because I burned out. Only after I left I was able to look at it from a different perspective.

Our crappy ActiveX object was made for the windows xp era. When it started to glitch, my boss told me to &#x27;just disable UAC&#x27; on our customers pcs (instead of fixing the issues). Did not do it and instead told him what to fix and fix some things myself...<p>Another one is installing basically trackware on the website, from an external party, that recorded certain input fields so it could mail you later when you didnt buy the product...

I once mixed tabs and spaces.

I lied to the C-levels at a previous company about how hard it would be to monitor and log the instant messaging traffic of everyone at the office. Everyone was using AIM and there was no encryption, so it would have been trivially easy (I verified this, which was scary).<p>I then lied and told the CFO and CEO that it would be prohibitively hard to do and they dropped it. :P

Very short backstory: I was very severely punished for breaking security on our pcs at school (utilizing interactive startup on windows 95 to not start the &quot;fortress&quot; process.)<p>For a final project presented which was ostensibly a limited auto-translation application, I made an application which just popped up an alert, &quot;program unable to run due to security&quot;<p>Got an A!

While working at a services &#x2F; consulting company, I&#x27;ve been privy to cases where we put our own interests over the client&#x27;s, essentially getting them to pay us to screw them over.

I worked for a major gambling tech company. There was almost no oversight and I pretended to work when I really didn&#x27;t.

I wrote a ton of IRC war bots and scripts back when I was a teenager including something called the &quot;Sumo nick collider&quot; and the textbox.irc script. The latter was a general client enhancement script but had tons of extensions for &quot;war.&quot;<p>For you spring chickens &quot;war&quot; was exploiting the IRC protocol to take over channels, kill users, etc. The protocol was pretty vanilla back then and was vulnerable to a lot of those things. This was back in the 1990s.<p>This included inventing &quot;DCC RAW&quot; based &quot;clonebot&quot; code in the old Unix ircII client. I figured out you could just open a socket with the client so you could write a simple client script to create huge numbers of sock puppets. I&#x27;m not 100% sure but I <i>think</i> I was the first one to do this.<p>I learned a lot from that stuff but these days I wouldn&#x27;t wreck a public volunteer chat network.

The one example I am willing to share is in high school economics class there was a stock market simulation. The person with the highest portfolio balance at the end of the year received a substantial amount of extra credit.<p>First of all, this was 1999, and the market (tech-stocks) were in peak ridiculous bubble mode. The hack was that the software used to simulate trades and track portfolios used delayed quotes. So, I simply used real-time quotes looked for gains in a short period and bought held for a bit, then sold. Essentially I had a time machine. I think at the end of year my account had over $500 million in it. The teacher knew I was &quot;cheating&quot; but still gave me the extra credit along with another student who didn&#x27;t &quot;cheat&quot;. An extra perk is the cutest girls in that class constantly asked me how I had so much in my portfolio.

Worked at Ticketmaster.

The story mentioned: <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=17081684" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=17081684</a>

Hard to believe there&#x27;s no mention of working on projects for the NSA.

I wrote a tampermonkey script that automates this:<p><a href="https:&#x2F;&#x2F;blog.bench.co&#x2F;blog&#x2F;how-to-hack-priceline" rel="nofollow">https:&#x2F;&#x2F;blog.bench.co&#x2F;blog&#x2F;how-to-hack-priceline</a>

When I finished my studies I was sold as a trainer for Microsoft training When I was assigned a course, I had about 2 days to a week to discover the technology and prepare the course. Often I didn&#x27;t even know the name of the technology I was supposed to be an expert on.<p>When you looked at the official conditions of the training, you had to have 10 years of experience just to have the right to follow it, I was supposed to have passed diplomas to have the right to line up. I finally realized that my company had to produce fake degrees with a fake resume or I must have been 10 years older developpers.<p>It is obvious afterwards that employees, or even managers of training centers were in the scheme, there is indeed in my country a law that obliges companies to spend money in training every year. The company was doing this scheme on a large scale, we were 40 The worst part was that most of my colleagues were younger trainees than me, only three or four of us were officially employed and had real diplomas, so we were sent to the most difficult cases.<p>The advice we received was to be aggressive with the students to prevent them from asking too many questions, to be impeccably dressed and to be &quot;handsome&quot;. It was not easy to teach to 15 years older So that my classes were not too pathetic and to make a minimum illusion I often prepared my courses the day before until 5 o&#x27;clock in the morning.<p>The trainees who gave the training deemed easier were recruited on the line, preferably if they were foreign, they were sent to give a test training and if it went badly they were sent back on the spot without remuneration. I don&#x27;t know how or why, but I did about nine months of this before I left.

Not necessarily unethical but certainly annoying, reply all has an episode about the creation of the popup[<a href="https:&#x2F;&#x2F;www.gimletmedia.com&#x2F;reply-all&#x2F;3-i-didnt-mean-to-break-the-internet" rel="nofollow">https:&#x2F;&#x2F;www.gimletmedia.com&#x2F;reply-all&#x2F;3-i-didnt-mean-to-brea...</a>] From the show notes: “Twenty years ago, Ethan Zuckerman did something terrible on the internet. And he&#x27;s still living with the consequences. “

Ran an illegal live streaming site for a few months. Had a lot of fun with it and used the experience to transition to a legitimate job in that space, but I probably cost some people some money, and for no other reason than &quot;I could&quot;.<p>I also worked at a startup briefly that was run by a convicted con man. The business was legit but it was immediately clear he was using the same confidence techniques on everyone - clients, employees, etc. Not a good scene.

I reviewed allegedly infringing code for plaintiffs who might be described as patent trolls.

Implemented APIs for clients that were based on scraping data from other competitor sites that did not give permission, it&#x27;s some kind of service hi-jacking. Similarly, implemented some clone sites that just rip off other people&#x27;s work #zuckerberging Some bug bounties ask pentesters not to hit their production servers hard with automated tools... I&#x27;ve ignored this to find some bugs in production servers on occasion.

I used to help out at a bed company selling matresses in their WooCommerce store. The owner was obsessed with „metadata“ and SEO.<p>He regularely told me I should copy and paste the meta title and descriptions into a Word document (ugh) so he could edit on them. When he was done I was supposed to put them back in, manually of course.<p>Now, normally I‘d tell a client that such a task could be easily automated. However he was a very shitty boss and I was getting paid hourly.<p>So I simply built a crawler that analyzed every site and pulled its metadata, put it in an Excel table (I convinced him it was easier for me to copy&#x2F;paste) and sent it to him via email. He then gave me the updated table, for which I simply wrote a script to execute some SQL queries to put them in.<p>This turned what what’s effectively 2 hours of work each time into 20-30 because of the number of pages.<p>One time I remember I forgot to update the metadata one of the pages. When he complained and I realized, I quickly ran the script and told him he‘d have to „refresh his cache“ or something. He never noticed any of this.

Once I&#x27;ve developed a tool that replaced a couple of employees for a (client) company.<p>In another occasion, I was assigned to a project that I didn&#x27;t find motivating at all, so my plan was to &quot;slack off&quot; and work on my own stuff as much as possible. The only question was how much did I have to work to make the management believe I was giving it my 100%. There was another member in the team, who was a great guy but an average dev, and I realized that I could easily make 2x more progress than him in the eyes of the managers and still have almost half of the day &quot;free&quot;, so that is exactly what I did. Later I got a bonus for my &quot;hard work&quot;.<p>But the one I regret the most is installing keyloggers on several computers in high school (msn era) and obtained passwords for most of my classmates. At least I was careful enough and didn&#x27;t tell anyone at the time.

Give positive references for developers who I know are crap because they are nice guys and I feel sorry for them.

A few years back at my last job, I was approached by a senior guy on a product team asking me to game some tests so we could get our Windows certification.<p>I just kind of brushed him off at the time. I&#x27;m still sorry I didn&#x27;t collect evidence and then report him. He was a real dirt bag.

When I was in highschool there was an online competition every week.<p>So one week there was this very hard problem. I didn&#x27;t knew how to solve this but I figured out that there is one answer per 10 tests.<p>I bruteforced easy tests and send program with different answers std::cout&lt;&lt;30&lt;&lt;endl; ... So I send like 500 different programs. Then I just combined correct result with size of test ;p. I use while true to figure size for every test ;p<p>I passed every test. Week later my solution was removed and I got very nice e-mail about what I did and how wrong It was to exploit platform.<p>I still managed to be in top 10 at then end of competition but It was mistake huge mistake<p>Ps. Competition was with very good prizes but still I am ashamed of myself for that.

I wrote code to automate my 15 hour per week grad assistant job.<p>One or two clicks and some php magic.

I let a brash, know-it-all, developer shoot himself in the foot instead of pointing out that the things he was doing would lead to a catastrophic data loss.<p>I was pretty young so it&#x27;s not something I would do today.

Not going to incriminate myself with any of my own stories, but a friend did work for a phishing take down company that was paid per site they removed. Of course the people who sign off on these things are never that technical, so the company was paid a non-trivial amount (say $1,000) for taking down each subdomain.<p>Think, contact.bankna.me, support.bankna.me, aus.bankna.me, customer-support.bankna.me, login.bankna.me etc etc.<p>They would often take down the subdomain and leave the parent name intact so they could keep cutting off the individual heads of hydra, if you will.

Amazing there’s nothing here about crypto.

Take people&#x27;s content and put ads on it. TOS compliant but shady.

While working with a client as a contractor in US, I was told by him, that my Manager had promised to get PhD&#x2F;MS with 5 to 10 years experience. I had 4 years experience after my after Bachelors from another country. The client appreciated my work and kept my contract as long as possible. In the three years that I worked, I saw 10 people come and go. It hurts me every time I think about it.<p>What hurts most is that it is still in a common practice in that company and industry.

I built campaign sites for the automotive industry. Always felt wrong. Was asked to pitch for a client in the petroleum industry and declined. That felt great.

I wrote (copy pasted &#x2F; edited) a cheat for an online game that was in beta, when I was around 13. I released it (with no anti cheat protection), probably got a few thousand cheaters banned...<p>I then sold the cheat source code to a forum of cheaters, who integrated it into their own offering and paid me a small royalty. The source code was pretty much copy pasted from a guide with minimal changes to work on the correct memory addresses.

I worked on dating websites. The codebase was awful but more importantly, 99.9% of female profiles were fake, poor guys were trying to get a date when in fact they were chatting with some other guy in Africa... It was really depressing doing a job that wasn&#x27;t adding any value to the world and being part of a parasite economy. I had to this for financial reasons but left as soon as I could.

I had to migrate a site for a well know fitness personality many years ago and their database contained plaintext passwords and! Credit card information. Didn’t bother to really fight it at the time. More reason to never give your credit information out if you don’t have to.<p>Also helped build a site that tricked google into ranking us higher.

Took liberties with our interpretation of a third party TOS so that we could utilize a product. I surfaced this to leadership when I realized we were not in compliance, but we kept the outcome of what we needed from it, although we did cease to use the tool. I chose less career friction over fighting further.

I used to crack games just for fun, in fact the fun was in cracking the game and not in actually playing the game.

I worked for a company, which had insiders at Google steal various data to improve their SEO. I don&#x27;t know the details, but I think it may have involved some cute girls. I built systems to work with the stolen data to improve their SEO. They are one of the most popular websites on the internet.

My boss asked me to log a user&#x27;s credentials in cleartext so he can connect to his account and get confidential data... I resigned the next day after

I built a toolbar ad network for about 200k users and would do inline ads on every page and replace all search results with ad api feeds

Moral questions come up surprisingly often in product development. Especially for smaller companies looking to grow fast or things like how aggressive to get with opt-ins and other &#x27;dark patterns&#x27;.<p>Online lending, for example, is a pretty tricky area. You have to subscribe to a pretty hardcore version of a capitalist moral philosophy to justify the %xxx percent interest those places charge. Especially as the &#x27;ideal&#x27; customer isn&#x27;t the one who pays you back, it&#x27;s the desperate population who continually re-up their ridiculously expensive loans.

<i>silence from our fellow engineers in the &quot;defense&quot; industry</i>

Made a regular cms-based website as an SPA. Using Angular.

Call centers are on a lower ring of hell.

Is this a trap?

Let me answer on behalf of programmers employed by Facebook.<p><i>The most unethical thing I have done as a programmer is going to work everyday.</i>

I was a graduate student living off a stipend and working for the university teaching math and CS courses. It wasn&#x27;t enough money, especially with my wife&#x27;s medical bills, so I got desperate and...taught for ITT Tech.<p>If you&#x27;ve never had the displeasure of being a student or teacher at ITT Tech, I&#x27;d describe it as a cross between community college and vocational school but where everyone is pretending it&#x27;s a 4-year college. It felt like a place where dreams go to die, and no where did I see that more in the way they set me up to teach classes.<p>Now, first I should say I have a lot of sympathy for my students there. They were generally folks who honestly wanted to make better lives for themselves and got duped by ITT Tech into thinking it was a place where they could do that. Those students are now stuck with a lot of crappy debt they can&#x27;t easily get out of and also didn&#x27;t learn much, because as I learned from teaching there, the goal was not really to teach anyone anything.<p>I taught two classes: software engineering principles and Linux system administration. I had not special qualifications to teach either of those classes, but they needed someone to teach them, I had an MS in CS, and I had some idea of what to do. The SE class consisted of two students and we&#x27;d meet for 4 hours every Saturday for 3 months. We&#x27;d sit together and read the textbook, then do some problem sets out of the textbook (&quot;how would <i>you</i> design this system or organize this work?&quot;). Nothing truly objectionable, just the same shit the passes for &quot;education&quot; in most school. I think I gave both of the students As at the end of the semester.<p>The Linux system administration class was another story. I had three students, although one showed up maybe 3 times all semester, and they had all in theory already taken a class teaching them Linux&#x2F;Unix basics, but as became immediately apparent none of them had actually <i>used</i> Linux before, just read about it in a book. So began our awful semester of them pretending to learn and me increasingly transitioning from teaching to pretending to teach.<p>They started out needing to install Linux on their laptops. This was around 2010, so not quite as easy as today but already very easy (the worst case scenario was you failed to get hardware acceleration for graphics or something like that, not non-functional input devices). Yet somehow every week for the first month we had to reinstall Linux. I don&#x27;t know what was happening in the week between classes, but somehow Linux disappeared from their computers and we had to go through it all over again. This obviously put us way behind.<p>Once we got Linux running on their computers we started to try to do some basic system admin stuff (there was a syllabus telling me what stuff they should be able to do by the end). I don&#x27;t think we ever really made it past creating users and installing packages (is installing packages even still sys admin work?). They constantly got stuck on basic things, forgetting how to `ls` and `cd`. By the end of the semester I think they still couldn&#x27;t reliably `sudo` on the first try.<p>I knew this was bad and had been talking to my supervisor about it, but he kept telling me it was fine just do my best and work with them where they were. When the end of the semester came I didn&#x27;t know what to do about grades because they had tried but were just unprepared for the class. At university I would have failed them, but ITT Tech insisted I give them Cs. I was pretty unhappy about that whole situation but what could we do.<p>When they offered me classes for the next semester I declined. I didn&#x27;t want to be part of a system that was all about pretending to teach people things while also charging them a bunch of money. But for one terrible semester I was complicit to a system of exploiting desperate folks (some of my students had been in prison and were trying to get their lives back together and giving up a lot to pay for classes to be there).

While I haven&#x27;t done anything nefarious other than putting a few tracking&#x2F;analytics frameworks into our product, I have heard a few stories from my colleagues...<p>E.g. at a contractor company, a client wanted to lease 5 developers for a project. We didn&#x27;t have enough free developers, so they assigned a single guy to the project, who was making commits from 5 different accounts. The client was paying for 5 devs of course.<p>There was also a client who was building slot machines, and we wrote the software for it. We ran experiments to figure out the best way to rip off gambling addicts.<p>The first company I worked for took EU innovation grants and when the deadline came, they simply copied their existing product, replaced the logo and showcased it as something they used the grant for.

Me and a friend setup a fake electronics store on the dark web and ended up making a lot of money when bitcoin spiked in value.

Did a project using Cold Fusion.

Nice try, FBI.

Alright, i know this guy from NYC - he would offer payment processing to companies who could not get payment processing in their own country.<p>Initially, everyone will be paid out on time and later he will refuse to pay holding 500-1M from each company.<p>He made 10s of millions doing that you&#x27;ll be surprised that everyone threatened with a lawsuit but never reached the court.<p>Now, he has a lot of real estate in NYC.

Worked with PHP for four years.