#16
02-14-2010, 11:06 AM
DanP (Dan Paradis)
Member
Join Date: Apr 2009
Location: Southington, CT
Posts: 946

As someone who wrote software for over 20 years, here's how easy it is to see the max bid.

Let's assume that the max bid is an encrypted field (similar to passwords).
No doubt, it can be proved that virtually no one can "figure out" what the
true value in the field is. That's why if you lose your password they always
ask you to create a new one.

However, with just 1 or 2 lines of "hidden" code someone can take the value entered in the online screen and store it in another field, let's say the field is
called: User Comments. With a little more code they can move some #'s around so it's not so obvious that it is really the max bid (maybe even store it in another database).

Now if auditors come in to review the code you could easily copy the original (non-tampered with) program object code back to "production". So when they review it, everything looks perfect. The auditors I've worked with would not have known how to look for stuff like this and even if they did, it's so easy to move programs around with no audit history of what happened.

I find it hard to believe that this couldn't happen in any environment. Unless the programs are stored in a 3rd party environment (i.e. the auditors) and they are responsible for releasing programs to production (even then unless they're programmers they may not know how to look for "hidden code").

I would never trust a MAX BID because I really believe if any of these companies wanted to know bad enough, they could find out what they are.

Dan

Last edited by DanP; 02-14-2010 at 11:07 AM.
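The weakness the post describes is that the code an auditor reviews and the code actually running in production can differ. One control that closes that gap is a content-hash manifest taken at audit time and re-checked against production on every deployment. The following is an added Python example written for this page, not code from the post or from any auction site; the file names and contents are a constructed stand-in for the "program object code" the post mentions.

```python
import hashlib
import os
import tempfile

# Constructed stand-in for the audited bidding program (not a real auction system).
AUDITED_RELEASE = {
    "bidding/place_bid.py": "def place_bid(user, item, max_bid):\n    return store_bid(user, item, max_bid)\n",
    "bidding/store.py": "def store_bid(user, item, max_bid):\n    return {'user': user, 'item': item}\n",
}

def sha256_file(path):
    """SHA-256 hex digest of one file's bytes."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def build_manifest(root):
    """Hash every file under root; this is the fingerprint auditors sign off on."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest

def verify_release(root, manifest):
    """Report every way production differs from the audited manifest."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }

def demo():
    """Audit a clean release, then check again after a two-line change and an extra file."""
    with tempfile.TemporaryDirectory() as prod:
        for rel, text in AUDITED_RELEASE.items():
            os.makedirs(os.path.dirname(os.path.join(prod, rel)), exist_ok=True)
            with open(os.path.join(prod, rel), "w") as f:
                f.write(text)
        manifest = build_manifest(prod)  # taken at audit time
        clean = verify_release(prod, manifest)
        # Simulate the post's scenario: two lines appended after the audit, plus an unreviewed file.
        with open(os.path.join(prod, "bidding/store.py"), "a") as f:
            f.write("    # quietly added after the audit\n    pass\n")
        with open(os.path.join(prod, "bidding/extra.py"), "w") as f:
            f.write("pass\n")
        tampered = verify_release(prod, manifest)
    return clean, tampered
```

A one-time comparison is defeated by copying the audited version back just before the review, which is exactly the post's point, so the check has to run at every deployment and its results have to be stored where the deploying team cannot alter them.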