Client: We have a HUGE security problem.

Me: *thinks about any possible vulnerabilities* What is it?

Client: A user can take a picture of our website and steal our content.

I’m done for today.

They call it $5/gb hotel wifi, i call it free uncapped 100meg fibre because your security sucks

Oh and they host their entire POS (and database with backups) on the same network accessible to every TV in the hotel

"You should use Windows server!"

It was a high security project which needed to run very stable. Even the windows sysadmin looked at that guy like 'dude what the actual fuck'.

Me wanting to board Plane,
Goes through security Check...
"Sorry sir Laptops are not allowed."
Me
"Why?"
Security
"It could be a modified bomb"
Me
"But this is a Tablet!"
Security
"No sir, it has a Keyboard and Trackpad attached to it, its also running Windows..."
Me
"Excuse me, but this is clearly a Tablet"
*Detatches Keyboard from Surface Book*
"See? Tablet."
Security,
"Sorry sir, but no. You cant board the plane with this, only Tablets and Smartphones"
Me
"WTF? you dont allow Laptops because they could be bombs but A FUCKING SMARTPHONE IS ALLOWED? AND TABLETS TOO?!"
Security
"Yes, because the Battery is not removable..."
Me
"But my Laptop Battery is also not Removable..."
Security
"I dont have anymore Time for an Argument"
Me
"So I can board the Plane?"
Security
"No, the Ticket will be refunded"

WHO THE FUCK CAME UP WITH THIS BULLSHIT? LIKE RLY? WHO!!
I MEAN WHAT THE FUCK IS ALLOWED?!

So there was an inspection from government for our bank's IT security. I gave a tour to our server and security systems. I threw all possible acronyms as much as I could remember. Inspector nodded and noted down never uttered a word.

Finally, he breaks his silence, looking at a device he points out and says "What's that ?"

I look at the device then stare at his face back again at the device and to his face I reply "That's AC, Air Conditioner".

This guy at an internship who only wanted to use anything Microsoft.

It was fine for his own use but he also wanted it for a high security prod environment and tried to push that through.

Luckily, the (very competent) team lead refused to use closed source stuff for high security environments.

"listen (team lead to that guy), it's not going to happen. We're simply not using software from a US based company which is closed source for high security stuff.
Why? The US is one of the biggest surveillance powers in this world, we just can't be sure what's in the software if it's US based. Now you can say that that's paranoid but whether or not it is, the surveillance part is a fact, deal with it. That you want to use it, fine, but NOT. IN. HIGH. SECURITY. PROD. (or prod at all really).

He continued to try and convert colleagues to windows and other Microsoft stuff for the rest of his internship.

Me: how's your password security?

Them: of course we value security very highly, our passwords are all hashed before being stored.

Me: what hashing algorithm?

Them: oh we hash it with sha and then place that in a table indexed by the password.

Indexed. By. The fucking. Password.

Got caught using linux terminal by school security. They took my laptop away and drove me across campus in their security carts to take me to the office.

It took a long time to explain that I wasn't maliciously hacking the school.

This is the third time I've been in trouble for tech-related activity.

On the bright side, one of the security guards said, "I'm done dealing with teenagers. Next time I won't work for a high school."

I think he's going to quit. :)

At the airport.

Security: Please put all your electronics in the bin, including your watch.

Me: No problem

<goes through scanner>

Me: there was an Apple Watch in here and now it is gone.

Security: Oh, you lost your Apple Watch?

Me: No! I put my Apple Watch in the bin like you instructed and YOU lost my Apple Watch.

Security: It must be in the spinners.

Me: So my $500 Watch is in the spinners being run over by bins?

Security: you have to put the small things on the bottom.

Me: It was on the bottom and I did as you asked, this is entirely on you. Do not try to shift the blame to me again please.

Security: As I said...

Me: As I said, Do not try to shift the blame to me again. This is entirely your responsibility once you separate me from my electronics so you can perform security theatre. Have a nice day.

—————

Fuck this god damn security theatre. Fuck the dumbasses they hire. Fuck your country. Fuck your god damn feeling of insecurity. Fuck Your ineffective security theatre.

Sick my fucking dick until you choke and gag you worthless pieces of shit. Homeless people the street provide more security than you incompetent, under-educated assholes. Fuck you

And yes, I have 2 fucking laptops. I have a real fucking job where I provide actual value and for that I need a work laptop. I don’t come to work in a stupid looking outfit with a chip on my shoulder looking to inconvenience people. I come to work to provide real value to someone.

Fuck you and your worthless bullshit

Bulma framework, thanks for existing!

Lightweight, CSS only, very fucking easy to use and understand and a beautiful!

As a backend/server/security guy, front end is hell on earth for me. I understand the basics but that's it.

This fucker makes it so simple!

When your security on your server is so good that you can't access it yourself

My boss has a camera in the office for "security" reasons and I happen to be just right under it, exposing my computer screens to it. So I wrote a script that sends me an email whenever the camera port is accessed.

Are you serious? Are you afraid of an SQL injection or something, and instead of properly sanitizing your queries you disallow characters? Or is your software and database so outdated that you're afraid special characters will break it? Goodbye security

My little brother (still in school , learning security and pen testing): i found a bug in a website , it returns an xml file instead of the web page , i reported it to them and i think i'm gonna get rewarded like 2k $ for it .
Me : cool ! Show me .
Him : shows me his phone ...
Me : wait , gotta rant this .

"I really love the new $3k Fortigate firewall switch you bought for the office after our chat about security but it doesn't change the fact that you can access any computer in the company using Password123" - me

I met my boss in a bar...
He said that he needs someone testing their security. I said that I was in security.
He emailed me.
That's it. 😂

I've been asked to do some investigation at work regarding an IT security incident. Thankfully I've watched plenty of CSI so I'm just working on building a GUI with VB to track the IP...

Tv gold on NCIS: Los Angeles tonight.

Summarised:

Need access to laptop
Laptop has unhacksble security protocols
Laptop gets shot
Damage from being shot allowed them to hack it

Morale of the story. Bullets can damage code.

Presenting my paper on PHP Security in IEEE conference today... Wish me luck. I hope it gets published 😃🤞

A while ago (few months) I was on the train back home when I ran into an old classmate. I know that he's a designer/frontend/wordpress guy and I know that he'll bring anyone down in order to feel good. I also know that he knows jack shit about security/backend.
The convo went like this:

Me: gotta say though, wordpress and its security...
Him: yeah ikr it's bad. (me thinking 'dude you hardly know what the word cyber security means)
Me: yeah, I work at a hosting company now, most sites that get hacked are the wordpress ones.
Him: yeah man, same at my company. I made a security thing for wordpress though so we can't get hacked anymore.
Me; *he doesn't know any backend NOR security..... Let's ask him difficult stuff*
Oh! What language did you use?
Him: yeah it works great, we don't get hacked sites anymore now!
Me: ah yeah but what language did you use?
Him: oh it's not about what language you use, it's about whether it works or not! My system works great!
Me: *yeah.....right.* oh yeah but I'd like to know so I can learn something. What techniques did you use?
Him: well obviously firewalls and shit. It's not about what techniques/technology you use, it's about whether it works or not!

That's the moment I was done with it and steered the convo another way.

You don't know shit about backend or security, cocksucker.

Just for fun I am making an RPG Maker game called "IT Quest" where you go on a 40 hour long quest just to get the security team to modify a user. The game will feature tons of mandatory side quests and a convoluted plot that requires descending into the depths of the server room to find a virgin followed by a sacrificial ritual over the broken fax machine. And ultimately the security team just closes your request without telling you why and you have to fight the final boss of the game, Zeromus who runs security. When you defeat him you get the golden CAT5 cable of time which you beat the person who closed your request with until he reopens it and does his damned job.

Security tester: Injects XSS into a rich text editor and flags it for a vulnerability.

"Oh that's fine, let's just disable right click on our page so no one can inspect the page and inject anything."

...

My boss ladies and gentlemen.

Product: Hey, this screwdriver feature I never requested isn’t there. Why? Can you fix it? It’s kinda urgent.

Product: @Root please jump on the ticket above … fairly urgent.

Root: It’s Friday, I’m out next week, and I’m working on finishing <urgent comma ticket> right now.

Boss: Work on the screwdriver instead. But make sure you finish the comma ticket too!

Boss: By the way, I volunteered you for eight security reviews next month!

Security: You’re on call for AWS audits next month, too!

haveibeenpwned: MASSIVE SECURITY BREACH AT COMPANY X, MILLIONS OF RECORDS EXPOSED AND SOLD, YOUR DATA IS AT RISK, please change your password!

Company X website: Hey your password expired! Please change it. Everything's fine, wanna buy premium? The sun is shining. Great day.

Best: actually getting something working out there and having it visited by devRanters! (security/privacy blog)

Worst: rewriting entire applications because my code often fucking sucks

Got invited to a "roundtable", where we will discuss email security and the future and direction of where it is going.
Only 10 people in Sweden got a chair

I feel exclusive but also scared that they will find out what a noob I am lol

Today it was revealed that the dutch government doesn't even fucking use SPF records for their email. Someone found out by sending an email in the dutch's govt name and it actually fucking worked.

I hope they fire the people responsible for NOT implementing the most BASIC FUCKING EMAIL SECURITY/VALIDITY MEASURES IN FUCKING HISTORY.

Incompetent cocksucking motherfucking fucks.

Guuuys! I made it! I just got my first job in IT as a Junior Sys Admin at a Security/Pen Testing company. So happy right now. Just wanted to share with you. :D

It’s official. I’m dating a girl.

She’s damn smart, tasteful, hot and really into tech.

Honest, talkative, a real keeper.

Studying IT-Security. Fuckkk I’m dropping spit out my mouth. ALL. DAY.

The amount of thinking and programming that goes into writing a secure backend is fucking high but I love it!

It helps to think like someone who'd want to hack a user or the application so you know most security measures you have to take :)

Example #1 of ??? Explaining why I dislike my coworkers.

[Legend]
VP: VP of Engineering; my boss’s boss. Founded the company, picked the CEO, etc.
LD: Lead dev; literally wrote the first line of code at the company, and has been here ever since.
CISO: Chief Information Security Officer — my boss when I’m doing security work.

Three weeks ago (private zoom call):
> VP to me: I want you to know that anything you say, while wearing your security hat, goes. You can even override me. If you need to hold a release for whatever reason, you have that power. If I happen to disagree with a security issue you bring up, that’s okay. You are in charge of release security. I won’t be mad or hold it against you. I just want you to do your job well.

Last week (engineering-wide meeting):
> CISO: From now on we should only use external IDs in urls to prevent a malicious actor from scraping data or automating attacks.
> LD: That’s great, and we should only use normal IDs in logging so they differ. Sounds more secure, right?
> CISO: Absolutely. That way they’re orthogonal.
> VP: Good idea, I think we should do this going forward.

Last weekend (in the security channel):
> LD: We should ONLY use external IDs in urls, and ONLY normal IDs in logging — in other words, orthogonal.
> VP: I agree. It’s better in every way.

Today (in the same security channel):
> Me: I found an instance of using a plain ID in a url that cancels a payment. A malicious user with or who gained access to <user_role> could very easily abuse this to cause substantial damage. Please change this instance and others to using external IDs.
> LD: Whoa, that goes way beyond <user_role>
> VP: You can’t make that decision, that’s engineering-wide!

Not only is this sane security practice, you literally. just. agreed. with this on three separate occasions in the past week, and your own head of security also posed this before I brought it up! And need I remind you that it is still standard security practice!?

But nooo, I’m overstepping my boundaries by doing my job.

Fucking hell I hate dealing with these people.

Education courses nowadays be like,

- Website Development Course @ $49.99
- Security in website Development @ $45.99

Combo offer @ $60.99
=> Hurry up, LIMITED PERIOD OFFER!!!!!

// Like for real??? Why don't you include Security in website Dev course, it's a part of it.

Got bored at work today and tried to write a program to do my job for me. Security and compliance saw it in the logs (trying to run unauthorized program) and came to give me a hug.

Got a call from a recruiter today. (Keep in mind that using WhatsApp is about a requirement over here.)

R: so can I app you (I hate that word to the fucking point) with further details?
Me: *oh fuck this is gonna get me fucked again* uhm I don't use it so yah...
R: ohhh okay, security reasons?
Me: *slight relief* yes indeed, sir
R: oh fair enough, you can always just text and call me!

*very relieved feeling*

It's for either a cyber security or linux job by the way.

Someone replied to the Christmas party invitation using REPLY ALL... his family personal details sent to hundreds of people. Wait, it gets even worse: he works in the SECURITY DEPARTMENT.

Dear Prof,

One does not simply encrypt the exam tips and give it to the students in a computer security introductory module.

Sincerely,
Disgruntled Undergraduate

I am doing a test on security on my server. I need people to hack it and report the findings.

My server IP is 127.0.0.1

So this chick has been super nice to me for the past few months, and has been trying to push me towards a role in security. She said nothing but wonderful things about it. It’s easy, it’s not much work, it’s relaxing, etc.

I eventually decided I’m burned out enough that something, anything different would be good, and went for it. I’m now officially doing both dev and security. The day I started, she announced that she was leaving the security team and wouldn’t join any other calls. Just flat-out left.

She trained me on doing a security review of this release, which basically amounted to a zoom call where I did all of the work and she directed me on what to do next, ignored everything I said, and treated me like an idiot. It’s apparently an easy release. The work itself? Not difficult, but it’s very involved, very time consuming, and requires a lot of paper trail — copying the same crap to three different places, tagging lots of people, copying their responses and pasting them elsewhere, filing tickets, linking tickets, copying info back and forth to slack, signing off on things, tagging tickets in a specific way, writing up security notes in a very specific format etc. etc. etc. It’s apparently usually very hectic with lots of last-minute changes, devs who simply ignore security requests, etc.

I asked her at the end for a quick writeup because I’m not going to remember everything and we didn’t cover everything that might happen.

Her response: Just remember what you did here, and do it again!

I asked again for her to write up some notes. She said “I would recommend.. you watch the new release’s channel starting Thursday, and then review what we did here, and just do all that again. Oh, and if you have any questions, talk to <security boss> so you get in the habit of asking him instead of me. Okay, bye!”

Fucking what.
No handoff doc?
Not willing to answer questions after a day and a half of training?

A recap
• She was friendly.
• She pushed me towards security.
• She said the security role was easy and laid-back.
• I eventually accepted.
• She quit the same day.
• The “easy release” took a day and a half of work with her watching, and it has a two-day deadline.
• She treated (and still treats) me like a burden and ignores everything I said or asked.
• The work is anything but laid-back.
• She refuses to spend any extra time on this or write up any notes.
• She refuses to answer any further questions because (quote) “I should get in the habit of asking <security boss> instead of her”

So she smiled, lied, and stabbed me in the back. Now she’s treating me like an annoyance she just wants to go away.

I get that she’s burned out from this, but still, what a fucking bitch. I almost can’t believe she’s acting this way, but I’ve grown to expect it from everyone.

But hey, at least I’m doing something different now, which is what I wanted. The speed at which she showed her true colors, though, holy shit.

“I’m more of a personal motivator than anything,” she says, “and I’m first and foremost a supporter of women developers!” Exactly wrong, every single word of it.

God I hate people like this.

Gotta say, I find it awesome that I can connect with some devRanters through encrypted channels.

It's awesome to talk to devRanters with the same mindset through channels that offer a very high level of security/privacy.

Thanks!

Not sure if this would be true since I find it very hard to judge this one myself but I hope that some people on here see me as some kind of mentorish person when it comes to either Linux, privacy of security.

Parenthesis on "hope"😅

A colleague and I spent a month building a Shopify app that allows merchants to give customers store credit.

Since Shopify's API is so limited, we were forced to augment it's functionality with a Chrome extension.

Now before you go throwing full wine bottles at your screen because of how wrong and disgusting that is, note that Shopify's official documentation recommends 5 different extensions to augment functionality in their admin panel, so as gross as it is, it seems to be the Shopify way...

Today we got a reply from their review team. They won't accept the app because it requires a Chrome extension to work properly and that is a security risk.

Are you fucking kidding me? So I guess Shopify is exempt from their own security standards. Good to know.

Not to mention the plethora of published apps that require a staff account's username and password to be provided in plain text upon setup so it can spoof a login and subsequent requests to undocumented endpoints.

Fuck you and your "security standard" Shopify!

During a random meeting for a project:

PM: We'll need you to learn Go for this project. It says you know python in your job skills, so it should be easy.
Me: Uh, hiiii. I'm in security, not development. Can't help you, I really shouldn't even be here.
PM: I think Go has security built-in, does that help?
Me: ... I don't know, you need a developer.
PM: Do you know any Go people?
Me: I think that's something you should know.
- Silence enters the room -
PM: Yes perhaps, but you don't know anyone?

Fucking wat?

As a firm supporter of information security, it really "irks" me to see people get up and walk away form their desks without locking their machines... Anyone else with me on this?!

a stored XSS vuln in a banner-like component, visible in ALL the pages in the portal. Anyone can attack anyone.

HOWEVER this was not discovered by 3rd-party security specialists during latest security audit. I have escalated this to my manager and got replied that unless client actively requests this to be fixed should I do anything about it.

FFS.. it's only 2 lines of code.. And there's nothing I can do about it.

Eventualy I was transfered to another project. Now it's not my problem anymore.

As it turend out, just after ranting about increasing my online security, I had an unapproved sign-in from Russia into my Netflix account about an 3h ago.

The security blog is up again, I fixed the bug.

Just wondering, why did it work in the first place? I simply required a composer autoloader twice but I've been doing that from the beginning and it didn't play up until last night...

I guess it shall remain a mistery 😞

I really have this fucking love/hate relationship with application security.

For a lot of stuff that I write, user input has to be validated, authentication is required and so on and I do love looking into that, pentesting my own applications to death and thinking about the security architecture of the application itself.

But, sometimes, I just want to focus on the fucking features and then it annoys the living hell out of me that securing an application can take so much time and brain power.

Yay and grrrr, I guess.

Adventures in security land, part II:

I’m getting pulled off the security review team and instead relegated to part-time security tickets alongside my usual dev work. (So, someone else finds them, i fix them.)

Guess I found and debated too many problems with the lead dev’s code. 🙄

Scammer calls claiming to be windows security expert.

Them: "sir, your windows computer is sending error code. Please turn it on so I cam Fix it. "

Me: "windows? I have a mac."

Them: "um.... " *hangs up*

Me: gotcha

My IT team installed Antivirus on my 5 year old Mac Mini due to company security policy after the recent Ransomware attacks.
Now my Mac is slow as fuck. They are not even providing me new Mac, due to budget constraints. Totally fucked.
Fuck Ransomware. Fuck security policies. Fuck my company. Fuck everyone. Fuck everything. 😤

Made the mistake of mentioning ISO27001 security standard near management.

- "What?? Why don't we have that certificate?! Why are you not thinking about this?"
- "We don't need it."
- "Of course we do! we must have the highest standards!! Lets hire some lawyers and security consultants to help us get certified!"

A week later:
"Ok, turns out we don't need it."

Satan give me strength...

Because the RSS feed is still down, hereby.

The post about what I personally take for security and privacy measures is up.

Hopefully you can learn something from it or even email me some tips!

This guy has a weird sense of system security if he thinks an SSH MOTD will keep unauthorised people away. Because you know, setting SSH permissions would be too sensible.

We recently took over development of an app. Upon inspection the API had no security, and passwords were stored in plain text. While the manager was slightly concerned, it wasn't a big deal....

That was until, using only a browser, I found the bosses account and personal email address.

Minutes later I was in his gmail, Facebook and credit cards account.

Improving security is now concern #1, and my boss is "suffering" 2 factor authy on everything.

Wrost security fix ever seen?

encode that passwords in base64 is safe enough.

And keep the password.txt accessible from internet it's safe because nobody know that it exists...

PM ordered me to not use encryption for customer authentication links because we want to be able so send same link if the user loose it. "we have to prioritize usability over security". At least I can tell future hackers it's not my fault..

*Extreme security measures on the backend, it must be failsafe, every db is as redundant as possible, generated salt, 2fa, everything*

*Forgets to add a case for {"key":""}*

I would blame it on the team but i built the entire backend myself.

Stewart doing his routine security brief:
"Please put your phone on airplane mode.
If you own a Galaxy Note 7, please turn it off."
*Half of passengers cracked up*

I think I ranted about this before but fuck it.

The love/hate relation I have with security in programming is funny. I am working as a cyber security engineer currently but I do loads of programming as well. Security is the most important factor for me while programming and I'd rather ship an application with less features than with more possibly vulnerable features.

But, sometimes I find it rather annoying when I want to write a new application (a web application where 90 percent of the application is the REST API), writing security checks takes up most of the time.

I'm working on a new (quick/fun) application right now and I've been at this for.... 3 hours I think and the first very simple functionality has finally been built, which took like 10 minutes. The rest of the 3 hours has been securing the application! And yes, I'm using a framework (my own) which has already loads of security features built-in but I need more and more specific security with this API.

Well, let's continue with securing this fucker!

Have a client that has a very, very large format printer (think billboards). It's on their network as just another printer, with no special security because everyone "knows" never to print to it....except the new employee who printed her direct-deposit info to it. Got about ten feet(!) into the job before someone realized it wasn't an authorized job.

God damn it.. Yet another night lost to the exciting world of cryptography and Internet security. Why is this shit so damn interesting?

Taking IT classes in college. The school bought us all lynda and office365 accounts but we can't use them because the classroom's network has been severed from the Active Directory server that holds our credentials. Because "hackers." (The non-IT classrooms don't have this problem, but they also don't need lynda accounts. What gives?)

So, I got bored, and irritated, so I decided to see just how secure the classroom really was.

It wasn't.

So I created a text file with the following rant and put it on the desktop of the "locked" admin account. Cheers. :)

1. don't make a show of "beefing up security" because that only makes people curious.
I'm referring of course to isolating the network. This wouldn't be a problem except:

2. don't restrict the good guys. only the bad guys.
I can't access resources for THIS CLASS that I use in THIS CLASS. That's a hassle.
It also gives me legitimate motivation to try to break your security.

3. don't secure it if you don't care. that is ALSO a hassle.
I know you don't care because you left secure boot off, no BIOS password, and nothing
stopping someone from using a different OS with fewer restrictions, or USB tethering,
or some sort malware, probably, in addition to security practices that are
wildly inconsistent, which leads me to the final and largest grievance:

4. don't give admin priveledges to an account without a password.

seriously. why would you do this? I don't understand.
you at least bothered to secure the accounts that don't even matter,
albeit with weak and publicly known passwords (that are the same on all machines),
but then you went and left the LEAST secure account with the MOST priveledges?
I could understand if it were just a single-user machine. Auto login as admin.
Lots of people do that and have a reason for it. But... no. I just... why?

anyway, don't worry, all I did was install python so I could play with scripting
during class. if that bothers you, trust me, you have much bigger problems.

I mean you no malice. just trying to help.

For real. Don't kick me out of school for being helpful. That would be unproductive.
Plus, maybe I'd be a good candidate for your cybersec track. haven't decided yet.

-- a guy who isn't very good at this and didn't have to be
have a nice day <3

oh, and I fixed the clock. you're welcome.

I fucking hate CORS. I mean yeah I get that it's for security and all but fucking COCKSUCKER is it ever fucking getting annoying dealing with this shit…

I opened a post starting with a "NO TOFU" logo and I was wondering what relationship existed between the SSH protocol and anti-vegan people.

After some paragraphs it explained that TOFU stands for Trust On First Use (a security anti-pattern).

At my previous job we had to complete an online security training exercise. It shows you how to behave secure in the work place, to not open unknown links etc. The scary part was that the entire training thing was BUILT IN FUCKING FLASH. So I'm suppose to listen to some god damn virus shitting flash application on how to do online security?! Get your shit together before teaching others.

Published a new blog article last weekend (finally) and had the idea to make a privacy/security Q&A one this weekend.

I'd make an email address for it to which you can email (a) question(s).

What do you people think?

A follow up from my previous rant about a dev colleague in the security company we work for consistently forgetting to lock his screen...he's done it again, so I made him a dickbutt loop this time

Security rant ahead, you have been warned!
As part of a scholarship application, our government requires a scan/copy of the applicant's credit card. Since the IBAN is now on the back, you have to send both sides.
The back is also where the CVC (security code) is. Any bank will strictly tell you NOT TO EVER SHARE IT - not even with them!
To make things even more fun, you now have the option to send this over email which is, of course, NOT ENCRYPTED!!!!!
I'm basically sending all the info needed to steal all my money over an unencrypted connection to an underpaid secretary, who will print it out and leave it on their desk for anyone with decent binoculars to see.
These people are fucking insane!!!!

The company that I currently work for has a strict clean-desk policy. So strict, there's even have a little booklet that they have about 1000 copies of lying around the office everywhere. In the booklet is a playful description (with cartoons!) of what can go wrong when sensitive information is lying around, or shared with outsiders through careless talk, etcetera. Employees are encouraged to take a copy of the booklet home.

Also in the booklet is a description of the importance of having a good password. It mentions the required minimum (x) and maximum (x+1) length of passwords, mandatory character classes, and how often the passwords have to be changed.

Who's at fault for the recent Wanna Cry virus: The companies affected or Microsoft/NSA?

Personally, I think it's the companies affected. This is what happens when you try and be cheap when it comes to cyber security​.

Important Abbreviations In IT security.

Got a math exam tomorrow but learning about it-security and pen-testing is a lot more interesting.

Building a remote for the projectors in your school can also be a source of fun :P

Years of mandatory corporate IT security training has taught me not to open this car, its probably a virus.

My security knowledge is so bad. But I don't know where should I start.😖
My coworkers know about this, so I don't get involved on related topics.🤤
Last time I asked same question, someone gave me link, and it all about DIY welding metal tubes into a security door.🤦‍♂️
Any better suggestion?

WTF!!!!! I officially have someone trying to extort me just had this in my email box this morning!

--------

Hello,

My name is [name removed], I'm an IT security expert and I found a security issue on your website.
This email is personal and in no way related to any of my employers.

I was able to access to a lot of files which contains sensitive data.
I attached a screenshot of the files I found to this email.

I would be happy to give you the method I used to access these files in order to let you fix it.
Would be a monetary compensation possible?

Please forward this email to the right person, if your are not responsible for the security of the website.

Best Regards,
[name removed]

---

He can basically see the contents of my wp-config.php. How has he managed this?

First year at university, prepared to set up multiple electronics.
rPi, arduino Ethernet shield, laptop, and desktop.
Brand new netgear switch to satisfy my internet surfing needs....

After setting up my devices, I realized none of them have internet. Hm. The feed port on my switch wasn't blinking either. So I tell the front desk, and a short 7 days later the port is back on. Yay, problem solved.

One morning I arise to see the port dark and inactive. Furious I use my laptop to share an internet connection while my actual port is "broken".

Support ticket is reopened and this time I get an email saying the port was disabled due to a security issue.

Me: what's the issue?
IT: there was more than two devices connected to the port

(OnLy TwO dEvIcEs PeR port???)

Me: oh okay I will only connect two.

The next day the port is disabled, again.

Me: can you tell me why it was disabled?
IT: a switch was detected being used, security error.
Me: how do I connect more than one device to the port without a switch???
IT: ...
IT: Please only connect one device.

🤔

This is a server in my school and I was wondering... Is it okay to have a server everyone can access? There's no key or other security need to the room needed.

My boss just came to me and demanded that we drop the first layer of security from our new servers so that the snake oil salesmen he used can open test it. I did try to explain that you don't remove security to test security.

I think what would help is to teach them these things:
- awareness for security in code
- how to use a fucking VCS like Git and how it works

Getting comfortable in one place for too long and stagnating. It can be easy to automate your job until you can just milk it, but sit still too long and your skills will be irrelevant.

People talk about ageism in development... don't let your mind get old and you'll always have job security.

After designing the new server architecture for our software and the security to go with it, the boss decides we should ask our provider’s solutions architects to see if it is okay, they came back and said it all looks good apart from one part which my manager did and I always said was bad practice.

So I need to "fix" a false-positive security warning (mass-assignment of a foreign key). Do I "fix" it by...

A) Setting it manually and double-saving the object?
B) Rewriting the mass-assignment so the linter doesn't realize what I'm doing?

Both options suck.
But security is going to complain if I don't do it.

Guess what?
I'm not doing it.

SMD you ducks.

Working in security for many years only granted me world-class paranoia about taking pictures of myself and my family. It even made it hard to keep in touch with my friends as we don’t live in the same country anymore.

The good side is that it pays well enough to grant me a platinum foil hat.

Boss: We need to disable CSRF and any other form of security, because that shitty, insignificant client has a website that is abomination anyone's eyes, can't pay because of the iframe thingy.

Me: I'd advice against it. This is a significant security issue that just screams to be exploited and there has to be a solution, but idk much about this situation.

Boss: Idk we need to kiss every clients ass till they come. Remove all the security

Me: *Just wants to get home, last one in the office besides the boss* fine
*removes it, deploys and gets the fuck home*

...2 weeks later

Payment gateway: Yeah, we blocked your account, because someone was trying to purchase 30k product in a span of 1h

I'm not even mad about that, but rather about the fact I fucking called it.

* Achievement unlocked: Targeted by scammers

P.s. no major damages, cause the guys from the payment gate understand shit about security.

Someone at work asking me about whether the controller system for our door security can access the Internet. I'm explaining that the reason they can't access Google on it is that it is on an isolated network for security. They wanted to install some remote desktop software on it that some idiot had recommended.
Then I actually get asked: "If it can't see Google... Maybe can it see Firefox?"
*headdesk*

In an age of GitHub and cloud computing, how can a freelance dev using their own laptop be classed as a security risk?

These crude rules laid down by corporate IT depts just make companies look silly.

This has saved my life! Though makes me wonder isn't it a security risk for on premise access?

watching the online course for CEH... dude used the Death Star as a tangible example of how exploits work.
IDK if I should love it for the nerdiness, or be slightly sad that someone needs that type of example of what a vulnerability vs an exploit is, when they're going for the Certified Ethical Hacker certification...
Might be better in an introduction to Network Security class?

Also, while discussing the security, usability, and functionality triangle, he reference the Staples "Easy Button" - does one thing, not very secure, and not very functional (in that it has more than one function)...

"We should probably fix that security issue, but the application already works, so it does not matter" - My boss

!rant Security training at work comes in the form of a serialized TV show where each episode concerns some security topic kind of tangentially and ends with a “REMEMBER… “ followed by the lesson you were supposed to get from the episode.

I kind of love it. A lot. I actually look forward to security training, and I’m not the only one. They stagger the release so you can’t binge watch all the seasons at once and you get three episodes at a time. 😂

Signed up for Cyber Security Nordic this september. It looks interesting.

Why do people like non typed languages like php or javascript? Besides from a giant pile of possible security problems what do you get out of it?

Uhm. I don't like this

IT security calls to tell me my new password, because it is poor practice to send it over encrypted message.

New password = password

I'm glad we are taking security so seriously!

I swear, the next time I hear a web developer say to me: "Yeah let's pretend as if the security hole in the website isn't there, because truth be told, i cannot be bothered to fix it."

Ever lose a laptop? I did. 13 days ago. at the airport in security. left it behind because I had two with me, which I don’t usually do. i just realized YESTERDAY that it was missing. someone come to my house and shoot me. because i’m too stoopid to live.

Doing compulsory cyber security training and it's like "if you click a malicious link report it to the IT helpdesk" I and I click agree knowing full well the closest thing to IT we have is me...

This is not fucking security, it's obscurity! What the fuck is a memorable word without any context! It drives me up the fucking wall. This doesnt help anyone it just promotes people to put silly shit like password or something so they won't forget but it just makes their account weaker.

"Wait, we're logging all web traffic now?"
Me: You're the security engineer, you asked him to do it!
"I know but I didn't think he would actually do it!"

🙄😑

Nothing like taking a company IT security training that requires Flash.

The first step to be able to run the training?
Override your browser's security setting to allow Flash to be able to run.

Anyone else see the irony here?

I fucking hate frontend development
>updates three dependencies for security reasons
>entire thing falls apart
>spends whole week to fix it
>its literally just two lines to fix it but those lazy mfs had to ask a QA to rewrite it
>mfw

IF YOU DONT WANT ME TO INSTALL SOMETHING WITHOUT UPDATING THEN FUCKING SAY SO INSTEAD OF SAYING MY PASSWORD IS WRONG.

Whoever it was that thought that MAC address spoofing/randomization for "muh network security" was a good idea, I'm gonna violently fucking murder them. It doesn't solve jack shit for security, doesn't magically make your network device "anonymous" or whatever and it never fails to confuse my DHCP servers that use those fucking things. Whoever it was, hang yourself or I'll fucking do it for you. Filthy incompetent motherfucker!!

Me : "I need to stop geeking out about security because I have exams and need to write a report"

Me 2 hours later : "Ooooo.. what's this cool article about?Let's check it out 😎"

Security!

Offensive and defensive at both code and infrastructure levels.

So many times I see devs not give a flying pancake about security. Whether it be rolling integers for sql injection or permission guarding to prevent someone executing something they shouldn't.

Why is security in this industry always the last thing to be concerned about when it's the first thing that's going to kill your business.

😓

Zoom was dead before it even took grip.

Fml. Use jitsi or some other real stuff.

<deity>, I don't care, choose Skype, there we know that security is well established and it's watching workers are well payed (US Court case for proper work classification).

"Don't waste time on security, just make it work" heard this from a "security head manager" at a 1 million eval. company 3 years ago

Security startup...
'Which football team do you support?'
'Not sure how that is relevant.'
'It is very relevant'

So after 6 months of asking for production API token we've finally received it. It got physically delivered by a courier, passed as a text file on a CD. We didn't have a CD drive. Now we do. Because security. Only it turned out to be encrypted with our old public key so they had to redo the whole process. With our current public key. That they couldn't just download, because security, and demanded it to be passed in the fucking same way first. Luckily our hardware guy anticipated this and the CD drives he got can burn as well. So another two weeks passed and finally we got a visit from the courier again. But wait! The file was signed by two people and the signatures weren't trusted, both fingerprints I had to verify by phone, because security, and one of them was on vacation... until today when they finally called back and I could overwrite that fucking token and push to staging environment before the final push to prod.

Only for some reason I couldn't commit. Because the production token was exactly the same as the fucking test token so there was *nothing to commit!*

BECAUSE FUCKING SECURITY!

Probably the worst security I've ever seen is a website I used to visit that had their "Forgot your password?" system change the password of the account to the user's username and didn't even send an email confirmation before doing it.

half day gone try to find or remember the password of some SSL/key/encrypt/crt/shit/whatever.

Blaming myself for hours, how could I not save the password somewhere?

#Enter Password:
(I pressed enter, no password).
it works.

I love IT security

I had a friend who wanted to make a social network and Steam-like gaming platform with "near impenetrable" security in around 2 months from scratch. He still wants to do it. Maybe he should think.

A classmate saw me using Firefox today and laughed at me saying Chrome is more secure. I'm not very knowledgeable about the security; I use Firefox because it uses less memory and it's more stable on my machine.

I doubt that info of his is current so can someone who actually knows about the security give me some counter-arguments for him? The more facts the better :D

TFW your company does a security test by sending out a mystery link to everyone which tracks how many people have clicked it and then just redirects to "Never gonna give you up"!

A rule of of thumb that I use when it comes to security is "don't do it yourself, use a library"

THE CODE USED IN MY MANDATORY ONLINE TRAINING ABOUT CYBER SECURITY AND STUFF LIKE THIS:

<script>window.showQuestion(someOverlyVerboseResponseFromTheServerWithTheCorrectAnswersMarked);
</script>

Oh boi it would be a real shame if someone proxied your precious function :)

Just a rant... It really sucks to work with maven on a security-paranoid financial institution enforcing ntml proxy auth...

Also usb ports disabled... :(

When an application has tons of security holes and fixes never make it into sprint prioritization because "they're not new features"

This picture represents a whole lot of things for me in software development when it comes to bad design or security... You add a new feature along the way and it seems to work well - but basically you f-ed everything up.

Had my first interview for a cyber security gig.

1st round, preliminary questions about ethics in a security related topic, etc.

I wrote a report about that topic, but for some reason brain fogged the answer.

At the end of the interview, I also blurted out that I found the interviewer's presentation at a past conference and really liked it.

Pretty sure they now think I'm a creep.

That being said, it's been a few years since I've interviewed, so it feels great to get the dust off, even if I bombed it

Practice makes perfect, right?!

Just heard this on the news...

"The cyber security on my smart phone compared to the cyber security in medical equipment..."

Wtf did I just hear??? I mean, I get it...using terms the general public understands... But how about educating people instead. 😤

Corporate IT blocks all network traffic, whitelists port 80 and 443 😡

... cos port number is the best predictor of security threats, amirite? 😒

Imagine updating a legacy web app and the code is so bad it physically makes you sick every time you look at it. Tables with over 400 columns, . And don't even get me started on the security issues. Apparently writing "Confidential" on the top of the page is enough security. And that's just the tip of the iceberg. People should get licenced before being allowed to code.

Every week in my intro to information security class we are asked about what security stuff has gone down in the past week. Equifax is making it incredibly easy to not have to do much research.

Google simply can't knock off harrassing their users with security theatre.

A friend of mine has a small personal YouTube channel. He has recently been bombarded with several phone verification requests a week: "Verify it's you. To continue your session, complete a brief verification. This extra step helps us keep your account safe by making sure it’s really you. "

While frequent verifications may be understandable on YouTube channels with millions of subscribers, channels with only a few dozen subscribers are not attractive hacking targets. A verification would be justified before a potentially harmful action such as deleting videos or deleting a channel. But not for normal everyday use.

What's next? Will they ask users to "verify it's them" every ten minutes, "just for extra security"? Just to verify that it is "really, really, really, really, really" them?

It's not security. It's security theatre.

Sorry, Google, but users are not in the mood of doing a phone verification every other day.

Has this been Google's perverted wet dream all along?

!dev

I'm checking out at Walgreens right now and have an item with a security device on it. The cashier just took a pair of scissors to it. Didn't work obviously and now I think she's trying to rip the cords off the box

Security Issues with Chrome:
My dad was just saying that his work wouldn't let him use Google Chrome because of its supposed 'security issuse'. Just wondered if anyone knew of any real 'security issuse' with chrome that are legitimate? Or is it all just rumours...

A developer said to me: developers may hurry to finish the project before deadline that they might miss many security bugs specially in the updates. That a creative hacker will later take his time and exploit them.

Is it correct ?

PM asked me to develop an application to fetch data from the customer's DB, which would require an access security token provided by the customer. To get the token, I would have to travel to Germany (I live in Portugal) to get it personally (it's not possible to have someone else pick it up for me).

It turns out the security token is a completely closed environment, with its own OS, without the possibility of installing any application or communicating with the exterior. The laptop itself would boot from the token's OS.

It was concluded I would have to hack the security token, which is completely non compliant. So the PM decided not to go forward with it.

But now, I have to go Germany anyway to pick up the security tokens because they forgot to order them for these other guys who would be using them to access the customer's DB manually and they don't want to delay the project anymore.

Oh, and the security tokens cost the project 500€/month each...

My university provides advanced education courses and you'll get certified if you pass them. I'm really interested but I don't have so much time, so which one should I pick?
List of courses I'm interested in:

SQL
IT-Security
Project Management
PHP

I'm curious about your suggestions ;)

fuck..fuck..FUCK..FUCK YOU MANTIS!!!
fuck you and your fucking invalid security token... fucking cunt...
yeah i love extracting my notes from POST data via the browser dev console cause you fucking delete it when hitting the back button...
THANKS FOR NOTHING

Goddamit I hate it when services advertise how they are about security and then deny me using random readable words with hyphens as passwords.

Had this life not turned out the way it is. Had you not been a dev, what would you imagine you would have been?

I'll go first.. i would probably have been a librarian or a security guard. Someone with lot of time at hand to read.

Is it a bad idea to learn about cracking from the dark web? I mean they seem like they know their shit with security

Problem:
some folks left the angular codebase full of ridicolous console.logs, client was upset as he noticed it during UAT

Solution:
1. add extra script in main template page
window.console.log = function(){};
2. translate it into JSFuck
3. if they ask, pretend it's a super-secret encryption algorithm to improve security

I hate Wednesdays. Networking has the Antimalware service run a full/deep scan every Wednesday and my machine is basically unusable until it finishes.

Devs: "Can we have the scheduled task not run during the day, maybe even on the weekend?"
Gary: "Security is our #1 priority and without proper security methods in place, we'll be open to outside threats. Security begins with you, and ..blah blah blah"

Bite me Gary. I got something for ya.

Get-ScheduledTask | ? TaskName -eq 'Windows Defender Scheduled Scan' | Stop-ScheduledTask

‪People who are shitting on a chrome browser for desktop because of security reasons, but using it on their phones - you are mental.

Why is it that security (hacking) distros went so popular?

I see more and more posts pictures even on devrant featuring them. Even I see people at my uni that are on kali. I can't believe all of them are that into security. I even know two linux noob friends that wont listen to advice and went to kali as first distro.

I'd never use kali/parrot/whatever vs my current manjaro setup... I'd rather go back to arch.

Imagine implementing PHP scripts which execute shell commands defined in URL GET query params on your customer's dedicated server without any basic authentication or similar. The only security is by barely obfuscating it's URL.
I think I've seen it all now...

Guys...

It has come this far...

I... I like test driven development and the amount of unit tests and security it gives you. And I kinda laugh at people that don't take unit testing seriously :p

So today a colleague confessed to an attempt to troll my computer by SSHing into it and playing random songs. Thankfully he did not manage but he would just happen to do it the day we have a security audit.

Soooooo, why is it that so often 'security' just means bloody mindedly getting in your way for no reason?

Coz I fail to see how whitelisting a subnet of private IPs that are already only accessible through company VPN presents any kind of security risk, especially since the blocking software is literally only on our company laptops and can be easily bypassed by being on the VPN on *any other device*. But nooooooo, we have to go to the this other company our umbrella company owns (who by the way are making every dev at our company redundant in six months) and beg them to change each individual IP address every time we create a service.

Really does feel like security often means either 'our parent company doesn't understand security so we just need to go through the motions and *look* like we are doing things properly' or 'we just want to get in your way enough that we win in the who gets made redundant fight because you can't actually get any work done and we can'.

Bonus points: on the website for the blocking software they use, it literally recommends using Internet Explorer for everything. I'm surprised they haven't tried to enforce that on us as well.

I reached out to a developer who's site was being contracted out to Amazon devs, because when their site launched it had a couple of security issues. This was his response:

"An additional thought/opinion... Just because a college freshman from Arizona wasn't too hungover to make the effort to notify us and take the liberty of classifying this as a security issue for us doesn't mean we need to take their word for it."

Job security:
- Create bugs purposely
- Discover the bugs after a while (if you discover it too quickly it will look suspicious)
- Fix the bug

SSL should really stand for "Satan's Security Layer", because anytime I have to deal with it, it's always a major pain in the rear. (And an expensive pain at that!) Why in 2016 is the SSL process so bad.

So I was like "imma be smart with my internet security and put 2 factor on my GitHub" only to find out I'm getting authenticating errors on trying to push. Disabling 2FA makes it work again.

GitHub y u do dis D:

It's a really interesting discussion, when your boss tells you that it's a perfectly fine idea to directly use a Firebase DB from an Angular web app by storing the Admin Auth Token in a variable in JS.
Thank the spaghetti monster, I was able to argue against it and use the already partially implemented RESTful API with the already used auth.
He basically wanted to save time and omit extra login routes.

It's OK to save time and not implement $randomFeatures.
BUT DON'T FUCKING TRY TO SAVE TIME ON SECURITY!

If it wasn't for me, this web app would turn into a bigger gaping (security) asshole than Sasha Grey's...

Opinion?

College: We will give you six to twelve weeks to build a decent, fully-equipped application that involves a backend with domain business logic, DAL, service layer, security, etc.

In the real world: we give you an afternoon. If it takes two days, you are slow.

Gotta love it.

How is it security, a function of IT, does not understand developers? I mean, they work in IT, should not at least pick-up on the culture?

Start with it at age 4, learn children to protect themselves on the internet, but also show them the possibilities. It's not something I expect this generation to properly teach the next one

And name it something like Computer Security

They call it security questions.
I call it social engineering backdoor.

I'm supposed to enter those questions after logging into my account and I'm not able to skip it nor to set a proper two factor method.

Well, fuck you. Did you ever thought about dying by a two factor method? Ever watched a Saw movie? You got the idea.

I have to maintain a system for a financial institution that only works with Windows XP and Ms Access 2003. All VBA code, security is handled using a workgroup file. Can't upgrade anything because client doesn't want to pay for it.

Before getting my dev job, I taught myself some java and made a program to assist myself in the position I was working. It was borderline a keyloger, but it helped me with a lot of repetive tasks. Long story short, our security didn't dig that I installed something they didn't approve (I probably could have just not made it an exe and gotten away with it but my boss wanted it as an exe to run on other computers) they didn't know exactly what it was. I totally understood the security concerns though but they sure gave me a fucking heart attack right before my interview for my first dev job! Was seriously worried I was going to be fired and miss my big chance to make it in with out a degree.

Nothing in my office like incompetent developers or their lack of regard for security really bothers me.
But the fact that the coffee's been out for a week now and nobody has replaced it is pissing me off.

Best toothpaste it will make your teeth extra white. As a bonus it’ll get you past border security while they check your temperature all that heat will be appropriately spread out to a cool 98.6F.

*Has more advanced knowledge on computers and cyber security...

Mother still cant trust with repairing phone, asking which phone to buy, and naggs about the amount of time i spend on my laptop saying i'd break it.

On Friday afternoon, i got an e-mail from the IT manager of the company I'm working for.

"Due to security issues we have been forced to stop the server you deployed"

Today, on Monday morning, i got a message from the director saying LITERALLY NOBODY CAN ACCESS THE SYSTEM

I wonder what it could be.

I code. I'm not a network or security admin. Did you even read my resume before hiring me? It says "math degree then data analysis then programming degree" Subnets, firewalls and security certs are not my areas of expertise. Given enough time, could I stumble through? Probably. But I'd probably come up with something worthy of mocking on networkadminrant.

Guys has this happened with anyone ..my older aws ec2 instance just vanished from my console but I can still ssh into it, how do I manage it for security groups and other things..?

!rant

I'm a computer engineering student.
I'm very much interested in Systems and networking.
That's why I was thinking of persuing cyber-security as a career option.
But I'm not quite sure if that is a good choice.
Also I don't know how to proceed in order to achieve excellence in cyber-security.

It would be a great help if you guys could help me.

Thanks :)

They tell me to only review security in the security reviews I'm doing (and if I bring to attention that they're implementing a weak encryption so even though they're not using it at the moment it might cause issues so be careful with that they say to only review security 😵) and then I see this mssql in a where:
AND ISNULL(field, 0) IS NULL
And I think wtf, should I report that? I did and it's a bug and they're thanking me now....
God dammit it's hard to "review security" here...

@linuxxx
Can you do a security / privacy check for ProtonVPN? All I know is that it is Switzerland based and pretty much secure.

I forgot my password to my mindfactory account, one of Germany's biggest online vendor for computer components. So I go through the resetting process, which is:

- apply for password reset
- get a mail
- confirm the mail
(So far, so good)

- get a mail with a new CLEAR TEXT PASSWORD

Is this the stone age!?

You never send an email containing the cleartext! You never even store the password as is!
You, as the provider, should never be able to know what the actual password was.

All you are supposed to do is to generate a random salt, and hash the user's password with the salt, and then you only store the salt and the hash. And whenever a user inputs their password, all you do is to check if the you can recreate the hash with the help of the salt and your hash algorithm. (There are libraries for that!)

If a user wants to reset their password? Send them to a mail with link on where they can assign a new password.

At no point should the password ever be stored or transmitted in any other medium.

So my day started well.

I come in an the DVR monitor is not working, ok lets turn it off and on, nope. Lets turn the DVR on and off, nope still nothing. Played around with the VGA cable, nope. I cant replace the cable because its hard wired into the monitor....

I grab the spare screen next to me and connect it all up and it works!

Boss tells me to throw "broken" monitor out, I say I want to test it just to make sure, connect it all up to my pc and now it fucking works!

There are days I hate technology....

Guys, please use caddyserver as your webserver! It creates official tls certs for you without you having to do anything. Help making the web secure. There are too many websites that do not have any security.

why is every auth provider utter and complete shit?

why are docs and tutorials that try to teach auth so complete shit?

No wonder there are so many security holes everywhere, nobody bothers to make it simple for the next person.

Next time people that cry about security/bad auth, and work in that field, this one is for you:

Best: take a job as a data analyst. 1 year later, re-write and re-deploy the entire backend following correct security concentions and well-hashed-out data models.

Worst: attempt to backup a hard drive using dd, just to accidentally brick the laptop (because it had some security layer the school put to prevent just that)

Bestest: use knowledge acquired at my "best" story to nuke windows on bricked laptop. Then extract the leftover data using dd and a series of recovery tools.

Not only is the default password they set a piece of shit, the password field actually shows the password even after you save it, why even bother with security?

Hash your fucking passwords!

The internet kills my insides.

Apple's provisioning profiles/entitlements suck. They can all go wreak havoc on Android now. -___- App all coded, passed IT Security..will be passed by QA once they can actually test the app. Yet App piloting is in hold because of these stupid profiles and entitlements.

So the contract for this big project with a client has some interesting content in it. I'm not sure if I can sign this in good faith.

Because I seem to be lacking guard dogs and a receptionist at my home office. Maybe I could build a force field for them.

And I'm not really looking forward towards having all my friends sign a document every time they visist.

5 PHYSICAL SECURITY
5.1 Adequate physical security perimeters (e.g. fences, walls, barriers, guards, gates, electronic surveillance, physical authentication mechanisms, reception desks and security patrols) shall be implemented to safeguard Information and information systems.

5.2 Supplier shall have a documented visitor policy and all visitors must be identified, registered, logged, and accompanied by an employee from Supplier.

Ok.
I am not a security expert, but when i was working on downloading youtube videos directly from googlevideos.com server, found out there was some security issue that allows to manipulate login requests.

Reported to google.
Let's see how it goes.