Did you say security?

They call it $5/gb hotel wifi, i call it free uncapped 100meg fibre because your security sucks

Oh and they host their entire POS (and database with backups) on the same network accessible to every TV in the hotel

"You should use Windows server!"

It was a high security project which needed to run very stable. Even the windows sysadmin looked at that guy like 'dude what the actual fuck'.

Me wanting to board Plane,
Goes through security Check...
"Sorry sir Laptops are not allowed."
Me
"Why?"
Security
"It could be a modified bomb"
Me
"But this is a Tablet!"
Security
"No sir, it has a Keyboard and Trackpad attached to it, its also running Windows..."
Me
"Excuse me, but this is clearly a Tablet"
*Detatches Keyboard from Surface Book*
"See? Tablet."
Security,
"Sorry sir, but no. You cant board the plane with this, only Tablets and Smartphones"
Me
"WTF? you dont allow Laptops because they could be bombs but A FUCKING SMARTPHONE IS ALLOWED? AND TABLETS TOO?!"
Security
"Yes, because the Battery is not removable..."
Me
"But my Laptop Battery is also not Removable..."
Security
"I dont have anymore Time for an Argument"
Me
"So I can board the Plane?"
Security
"No, the Ticket will be refunded"

WHO THE FUCK CAME UP WITH THIS BULLSHIT? LIKE RLY? WHO!!
I MEAN WHAT THE FUCK IS ALLOWED?!

Why not have a game of DevSecOpoly? Doing DevOps and Security right!

At the airport.

Security: Please put all your electronics in the bin, including your watch.

Me: No problem

<goes through scanner>

Me: there was an Apple Watch in here and now it is gone.

Security: Oh, you lost your Apple Watch?

Me: No! I put my Apple Watch in the bin like you instructed and YOU lost my Apple Watch.

Security: It must be in the spinners.

Me: So my $500 Watch is in the spinners being run over by bins?

Security: you have to put the small things on the bottom.

Me: It was on the bottom and I did as you asked, this is entirely on you. Do not try to shift the blame to me again please.

Security: As I said...

Me: As I said, Do not try to shift the blame to me again. This is entirely your responsibility once you separate me from my electronics so you can perform security theatre. Have a nice day.

—————

Fuck this god damn security theatre. Fuck the dumbasses they hire. Fuck your country. Fuck your god damn feeling of insecurity. Fuck Your ineffective security theatre.

Sick my fucking dick until you choke and gag you worthless pieces of shit. Homeless people the street provide more security than you incompetent, under-educated assholes. Fuck you

And yes, I have 2 fucking laptops. I have a real fucking job where I provide actual value and for that I need a work laptop. I don’t come to work in a stupid looking outfit with a chip on my shoulder looking to inconvenience people. I come to work to provide real value to someone.

Fuck you and your worthless bullshit

Security is everything for this application

Hacking/attack experiences...
I'm, for obvious reasons, only going to talk about the attacks I went through and the *legal* ones I did 😅 😜

Let's first get some things clear/funny facts:
I've been doing offensive security since I was 14-15. Defensive since the age of 16-17. I'm getting close to 23 now, for the record.

First system ever hacked (metasploit exploit): Windows XP.
(To be clear, at home through a pentesting environment, all legal)
Easiest system ever hacked: Windows XP yet again.

Time it took me to crack/hack into today's OS's (remote + local exploits, don't remember which ones I used by the way):
Windows: XP - five seconds (damn, those metasploit exploits are powerful)
Windows Vista: Few minutes.
Windows 7: Few minutes.
Windows 10: Few minutes.
OSX (in general): 1 Hour (finding a good exploit took some time, got to root level easily aftewards. No, I do not remember how/what exactly, it's years and years ago)
Linux (Ubuntu): A month approx. Ended up using a Java applet through Firefox when that was still a thing. Literally had to click it manually xD
Linux: (RHEL based systems): Still not exploited, SELinux is powerful, motherfucker.

Keep in mind that I had a great pentesting setup back then 😊. I don't have nor do that anymore since I love defensive security more nowadays and simply don't have the time anymore.

Dealing with attacks and getting hacked.

Keep in mind that I manage around 20 servers (including vps's and dedi's) so I get the usual amount of ssh brute force attacks (thanks for keeping me safe, CSF!) which is about 40-50K every hour. Those ip's automatically get blocked after three failed attempts within 5 minutes. No root login allowed + rsa key login with freaking strong passwords/passphrases.

linu.xxx/much-security.nl - All kinds of attacks, application attacks, brute force, DDoS sometimes but that is also mostly mitigated at provider level, to name a few. So, except for my own tests and a few ddos's on both those domains, nothing really threatening. (as in, nothing seems to have fucked anything up yet)

How did I discover that two of my servers were hacked through brute forcers while no brute force protection was in place yet? installed a barebones ubuntu server onto both. They only come with system-default applications. Tried installing Nginx next day, port 80 was already in use. I always run 'pidof apache2' to make sure it isn't running and thought I'd run that for fun while I knew I didn't install it and it didn't come with the distro. It was actually running. Checked the auth logs and saw succesful root logins - fuck me - reinstalled the servers and installed Fail2Ban. It bans any ip address which had three failed ssh logins within 5 minutes:
Enabled Fail2Ban -> checked iptables (iptables -L) literally two seconds later: 100+ banned ip addresses - holy fuck, no wonder I got hacked!

One other kind/type of attack I get regularly but if it doesn't get much worse, I'll deal with that :)

Dealing with different kinds of attacks:

Web app attacks: extensively testing everything for security vulns before releasing it into the open.
Network attacks: Nginx rate limiting/CSF rate limiting against SYN DDoS attacks for example.
System attacks: Anti brute force software (Fail2Ban or CSF), anti rootkit software, AppArmor or (which I prefer) SELinux which actually catches quite some web app attacks as well and REGULARLY UPDATING THE SERVERS/SOFTWARE.

So yah, hereby :P

Java security applied.

A dude with a THICK Russian accent just called me offering server security services.

After I politely declined, he insisted on a free audit of my servers. I declined that as well.

Now I’m backing up our DB’s and going through my nginx logs.

Am I being racist?

Are you serious? Are you afraid of an SQL injection or something, and instead of properly sanitizing your queries you disallow characters? Or is your software and database so outdated that you're afraid special characters will break it? Goodbye security

> Claims to be a security expert and an Anonymous member

> His router uses WEP as encryption

"I really love the new $3k Fortigate firewall switch you bought for the office after our chat about security but it doesn't change the fact that you can access any computer in the company using Password123" - me

Windows firewall security he like..

I now know how serious linksys takes my security.

What the actual fuck? Person (or people!) who devised this password policy, you are an idiot (or idiots - all of you). You are stupid and insane and have no idea about security or user experience.

!rant
Security 101

A conversation with our network/system admin.

Me : Can I install linux on my computer, windows is slow and terrible.

Him : No, if you use anything but Windows in this company, you will be fired for bypassing our security protocols. Its written in your contract.

Me : *boots up my Macbook*

Presenting my paper on PHP Security in IEEE conference today... Wish me luck. I hope it gets published 😃🤞

OMG, security breach on devRant!!!
My password is shown in clear text near my avatar.

Found a security hole....

A fast food delivery service had an ID for every order it Said
"example.com/order/9237" - i go 9236... finds another persons order, address, and phone number

So What should i do?

i thought of making a crawler and then make statistics on everyones orders and send Them a link 😂

Found a private api key on a github project. Created a pull request with key changed to “TH1S5HOULDB3SECR3T!iMBECIL5“ comment was “security fix“ i wonder if they accept

PM: We need security on signup, the password entry should contain "A capital letter, 2 numbers, a symbol, an inspiring message, a spell, a gang sign, a hieroglyph and the blood of a virgin."
ME:

Much security, very captcha!

I competed in two competitions Computer Security and C++ Programming and I got 6th in Security and 1st in C++!!

The amount of thinking and programming that goes into writing a secure backend is fucking high but I love it!

It helps to think like someone who'd want to hack a user or the application so you know most security measures you have to take :)

Happened with anyone?

I'm a programmer and an aspiring cyber security specialist. Yesterday, after I gave a presentation about smart bulb hacking, I heard through a coworker that a cyber security company is interested in talking to me. Yay!

First rant, please take pity on the noob! 😐

Recently I've secured many of my user accounts spread throughout the internet. Using the same old password for everything is bad for security and for mental health! 😫

Since I was on the mood, I've tried to do a 'break glass' scenario, simulating an attacker that possessed my Gmail account credentials. "How bad can it be?" I've thought to myself...

... Bad. Very bad. Turns out not only I use lots of oauth based services, I also wasn't able to authenticate back to Google without my pass.

So when you get home today, try simulating what would happen if someone got to your Google or Facebook account.

Makes you consider the amount of control these big companies have over your life 😶

I recently found a company that used employee social security numbers as their login username and their MMDDYYYY as their password (which could not be changed) also their entire network was using a router with no wifi password set. :/

Stepping up my security game!
This just showed up today!

First rant

Context: I work in a cyber security company which develop cyber security solutions.
I started testing the API of the dashboard we have. Within 15 minutes, after poking around with burp suite, found SQL injection in post data that leads to the whole DB dumping in sqlmap.

Told the boss and the API developer. Boss said, "it's ok to have bugs/holes in trial box". But this is on a machine that is gonna be sent to client for trial in a few days. I even compiled a report and how to fix it, which is like 2 lines of "if else" statement by the way. Told the API developer how to fix, he didn't care. 'I work on functionality first'. Doesn't look like he gonna fix.

A damn cyber security company, developing cyber security solution, do the "don't" in web security 101, which is dumping POST data directly into the SQL query, which requires only 5 minutes to fix. 🤦‍♂️🤦‍♂️🤦‍♂️

Dear Prof,

One does not simply encrypt the exam tips and give it to the students in a computer security introductory module.

Sincerely,
Disgruntled Undergraduate

(The PM is pretty technical)
One day:
Me: Could you create this subdomain?
PM: Sure, just a sec.
Me: Ohh and could you add a letsencrypt cert? (one click thingy)
PM: Why would you need that on this kinda site...
Me: Well in general for security...
PM: Nahh.
*walks away*

Next day:
(referring to my internship manager/guider as Bob)
Bob: Hey... we have a new subdomain!
Me: Yup!
Bob: Wait why is there no letsencrypt certificate installed...?!?
Me: Well, the PM didn't find that neccesary...
Bob: (Oo) of course it is... are we going for security by default or what?
Me: Yup agreed.
Bob: *creates cert and sets everything up in under a minute*

It wasn't a high profile site (tiny side project) but why not add SSL when you can for free?

The first rule of cyber security:

"Be Paranoid"

Fuck me, big fucking security flaw with a UK internet service provider, my head has gone through my desk and hit the floor it’s that bad.

Just looked at the anonymous analytics I collect on the security/privacy blog.

No SQL Injection attacks yet (would be useless anyways as I don't use MySQL/MariaDB for the databasing.

Directory Traversal attacks. Really? 🤣

Nice try, guys.

#1 Being honest with your customers
#2 Security

Fucking crunchyroll hardcodes their access tokens in a Constants Class in their APK, technically that is a security issue.

What the actual fuck Crunchyroll!? No fucking wonder you got DNS Hijacked so quick, security is literally your second priority you dumbed down twats, get some real devs and some real QAs for fucking god sakes, you're tearing down your own system by inviting exploits.

- I'm forced to do dev on Windows with no admin because security
- We receive patches to critical systems from outside company on FTP secured with password "asd123" and install them without reading because fuck security

As a firm supporter of information security, it really "irks" me to see people get up and walk away form their desks without locking their machines... Anyone else with me on this?!

Had a discussion with a developer about security. His software transfers all user data (password and files) unencrypted, so anyone can grab them with wireshark. I told him that this is a severe issue. He said no its no problem because if you get hacked its your own fault, because you probably used an insecure network. NO ! YOU FUCKING MALADJUSTED SHEEP-MOLESTING OBJECT OF EXECRATION, YOU SHOULD ALWAYS ENCRYPT SENSITIVE USERDATA NO MATTER WHAT NETWORK YOU USE. FUCKING KILL ME ALREADY.
Not implementing encryption is one thing but then acting like its no problem is a fucking nother one. Why do people not understand that security of userdata is important???

Security "experts" forcing monthly password expiry because it's more secure.

Repost: This is one of the worst security questions I have ever seen

Cmon guys it's an important security update..

Security rant ahead - you have been warned.
It never fails to amuse and irritate me that, despite being in the 2019 supposed information age, people still don't understand or care about their security.
I've travelled to a lot of ports and a lot of countries, but, at EVERY port, without fail, there will be at least one wifi that:
- Has default name/password that has been cracked already (Thomson/SpeedTouch/Netfaster etc)
- Has a phone number as password (reduces crack time to 15-30 mins)
- Someone, to this day, has plain old WEP
I am not talking about cafeteria/store wifi but home networks. WTF people?! I can check my email (through VPN, of course) but it still bugs me. I have relented to try and snoop around the network - I can get carried away, which is bad. Still...
The speed is great though :P

I really have this fucking love/hate relationship with application security.

For a lot of stuff that I write, user input has to be validated, authentication is required and so on and I do love looking into that, pentesting my own applications to death and thinking about the security architecture of the application itself.

But, sometimes, I just want to focus on the fucking features and then it annoys the living hell out of me that securing an application can take so much time and brain power.

Yay and grrrr, I guess.

Security for 2017: Because SSL has nothing to do with security, and just Google's way of increasing it's monopoly...

Lol..Windows is Funny..

Customer: «We want all the users belonging to this organization share the same username and password»
[Editor's note: we are talking about 500 users, more or less half of the total in the system]
Customer, after some minutes: «It's very important for us having the web interface using HTTPS, because we care security a lot».
So, please, go fuck yourself. And die.

Security tips guys :
use iptables -A INPUT -j DROP to secure your servers.
NO ONE can access your servers now... NO ONE...

Typical TSA (Airport Security)

Security: Please put all of your handheld objects and your outer clothes in this basket.
Me: (puts my bag, in flight luggage, and takes out laptop, bluetooth speaker, bluetooth mouse, bluetooth keyboard, tablet, android phone, dongle bag, and windows phone)
S: (stares at me as if I am a rich kid)
M: May I go through?
S: (nods)
M: (smirks, and goes through metal detector)
BeepBeepBeep!
M: (oh shit.)
Scanning Officer: Raise your hand!
M: Mmmhmm
S: (Hovers the detection stick around my body, but it doesn't ring, tells me to pass through the detector again. Still rings. Super confused. Asks me to do this 2-3 times more. Still same.)
M: Aha! I have my bluetooth earphones here! Sorry!
S: (stares at me, as if he is saying what a f****** weirdo)
My stuff comes out. I put my devices in the bag. The scanning officer stares at me.
M: (smirks)

To be continued....

My friend tells me #Linux has demons that work in the background! Does that mean Linux users are evil too?! #imscared

Fun with headers (from OWASP.org node.js security presentation)

OK... OK... OK...
Today we reached another level of security for one of our MiniMac in the office...
sudo chmod -R 400 /
Oh... he was supposed to write ./ but he forgot the dot...
Now, even the OS can’t work...

soo... 5 days ago I ranted because of the "security" of the wifi on a restaurant.. here goes anotha one.

We recently took over development of an app. Upon inspection the API had no security, and passwords were stored in plain text. While the manager was slightly concerned, it wasn't a big deal....

That was until, using only a browser, I found the bosses account and personal email address.

Minutes later I was in his gmail, Facebook and credit cards account.

Improving security is now concern #1, and my boss is "suffering" 2 factor authy on everything.

Ah, I see you studies music in college! Why don't you work in information security!

> Builds CLI tool to generate app security tokens
> immediately leaks first set of tokens in public commit

I astound myself with own stupidity sometimes.

A store in Russia was robbed for 30k$ using ArtMoney.

ArtMoney is a Game cheating program that is used in games that have no AntiCheat system or it is insanely horrible(Cookie clicker as an example for a game that had no anticheat and ArtMoney is used in it)

The robbers placed orders for tech(like phones and laptops) and then used the program to change the prices from thousands of dollars down to 5$.

The cheat program is insanely easy to defend against or detect its changes.

This is a good reminder to check your security if youre adminstating things like online shops or other stuff thag can be targeted at a similar fashion.

I work at a place where security is really high when it comes to server access. Today I was in urgent need to get admin access to a server, this is a real pain. Luckily I found an xml in version control containing the credentials for the web application which happens to be an admin account! Lucky me, saved me at least two weeks of waiting to get admin access!

Client: why do I have to use such a hard password for this website?

Me: For security reasons to protect your content and identity of your clients.

Client: Can't you just use the password that I'm used to? I use it on my banking software, and I've never been hacked so it should be good enough for you!

Me: what's the password that you want me to set up for you?

Client: you ready to take it down?

Me: go ahead.

Client: T ... U ... R ... D. You got that?

Me: ... Yes ...

*sigh*

For security purposes, it should be good practice to lock your pc when you walk away. At my office, we practice harmless pranks when someone forgets, to "teach them a lesson". Usually just involves reversing/inverting displays, reversing mouse buttons, or changing the desktop background like this (because everyone is a closet bronie apparently)

Welcoming security issues like

me: the source code is currently store on GitHub and we use GitHub Actions after each updates to compile your code into binary before deploying to your servers
client: storing source code on GitHub (external server) is insecure and breaks compliance
me: so i guess you will need to have a copy of the source code on all your servers and build them directly there (too cheap to have a separate build server) instead of using GitHub Actions
client: yeah
me: keep in mind that all your certificates and tokens are going to be store as plain text in all your servers so if a hacker gain access to anyone of your servers, they will have access to everything.
client: yeah, this is in compliance to our security policy

Saw this security blunder a while ago. Went onto some site and it showed me this username/password dialog (probably an apache's htpasswd or nginx one). Went away but returned quickly because I noticed I could see all content. Then I thought 'why the fuck not try?' so I dragged the auth popup thingy to the side of the screen and et voila... I could interact with the page as if nothing was wrong while the authentication popup was hovering above the page on the right!

I sat there giggling dramatically for a while.

Pro security tip:
Use a very simple password because h4x0rs expect a difficult one so they can't cr4ck yours

A security guy of a coffee shop takes advantage of his freetime to coding.

so yeah let's have conference about security but its perfectly fine to have registrations over non-secure connection!

Epic!!!!

!rant
I passed my Security+ cert exam! I know a lot of people say it's super easy, but it actually has a lot of really specific networking stuff, and some legacy tech specifics, etc.

Every time I got a mandatory security question, I type in "go fuck yourself with a cactus". There's only one answer for all of them.

At my previous job we had to complete an online security training exercise. It shows you how to behave secure in the work place, to not open unknown links etc. The scary part was that the entire training thing was BUILT IN FUCKING FLASH. So I'm suppose to listen to some god damn virus shitting flash application on how to do online security?! Get your shit together before teaching others.

My team manager showed me a web application of a new client and asked me if I can find vulnerabilities in it to push for a better product contract. She showed me the system architecture and asked me if I could try finding something from their login page. I politely refused since we don't have written permission to conduct a security audit (it's also a ministry website). She was pretty disappointed and idk if I'm doing the right thing not helping the company (I'm an intern but still). I'm sure I can scan in stealth but I don't think it's ethical on a corporate level. Thoughts?

Clicking "forgot my password" and getting a mail with my password in clear text. Sending a mail and asking why they don't care about security. The answer I'm getting is "it's a feature, makes things easier". Yeah...

This is just priceless. I submitted my thesis to an academic congress, which sent me this confirmation email. They are so 'concerned about security' that they assured me the email is legitimate by including MY PASSWORD.

It's a new semester and the introductory class for a General Ed is going on.
Prof: What do you want to be when you are done with engineering?
Me: I'd like to be in the security domain but I'm still not sure.
Prof: Then why are you doing Computer Science? You can just get a job as a security personnel.
FML.

WTF!!!!! I officially have someone trying to extort me just had this in my email box this morning!

--------

Hello,

My name is [name removed], I'm an IT security expert and I found a security issue on your website.
This email is personal and in no way related to any of my employers.

I was able to access to a lot of files which contains sensitive data.
I attached a screenshot of the files I found to this email.

I would be happy to give you the method I used to access these files in order to let you fix it.
Would be a monetary compensation possible?

Please forward this email to the right person, if your are not responsible for the security of the website.

Best Regards,
[name removed]

---

He can basically see the contents of my wp-config.php. How has he managed this?

"Ultron brings to you the best in security and encryption, directly taken from IE 5.5."

*screams internally*

First year at university, prepared to set up multiple electronics.
rPi, arduino Ethernet shield, laptop, and desktop.
Brand new netgear switch to satisfy my internet surfing needs....

After setting up my devices, I realized none of them have internet. Hm. The feed port on my switch wasn't blinking either. So I tell the front desk, and a short 7 days later the port is back on. Yay, problem solved.

One morning I arise to see the port dark and inactive. Furious I use my laptop to share an internet connection while my actual port is "broken".

Support ticket is reopened and this time I get an email saying the port was disabled due to a security issue.

Me: what's the issue?
IT: there was more than two devices connected to the port

(OnLy TwO dEvIcEs PeR port???)

Me: oh okay I will only connect two.

The next day the port is disabled, again.

Me: can you tell me why it was disabled?
IT: a switch was detected being used, security error.
Me: how do I connect more than one device to the port without a switch???
IT: ...
IT: Please only connect one device.

🤔

Today, the security department stopped our new project and told us to work on the last project instead because of a top-secret security flaw.

Problem is, they are not allowed to tell us what the problem is. FML

My security knowledge is so bad. But I don't know where should I start.😖
My coworkers know about this, so I don't get involved on related topics.🤤
Last time I asked same question, someone gave me link, and it all about DIY welding metal tubes into a security door.🤦‍♂️
Any better suggestion?

Someone ask to me as a security engineer.

Bro : what do you think about most secure way to authenticate, i read news using fingerprint no longer safe?
Me : yes they can clone your fingerprint if you take a photo with your fingerprint to camera.
Bro : so what is the other way to authenticate more secure and other people can't see in picture ?
Me : D*ck authentication is more secure now, other people can't see your d*ck pattern right?

programmer's child

My local library still hasn't noticed the change of name. They need to stop using a default password for the printer! Imagine how users would feel knowing private documents they scanned can be seen elsewhere? Making good passwords either needs to be incentivised, or factory passwords should be generated. Or I guess one day, people and maybe companies too will have such trash IoT security everywhere else too that you get the smart home hack from Mr Robot.

Seriously, it's dumb.

Thanks to mandatory password change, today:

- My windows account got locked because my phone kept logging into wifi using
old password.
- Google Hangouts were silently running in background with old session until I re-opened it. Work of others delayed by 4 hours due to missing message notifications.
- Docker for Windows lost credentials needed to use SMB mounts - 1h of debugging why my containers mount empty folders ( now I will know)
- Google G-Sync for Outlook asked for new password on outlook restart - few mails delayed.

All of that for sake of security that could be easily solved with 2FA instead, not faking that "I do not change number at the end of my password"

My boss just came to me and demanded that we drop the first layer of security from our new servers so that the snake oil salesmen he used can open test it. I did try to explain that you don't remove security to test security.

Tl;dr stupid password requirements

Begin quote

Password must not contain any non-alphanumeric characters.

Your Password change was not accepted. Enter your current Password correctly following the rules for New Passwords. Please try again.

Passwords must be between 8 and 12 characters in length and MUST contain each of the following:

At least 1 lower case character (a-z)
At least 1 upper case character (A-Z)
At least 1 numeric digit (0-9)

But, MUST NOT contain:

more than five repeating characters in a row (e.g. 111111356 would not be valid, but 112233445 would be valid)
spaces or other special characters

NOTE: Your new password cannot be the same as any of your 10 previous passwords.

End quote

Are you fucking kidding me? Only (26+26+10)^8 through
(26+26+10)^12 different passwords to go through? It's like the oxygen wasters that built this website give zero fucks about security.

Why? This is the site that manages money and investments. Just allow passwords up to 64 characters, allow any ascii character and just fucking encod the characters to prevent any Injunction.

The security on my school computers is a joke.
The standard student accounts have no user rights, but the "guest" account has admin rights???
The teachers private data is not secured, it's just hidden from explorer, so if you manually type in the folder location into the explorer bar, you can access the teacher's data. Not to mention everything is running on Windows 7 machines from 10 years ago.

I'm the best.
I started a project and 12 hours of work and 16 commits later I decide to reorganize the entire project focusing on security and user experience.

I'm a genius.

Secure security camera... :'D

IT security calls to tell me my new password, because it is poor practice to send it over encrypted message.

New password = password

I'm glad we are taking security so seriously!

I am really getting sick of recruiters contacting me with "great opportunities" then when I ask questions about the post they just give me the answers they think I want to hear. I know when you're lying because if you knew the answer you would have led with that. At least say you'll find out more and then give me a follow up response.

Recruiter: Would it be possible for you to deliver hacking training?
Me: You mean pentesting?
R: Yes, that.
Me: Well, what will it be used for? Breaking into peoples networks and spying on them?
R: Yes, they'll want it to be able to spy on people.
Me: Well, that's unethical, I'm only interested in defensive security practices.
R: Yes, they'll only want it for ethical reasons like defence and against bad guys.
Me: *dirtiest look I could muster*

I mean there's gullible and then there's what ever it is you think I am.

This is not fucking security, it's obscurity! What the fuck is a memorable word without any context! It drives me up the fucking wall. This doesnt help anyone it just promotes people to put silly shit like password or something so they won't forget but it just makes their account weaker.

I swear, the next time I hear a web developer say to me: "Yeah let's pretend as if the security hole in the website isn't there, because truth be told, i cannot be bothered to fix it."

Anyone who's interested in cyber security, go follow Binni Shah (@binitamshah) on Twitter. The amount of tutorials and guides she retweets is crazy and very informative.
Also if you're not on Twitter you're missing out on a lot of content to learn from ✌️

So after 6 months of asking for production API token we've finally received it. It got physically delivered by a courier, passed as a text file on a CD. We didn't have a CD drive. Now we do. Because security. Only it turned out to be encrypted with our old public key so they had to redo the whole process. With our current public key. That they couldn't just download, because security, and demanded it to be passed in the fucking same way first. Luckily our hardware guy anticipated this and the CD drives he got can burn as well. So another two weeks passed and finally we got a visit from the courier again. But wait! The file was signed by two people and the signatures weren't trusted, both fingerprints I had to verify by phone, because security, and one of them was on vacation... until today when they finally called back and I could overwrite that fucking token and push to staging environment before the final push to prod.

Only for some reason I couldn't commit. Because the production token was exactly the same as the fucking test token so there was *nothing to commit!*

BECAUSE FUCKING SECURITY!

Trying to log in as a vendor on a client's timesheet web portal,

Web only accessible on safari,

Latest Java must be installed,

Java security must be set to highest, but Java applet for 2 very specific domain must be allowed,

An Avast antivirus must be installed for reason as below,

Must access the web, wait for applet to run and check computer's security settings, only if it's satisfactory will then redirect to a login page,

In which I spent an hour trying to figure out why I cannot login with my username, until another friend has same problem, what in common between us is both our names are long, and after experimenting, we found out that inputting only 20 characters of our name enabled us to login,

After login another tiny app will be installed and activate a VPN, in which then we are able to access the actual system,

The VPN will only active for 15-20 minutes tops, after that we will be kicked out and had to repeat the whole process,

Sometimes it works, sometimes it's not, even worse sometimes the only way to make it work again is to restart the computer, and redo the steps in exact same way

*sigh

First rant.
How do I know the email is from twitter?
Easy, just check for https and if the links *contain* twitter.com. and the browser shows a padlock, its legit!
😒😒😒😒😒😒😒😒
I don't like these type of security tips.

Do they don't know SSL can be obtained for free
And twitter.com.somedomain.com can trick people too.

I think Twitter should update there security *tip* in the world where SSL is free and anybody can make a twitter.com sub domain. This can cause some trouble.

half day gone try to find or remember the password of some SSL/key/encrypt/crt/shit/whatever.

Blaming myself for hours, how could I not save the password somewhere?

#Enter Password:
(I pressed enter, no password).
it works.

I love IT security

Hey, DBA guy! Security blocked this one port for the database. Can you change the database to a different port?
Me: No, I actually like working here.

Have you heard that Facebook is developing a cryptocurrency?

Huge waste of money. Everyone knows Facebooks security flaws and will problably not invest in their cryptocurrency because of that.

I wanna make you feel what you have brought into my house!!

I was working with security cameras once in a home automation project. One of those camera particularly stand out by offering a cgi without password request to view and change the current passwort and username.

Seriously wtf is wrong with you? I mean this thing automatically connects to an internet service offering everyone to connect to it with that passwort and username. And I know some of you might say "hey chill the cgi is only available on the wifi" - dammit no. Security is a lifestyle do it complete or get the fuck out. God knows what other mistakes there might be hidden in that thing screaming out to everyone to watch me taking a shit.

But that's not the end of it. My company arranged a call to the technical support of that camera so that I can explain the problem and a patch gets released. Those guys didn't give a shit about it and were even laughing at me. Fuck you!

So whoever is responsible - I will find you - and you will never see me coming.

many from the outside world believe incognito is the purest form of anonymity and security.....because its logo has a suspicious man with a hat and an overcoat

I'm at a Dutch Meet-up about security and privacy. Quite interesting. Any Dutch ranters here as well?

We developed this website plus custom CMS for an university. I told them that we could host the entire system and take care of it for an annual fee but they decided to host it in house because security. The IT guy didn't ask for my public key, he sent me a password. By email. Less than 8 characters long. Only recognizable abbreviated words. And a dot.

"Using MD5" !? What year are we in again?

NOTICE OF DATA BREACH

Dear Yahoo User,
We are writing to inform you about a data security issue that may involve your Yahoo account information. We have taken steps to secure your account and are working closely with law enforcement.
...
What Information Was Involved?

The stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5)

Saw a classmate returning an plain text password from a function to try to push it in a JSON file for an API we have to build for class.

I try to correct him and show him a few things that are better practices and for security, I get yelled at and called a know-it-all for trying to help... I'm so done with people -.-

A team at school spent 3-4months on an eStore web app, for selling items. The title was "Securing your eStore".

When they were done with their presentation, the examinator asked: "But... You haven't said a thing about the security part."

"Oh, sure we did, as we showed you, we added validation on the email address and credit card text fields etc. If you press the Pay button here, you will get an alert()-dialog telling you which fields are invalid..."

Security fail here. I've just started a PPI claim and have been provided a link to a so called "very secure" client area.

There are no username or passwords and the screenshot is not a first time sign up screen.

All I need to login is a surname, postcode and DOB - all information easy enough to find online.

Pretty bad IMO, esp, so considering the effort required to add a proper login using a username/password combination.

I mean I'm logged in now and have no option to set an account password :|

Seems like my connection to much-security isn't so... secure 😂
Didn't you forget something, @linuxxx?

Apple's security fix for Meltdown just came in!

Conversion topic: a security feature the PM doesn't like
PM: but WordPress doesn't do this.
Me: yes but WP is hacked every couple weeks and isn't exactly a security standard!
Debate continues for 5 minutes... And I'm forced to remove the feature 😑

Just a rant... It really sucks to work with maven on a security-paranoid financial institution enforcing ntml proxy auth...

Also usb ports disabled... :(

During a design meeting, our boss tells me that Vertx's MySQL drivers don't have prepared statements, and that in the past, he's used a library or his own functions to do all the escaping.

"Are you kidding me? Are you insane?"

I insisted that surely he must be wrong; that no one would release a database library without built in support for query arguments. Escaping things by hand is just asinine and a security risk. You should always use the tools in the database drivers, as new security vulnerabilities in SQL drivers can be found and fixed so long as you keep your dependencies up to date.

He told me escaping wasn't as tricky as I made it out to be, that there were some good libraries for it, and insisted Vertx didn't have any built in support for "prepared statements." He also tried to tell us that prepared statements had performance issues.

He searched specifically for "prepared statements" and I was like, "You know they don't have to be called that. They have different names in different frameworks."

Sure enough, a short search and we discovered a function in the Vertx base database classes to allow SQL queries with parameters.

I find it hilarious the total misconception of hacking that the general public has. I tell people I know cyber security (Not as much as a lot of people around here) but it is a hobby of mine and I find it very useful/interesting.

But I can't stop but laugh when someone is like, can you get all the text messages my bf receives?

Can you hack this for me can you back that?

C'mon even if I knew how to do that without being caught you think I would even admit that to you. Do hackers just walk around with an index card pasted to their forehead of their skill? It's not even slightly reasonable to think this lol even for someone who doesn't know about the field

When an application has tons of security holes and fixes never make it into sprint prioritization because "they're not new features"

First day at my new work.
They gave me a Mac to deal with security on servers.

Wtf??

Question for Web Server Gurus and Security Ninjas.

How to prevent bots, crawlers, spammers sending various numerous requests to your web servers?

There have been numerous requests to routes like /admin /ssh /phpmyadmin etc etc and all kinds of stuff to the web server.

Is there a way to automatically block those stupid IPs :/

What the actual f. I just changed my password on uplay to a 30 character password which works fine on the web account manager. Apparantly some moron decided to limit password field in the uplay client where your actual games are stored to 17 or 18 characters.

And that while they want to "improve" security. Please ubisoft, fix your shit

!dev

I'm checking out at Walgreens right now and have an item with a security device on it. The cashier just took a pair of scissors to it. Didn't work obviously and now I think she's trying to rip the cords off the box

Every week in my intro to information security class we are asked about what security stuff has gone down in the past week. Equifax is making it incredibly easy to not have to do much research.

Privacy peeps, what's your opinion on usage of surveillance for national defence, domestic security, etc. ?
I'm just curious, most privacy-minded people I know generally trip up when confronted with stuff like "yeah, but if surveillance was a thing then that blast which killed 20 people yesterday could have been averted."
I've heard quite a few opinions on both sides, what's yours?

I don't know why is that everytime you guys find a security bug or a data leak or that someone is saving plain passwords on their database, you try to cover and censor the company name. Listen people, fuck the company and their name and their brand if someone's data might be in danger. Everybody should be aware of what is happening with their personal information.

Also, maybe would be great if devRant would let users to post anonymous rants for this kind of issues or a special thread with latest news about our online security.

The one thing more annoying than my girlfriend is the chain of mail I get from Github saying,

"One of your dependencies has a security vulnerability."

Question

What server monitoring do you use, both for statistics and security?

--------------------
tl;dr ends here

Ideally I would like to have one clean dashboard that shows me all the nodes I have, proxmox already offers a great range of stats - but it is a page per container etc. so not ideal, I thought of having datadoghq, but their per host pricing is huge, since I have more than 5 hosts to track.

PM asked me to develop an application to fetch data from the customer's DB, which would require an access security token provided by the customer. To get the token, I would have to travel to Germany (I live in Portugal) to get it personally (it's not possible to have someone else pick it up for me).

It turns out the security token is a completely closed environment, with its own OS, without the possibility of installing any application or communicating with the exterior. The laptop itself would boot from the token's OS.

It was concluded I would have to hack the security token, which is completely non compliant. So the PM decided not to go forward with it.

But now, I have to go Germany anyway to pick up the security tokens because they forgot to order them for these other guys who would be using them to access the customer's DB manually and they don't want to delay the project anymore.

Oh, and the security tokens cost the project 500€/month each...

Apache Tomcat vulnerability "GHOSTCAT" allows read conduct files and implant web shells. All versions in the last 13 years vulnerable.

According to Security Researcher of Chaitin Tech : Due to a flaw in the Tomcat AJP protocol (the channel for Tomcat to connect to the outside, pass them to the corresponding web application for processing and return the response result of the request), an attacker can read or include any files in the webapp directories of Tomcat.

For example, An attacker can read the web-app configuration files or source code. In addition, if the target web application has a file upload function, the attacker may execute malicious code on the target host by exploiting file inclusion through "GHOSTCAT" vulnerability.

Apache Tomcat has officially released versions 9.0.31, 8.5.51, and 7.0.100 to fix this vulnerability.

When you've been looking forward to a lecture on security only to find out you have to hack their website in order to register and you're completely lost 😫

Mozilla will update the browser to DNS-over-HTTPS security feature to all Firefox users in the U.S. by default in the coming weeks.

According to the report of TechCrunch : Whenever you visit a website ; even if it's HTTPS enabled, the DNS query that converts the web address into an IP address that computers can read is usually unencrypted. DNS-over-HTTPS or DoH encrypts the request so that it can not be intercepted or hijacked in order to send a user to a malicious site. These unencrypted DNS queries can also be used to snoop on which websites a user visits. The feature relies on sending DNS queries to third-party providers such as Cloudflare and NextDNS which will have their DoH offering into Firefox and will process DoH queries. Mozilla also said it plans to expand to other DoH providers and regions.

A couple of days ago, an individual attempted to convince me that the National Security Agency is capable of cracking Rijndael encryption; as a response, I informed the individual of the infeasible nature of the factoring of extremely large semiprimes; however, my attempts were futile, as the individual believes that NSA possesses sufficient power to crack this encryption without intercepting the transmission of the corresponding private key.
The Dunning-Kruger effect is real; although this individual tends to be logically-minded, there does exist an exception to this good behaviour.

"It is easier to square a circle than get 'round a mathematician."

Security Issues with Chrome:
My dad was just saying that his work wouldn't let him use Google Chrome because of its supposed 'security issuse'. Just wondered if anyone knew of any real 'security issuse' with chrome that are legitimate? Or is it all just rumours...

What's a good password manager for Linux?

A few (optional) conditions (in order of preference):
1. It's free
2. It supports ssh, gpg, etc.
3. It has a GUI (a nice one with gtk/qt support)
4. It's (properly) secure
5. It has FIDO U2FA support (i.e. supports physical security keys like Yubikey or Solo)
6. It has a browser extension
7. It's compatible/non-conflicting with gnome-keyring

Cryptography and Network Security
<william Stallings>

Got the book ^ ^
Feel free to comment any cool book about security :)

I was taught that an IDS is a passive protection method, and an IPS is active. My security+ boot camp is trying to tell me IDS is active. Thoughts?

And yes, I'm still studying for this, I've been avoiding it because I'm salty I failed by one. But now it's a requirement, so I have no more time to avoid. :(

Security check at the airport, I hand hover my surface pro as usual, the guy asked if I have also an ipad... Lol man I don't need that expensive toy limited to stupid apps

I reached out to a developer who's site was being contracted out to Amazon devs, because when their site launched it had a couple of security issues. This was his response:

"An additional thought/opinion... Just because a college freshman from Arizona wasn't too hungover to make the effort to notify us and take the liberty of classifying this as a security issue for us doesn't mean we need to take their word for it."

When customers pretend to really care about security but then share server folders to "everyone" 🤨

People, even on devrant, are complaining about having to change their Twitter passwords. A major security event is not the only occasion to change your password (for anything).

You should change your passwords for everything regularly. Like, once every month or two.

This is why password managers are brilliant.

Three-factor authentication:
1. Setup an Amazon.com account.
2. Setup an Amazon Web Services account under the same e-mail address
3. Setup two-factor authentication for both systems.
4. Login to Amazon Web Services in a new browser session, and you'll be required to provide BOTH security tokens at login (Amazon.com first, then AWS second.)

Why is it that security (hacking) distros went so popular?

I see more and more posts pictures even on devrant featuring them. Even I see people at my uni that are on kali. I can't believe all of them are that into security. I even know two linux noob friends that wont listen to advice and went to kali as first distro.

I'd never use kali/parrot/whatever vs my current manjaro setup... I'd rather go back to arch.

So, the Network I was on was blocking every single VPN site that I could find so I could not download proton onto my computer without using some sketchy third-party site, so, being left with no options and a tiny phone data plan, I used the one possible remaining option, an online Android emulator. In the emulator running at like 180p I once again navigated to proton VPN, downloaded the windows version, and uploaded it to Firefox send. Opened send on my computer, downloaded the file, installed it, and realized my error, I need access to the VPN site to log in.

In a panic, I went to my phone ready to use what little was left of data plan for security, and was met with no signal indoors. Fuck. New plan. I found a Xfinity wifi thing, and although connecting to a public network freaked me out, I desided to go for it because fuck it. I selected the one hour free pass, logged in, and it said I already used it, what? When?, So I created a new account, logged in, logged into proton, and disconnected, and finally, I was safe.

Fuck the wifi provider for discouraging a right to a private internet and fuck the owner for allowing it. I realize how bad it was to enter my proton account over Xfinity wifi, but I was desperate and desperate times call for desperate means. I have now changed my password and have 2fa enabled.

Anybody else feel like their Internet traffic constanty being monitored after downloading pen testing tools?

Have our identities been added to lists of potential cyber criminals :/

Thoughts?

(For ethical purposes - involving your own site's security!!)

‪People who are shitting on a chrome browser for desktop because of security reasons, but using it on their phones - you are mental.

Today we start working on a app that learns biometric data from the user for extra security, so if some one else uses my account... The system would know and shuts the bad user out. Although we use an api for the biometric data collection, it's still epic! 😀😀😀

Only bad thing is that the deadline is next week

Quick question:
Anyone here has any apps that they want to get tested for vulnerabilities and stuff?
I am training for job in it-security field but it's hard to find a starting point for testing a real app/site/whatever
So I would like to test some stuff you guys make, just for fun

Ugh, been debating with a client for an hour about basic backups and security practices and want to tear my hair out. How do you guys deal with stubborn clients?

So I was like "imma be smart with my internet security and put 2 factor on my GitHub" only to find out I'm getting authenticating errors on trying to push. Disabling 2FA makes it work again.

GitHub y u do dis D:

Security level: Consuela

[OC] Microsoft security

They tell me to only review security in the security reviews I'm doing (and if I bring to attention that they're implementing a weak encryption so even though they're not using it at the moment it might cause issues so be careful with that they say to only review security 😵) and then I see this mssql in a where:
AND ISNULL(field, 0) IS NULL
And I think wtf, should I report that? I did and it's a bug and they're thanking me now....
God dammit it's hard to "review security" here...

How did you learn cyber security, especially pentesting ?

I know that making VM lab and/or doing CTFs and reading writeups can help a lot, but is there any more "formal" way to get into things like pentesting etc. ?

(Without having to pay for OSCP, Sans and all this)

A very suspicious thing happened at work last Friday, security team told me to uninstall adblockplus and disconnect.me plugin 😟

Just found the most embarrassing security hole. Basically a skelleton key to millions of user data. Names, email addresses, zip codes, orders. If the email indicates a birthdate, even more shit if you chain another vector. Basically an order id / hash pair that should allow users to enter data AND SHOULD ONLY AUTHORIZE THEM TO THE SITE FOR ENTRING DATA. Well, what happend was that a non mathing hash/id pair will not provide an aith token bit it will create a session linked to that order.

Long story short, call url 1 enter the foreign ID, get an error, access order overview site, profit. Obviously a big fucking problem and I still had to run directly to our CEO to get it prioritized because product management thought a style update would be more important.

Oh, and of course the IDs are counted upwards. Making them random would be too unfair towards the poor black hats out there.

!rant
Recently I started to be interested in how code actually work. I do a for-loop or an if-statement but how do they actually work at the lowest level.

Another thing I've been interested in is security. I thought about learning how to hack my own systems in order to learn how to write more secure code and keep people out. But I'm a little afraid that as soon as I start look at how to hack, the police will storm through the window and take my computer 😂😂

Wowza..... Security certifications get expensive! Gonna have to spend half the week writing one hell of a business case for the certs my team needs!

@linuxxx
Can you do a security / privacy check for ProtonVPN? All I know is that it is Switzerland based and pretty much secure.

Sux Security: Banking site asked me to set up 3 "security questions" for validation purposes. When I typed in my responses they were obfuscated behind asterisks.

When I log in later, from a different computer than usual, and am prompted for the answer to one of the security questions my answers appear in clear text.

Tomorrow I must present a summery of what the prof said in the first session of security+ within 20 min.
All he said was about the most important security certs and some definitions including CIA triangle.

Any idea how I can make my summery cooler or anything relative I can say in addition to those?

What the best way to learn about hacking and cyber security??

I think that my interview on Tuesday went well, 2 hours after the interview, i got invitation to second round of interviews and a simple " find security flaws in this code" test by email

It may have something to do with the fact that first thing in said i interview was: here is a list of security issues on the recruitment system you are using, it apparently stores passwords in plaintext and ******(Redacted)******

I'm feeling pretty good right now

I've implemented my own version of IoT all over my room and home.

Hope the protocol I've designed has proper security...

Mfw on azure/iot conference, one presenter shows his certificate validation, to connect to all devices in his house:

return true;

He said:
"lets not be paranoid about security"

Well for starters the website that gave you assignments on security of web applications shouldn't have an SQL injection vulnerability on the login page.

Next would be the method of teaching, they would skip what not to do and go straight to what you should do. This in turn causes people to use the exec command in php that actually takes a POST parameter.

And stop allowing teachers to be lazy fucks that don't explain shit and only give you assignments.

And finally when telling the teacher that a method he uses would cause another vulnerability the teacher should properly fix this issue not say it is for an "advanced course".

Yes I am pissed

Dude at work floats the idea of creating separate Github accounts for personal and work for security. My response:

While we're discussing options, we should also consider maintaining a list of users as a CSV^H^H^H MS Excel file, and install an authentication server that runs off the laptop of an "IT Administrator". That way it'll be super secure because hackers cannot access any system outside of working hours, as well as the days that said admin is off from work.