Search - "attacks"
1995: Viruses create funny VGA effect
2000: Viruses send SPAM e-mails
2010: Viruses steal credentials
2016: Viruses launch DDoS attacks
2017: Viruses demand ransom
2018: Viruses mine crypto coins
Welcome back to practiseSafeHex's most incompetent co-worker!
*sitcom audience cheers*
Thank you, thank you. Ok so far we've had a developer from hell and a CEO who shot to fame for being the first rectum to receive a passport and be given a job.
2 pretty strong entrants if you ask me. But it's time to slow it down and make sure everyone gets a fair chance. It's not all just about the psychopaths and assholes, what about the general weirdos and the stoners who just made life awkward?
So here we go, Most incompetent co-worker, candidate 3, "A".
"A" was a bit of an unusual developer, despite having a few years experience in his home country, he applied for an unpaid internship to come work with us ... probably should have rung alarm bells but hey we were all young and dumb back then.
I had to say I felt very bad for A, as he suffered from 2 very serious, and job crippling personal conditions / problems
- Email induced panic attacks
- Extreme multifaceted attachment disorder (also known in layman terms as "get the fuck away from me, and do your job" syndrome)
While he never openly discussed these conditions, it was clear from working with him, that he had gone undiagnosed for years. Every time an email would come in no matter how simple ... even the services team asking to confirm his staff ID, would send him into a panic causing him to drop everything he was doing and like a homing missile find me anywhere in the building and ask me what to do.
Actually "A" also suffered from a debilitating literacy issue too, leaving him completely unable to read our internal wikis himself. Every week we had to follow a set of steps to upgrade something and every week to mask his issue, he'd ask me what to do instead ... no matter how many times I sat with him previously ... must have been truly embarrassing for him.
But "A"'s finest moment in the company, by far, was the day where out of the blue, at the top of his voice (as if wearing headphones ... without wearing headphones) he asked
"DO YOU KNOW ANYONE WHO SELLS POT?"
... why no, manager of the entire department standing behind you, I do not
... why no, tech lead talking to manager, I do not
... why hello 50% of my team staring at me ... no "A", I do not!
Needless to say all our team meetings were a little awkward for the next few weeks after that but hey who doesn't like being thought of as a stoner / drug dealer by their team mates huh?
Will A make it to the top of the list of most incompetent? Well he has some truly logic-defying competition yet to be announced.
Tune in later for more practiceSafeHex's most incompetent co-worker!!!
So someone is constantly ddos'ing the privacy/security blog.
Just wondering if they really think that 500 hits a second will bring the site down?!
500 h/s consumes about 0.1 percent CPU and 1mb/s.
At least give me a challenge 😥
Hacking/attack experiences...
I'm, for obvious reasons, only going to talk about the attacks I went through and the *legal* ones I did 😅 😜
Let's first get some things clear/funny facts:
I've been doing offensive security since I was 14-15. Defensive since the age of 16-17. I'm getting close to 23 now, for the record.
First system ever hacked (metasploit exploit): Windows XP.
(To be clear, at home through a pentesting environment, all legal)
Easiest system ever hacked: Windows XP yet again.
Time it took me to crack/hack into today's OS's (remote + local exploits, don't remember which ones I used by the way):
Windows: XP - five seconds (damn, those metasploit exploits are powerful)
Windows Vista: Few minutes.
Windows 7: Few minutes.
Windows 10: Few minutes.
OSX (in general): 1 Hour (finding a good exploit took some time, got to root level easily afterwards. No, I do not remember how/what exactly, it's years and years ago)
Linux (Ubuntu): A month approx. Ended up using a Java applet through Firefox when that was still a thing. Literally had to click it manually xD
Linux: (RHEL based systems): Still not exploited, SELinux is powerful, motherfucker.
Keep in mind that I had a great pentesting setup back then 😊. I don't have nor do that anymore since I love defensive security more nowadays and simply don't have the time anymore.
Dealing with attacks and getting hacked.
Keep in mind that I manage around 20 servers (including VPSs and dedis) so I get the usual amount of ssh brute force attacks (thanks for keeping me safe, CSF!) which is about 40-50K every hour. Those IPs automatically get blocked after three failed attempts within 5 minutes. No root login allowed + RSA key login with freaking strong passwords/passphrases.
linu.xxx/much-security.nl - All kinds of attacks, application attacks, brute force, DDoS sometimes but that is also mostly mitigated at provider level, to name a few. So, except for my own tests and a few DDoSes on both those domains, nothing really threatening. (as in, nothing seems to have fucked anything up yet)
How did I discover that two of my servers were hacked through brute forcers while no brute force protection was in place yet? Installed a barebones Ubuntu server onto both. They only come with system-default applications. Tried installing Nginx next day, port 80 was already in use. I always run 'pidof apache2' to make sure it isn't running and thought I'd run that for fun while I knew I didn't install it and it didn't come with the distro. It was actually running. Checked the auth logs and saw successful root logins - fuck me - reinstalled the servers and installed Fail2Ban. It bans any IP address which had three failed ssh logins within 5 minutes:
Enabled Fail2Ban -> checked iptables (iptables -L) literally two seconds later: 100+ banned ip addresses - holy fuck, no wonder I got hacked!
One other kind/type of attack I get regularly but if it doesn't get much worse, I'll deal with that :)
Dealing with different kinds of attacks:
Web app attacks: extensively testing everything for security vulns before releasing it into the open.
Network attacks: Nginx rate limiting/CSF rate limiting against SYN DDoS attacks for example.
System attacks: Anti brute force software (Fail2Ban or CSF), anti rootkit software, AppArmor or (which I prefer) SELinux which actually catches quite some web app attacks as well and REGULARLY UPDATING THE SERVERS/SOFTWARE.
So yah, hereby :P
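An added example, not part of the rant above: the two checks the ranter describes, written as a small Python script against a few constructed sshd lines in auth.log format (the IPs, hostnames and timestamps are made up). `find_bans` applies the same rule as the Fail2Ban jail mentioned in the rant (three failures from one IP inside a 5-minute window, the `maxretry`/`findtime` pair in Fail2Ban terms), and `find_root_password_logins` pulls out the line that actually gave the game away: a successful password login as root. The year passed to `parse_ts` is an assumption, since syslog timestamps carry none.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd lines in Linux auth.log format (not real traffic). Two IPs fail
# three times each: 203.0.113.7 inside five seconds, 198.51.100.9 ten minutes apart.
SAMPLE_AUTH_LOG = """\
Mar 10 02:14:01 vps1 sshd[2201]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar 10 02:14:03 vps1 sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Mar 10 02:14:06 vps1 sshd[2205]: Failed password for root from 203.0.113.7 port 51140 ssh2
Mar 10 02:15:30 vps1 sshd[2210]: Failed password for root from 198.51.100.9 port 40010 ssh2
Mar 10 02:25:31 vps1 sshd[2211]: Failed password for root from 198.51.100.9 port 40011 ssh2
Mar 10 02:35:32 vps1 sshd[2212]: Failed password for root from 198.51.100.9 port 40012 ssh2
Mar 10 03:01:10 vps1 sshd[2300]: Accepted password for root from 203.0.113.7 port 51200 ssh2
Mar 10 03:05:00 vps1 sshd[2310]: Accepted publickey for deploy from 192.0.2.4 port 60000 ssh2
"""

TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)"
FAILED_RE = re.compile(
    TS + r" \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)
ACCEPTED_RE = re.compile(
    TS + r" \S+ sshd\[\d+\]: Accepted (?P<method>password|publickey) for (?P<user>\S+) from (?P<ip>[\d.]+)"
)


def parse_ts(ts, year=2024):
    # syslog timestamps have no year; the year is an assumption for this example
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_bans(log_text, maxretry=3, findtime_seconds=300):
    """Return {ip: time_of_ban} for every IP with >= maxretry failed logins
    inside a sliding window of findtime_seconds (the Fail2Ban sshd jail rule)."""
    windows = defaultdict(deque)   # ip -> timestamps of recent failures
    banned = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m or m["ip"] in banned:
            continue
        t = parse_ts(m["ts"])
        q = windows[m["ip"]]
        q.append(t)
        # drop failures that fell out of the window
        while q and (t - q[0]).total_seconds() > findtime_seconds:
            q.popleft()
        if len(q) >= maxretry:
            banned[m["ip"]] = t
    return banned


def find_root_password_logins(log_text):
    """Successful *password* logins as root: on a box that should only allow
    key logins and no root login, any hit here means the host is owned."""
    hits = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.match(line)
        if m and m["user"] == "root" and m["method"] == "password":
            hits.append((m["ts"], m["ip"]))
    return hits


if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_AUTH_LOG).items():
        print(f"ban {ip} at {when:%H:%M:%S}")
    for ts, ip in find_root_password_logins(SAMPLE_AUTH_LOG):
        print(f"ROOT PASSWORD LOGIN from {ip} at {ts}")
```

Only 203.0.113.7 gets banned: 198.51.100.9 also failed three times, but never three inside one window, which is exactly the kind of slow brute force the rant's "40-50K every hour" figure suggests is out there and that a 3-in-5-minutes rule will not catch on its own.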
How to secure yourself from flash 0-day attacks:
1. Uninstall flash
2. Don't reinstall flash
3. Seriously, you don't need flash
Fuck Microsoft.
No, not in any relation to windows this time.
Dear Microsoft, why on earth did you put us on your spam blacklist? There haven't been any spam attacks from our side, our servers have nearly the highest 'reputation' that email servers can get, we comply with all security standards and yet you're blacklisting us.
If for some reason you think something is wrong at our side anyways, we've tried to contact you and we either get ignored or get a very late response saying that we'll get delisted again within a day/week or whatsoever.
Microsoft, please go fuck yourself.
One week, and it turned out to be worse than that.
I was put on a project for a COVID-19 program in America (The CARES Act). The financial team came to us on Monday morning and said they need to give away a couple thousand dollars.
No big deal. All they wanted was a single form that people could submit with some critical info. Didn't need a login/ registration flow or anything. You could have basically used Google Forms for this project.
The project landed in my lap just before lunch on Monday morning. I was a junior in a team with a senior and another junior on standby. It was going to go live the next Monday.
The scope of the project made it seem like the one week deadline wasn't too awful. We just had to send some high priority emails to get some prod servers and app keys and we were fine.
Now is the time where I pause the rant to express to you just how fine we were decidedly **not**: we were not fine.
Tuesday rolls around and what a bad Tuesday it was. It was the first of many requirement changes. There was going to need to be a review process. Instead of the team just reading submissions from the site, they needed accept and reject buttons. They needed a way to deny people for specific reasons. Meaning the employee dashboard just got a little more complicated.
Wednesday came around and yeah, we need a registration and login flow. Yikes.
Thursday came and the couple-thousand dollars turned into a tens of millions. The amount of users we expected just blew up.
Friday, and they needed a way for users to edit their submissions and re-submit if they were rejected. And we needed to send out emails for the status of their applications.
Every day, a new meeting. Every meeting, new requirements that were devastating given our timeframe.
We put in overtime. Came in on the weekend. And by Monday, we had a form that users could submit and a registration/ login flow. No reviewer dashboard. We figured we could take in user input on time and then finish the dashboard later.
Well, financial team has some qualms. They wanted a more complicated review process. They wanted roles; managers assign to assistants. Assistants review assigned items.
The deadline that we worked so hard on whizzed by without so much as a thought, much less the funeral it deserved.
Then, they wanted multiple people to review an application before it was final. Then, they needed different landing pages for a few more departments to be able to review different steps of the applications.
Ended up going live on Friday, close to a month after that fateful Monday which disrupted everything else I was working on, effective immediately.
I don't know why, but we always go live on a Friday for some reason. It must be some sort of conspiracy to force overtime out of our managers. I'm baffled.
But I worked support after the launch.
And there's a funny story about support too: we were asked to create a "submit an issue" form. Me and the other junior worked on it on a Wednesday three weeks into the project. Finished it. And the next day it was scrapped and moved to another service we already had running. Poor management like that plagued the project and worked in tandem with the dynamic and ridiculous requirements to make this project hell.
Back to support.
Phone calls give me bad anxiety. But Friday, just before lunch, I was put on the support team. Sure, we have a department that makes calls and deal with users. But they can't be trained on this program: it didn't exist just a month ago, and three days ago it worked differently (the slippery requirements never stopped).
So all of Friday and then all of Saturday and all of Monday (...) I had extended panic attacks calling hundreds of people. And the team that was calling people was only two people. We had over 400 tickets in the first two days.
And fuck me, stupid me, for doing a good job. Because I was put on the call team for **another** COVID project afterwards. I knew nothing about this project. I have hated my job recently. But I'm a junior. What am I gonna say, no?
This rant is a confession I had to make, for all of you out there having a bad time (or year), this story is for you.
Last year, I joined devRant and after a month, I was hired at a local company as an IT god (just joking but not far from what they expected from me), developer, web admin, printer configurator (of course) and all that in my country it's just called "the tech guy", as some of you may know.
I wasn't in immediate need for a full-time job, I had already started to work as a freelancer then and I was doing pretty good. But, you know how it goes, you can always aim for more and that's what I did.
The workspace was the usual, two rooms, one for us employees and one for the bosses (there were two bosses).
Let me tell you right now. I don't hate people, even if I get mad or irritated, I never feel hatred inside me or the need to think bad of someone. But, one of the two bosses made me discover that feeling of hate.
He had a snake-shaped face (I don't think that was random), and he always laughed at his jokes. He was always shouting at me because he was a nervous person, more than normal. He had a tone in his voice like he knew everything. Early on, after being yelled for no reason a dozen of times, I decided that this was not a place for me.
After just two months of doing everything, from tech support to Photoshop and to building websites with WordPress, I gave my one month's notice, or so I thought. I was confronted by the bosses, one of which was a cousin of mine and he was really ok with me leaving and said that I just had to find a person to replace me which was an easy task. Now, the other boss, the evil one, looked me on the eye and said "you're not going anywhere".
I was frozen like, "I can't stay here". He smiled like a snake he was and said "come on, you got this we are counting on you and we are really satisfied with how you are performing till now". I couldn't shake him, I was already sweating. He was rolling his eyes constantly like saying "ok, you are wasting my time now" and left to go to some basketball practice or something.
So, I was stuck there, I could have caused a scene but as I told you, one of the bosses was a cousin of mine, I couldn't do anything crazy. So, I went along with it. Until the next downfall.
I decided to focus on the job and not mind for the bad boss situation but things went really wrong. After a month, I realised that the previous "tech guy" had left me with around 20 ancient Joomla - version 1.0 websites, bursting with security holes and infested with malware like a swamp. I had never seen anything like it. Everyday the websites would become defaced or the server (VPN) would start sending tons of spam cause of the malware, and going offline at the end. I was feeling hopeless.
And then the personal destruction began. I couldn't sleep, I couldn't eat. I was having panick attacks at the office's bathroom. My girlfriend almost broke up with me because I was acting like an asshole due to my anxiety issues (but in the end she was the one to "bring me back"(man, she is a keeper)) and I hadn't put a smile on my face for months. I was on the brink of depression, if not already there. Everyday I would anxiously check if the server is running because I would be the one to blame, even though I was trying to talk to the boss (the bad one was in charge of the IT department) and tell him about the problem.
And then I snapped. I finally realised that I had hit rock bottom. I said "I can't let this happen to me" and I took a deep breath. I still remember that morning, it was a life-changing moment for me. I decided to bite the bullet and stay for one more month, dealing with the stupid old server and the low intelligence business environment. So, I woke up, kissed my girlfriend (now wife), took the bus and went straight to work, and I went into the boss's office. I lied that I had found another job on another city and I had one month in order to be there on time. He was like, "so you are leaving? Is it that good a job the one you found? And when are you going? And are you sure?", and with no hesitation I just said "yup". He didn't expect it and just said "ok then", just find your replacement and you're good to go. I found the guy that would replace me, informing him of every little detail of what's going on (and I recently found out, that he is currently working for some big company nowadays, I'm really glad for him!).
I was surprised that it went so smoothly, one month later I felt the taste of freedom again, away from all the bullshit. Totally one of the best feelings out there.
I don't want to be cliche, but do believe in yourself people! Things are not what the seem.
With all that said, I want to give my special thanks to devRant for making this platform. I was inactive for some time but I was reading rants and jokes. It helped me to get through all that. I'm back now! Bless you devRant!
I'm glad that I shared this story with all of you, have an awesome day!
So, i tried to demonstrate my roommate how many people push their credentials to github by searching for "password remove" commits.
I decided to show him the file and noticed something interesting. A public IP, and mysql credentials.
I visit the IP and what do i see there, a directory listing with a python script, which injects the database into a webpage (???) and a log of all http requests. Lots of failed attacks aiming at the PHP CGI. Still wondering how they failed on a python server 🤔🤔🤔
Edit phpmyadmin to connect to the mysql database. Success.
Inserted a row telling him that his password is on github. Maybe i should also have told him how to actually remove it. 😅
Yes, root can login from %
This is how far i can get with my current abilities.
------------------------------
Scary how insecure this world is.
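An added example, not code from the rant above: a small Python scanner for the kind of "password remove" commit the ranter searched for. It reads a unified diff (the one below is constructed, with documentation-range IPs and a made-up password) and flags credential-looking material on both the removed and the added side. The point the ranter hints at in the last line is the second function: a secret on a `-` line was committed earlier, so deleting it from the working tree leaves it in history, and the fix is rotating the credential (and rewriting or dropping the history), not the removal commit itself.

```python
import re

# Constructed diff standing in for a "remove password" commit; not from a real repo.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,6 +1,6 @@
 import os
-DB_HOST = "203.0.113.45"
-DB_USER = "root"
-DB_PASSWORD = "hunter2hunter2"
-DB_URL = "mysql://root:hunter2hunter2@203.0.113.45:3306/shop"
+DB_HOST = os.environ["DB_HOST"]
+DB_USER = os.environ["DB_USER"]
+DB_PASSWORD = os.environ["DB_PASSWORD"]
+DB_URL = os.environ["DB_URL"]
 DEBUG = True
"""

# Patterns are deliberately simple; a real scanner would add entropy checks and
# provider-specific token formats. Order matters: first match per line wins.
SECRET_PATTERNS = {
    # password = "..." / secret: '...' style assignments with a literal value
    "assignment": re.compile(
        r"(?i)\b(?:db_)?(?:pass(?:word)?|secret|token|api_key)\b\s*[:=]\s*[\"']([^\"']{6,})[\"']"
    ),
    # user:password@host embedded in a connection URL
    "url_credential": re.compile(r"\b[a-z][a-z0-9+.-]*://([^\s:/@]+):([^\s@/]+)@"),
    # a literal IPv4 address: not a secret by itself, but the ranter found the
    # server through exactly this
    "ipv4_literal": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def scan_diff(diff_text):
    """Return one finding per changed line that matches a credential pattern."""
    findings = []
    for line in diff_text.splitlines():
        # skip file headers (---/+++), hunk headers and unchanged context
        if line.startswith(("+++", "---")) or not line or line[0] not in "+-":
            continue
        side = "removed" if line[0] == "-" else "added"
        body = line[1:]
        for kind, pattern in SECRET_PATTERNS.items():
            if pattern.search(body):
                findings.append({"side": side, "kind": kind, "line": body.strip()})
                break
    return findings


def needs_rotation(findings):
    """Secrets on removed lines were committed before this change and are still
    in history, so each of these must be rotated rather than just deleted."""
    return [f for f in findings if f["side"] == "removed"]


if __name__ == "__main__":
    found = scan_diff(SAMPLE_DIFF)
    for f in found:
        print(f"{f['side']:7} {f['kind']:15} {f['line']}")
    print(f"{len(needs_rotation(found))} credential(s) still live in git history")
```

Run against the sample, the added lines are clean (they read from the environment) and three removed lines are flagged; `git log -p` on a real repo would show those same lines for as long as the commit exists, which is what makes the "password remove" search in the rant work at all.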
Example #1 of ??? Explaining why I dislike my coworkers.
[Legend]
VP: VP of Engineering; my boss’s boss. Founded the company, picked the CEO, etc.
LD: Lead dev; literally wrote the first line of code at the company, and has been here ever since.
CISO: Chief Information Security Officer — my boss when I’m doing security work.
Three weeks ago (private zoom call):
> VP to me: I want you to know that anything you say, while wearing your security hat, goes. You can even override me. If you need to hold a release for whatever reason, you have that power. If I happen to disagree with a security issue you bring up, that’s okay. You are in charge of release security. I won’t be mad or hold it against you. I just want you to do your job well.
Last week (engineering-wide meeting):
> CISO: From now on we should only use external IDs in urls to prevent a malicious actor from scraping data or automating attacks.
> LD: That’s great, and we should only use normal IDs in logging so they differ. Sounds more secure, right?
> CISO: Absolutely. That way they’re orthogonal.
> VP: Good idea, I think we should do this going forward.
Last weekend (in the security channel):
> LD: We should ONLY use external IDs in urls, and ONLY normal IDs in logging — in other words, orthogonal.
> VP: I agree. It’s better in every way.
Today (in the same security channel):
> Me: I found an instance of using a plain ID in a url that cancels a payment. A malicious user with or who gained access to <user_role> could very easily abuse this to cause substantial damage. Please change this instance and others to using external IDs.
> LD: Whoa, that goes way beyond <user_role>
> VP: You can’t make that decision, that’s engineering-wide!
Not only is this sane security practice, you literally. just. agreed. with this on three separate occasions in the past week, and your own head of security also posed this before I brought it up! And need I remind you that it is still standard security practice!?
But nooo, I’m overstepping my boundaries by doing my job.
Fucking hell I hate dealing with these people.
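An added example, not part of the rant above and not the company's code: a Python sketch of the two URL schemes the rant argues about, around the exact endpoint it mentions (cancelling a payment). `cancel_by_internal_id` is the flagged pattern: a sequential database key in the URL, which an attacker can walk with a loop. `cancel_by_external_id` is the agreed convention: an opaque, unguessable ID in the URL, the internal key only in the log line. The example also keeps the ownership check that the endpoint needs under either scheme. Everything here (the in-memory store, `token_urlsafe` as the external ID generator, the log list) is an assumption for illustration.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Payment:
    internal_id: int    # sequential DB key: fine in logs, never in URLs
    external_id: str    # opaque random ID: what the URL carries
    owner: str
    status: str = "pending"


class PaymentStore:
    """Stand-in for the payments table plus the app log (assumption)."""

    def __init__(self):
        self._by_internal = {}
        self._by_external = {}
        self._next = 1
        self.log = []

    def create(self, owner):
        p = Payment(self._next, secrets.token_urlsafe(16), owner)
        self._next += 1
        self._by_internal[p.internal_id] = p
        self._by_external[p.external_id] = p
        return p

    # Flagged pattern: POST /payments/<int:id>/cancel with a sequential id and
    # no ownership check. Anyone who can reach the route can cancel anything.
    def cancel_by_internal_id(self, actor, payment_id):
        p = self._by_internal.get(payment_id)
        if p is None:
            return False
        p.status = "cancelled"
        self.log.append(f"payment {p.internal_id} cancelled by {actor}")
        return True

    # Agreed convention: POST /payments/<external_id>/cancel. The id cannot be
    # enumerated, and the handler still checks that the caller owns the payment.
    def cancel_by_external_id(self, actor, external_id):
        p = self._by_external.get(external_id)
        if p is None or p.owner != actor:
            # identical answer for "no such payment" and "not yours", so the
            # endpoint is not an existence oracle either
            return False
        p.status = "cancelled"
        # logging uses the internal id: the two identifiers stay orthogonal
        self.log.append(f"payment {p.internal_id} cancelled by {actor}")
        return True


def enumerate_and_cancel(store, attacker, max_id=100):
    """What a malicious user does to the sequential endpoint: walk the ids."""
    return [i for i in range(1, max_id + 1) if store.cancel_by_internal_id(attacker, i)]


if __name__ == "__main__":
    store = PaymentStore()
    alice = store.create("alice")
    bob = store.create("bob")
    print("sequential ids: attacker cancelled", enumerate_and_cancel(store, "mallory", 10))

    store = PaymentStore()
    alice = store.create("alice")
    bob = store.create("bob")
    print("external id, wrong owner:", store.cancel_by_external_id("mallory", alice.external_id))
    print("external id, right owner:", store.cancel_by_external_id("alice", alice.external_id))
    print(store.log)
```

With sequential IDs the attacker needs nothing but a counter and the `<user_role>` that can reach the route; with opaque IDs there is nothing to count, and a leaked ID (from a log, a screenshot, a referer header) still only works for the owner.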
This fucker has some balls (I'm being completely ignorant), the day his website goes live guess who is going to flood it with DDoS attacks.
Multiple weird ones but one specifically where I fixed a bug over and over again and the second I pushed and deployed, the fix was gone both locally and remote.
I kept going more and more crazy and had rage attacks and such.
"Wait what, I changed and fixed this.. Let's try again"
"Huh, I definitely changed this..."
"Oh no, I fucking changed you"
"Go fuck yourself, I fixed this and pushed already, you can't just fucking disappear on me!"
"Oh yeah no of course, disappeared again, totally fucking logical. GET BACK HERE"
"I FIXED YOU A GAZILLION TIMES ALREADY, DON'T YOU DISAPPEAR ON ME AGAIN"
*NO. NO. NO. NO. NO. I. FUCKING. FIXED. YOU"
It went worse and worse for a while and then I woke up with a "....ahh" feeling 😅
Just looked at the anonymous analytics I collect on the security/privacy blog.
No SQL Injection attacks yet (would be useless anyways as I don't use MySQL/MariaDB for the databasing).
Directory Traversal attacks. Really? 🤣
Nice try, guys.
So, continuing with the story, I decided to quit today.
I'm not even a month there, and I'm running out of there in flames.
I've got 2 panic attacks in one week, I'm not sacrificing my mental health for some idiot's scam.
The gift that keeps on giving... the Custom CMS Of Doom™
I've finally seen enough evidence why PHP has such a bad reputation to the point where even recruiters recommended me to remove my years of PHP experience from the CV.
The completely custom CMS written by company <redacted>'s CEO and his slaves features the following:
- Open for SQL injection attacks
- Remote shell command execution through URL query params
- Page-specific strings in most core PHP files
- Constructors containing hundreds of lines of code (mostly used to initialize the hundreds of properties)
- Class methods containing more than 1000 lines of code
- Completely free of namespaces or package managers (uber elite programmers use only the root namespace)
- Random includes in any place imaginable
- Methods containing 1 line: the include of the file which contains the method body
- SQL queries in literally every source file
- The entrypoint script is in the webroot folder where all the code resides
- Access to sensitive folders is "restricted" by robots.txt 🤣🤣🤣🤣
- The CMS has its own crawler which runs by CRONjob and requests ALL HTML links (yes, full content, including videos!) to fill a database of keywords (I found out because the server traffic was >500 GB/month for this small website)
- Hundreds of config settings are literally defined by "define(...)"
- LESS is transpiled into CSS by PHP on requests
- .......
I could go on, but yes, I've seen it all now.
Am I the only here who get so much PUSSY when encountering bugs in code?
P - panic attacks
U - uncontrollable anxiety
S - suicidal fantasies
S - sadness
Y - yearning to death
FLOYD IS HERE 😎
Gather around kids, it's story time.
So my first breakup left me so damaged and I was in darkest phase of my life. I was alone. Physically, mentally, and emotionally. I went for therapy and spearheaded into success and grew in life soooo fucking much.
31st December 2016, I first joined dR and since the first day this place felt home. Met some of brightest mind and most amazing souls here (sadly many left the place).
I used to shit post and rant a lot. But I loved everyone here. But then I don't quite remember, but I decided to quit this place as community started to grow. Many others left as well.
I came back here in 2019 IIRC and started all over again. Got along well with new members and started having fun.
I used to crib and cry about being underpaid. Lost a kickass Europe job due to pandemic.
I will skip what all happened between me and @Scout but she is a sweetheart, though very rough and brutal with me at times (actually very often), but she is so selfish for me and cares for me that I couldn't resist but listen to her always. A lifelong friend for sure :)
I used to rant about my dumb office colleagues. Definitely not the sharpest minds but good people at heart (which I did not realise).
So in October 2020, I earned a new job and my company retained me with a 100% raise and a promotion making me lead of product innovation and UX.
November end I met a girl in professional context on LinkedIn who was conducting a workshop. Being hungry for learning, meeting new people and kill my lockdown boredom, I singed up.
Now I went for December break and my colleagues sent me a gift hamper when they came to know I got a promotion. I felt bad that I ranted about them so I deleted my account and also wanted a social detox.
Post the workshop, I started conversing casually with the girl I met. She was married. But things hit off. Eventually in February end I confessed that I had feelings for her and in next few days she reciprocated. I told her I was aware of her marital status and it's okay if nothing happens between us. Then she started to open up of how she was with one guy for 17 years and was abused in everyway and wanted to separate but never had the courage and all.
She decided to file for paperwork and then be with me. Things got messy when her family got involved thinking I was causing all of it.
She went back to her partner and I realised I had some emotional and mental issues of a person's past that bothered me. But we were overcoming it. Soon the honeymoon period started phasing out.
Her family started giving me death threats. We went underground even further. More arguments and fights between us.
@Scout kept telling me I was stupid and I disregarded her. I feel like an idiot for not listening to her.
That girl kept gaslighting me, hurting me intentionally, scratching the surface made me realise how broken and damaged she was. She lied to me and created fake persona of herself to make me fall for her. Everything was lie. Literally.
I felt horrible for trusting her. My trauma relapsed and I started having crazy panic attacks leading to self harm and being suicidal. That girl was drugged all the time with psychological medicines and very poor character & personality in general (I don't want to judge anyone but just stating the facts).
Eventually she just disappeared and I was like fuck this. Earlier, after every fight, she used to show fake affection and I used to melt but not this time.
I was like fuck this shit. I have some super amazing friends like @kiki who helped me overcome this. I started going for therapy and realised what all areas I need to improve. My therapist is soooo brilliant, she understands the root cause instantly and also knows how to fix it. And the same day I and both my parents were COVID-19 positive. Last few weeks were dark and haunting.
Further more, the girl comes back after a week and then acts as a 'nice girl'.
Initially fake affection, then drama, followed by making me guilt trip, then threats, and now blaming me.
I kept ignoring her calls (50 to 70 calls in a day), emails, left her unread on Telegram, and everything I could do to ignore her without blocking her. I started gaining my happiness back.
During this mess, I lost 5+ KG of weight. She has no friends in her mid 30s. Knows no life or survival skills. Her family hates her, no career, no emotional or mental maturity, literally nothing. Insanely dumb and toxic manipulative person who is not even worth being called an ex. As per her everyone around her is an asshole except her. Every time something happened, she used to blame and bad mouth the other person. Now she is doing with me. In all her life situations, either she was a hero or a victim. One upped me all the time. Now that I see it, I hate myself for allowing it all of it and now having enough self worth to walk out of it earlier.
Continued in comments...
I went for an interview for a position stated as "web developer". They questioned me on pen testing and writing scripts for detecting attacks. This is how the interview went. Fucking get your shit together. Fucking waste of time
Idea: Emoji passwords
Bdixbsufhdbe HEAR ME OUT
I know, I know, emojis belong with teenage girls on Snapchat but there are some theoretical benefits to emoji passwords.
Brute Force attacks are useless! With such a wide range of characters and so many different combinations, they just wouldn't be viable.
Dictionary attacks are less useful! Because those require...words.
They can be easier to remember. Tell a story with your emojis. Images are easier to commit to memory than combinations of letters and numbers.
Users would adopt the feature! For whatever reason, the general population fucking loves these things. So emoji passwords probably won't take very long to see use.
I don't know much about this last one, so I saved it for last, but I would imagine that decryption would be more difficult if the available values is quite vast. I dunno how rainbow tables and hash defucking works so I'll just put this here as a "maybe"
😀
Client reads about MongoDB ransomware attacks online.
Him: I heard that the MongoDB is not secure, we should use something else in our system.
Me: Those databases got attacked because security features were turned off. If you want you can have an external security team to test the system when it's done.
Him: I don't wanna take any risk, so we should use something else.
We have been working on this system for almost a year and the final stage was supposed to be delivered in a month.
He wants me to replace it with MySQL
My IT team installed Antivirus on my 5 year old Mac Mini due to company security policy after the recent Ransomware attacks.
Now my Mac is slow as fuck. They are not even providing me new Mac, due to budget constraints. Totally fucked.
Fuck Ransomware. Fuck security policies. Fuck my company. Fuck everyone. Fuck everything. 😤
About 2 months ago. My job fired half the dev staff including the only other web developer. I am a junior, and now the sole web developer. I have been yelled at for not working fast enough and not knowing the code base well enough. (I did a lot of Rails, and this is a Spring shop). I have daily panic attacks about coming to work and having to be here for 8 hours. I have never felt more abused. I'm constantly stressed, and drinking more than I should. All advice given to me has been "just stay there til you find something else or they fire you." but it feels like no one really knows how unhealthy this is for me. My one hope is that I didn't bomb this interview at a university. I fucking hate my job.
Just got a new TV, 4K... it’s one of those smart ones, by Samsung.
Anyone want to explain what the fuck “McAfee Security for TV” is, and why the fuck it is necessary!?
What kind, of absolute waster madman goes “I know what I’ma do today, write a virus for a tv”!?
Take that shit elsewhere McAfee.
Now accepting any links to known Smart TV 0-days and attacks...
And I had to sign in to 5 different fucking accounts to get to the fucking tv.
The world is broke as fuck. Roll on the apocalypse.
Work at a media company that reports political news. The government tries to block, launch DDoS attacks, and send a group of thugs to protest outside the office. How to migrate to Canada again?
I've found and fixed any kind of "bad bug" I can think of over my career from allowing negative financial transfers to weird platform specific behaviour, here are a few of the more interesting ones that come to mind...
#1 - Most expensive lesson learned
Almost 10 years ago (while learning to code) I wrote a loyalty card system that ended up going national. Fast forward 2 years and by some miracle the system still worked and had services running on 500+ POS servers in large retail stores uploading thousands of transactions each second - due to this increased traffic to stay ahead of any trouble we decided to add a loadbalancer to our backend.
This was simply a matter of re-assigning the IP and would cause 10-15 minutes of downtime (for the first time ever), we made the switch and everything seemed perfect. Too perfect...
After 10 minutes every phone in the office started going beserk - calls where coming in about store servers irreparably crashing all over the country taking all the tills offline and forcing them to close doors midday. It was bad and we couldn't conceive how it could possibly be us or our software to blame.
Turns out we made the local service write any web service errors to a log file upon failure for debugging purposes before retrying - a perfectly sensible thing to do if I hadn't forgotten to check the size of or clear the log file. In about 15 minutes of downtime each stores error log proceeded to grow and consume every available byte of HD space before crashing windows.
#2 - Hardest to find
This was a true "Nessie" bug. We had a single codebase powering a few hundred sites. Every now and then the web server would spontaneously die and vomit a bunch of SQL statements and sensitive data back to the user, causing huge concern, but I could never remotely replicate the behaviour - until 4 years later it happened to one of our support staff and I could pull out their network & session info.
Turns out years back when the server was first set up each domain was added as an individual "Site" on IIS but shared the same root directory and hence the same session path. It would have remained unnoticed if we had not grown, but as our traffic increased every so often 2 users of different sites would end up sharing a session id, causing the server to promptly implode on itself.
#3 - Most elegant fix
Same bastard IIS server as #2. Codebase was the most insecure, unstable travesty I've ever worked with - SQL injection vulns in EVERY URL, SQL statements stored in COOKIES... this thing was irreparably fucked up but had to stay online until it could be replaced. Basically every other day it got hit by bots and ended up sending bluepill spam or mining shitcoin, and I would simply delete the instance and recreate it in a semi un-compromised state, which was an acceptable solution for the business for uptime... until we were DDoS'ed for 5 days straight.
My hands were tied and there was no way to mitigate it except for stopping individual sites as they came under attack and starting them after it subsided... (for some reason they seemed to be targeting by domain instead of IP). After 3 days of doing this manually I was given the go-ahead to use any resources necessary to make it stop, and especially since it was IIS6 I had no fucking clue where to start.
So I stuck to what I knew and deployed a $5 VM running an Nginx reverse proxy with heavy caching and rate limiting, linked to a custom fail2ban plugin, in front of the insecure server. The attacks died instantly, the server sped up 10x and was never compromised by bots again (presumably since they got back a Linux user agent). To this day I marvel at this miracle $5 fix.
-
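Lesson #1 of the rant above (a retry loop whose error log ate the disk), worked through as an added example that is not the rant author's code: a store-side uploader that logs failures to a size-capped rotating file and refuses to log at all once free space is low, so an outage cannot fill the drive. The failing upload function, the log size limits and the free-space floor are constructed for the demo.

```python
"""Bounded error logging inside a retry loop (added example, constructed scenario)."""
import logging
import logging.handlers
import os
import shutil
import tempfile

# Demo-sized limits; a real deployment would use megabytes, not kilobytes.
MAX_LOG_BYTES = 4_096         # rotate the active log once it reaches this size
LOG_BACKUPS = 2               # keep at most this many rotated copies
MIN_FREE_BYTES = 50 * 2**20   # stop writing log entries below 50 MiB free


def make_bounded_logger(log_path):
    """Logger whose on-disk footprint is at most (LOG_BACKUPS + 1) * MAX_LOG_BYTES."""
    logger = logging.getLogger(f"uploader:{log_path}")
    logger.setLevel(logging.ERROR)
    logger.propagate = False
    handler = logging.handlers.RotatingFileHandler(
        log_path, maxBytes=MAX_LOG_BYTES, backupCount=LOG_BACKUPS)
    handler.setFormatter(logging.Formatter("%(asctime)s %(message)s"))
    logger.handlers[:] = [handler]
    return logger


def disk_has_headroom(path, min_free=MIN_FREE_BYTES):
    """True if the volume holding `path` still has at least `min_free` bytes."""
    return shutil.disk_usage(os.path.dirname(path) or ".").free >= min_free


def upload_with_retry(payload, upload, logger, log_path, max_attempts=500):
    """Retry `upload(payload)` until it succeeds or attempts run out.

    Every failure is logged, but through a rotating handler, and logging is
    skipped (the retry itself is not) when the disk is nearly full.
    Returns (succeeded, attempts_used).
    """
    for attempt in range(1, max_attempts + 1):
        try:
            upload(payload)
            return True, attempt
        except Exception as exc:  # deliberately broad: any transport error
            if disk_has_headroom(log_path):
                logger.error("attempt %d failed for %s: %s",
                             attempt, payload["id"], exc)
            # no back-off sleep here so the demo finishes quickly
    return False, max_attempts


def total_log_bytes(log_path):
    """Size of the active log plus every rotated copy next to it."""
    directory = os.path.dirname(log_path) or "."
    base = os.path.basename(log_path)
    return sum(os.path.getsize(os.path.join(directory, name))
               for name in os.listdir(directory)
               if name == base or name.startswith(base + "."))


def simulate_outage(failures=2000):
    """Constructed scenario: the backend rejects the first `failures` calls."""
    tmpdir = tempfile.mkdtemp()
    log_path = os.path.join(tmpdir, "upload-errors.log")
    logger = make_bounded_logger(log_path)
    calls = {"n": 0}

    def flaky_upload(_payload):
        calls["n"] += 1
        if calls["n"] <= failures:
            raise ConnectionError("web service unreachable (constructed)")

    ok, attempts = upload_with_retry({"id": "txn-0001"}, flaky_upload, logger,
                                     log_path, max_attempts=failures + 1)
    for handler in logger.handlers:   # release file handles before measuring
        handler.close()
    return ok, attempts, total_log_bytes(log_path)


if __name__ == "__main__":
    print(simulate_outage())
```

Two thousand logged failures would be well over 100 KB unbounded; the rotating handler keeps the total under 12 KB.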
Not to get political, but apparently the political climate in the world leads to the following situation.
"I'm being a fucking evil lying asshole. But I'm actually a good guy, because I'm doing it as pseudo-scientific research to show how easy it is to be evil and dishonest"
https://zdnet.com/article/...
("Researchers" with an anti-FOSS motive attempting software supply chain attacks on Linux kernel)
What's next? "Scientists" killing puppies to show that, if someone was inclined to be that evil, puppies are weak and their necks snap easily?
-
So my previous alma mater's IT servers are really easily hacked. They run mostly on Microsoft Windows Server and Active Directory and only the gateway runs on Linux. When I checked the stationed IT guy's computer he was having problems which I think were another intrusion.
I asked the guy if I could get root access on the gateway server. He was hesitant at first but I told him I had worked with a local Linux server before. He jested, then sent me to the server room under his supervision. He gave me the credentials and told me "10 minutes".
What did I do?
I just installed fail2ban and iptables, and basically blocked the IP ranges used by the attacker. The attack quickly subsided.
Later we found out it was a local attack and the attacker was brute-forcing the SSH port. We triaged it to one kid in the lobby who was doing the brute-forcing connected to the lobby WiFi. Turns out he was a script kiddie and had no idea I was tracking his attacks via the fail2ban logs.
Moral of the lesson: make sure your IT secures everything in place.
-
This is going to be a rant, but personally, I'm pleased with the outcome of my life now.
I was part of a community for a few years and decided to help them out with my knowledge of programming Lua nearly 2 years ago since they lacked developers for the project itself.
Since it was sort of a custom language that they modified how Lua worked on it, it took me a bit to adapt, but within a few weeks, I was pretty fluent in this so-called custom language they had. Began working on some major updates, additions, removals, and just optimizing this code base. It was a pretty old code base and needed a good chunk of love.
A few months later, I've implemented loads of features, optimized the base whenever I could, and then things start taking a turn for the worse. We get new 'developers' who haven't ever coded the language, and worse, they couldn't afford to provide them with development servers, thus they ended up breaking my servers. I helped them and they learned, they were decent, but now the Seniors and CEOs of the project began to take a toll on me.
I was told that this community had a reputation of driving out developers, ruining their reputations, and that is what started happening. I started getting questioned if I was loyal to helping them, that I've become lazy, even though it had been explained to them that I've had mental health issues for a few years and have been hospitalized multiple times.
These sorts of attacks kept happening for months, and then they finally pushed my buttons, when I was talking to another Senior about how we should redo the base since it's just so massive and a few tiny updates to the base take a few days to implement across the entire code. What instead happened was that I went to sleep, and this Senior told the CEO I was going to steal the code base and go sell it...
I woke up to messages about how the CEO was all pissed off, and that this was what the Senior said. At this point, I started responding with, fuck it. I was so sick and fucking tired of their bullshit. I was the only fucking competent developer, and I did more work in the few months I was there than some people did in 2 or 3 years.
A few hours later I decided to go chat with the CEO and explained what was truly brought up, and he just brushed it off like I was lying. At that point, I lost it. I told him why the code base was horrible since he hired stupid ass developers. He didn't know how to code. People wanted certain items, and he wouldn't be able to add them for fucking months and players sit there making fun of it. Some people state the only differences they see within the code is the code I've done. Basically, he was an incompetent fuck that said he knew what he was doing, and had all these big plans for the future yet couldn't listen to the only competent developer and fucking claimed bullshit.
Now a few months have gone by, I'm looking at their community and it's basically dead with no proper updates except for copy-and-paste updates claiming to be custom coded. While I'm working on my real-life businesses (which are currently being a headache, but within the year should resolve their issues), starting University for my Computer Science degree here soon, and even considering building my own game here.
Basically, karma is a bitch and that's why when you get loyal people in your life, keep them. (Writing this at 3 am after a few drinks, hopefully, it made sense, I think it does.)
Anyways, goodnight everyone.
-
So my boss is starting a new security oriented product and he asked one of my colleagues to prepare a presentation about the possible attacks on the product.
During the presentation there was a section on DoS attacks. The boss didn't know what DoS was and after a brief explanation, he interrupted the presentation and said DDoS is not a threat because there is no data stolen. This is a webapp.
-
We got DDoS attacked by some spam bot crawler thing.
Higher ups called a meeting so that one of our seniors could present ways to mitigate these attacks.
- If a custom, "obscure" header is missing (from api endpoints), send back a basic HTTP challenge. Deny all credentials.
- Some basic implementation of rate limiting on the web server
We can't implement DDoS protection at the network level because "we don't even have the new load balancer yet and we've been waiting on that for what... Two years now?" (See: spineless managers don't make the lazy network guys do anything)
So now we implement security through obscurity and DDoS protection... Using the very same machines that are supposed to be protected from DDoS attacks.
-
SuperCell is hiring.. Here is their job description:
Description
We need a new Builder. Are you an independent and passionate maker? Do you love spending 24 hours a day turning wood and gold into walls and defensive buildings? Do you answer the call to build even if that call comes at 4:00 a.m. and you haven’t had a day off in literally five years? If the answer to these questions is “Yes! Yes! A million times yes!” then we have a hammer with your name on it!
The Role
The focus of the Builder is to, uh, build.
You will be responsible for taking instructions from the player and building whenever and wherever they see fit. They say build and you say...well, you don’t say anything, you just build.
The world of Clash of Clans can get intense. Our Builder is expected to build quickly and expertly at all times, even while under great amounts of stress and/or attacks from Barbarians, Archers, Goblins, Giants, Wall Breakers, Wizards, and P.E.K.K.A.s.
Equally as important as building is rebuilding. All of the things you build will inevitably be destroyed, if not immediately, then soon after you just finished building or rebuilding everything. You can’t let it get you down. You must maintain your resolve and rebuild. Fast!
Responsibilities
Must be willing to relocate to the World of Clash
Must build and maintain a wide-range of buildings, statues, and war machines.
Must be on call 24 hours a day, 7 days a week, 365 days a year
Must have up-to-date Level 9 Tesla Tower maintenance certification
Must have proficiency with building materials both common (wood, stone, etc.) and uncommon (lightning, lava, etc.)
Requirements
Must provide own leather helmet
Must possess a passion for building
Must be comfortable working hands-on with molten lava.
Must adhere to strict dress code (orange sleeveless shirt, brown canvas pants, and boots).
Must speak fluent Barbarian
How to Apply
Send us your qualifications via e-mail to bethebuilder@supercell.com or write out your qualifications and send them to us via Baby Dragon. Either format is accepted.
-
I've always liked the idea of a virus that attacks other viruses. An antivirus virus, if you will. It would infect a computer and clean out all the malware and perform a bunch of random system improvements, then delete itself without a trace. To the end user, one day their computer would suddenly start running a little better for no apparent reason.
-
Who has a DDOS attack story they want to share? Dyn put up the good fight today... DDOS attacks can be incredibly difficult to deal with... Internet of Things devices make this an even more complicated situation. Outside of calling Prolexic, any vets have some good stories?
-
I am Done! I am extremely burnt out and unhappy with my work. I have been doing this professionally for over 5 years now and much longer than that unprofessionally.
This new company I joined finally gave me the salary I always dreamt of but now I am extremely unhappy and depressed and anxious all the time. And I don't like the work I am doing. I don't like the team. I hate being isolated at home for over 2 years, working from home. I had a mental breakdown in the middle of a meeting the other day. And after that, I said, that's it. I am done. So, I gave the resignation letter. I don't know what I am gonna do. But I sure as hell can't do this shit any longer. But now, the fucking HR is making it even more difficult for me by not letting me leave without serving the notice period. I told her I am on fucking medication and I am having severe mental health issues. Now, she wants to see the medical certificate. Or I have to pay two months' salary. WTF? If I had that kind of money lying around, I wouldn't have slaved myself away at your shitty company, would I?
I went to my psychiatrist whom I have been consulting for the last couple of years now. I asked for a medical certificate and he thinks it'll hamper my future career. So, he said I should get a certificate from a general physician. So, that's the world we live in then? You can't even speak the truth? And the way HR is behaving over the mail makes me feel like a total slave. I mean I am not at all fit for work these days, and it feels like, if she had her way, she would tie me down to a chair and ask me to push out code. What the fucking fuck. This is some fucked up industry and I think I am finally done with software development. But now, I don't have any idea what I am gonna do with my life or how I am gonna earn money. I am so burnt out and anxious that even the thought of working again gives me panic attacks. Even working from home. What the fuck do I do?
-
So, packing up and leaving this hell hole.
In the end I just said that I had 2 panic attacks in the last week, and that I am leaving for medical reasons.
-
So... did I mention I sometimes hate banks?
But I'll start at the beginning.
In the beginning, the big bang created the universe and evolution created humans, penguins, polar bea... oh well, fuck it, a couple million years fast forward...
Your trusted, local flightless bird walks into a bank to open an account. This, on its own, was a mistake, but opening an online bank account as a minor (which I was before I turned 18, because that was how things worked) was not that easy at the time.
So, yours truly of course signs a contract, binding me to follow the BSI Grundschutz (A basic security standard in Germany, it's not a law, but part of some contracts. It contains basic security advice like "don't run unknown software, install antivirus/firewall, use strong passwords", so it's just a basic prototype for a security policy).
The copy provided with my contract states a minimum password length of 8 (somewhat reasonable if you don't limit yourself to alphanumeric, include the entire UTF 8 standard and so on).
The bank's online banking password length is limited to 5 characters. So... fuck the contract, huh?
Calling support, they claimed that it is a "technical necessity" (I never state my job when calling a support line. The more skilled people on the other hand notice it sooner or later, the others - why bother telling them) and that it is "stored encrypted". Why they use a nonstandard way of storing and encrypting it and making it that easy to brute-force it... no idea.
However, after three login attempts, the account is blocked, so a brute force attack turns into a DOS attack.
And since the only way to unblock it is to physically appear in a branch, you just would need to hit a couple thousand accounts in a neighbourhood (not a lot if you use bots and know a thing or two about the syntax of IBAN numbers) and fill up all the branches with lots of potential hostages for your planned heist or terrorist attack. Quite useful.
So, after getting nowhere with the support - after suggesting to change my username to something cryptic and insisting that their homegrown 2FA would prevent attacks. Unless someone would log in (which worked without 2FA because the 2FA is only used when moving money), report the card missing, request a new one to a different address and log in with that. Which, you know, is quite likely to happen and be blamed on the customer.
So... I went to cancel my account there - seeing as I could not fulfill my contract as a customer. I've signed to use a minimum password length of 8. I can only use a password length of 5.
Contract void. Sometimes, I love dealing with idiots.
And these people are in charge of billions of money, stock and assets. I think I'll move to... idk, Antarctica?
-
I wrote an app (took all morning until now) that tells me which shows and movies Amazon removed from Prime...
I forget why I wanted this... was it just to screw with Amazon because they rejected me....
The app is also going to tell me what movies/shows were added because they can't fucking sort them in chronological order by release date. I don't want movies from pre-1990s that were recently added...
Yes I could search for them manually but it's too fuckin tedious, gotta turn on like 10 filtering options...
And maybe I just want to run mini-DDOS attacks on their servers...
-
I was working in a manufacturing facility where I had hundreds of industrial computers and printers that were between 0 and 20 years old. They were running on their own clean network so that someone has to be in the manufacturing network to access them. The boss announced that the executives will be pushing a “zero trust” security model because they need IoT devices. I told him “A computer running Windows 98 can’t be on the same VLAN as office computers. We can’t harden most of the systems or patch the vulnerabilities. We also can’t reprogram all of the devices to communicate using TLS or encrypt communications.“ Executives got offended that I would even question the decision and be so vocal about it. They hired a team to remove the network hardware and told me that I was overreacting. All of our system support was contracted to India so I was going to be the on-site support person.
They moved all the manufacturing devices to the office network. Then the attacks started. Printers dumped thousands of pages of memes. Ransomware shut down manufacturing computers. Our central database had someone change a serial number for a product to “hello world” and that device got shipped to a customer. SharePoint was attacked in many many ways. VNC servers were running on most computers and occasionally I would see someone remotely poking around and I knew it wasn’t from our team because we were all there.
I bought a case of cheap consumer routers and used them in manufacturing cells to block port traffic. I used Kali on an old computer to scan and patch network vulnerabilities daily.
The worst part was executives didn’t “believe” that there were security incidents. You don’t believe in what you don’t understand right?
After 8 months of responding to security incident after security incident I quit to avoid burning out. This is a company that manufactures and sells devices to big companies like Apple and Google to install in their network. This isn't an insignificant company. Security negligence on a level I get angry thinking about.
-
We were going over man in the middle attacks today and I honestly just could not stop thinking about that SpongeBob episode where Squidward keeps intercepting the bubble messages between SpongeBob and Patrick and it was so dumb that I could not stop smiling.
-
Sort of !dev
I can't do school anymore. I get so many panic attacks. I was shaking the entire time I was writing my essay today. It's hard to focus when your brain is fucking freaking out. I'm missing deadlines, failing tests left and right.
Real talk, I'm not dumb. This was never a problem. My University fucked me up and now I can't even look at an assignment without an electric feeling and I don't know what to do.
I had a panic attack during the opening crawl of Star Wars. I had to leave the theater. My anxiety is going to give me a heart attack one of these times. I'm 18, why am I experiencing health issues like this?
School isn't done right. How could this be the intended effect?
-
Woo crunch time! The 3 panic attacks a day, no sleep, massive guilt complex, caffeine addiction, lack of seeing my wife, phone breaking (calling doesn't work), lawn needing mowing, upper management bothering all of my team, more guilt, more panic, inferiority complex, theory that coworkers think I am slacking, and technology just not working because the machine spirit decided I pissed it off is starting to get to me a little.
-
I set up an email server a couple of months ago.
The amount of port scans and brute force attacks I've received this month alone is awful.
JUST SOD OFF ALREADY, PLEASE.
-
Damn hackers! Within the course of a week, the internet of my country has been DDOS-attacked three times! Last week the attacks came from Russia or China. Yesterday they came from Russia and Ukraine. Is this a part of the Russian military exercises Zapad 17? Well, when an important part of the infrastructure is down and thousands of civilians are affected, it's for real and not an exercise.
-
Stress made me fall into old habits: instead of saying stop and letting my team know that I was falling apart (not realising it myself even) I just kept saying "Yes, I'll fix that." to every single request that was made in the project.
The closer we got to the deadline, the more I hyperfocused and ignored the signs. I just kept working. The last two days I didn't even sleep.
Of course the launch botched. I finally broke down and both my mind and my body have given up, since yesterday I'm in a mental feedback loop causing continuous anxiety attacks and migraines. I literally CAN'T do anything but trying to not go back into fight- or flight mode and remember to breathe.
I FINALLY made my project manager aware (something I should have done days ago) that I am incapacitated and now I am waiting for medication (Oxazepam) to be picked up at the pharmacy by my husband.
I almost literally worked myself into the ground.
I've been here before. Never again.
This is what happens if you don't listen to your mind and body and put up a white flag in time.
-
This was a long time ago, when I was working part time in my uni helpdesk. As part of the uni IT service, they offered ISP services at the dorms. It was cheap, and fast. This essentially allowed students living in the dorms to connect their personal computers to the uni LAN. Then one day...
An ARP poison malware infected some of those computers. An ARP poison attack is simple (look at ettercap) - it redirects network traffic via the affected computer, and adds malware to web traffic to infect more computers. One of these on a network is bad enough, but when there were more than one... traffic was redirected a lot. This caused the dorm switches to collapse under the load. Fun times to work at the helpdesk...
The IT guys came up with a solution for this: they blocked the ARP poison attacks at the firewall, and then disabled the switch port of the infected computer for 24 hours. So, when someone called with 'I have no internet!', we told them to bring us the computer, and installed an AV on it.
After 3-4 months the problem was cleared.
-
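The two ARP-poisoning signatures behind the post above (a host suddenly answering for the gateway's IP, and one NIC answering for many neighbours), as an added detection example that is not the uni IT team's setup: a watcher that consumes (timestamp, ip, mac) observations such as a switch or host would report and names the MACs whose ports the 24-hour disable would target. The addresses, the observation sequence and the MAX_IPS_PER_MAC threshold are constructed.

```python
"""ARP-cache watcher flagging poisoning signatures (added example, constructed data)."""
from collections import defaultdict

# Assumed threshold: a dorm NIC legitimately owning more than two IPs is rare.
MAX_IPS_PER_MAC = 2


class ArpWatcher:
    """Tracks IP -> MAC claims and alerts on the two classic poisoning signatures."""

    def __init__(self, protected_ips=(), max_ips_per_mac=MAX_IPS_PER_MAC):
        self.protected_ips = set(protected_ips)   # e.g. the gateway: takeover is high severity
        self.max_ips_per_mac = max_ips_per_mac
        self.ip_to_mac = {}
        self.mac_to_ips = defaultdict(set)
        self.alerts = []

    def observe(self, ts, ip, mac):
        """Record one ARP reply ("ip is-at mac"); return the alerts it triggered."""
        mac = mac.lower()
        new_alerts = []

        # Signature 1: an IP we already know changes MAC (gateway impersonation).
        previous = self.ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            severity = "high" if ip in self.protected_ips else "medium"
            new_alerts.append({"ts": ts, "severity": severity, "mac": mac,
                               "msg": f"{ip} moved from {previous} to {mac}"})
        self.ip_to_mac[ip] = mac

        # Signature 2: one MAC accumulating many IPs (a host hijacking its neighbours).
        # Alert only when the set grows past the threshold, so benign
        # re-announcements by an already-flagged host do not re-alert.
        grew = ip not in self.mac_to_ips[mac]
        self.mac_to_ips[mac].add(ip)
        if grew and len(self.mac_to_ips[mac]) > self.max_ips_per_mac:
            new_alerts.append({"ts": ts, "severity": "high", "mac": mac,
                               "msg": f"{mac} claims {sorted(self.mac_to_ips[mac])}"})

        self.alerts.extend(new_alerts)
        return new_alerts

    def suspects(self):
        """MACs behind high-severity alerts: the ports an operator would disable."""
        return {a["mac"] for a in self.alerts if a["severity"] == "high"}


# Constructed observations: gateway plus two dorm PCs, then PC .11 starts poisoning.
SAMPLE_ARP = [
    (0, "10.20.0.1",  "aa:bb:cc:00:00:01"),   # gateway announces itself
    (1, "10.20.0.10", "aa:bb:cc:00:00:10"),
    (2, "10.20.0.11", "aa:bb:cc:00:00:11"),
    (3, "10.20.0.1",  "AA:BB:CC:00:00:11"),   # .11 now claims to be the gateway
    (4, "10.20.0.10", "aa:bb:cc:00:00:11"),   # ...and its neighbour as well
    (5, "10.20.0.11", "aa:bb:cc:00:00:11"),   # benign re-announcement: no new alert
]


def run_arp_sample():
    watcher = ArpWatcher(protected_ips={"10.20.0.1"})
    for ts, ip, mac in SAMPLE_ARP:
        watcher.observe(ts, ip, mac)
    return watcher


if __name__ == "__main__":
    w = run_arp_sample()
    for alert in w.alerts:
        print(alert["ts"], alert["severity"], alert["msg"])
    print("suspects:", sorted(w.suspects()))
```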
So today I went to another town for a car service, and by accident I met a very old man looking at the cars in the saloon. He was a very calm person; in conversation he said he was a system analyst and a COBOL developer in a big industry... but what got me the most, he said he survived FOUR heart attacks... I don't know if that was a common practice for COBOL developers but I do php most of the time... so... I just wanted to say hello guys... and delete my browser history if I'm not around for some time :)
-
Hey, we need a service to resize some images. Oh, it’ll also need a globally diverse cache, with cache purging capabilities, only cache certain images in the United States, support auto scaling, handle half a petabyte of data , but we don’t know when it’ll be needed, so just plan on all of it being needed at once. It has to support a robust security profile using only basic HTTP auth, be written in Java, hosted on-prem, and be fully protected from ddos attacks. It must be backwards compatible with the previous API we use, but that’s poorly documented, you’ll figure it out. Also, it must support being rolled out 20% of the way so we can test it, and forget about it, and leave two copies of our app in production.
You can re-use the code we already have for image thumbnails even though it’s written in Python, caches nothing and is hosted in the cloud. It should be easy. This guy can show you how it all works.
-
Unnamed hacking game - "terminal" graphics
-Multiplayer. Last man standing.
-Like a tower-defence game but technical
You work for a company that has outsourced their technical department to Bykazistan, a country with good internet and bad laws. On one hand, labor is very cheap! There are no pesky laws protecting workers, so you don't need to pay them what they're worth. Phew. However, there are also no laws against cyber crime. But for a start-up like you, the risk is worth the reward!
...which would be great! If you were the only company with that idea. As it turns out, you aren't. All of your competitors also recently outsourced to Bykazistan, and that could be an issue.
You would be afraid, but you are a hardened businessman. You are familiar with the cut-throat nature of the business world and where others see risk, you see opportunity. Let the games begin.
Your mission is to protect your critical assets at all costs, eliminate your opponents, and make critical financial decisions - all while maintaining your uptime!
Build a botnet and attack your competition to decrease their uptime and disable their attacks. Port scan your opponents to learn more about their network, but beware of honeypots! Initiate devastating social engineering attacks - and train your employees against them! Brute-force their credentials, and strengthen your own.
Make sure to keep your software patched...
-
I’m fairly new to maintaining my own webservers. For the past week the servers (two of them) kept crashing constantly.
After some investigation I figured it was due to someone running a script trying to get ssh access.
I learned about fail2ban, DOS and DDOS attacks and had quite a fight configuring it all since I had 20 seconds on average between the server shutdowns and had to use those 20 second windows to configure fail2ban bit by bit.
Finally after a few hours it was up and running on both servers and recognized 380 individual IPs spamming random e-mail / password combos.
I felt relieved seeing that it all stopped right after the fail2ban installation and thought I was safe now and went to sleep.
I wake up this morning to another e-mail stating that pinging my server failed once again.
I go back to the logs, worried that the attack became more sophisticated or whatever only to see that the 06:25 cronjob is causing another fucking crash. I can’t figure out why.
Fuck this shit. I’m setting another cronjob to restart this son of a bitch at 06:30.
I’m done.
-
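What fail2ban is doing underneath in the post above and in the two earlier fail2ban posts (the gateway server and the mail server), written out as an added example that is not any of the posters' configuration: a sliding-window counter over sshd "Failed password" lines that bans a source after MAXRETRY failures inside FINDTIME and lifts the ban after BANTIME. The log lines, the thresholds and the year are constructed, and the generated iptables rule is a simplified equivalent of what fail2ban's iptables action inserts, not its literal command.

```python
"""fail2ban-style SSH brute-force banning (added example, constructed log lines)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH failure line as fail2ban's sshd filter sees it (syslog timestamps carry no year).
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+)")

MAXRETRY = 3                      # failures tolerated inside FINDTIME (fail2ban: maxretry)
FINDTIME = timedelta(minutes=10)  # sliding window (fail2ban: findtime)
BANTIME = timedelta(hours=1)      # ban duration (fail2ban: bantime)
LOG_YEAR = 2023                   # assumed for the demo; syslog omits the year


def parse_syslog_ts(text):
    return datetime.strptime(f"{LOG_YEAR} {text}", "%Y %b %d %H:%M:%S")


class BruteForceBanner:
    def __init__(self, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.failures = defaultdict(deque)  # ip -> timestamps of failures still in window
        self.banned_until = {}              # ip -> datetime the ban expires
        self.actions = []                   # (when, "ban" | "unban", ip), in order

    def _expire_bans(self, now):
        for ip, until in list(self.banned_until.items()):
            if now >= until:
                del self.banned_until[ip]
                self.actions.append((now, "unban", ip))

    def feed(self, line):
        """Process one log line; return the IP if this line triggered a ban."""
        m = FAILED_LOGIN.match(line)
        if not m:
            return None  # accepted logins, "Invalid user" notices etc. are ignored
        now, ip = parse_syslog_ts(m["ts"]), m["ip"]
        self._expire_bans(now)
        if ip in self.banned_until:
            return None  # the firewall already rejects it; nothing new to do
        window = self.failures[ip]
        window.append(now)
        while now - window[0] > self.findtime:  # drop failures older than findtime
            window.popleft()
        if len(window) >= self.maxretry:
            self.banned_until[ip] = now + self.bantime
            window.clear()
            self.actions.append((now, "ban", ip))
            return ip
        return None

    def iptables_rules(self):
        """Simplified equivalent of fail2ban's iptables action for the current bans."""
        return [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j REJECT"
                for ip in sorted(self.banned_until)]


# Constructed auth.log excerpt: one noisy source, one slow guesser, one real login.
SAMPLE_AUTH_LOG = """\
Mar  3 06:20:01 mail sshd[1201]: Invalid user admin from 203.0.113.7 port 51001
Mar  3 06:20:02 mail sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
Mar  3 06:20:04 mail sshd[1203]: Failed password for root from 203.0.113.7 port 51003 ssh2
Mar  3 06:20:05 mail sshd[1204]: Accepted publickey for deploy from 198.51.100.5 port 40000 ssh2
Mar  3 06:20:09 mail sshd[1205]: Failed password for root from 203.0.113.7 port 51004 ssh2
Mar  3 06:21:00 mail sshd[1206]: Failed password for admin from 198.51.100.9 port 42000 ssh2
Mar  3 06:40:00 mail sshd[1207]: Failed password for admin from 198.51.100.9 port 42001 ssh2
Mar  3 06:41:00 mail sshd[1208]: Failed password for admin from 198.51.100.9 port 42002 ssh2
Mar  3 07:25:00 mail sshd[1209]: Failed password for root from 203.0.113.7 port 51010 ssh2
"""


def run_auth_log_sample(lines=None):
    banner = BruteForceBanner()
    for line in (SAMPLE_AUTH_LOG.splitlines() if lines is None else lines):
        banner.feed(line)
    return banner


if __name__ == "__main__":
    b = run_auth_log_sample()
    for when, kind, ip in b.actions:
        print(when.isoformat(), kind, ip)
```

The slow guesser at 198.51.100.9 never trips the threshold because its first failure ages out of the 10-minute window; the noisy source is banned on its third failure and released an hour later.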
When I started my work I encountered this DB (one of 4): more than 20 tables, some with 200 columns literally... EVERYTHING is a varchar 😓.
I'm slowly designing some normalized tables with real fk on new features and projects and people are like: how the fuck did you implement this feature so fast? the other guy spent 3 months designing this form (and I'm just speechless):
The form was some sort of crazy shit passing input names as "name-of-property" and a file only to check if(name="string") then store a number value to an array and save it as a "number" (actually varchar) on the db. Literally more than 50 if statements to do this.
Everything on a single table that made no sense at all.
Just wtf... At least my boss let me start it from scratch cause we were always having panic attacks every time he needed to do something with it. 😂😂
-
So I eventually spent 2 years working for that company with a strong b2b market. Everything from the checkouts in their 6 b2c stores to the software used by the 30-people sales team was dependent on the main ERP shit home-built with this monstrosity we call Windev here in France. If you don't know it just google it and have some laugh: this is a proprietary FRENCH language. Not French like made by French people, well that too, but mostly French like the fucking language is in fucking French! Instructions are in French, everything. Hey that's my natural language okay, but for code, really?
The php website was using the ERP database too, even all the software/hardware of the massive logistic installation they had (like a tiny Amazon depot), and of course the emails of all employees. Everything was just handled by this unique shitty and so sloooooow fucking app. When there were too many clients on the website or even too many salespeople connected to the ERP at the same time, every-fuckin-piece of the company was slowing down, and even worse facing critical bugs. So they installed a monitor in the corner of a desk constantly showing the live report page of Google Analytics and they started panic attacks every time it was counting more than 30 sessions on the website. That was at the time fun and sad to observe.
The whole shit was created 12 years ago and has since been maintained locally by one unique old-fashioned Microsoft dev who also has to maintain all the hardware of the whole fucking 150+ people business. You know, when the keyboard of anyone is "broken" cause it's unplugged... That's his job too. The poor guy was totally overstressed on a daily basis and his tech knowledge just sadly lost itself somewhere along the way. He was my n+1 in a tech team of 3 people: him, a young and inexperienced so-called "php developer" who was in charge of the website (btw full of security holes I discovered and dealt with when I first arrived at the job), and myself.
The database was a hell of 100+ tables of business and marketing data with a ton of specific logic added on the go over the years. No consistent data model or naming. No utf8. Fucked up relations that end with queries long enough to fill books. And that's not all, all the customers' passwords were just stored there unencrypted. Several very big companies and administrations were some of these clients. I was insisting on the passwords point literally all the time, that was an easy security fix and a good start... But no, in two years of discussions on the subject I never managed to have them focusing on other considerations than "our customers like that we can remind them their password by a simple phone call if they lost it". What. The. Fuck. WHATTHEFUCK!
Eventually I ran myself out of this nightmare. I had a few bad jobs already, and worked on shitty software already. But that one really blew my mind (and motivation for a time too). Happy it's over.
-
!rant
MASSIVE UPGRADE ROUND 2:
We took it by steps, the DBA did his portion and I did mine, we had waited for the entire thing to be finalized today on Sunday since our users are probably jerking off to their waifus (as they should) and today was my part. MA BOE the DBA was with me the entire time and the whole process took us about 4 hours of both of us getting multiple heart attacks here and there and praying to the elder gods of Asgard for their devine protection as we venture into the calamity of fire and juten ass mfkers that are our fucking servers for this particular process.
Man I really hope for the pandemic to be over and take my dude out for a nice beer, some wings and some relaxation time.
Best DB/Dev team I have ever been with.
-
You know you're passionate about computers when you're completely immune to scams and phishing attacks but the mention of laptop stickers makes you type a rant about it. ~( ̄▽ ̄)~
-
Conversation yesterday (senior dev and the mgr)..
SeniorDev: "Yea, I told Ken when using the service, pass the JSON string and serialize to their object. JSON eliminates the data contract mismatch errors they keep running into."
Mgr: "That sounds really familiar. Didn't we do this before?"
SeniorDev: "Hmmm...no. I doubt anyone has done this before."
Me: "Yea, our business tier processor handled transactions via XML. It allowed the client and server to process business objects regardless of platform. Partners using Perl, clients using Delphi, website using .aspx, and our SQLServer broker even used it."
Mgr: "Oh yea...why did we stop using it?"
Me: "WCF. Remember, the new dev manager at the time and his team broke up the business processor into individual WCF services."
Mgr: "Boy, that was a crap fest. We're still fighting bugs from the mobile devices. Can't wait until we migrate everything to REST."
SeniorDev: "Yea, that was such a -bleep-ing joke."
Me: "You were on Jake's team at the time. You were the primary developer in the re-write process saying passing strings around wasn't the way true object-oriented developers write code. So it's OK now because the string is in JSON format, or because using a JSON string was your idea?"
SeniorDev turns around in his desk and puts his headphones back on.
That's right, you lying SOB... I remember exactly the level of personal attacks you spewed on me and other developers behind our backs for using XML as the message format.
Keep your fat ass in your seat and shut the hell up.
-
So, these guys came to me at work, asking if I knew how the "Low Orbit Scanner" worked...
I said: "no, what's that?"
They said: "It's that tool used for DDoS attacks"
So I replied: "Oh you mean Low Orbit Ion Cannon"
them: "yea that, you know how it works?"
me: "ye, but what do you want to use it for?"
them: "just want to learn how it works"
me: "you download it, run it then fill out the things?"
them: "but I tried it and it doesn't take out the server I tried"
me: "Means your PC is too much of a filthy casual, buy a new one"
them: "can't you help us getting it more effective"
me: "yes, but I'd rather not end up in jail... I have a job and a clean document..."
The looks on their faces. Love to see that disappointment of my colleagues when I say (or at least hint): "go figure it out yourself"
-
I went to uni for CompSci with no prior knowledge.
In my first year of uni I created a DigitalOcean droplet to host an SQL server. I didn't change the root password or disable password login out of convenience and as I didn't think anyone would be able to find the IP address to be able to hack it.
Within 3 hours DigitalOcean had locked my account for using my droplet to send DDoS attacks. Support contacted me to ask what was going on. I knew nothing at the time so I was a bit 🤷♂️.
And that's when I learned the importance of changing your root password.
-
Apple paid bounty hunter 18k instead of 250k by silently tweaking their help page, so it seems like the bug is less severe.
Dear Apple, I defended you from baseless and opinionated attacks just like I defend every company that is bashed for no reason, but this is some straight up bouba shit. I will still be fair when it comes to your products, still never silencing bugs and downsides and praising what deserves to be praised, but I will always mention this incident when someone asks me about _working_ at Apple. That kind of ethics bs can't be silenced just because I enjoy your new arm chip.
https://thezerohack.com/apple-vulne...
-
#confession
I don't know what you guys think but I freaking love programming my own Minecraft client. It sounds childish but I love to see server owners rage when they see their Servers dying because of my exploits. It's a good feeling.
But I got 3 DOS attacks afterwards so there is a high risk of making lifetime enemies.
Let us all post our dark side of knowledge and the shit we have done to amuse ourselves!
-
What do you do when your redirect doesn’t go where you tell it?
Clearly I’m missing something.
I stepped through the code, following the failure path of Sheogorath’s Recaptcha. It fails as expected, and hits this redirect before doing anything else:
`return redirect_to new_user_session_path`
I verified that this redirects to the “/users/sign_in” path, and it returns so the server doesn’t even try to authenticate the user. It just nopes out as it should to prevent timing attacks.
But somehow instead of doing that and redirecting as it should, it signs the user in and redirects somewhere else entirely: the role select page, which only happens after authenticating an admin user. It never even hits my breakpoint after the recaptcha check! It never authenticates!
I think what I’m missing is my old reality where things made sense.
-
I fucking hate this low level programming shit. The fucking buffer overflow attacks and the whole understanding of the system architecture just goes over my mind. Can anyone who has found relatively useful resources be kind enough to refer them to me so my stupid mind can understand that better?
-
First rant! I hate being OnCall. I'm just out of college, give me some time to ramp up without these panic attacks.
-
Game for coders or really anyone interested in programming where you have a simulated network on which you can perform attacks
-
With the recent attacks by governments and corporations on our freedom, I feel like this is more relevant than ever.
"Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety." (Benjamin Franklin)
-
I worked for a company that was in entertainment news. Specifically rock music.
On the terrible night of the Battaclan (spelling?) terror attacks in Paris a few years ago, our site was one of the first to run the story (the main attack happened at a rock concert). Anyway the tech debt that we’d been complaining about for months reared its head. The site got so much traffic that it was just fucked all night. Literally couldn’t get the databases back up for about 7 straight hours.
-
When your panic attacks stop midway as you realise you don't have the time to deal with that shit, you know you need a break
-
The more I'm on here the more I remember all the shit I have had to deal with in the past.
Anyway, let's rant! I just moved cities after college to be closer to my family, I didn't have any work lined up at that stage but started job hunting the moment I was settled in, I did some freelance for smaller companies to stay afloat.
Eventually I got a job at this agency startup where "SEO" was their main focus, still very inexperienced they put me on frontend and data capturing but would teach me how to code using their systems in due time. At this stage I was getting paid minimum wage, but I was doing minimum work and it wasn't that bad.
A new investor bought 49% of the company and immediately moved into the office space to focus more on marketing (He was one of those scaly marketing guys that will sell you babies if he could get his hands on enough to make a profit).
This is where everything starts going to shit. He hires a bunch of "SEO Gurus", fills up the small office with people like sardines squished together. Development was still our main money maker at this stage, so there were 3 new more senior developers at this stage and I started learning a lot really fast.
Here are some of the issues we had to deal with:
1. Incentives - Great more money, haha! No, No, you were 5 minutes late so you only get half of the promised amount.
2. For every minute you are late we will deduct it from your paycheck (Did I mention I was getting paid minimum wage).
3. If you take a smoke break we will dock it from your pay.
4. Free gym membership to the gym downstairs, but you can only go once a week during your lunch.
5. No pay raises if you can't prove your worth on paper.
He purposely made up shitty rules and regulations to keep us down and make as much profit as he could.
Here are some shitty stuff he has done:
1. We aren't getting a 13th check this year because the company didn't make a big profit - while standing next to his brand new BMW.
2. Made changes over FTP on clients' work because we were too slow to get to it, then blames me for it because it's broken the next day and wants to give me a written warning for not resolving the issue immediately. They went as far as wanting to fire me for this, gave me 1 day notice for the meeting and that I can bring a lawyer to represent me (1 day notice is illegal, you need 5 days where I am from), so I brought a lawyer since my mom was a lawyer. They freaked the fuck out and started harassing me about this a week later.
3. Would have meetings all the time about how much money the company is making, but wont be raising our pay since no one has proven they are worth it yet.
4. Would full on yell at employees in front of the entire office if they accidentally made a mistake on a client's project.
On one occasion I took a week off for holiday, my coworker contacted me to ask a question and I answered that I will handle it when I am back the following week. Within 2 hours my other boss phones me in a rage, "he is coming to fetch the company laptop from my house in 5 minutes, he will let me know when he arrives." Gives me no time to talk at all and hangs up - I have figured out what has happened by now so when he showed up he has this long speech about abandonment, and trust and loyalty to the company. So I pass him my laptop once he shut up and said: "You do know I am on holiday leave which you approved, right?", he goes even more silent and passes me back my laptop without saying anything, and drives off.
While the above was happening Douche manager back at the office has a rage as well and calls the whole office (25 people) to a meeting talking about how I abandoned the company and how disgraceful that is.
Those are the shitty experiences I can remember, there were many more like this. All of the above eventually led to me going into a deep depression and having panic attacks weekly, from being overworked or scared to step out of line. It's also the reason I almost stopped coding forever at that stage. I worked there for 2.5 years with the abuse.
I left 2 weeks after the last shit show, I am ok now and have my anxiety and depression well under control if not almost gone completely.
Ran into Douche Manager a few months ago after 9 years, the company got bought out and the first person they fired was him. LOL! He now has his own agency and is looking for Developers (They are hard to find he says), little does he know I spread his name far and wide to all and every Dev I knew and didn't know to avoid working for him at all costs. Seems like word of mouth still works in this digital age.
Thanks for reading this far!
-
Old unused military satellite to make international calls free. Local tv station to leak episodes. 4500 hosts zombie net with autoreplicant bots that scans for vulnerability to populate the net to do distributed denial of service attacks. Jumper on the neighborhood cabin to redirect the school's call for being absent, an older friend pretended to be my father.
-
Apple’s Vision Pro Hacked On Launch Day
Just within hours of Apple releasing its much-hyped mixed reality headset, Apple Vision Pro, a security researcher was able to discover a critical kernel vulnerability in the device’s software – visionOS, which, if exploited, could potentially enable jailbreaks and malware attacks. More detail:
https://aprogrammerlife.com/top-rat...
-
I dunno if you gents remember the Nickelodeon show known as Drake and Josh.
It was pretty big in Mexico and the U.S.
Well, one of the characters from that show is the singer/actor Drake Bell.
For a while, Drake Bell would **constantly** tweet about how much Justin Bieber sucks.
I ain't denying that Justin Bieber sucks, I don't like his music at all.
But the constant attacks came out as jealousy, at least to me.
What does this have to do with development or even computers? Well this is EXACTLY how I feel about Louis Rossman CONSTANTLY making videos about Apple products.
We get it man we really do, sadly for a lot of us the only way to get ios development done is through a fucking Mac
EVEN if his whiny ass is right about the hardware not being top notch and all that shit I AM still not able to explain a 2013(early...as in january) macbook pro still working with literally NO fucking problems. Before that the other macbook was just changed because we wanted the 2013 model. The thing worked, the one before did so too and the 2017 model that I have works, amazingly so i will add.
Still, the army of Dell, HP and Lenovo laptops that I've had before just died or are not functioning properly. Either it is my shit luck or Apple's "shitty hardware" got something really fucking right.
I think its retarded really. If you don't like them then fine, you don't have to, personally I fucking love all computers and os, but I don't get fanboys hating for the sake of hate.
The fuck you care if I spend 2500 on a computer? I would do the same shit for your mom and the computer would last me longer.
Does owning multiple macs make me better than you? No
Does this mean that you are piss poor and can't afford shit and that is why you are hating? No
Will I call you <insert number of insults> for your choice of pc or os? No
What is retarded is this: you all are DEVELOPERS(at least a good chunk) and your ass better fucking know that some people USE a certain tool because IT IS THE RIGHT ONE FOR THE JOB.
It is a damn fine operating system, a really good computing experience. It ain't your taste? Fine, das cool, but for fucks sake it does not mean that the other people are idiots or whatever.
Grow the fuck up and get yourself an opinion.
-
I know this is selfish, but this whole COVID-19 thing is driving me insane. The virus and quarantine I don't mind too much. What gets me is the number of people I see every single day having legit panic attacks because they can't buy "x" right now and it's the end of the world. I can't stand people who are literally in tears because they have to take an extra day off of work each week because of the state of the economy. I've been virtually unemployed for two years (not for lack of trying) and borderline homeless for six months. Grow up. You have a Lexus, a Range Rover, and a four bedroom house for you and your partner.
-
Many ATMs here in India are planning to upgrade from Windows XP due to the wannacry ransomware attacks.
I literally want wannacry to seize my data so that I can go ahead and pay them $600 to do something that even the FUCKING GOVERNMENT won't do.
-
I wanna go back to the age where a C program was considered secure and isolated based on its system interface rather than its speed. I want a future where safety does not imply inefficiency. I hate spectre and I hate that an abstraction as simple and robust as assembly is so leaky that just by exposing it you've pretty much forfeited all your secrets.
And I especially hate that we chose to solve this by locking down everything rather than inventing an abstraction that's a similarly good compile target but better represents CPUs and therefore does not leak.
-
!$rant
Hmm.. I kinda want to add a terminal type feature to my portfolio project that lets you type commands to navigate the site or change some options. I could still keep the standard navigation elements for the people who get mini heart attacks when they even see a terminal xD
-
On a previous job, my coworkers were jealous because I started going out for lunch some days of the week instead of staying with them at the office kitchen. So every time I went out, I came back to find some kind of small prank, and also a sign reading "Lunch Break Maffia Attacks Again". Once they made garlands by gluing/taping together a lot of sauce packets (mayonnaise, ketchup, and so on) in different patterns and decorated my whole box with them.
-
A new YouTube (AI) tool by Google for battling misinformation failed in a highly public way on Monday, wrongly linking video of the flaming collapse of the spire at Notre Dame Cathedral in Paris to the Sept. 11, 2001, terrorist attacks.
-
The most powerful weapon an engineer can ever have, is his mind.
What happens when someone attacks the mind and their mind is the system with most power?
When you attack the central system with most power of any person, they become extremely vulnerable and defenseless.
What happens when the mental state of an engineer has been attacked and damaged?
How to focus with a damaged mind?
I paid $55 for a therapy app on the ios store with binaural waves sound programming and mind healing sounds.
It helps. But temporarily. When the attacker gets in sight, the mind becomes vulnerable again.
How to develop a strong mind that can not be disturbed by external real world triggers or attackers?
-
A new system developed at CSAIL was shown to have stronger security guarantees than Intel's existing approach for preventing so-called "timing attacks" like Meltdown and Spectre, made possible by hardware vulnerabilities.
Image courtesy of Graz University of Technology
-
What are you guys doing against brute force attacks on your login webpages? I don't want anybody to access my porn ( ͡° ͜ʖ ͡°). But I don't want to block the user account because that would be annoying, because you could simply lock a user out of his account :/ any suggestions? What are you doing on your sites?
-
First time programming for work... Man in the middle student password changes. Yep that's right, I'm being asked to write a program that will change students' passwords on their Google accounts and local domain while also keeping a decryptable format password in a database. Granted it's much better than not letting students change their passwords at all. Plus we're doing it because it will let us fix their issues while they're out of school so...
-
Biggest interview of my entire life is coming up on Thursday. I really need this to go well - it's more than double my current salary, at a time where I'm really starting to struggle to make ends meet. There's an actual "team", and from my interactions with them over the last four interviews, I think they're cool people. It's still a little unusual, because although there's a team or cohort of seniors that I'd be joining, every senior developer is still somewhat siloed, leading their own juniors. I'd also get to be remote 75% of the time, which I think I've realized is a "must have" benefit.
I don't know if it's coincidental or just bad timing then that I've been having episodes of pretty intense vertigo and panic attacks far more frequently than normal lately - even before I had this interview lined up. I realized recently that I must have some kind of anxiety disorder. I don't know if that's from the military, or just from being fucked up via my own missteps. But I can't keep having these attacks.
Anyone who's willing to share - I don't really have anyone to ask. How do you deal with this type of thing? I went to see a shrink last year, but he just gave me pills that replaced these issues with others.
-
So easy to make typographic attacks on image recognition models.
Depending on your implementation, you may need to change your entire model.
FML.
-
Is it OK to punch a game dev who codes stupid numeric bugs?
So my wife got into Stardew Valley, that admittedly awesome comfort game farming simulator.
She went pretty far in the game, and found some item that was supposed to highly increase the damage she could inflict onto cute little monster thingies.
It didn't work as intended.
Since equipping the piece of shit all her hits did 0 damage. She tossed the item away but the problem persisted. And on and on...
She took to the googles to try and find some explanation, and apparently that is a fairly common bug for mobile devs.
Then she called in the big guns (that is how I'm calling myself in this case, you will see why).
Apparently there is some buggy piece of shitcode somewhere in the game with a numerical insecure routine that overflows the attack modifier. I.e. if it was supposed to increase from 1.990 to 2.010, it actually went all the way down to -0.4.
She was lucky her attacks weren't increasing the monsters' HP.
We found a forum post where some dude said that he managed to edit the game save file and reset the negative-value attack increase modifier variable. Seems easy enough at first, but my wife uses iOS. Nothing is ever so straightforward with apple stuff.
We did get to the save file, she emailed it to me (the file has no extension and no line breaks in it, so we facepalm'd on a couple attempts at editing it directly).
I finally manage to get it into my personal 11-yo laptop... that won't open a single line file that big.
Cue the python terminal. Easy enough to read the file into a string var and search for the buggy XML tag. Edit the value and overwrite into a new file. Send it back to her by email. Figure out how to overwrite the file in iOS.
Some tense moments while the game reloads... and it works!!!! Got some serious hubby goodwill points here.
Srsly, this troubleshoot process is not for technophobes. It is out of reach to pretty much every non-techy user.
And now back to the original question: If I ever manage to find the kid who coded a game-breaking numerically unsafe routine and shipped it as if every test in the planet had waved it bye-bye, can I punch them? Or maybe buy them a beer, let's see how I get to cash that hubby goodwill tonight :)
-
Analogy: Assume a JVM is a kingdom, Object is a king of the kingdom, and GC is an attacker of the kingdom who tries to kill the king(object).
When King is Strong, GC can not kill him.
When the King is Soft, GC attacks him but the King rules the kingdom with protection until resources are available.
When the King is Weak, GC attacks him but he rules the kingdom without protection.
When the King is Phantom, GC already killed him but the King is available via his soul.
So Phantom ref is basically GC saying "Omaewa mo shindheru" and the object saying "Nani???"
-
Novice computer enthusiasts argue that an application is safe because it's end-to-end encrypted.. but they don't realize this doesn't guarantee safety because of MITM attacks on possibly exploitable midpoints.
A good example of this is mail servers using TLS 1.2 but one or two of them not verifying certificate authorities.
-
Is it a good idea to hack the website of my previous condescending and irrational boss? and do social media attacks on their online pages as well?
-
I need guidance about my current situation.
I am a perfectionist believing in OOP, preventing memory leaks in advance, following clean code, best practices, constantly learning about new libraries to reduce custom implementation & improve efficiency.
So even a single bad variable name can trigger my nerves.
I am currently working in a half billion $ IT service company on a maintenance project of an 8 year old Android app, a security domain product of one of the top enterprise companies of the world, which sold it to many leading companies in the world in the Govt service, banking and insurance sectors.
Its code quality is so bad that I get panic attacks & nightmares daily.
Issues are like
- No APK obfuscation; everything in the source is an open book, anybody can just unzip the APK & open it in Android Studio to see the source.
- logs everywhere about method name invoked,
- static IV & salt for encryption.
- thousands of line code in God classes.
- Irrelevant method names compared to it's functionality.
- Even single item having list takes 2-3 seconds to load
- Lag in navigation between different features' screens.
- For even single thing like different dimension values for different density whole 100+ lines separate layout files for 6 types of densities are written.
- No modularized packages, every class is in single package & there are around 100+ classes.
Owner of the code, my team lead, is too terrified to change even a single thing as he doesn't have coding maturity & no understanding of memory leaks, clean code, OOP, in short typical IT 'service' company mentality.
Client is ill-informed or cost-cutting centric so no code review done by them in 8 years.
Feeling much frustrated as I can see it's like a bomb is waiting to blast anytime when some blackhat cracker will take advantage of this.
Need suggestions about this to tackle the situation.
-
Well after working a normal office job for a while I'm kinda starting to think I thrive on isolation.
All of the people, the noise, the distractions, the lights, it's all so overwhelming. I have constant anxiety attacks.
Idk does anyone relate with this? Were they ever able to overcome? Cope? Bend their employer to the will of their isolationism by working at home more often and still producing results despite the beck and call to "please stay in the office and fit in our prescribed work time box, you robot."
-
Headsup: if you're making a game, or want to, a good starting point is to ask a single question.
How do I want this game to feel?
A lot of people who make games get into it because they play and they say I wish this or that feature were different. Or they imagine new mechanics, or new story, or new aesthetics. These are all interesting approaches to explore.
If you're familiar with a lot of games, and why and how their designs work, starting with game feel is great. It gives you a palette of ideas to riff on, without knowing exactly why it works, using your gut as you go. In fact a lot of designers who made great games used this approach, creating the basic form, and basically flew-blind, using the testing process to 'find the fun'.
But what if, instead of focusing on what emotions a game or mechanic evokes, we ask:
How does this system or mechanic alter the *player's behaviors*? What behaviors *invoke* a given emotion?
And from there you can start to see the thread that connects emotion, and behavior.
In *Alien: Isolation*, the alien 'hunts' for the player, and is invulnerable. Besides its menacing look, and the dense atmosphere, its invincibility has a powerful effect on the player. The player is prone to fear and running.
By looking at behavior first, w/ just this one game, and listing the emotions and behaviors in pairs "Fear: Running", for example, you can start to work backwards to the systems and *conditions* that created that emotion.
In fact, by breaking designs down in this manner, it becomes easy to find parallels, and create these emotions in games that are typically outside the given genre.
For example, if you wanted to make a game about vietnam (hold the overuse of 'fortunate son') how might we approach this?
One description might be: Play as a soldier or an insurgent during the harsh jungle warfare of vietnam. Set ambushes, scout through dense and snake infested underbrush. Identify enemy armaments to outfit your raids, and take the fight to them.
Mechanics might include
1. crawl through underbrush paths, with events to stab poisonous snakes, brush away spiders or centipedes, like the spiders in metro, hold your breath as armed enemy units march by, etc.
2. learn to use enfilade and time your attacks.
3. run and gun chases. An ambush happens catching you off guard, you are immediately tossed behind cover, and an NPC says "we can stay and fight but we're outnumbered, we should run." and the system plots out how the NPCs hem you in to direct you toward a series of retreats and nearest cover (because it's not supposed to be a battle, but a chase, so we want the player to run). Maybe it uses these NPC ambushes to occasionally push the player to interesting map objectives/locations, who knows.
4. The scouting system from State of Decay. You get a certain amount of time before you risk being 'spotted', and have to climb to the top of, say, a building, or a tower, and prioritize which objects in the enemy camp to identify: trucks, anti-air, heavy guns, rockets, troop formations, carriers, comms stations, etc. And that determines what is available to 'call in' as support on the mission.
And all of this, b/c you're focusing on the player behaviors that you want, leads to the *emotions* or feelings you want the player to experience.
Point is, when you focus on the activities you want the player to *do* its a more reliable way of determining what the player will *feel*, the 'role' they'll take on, which is exactly what any good designer should want.
If we return back to Alien: Isolation, even though its a survival horror game, can we find parallels outside that genre? Well The Last of Us for one.
How so? Well TLOU is a survival third-person shooter, not a horror game, and it shows. There's not the omnipresent feeling of being overpowered. The player does use stealth, but mostly it's because it serves the player's main role: a hardened survivor who's a capable killer, struggling through a crapsack world. The similarity though comes in with the boss battles against the infected.
The enemy in these fights is almost unstoppable, they're a tank, and the devs have the player running from them just to survive. Many players can't help but feel a little panic as they run for their lives, especially with the superbly designed custom death scenes for Joel. The point is, mechanics are more of a means to an end, and if games are paintings, and mechanics are the brushes, player behavior is the individual strokes and player emotion is the color. And by examining TLOU in this way, it becomes obvious that while it's a third person survival shooter, the boss fights are *overtones* of Alien: Isolation.
And we can draw that comparison because like Bach, who was deaf, and focused on the keys and not the sound, we're focused on player behavior and not strictly emotions.
-
Argh.
I am a backend web dev, which is a nice software developer role, and later I'm going to dive into devops a bit more.
And yet some people don't understand when they are told No!
I will not accept being hired for short terms job of sysadmin.
To make it worse it is offered by my mother.
She works for some person who has multiple web sites, and they suffer from some sort of attacks.
I am having no time for this. I work and learn 95% of my time.
I don't care what they offer. According to what I heard she works for a corrupt person, and she already offered me illegal work a few days ago.
Thanks, no. They deal with too big sums of money, I don't wish to be arrested or killed. I have a good job, a planned schedule for the next half of the year and my own life.
-
Doing a talk on 'Security in PHP' and live demo on web attacks and safeguard tips this Saturday. Any tips fellow Ranters...?
-
Avoided IoT(IoS - InternetOfShit) for a long time now, due to the security concerns with retail products.
Now I looked into 433 Transceiver + Arduino solutions.. to build something myself, just for the lolz.
Theory:
Smallest Arduino I found has 32 KByte of programmable memory, a tiny tiny crypto library could take around 4 KBytes...
Set a symmetric crypto key for each homebrewed device / sensor / etc, send the info and commands (with time of day as salt for example) encrypted between Server <-> IoT gadget, ciphertext would have checksum appended, magic and ciphertext length prepended.
Result:
Be safe from possible drive-by attacks, still have a somewhat reliable communication?!
Ofc passionate hackers would be still able to crack it, no doubt.
Question: Am I thinking too simple? Am I describing just the standard here?
-
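An added example, not the original poster's code, of the framing sketched in the rant above, in Python rather than Arduino C so it runs anywhere: magic and length prepended, the time of day bound into every message, and the trailing checksum replaced by an HMAC-SHA256 tag (encrypt-then-MAC), which is what turns "detects transmission errors" into "rejects forged, tampered and replayed frames". The frame layout, the MAGIC value, the key split and the HMAC-based keystream are assumptions for this demo, not a standard.

```python
"""Authenticated framing for a homebrew 433 MHz sensor link (added example).

Frame layout (assumed for this demo, not a standard):
    MAGIC(4) | LEN(2, big-endian) | NONCE(8) | TS(4) | CIPHERTEXT | TAG(16)
LEN covers NONCE+TS+CIPHERTEXT; TAG is HMAC-SHA256 over everything before it.
"""
import hashlib
import hmac
import os
import struct
import time

MAGIC = b"IoT1"          # constructed frame marker
NONCE_LEN = 8
TS_LEN = 4
TAG_LEN = 16             # HMAC-SHA256 truncated to 128 bits
MAX_SKEW = 30            # seconds the sender's clock may differ from ours
HEADER = struct.Struct(">4sH")
MIN_FRAME = HEADER.size + NONCE_LEN + TS_LEN + TAG_LEN


def derive_keys(shared_key):
    """Split the one per-device key into separate encryption and MAC keys."""
    enc_key = hmac.new(shared_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(shared_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream(enc_key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256, so only the stdlib is needed."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">I", block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(shared_key, plaintext, now=None, nonce=None):
    """Encrypt-then-MAC one message into a frame. `now` and `nonce` are
    parameters only so tests can be deterministic; callers normally omit them."""
    enc_key, mac_key = derive_keys(shared_key)
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    ts = struct.pack(">I", int(time.time()) if now is None else now)
    ciphertext = xor(plaintext, keystream(enc_key, nonce, len(plaintext)))
    body = nonce + ts + ciphertext
    header = HEADER.pack(MAGIC, len(body))
    tag = hmac.new(mac_key, header + body, hashlib.sha256).digest()[:TAG_LEN]
    return header + body + tag


class Receiver:
    """Verifies frames and keeps a replay cache of accepted nonces."""

    def __init__(self, shared_key):
        self.enc_key, self.mac_key = derive_keys(shared_key)
        self.seen = set()

    def open(self, frame, now=None):
        """Return the plaintext, or raise ValueError for anything suspicious.
        The tag is checked before any field of the body is interpreted."""
        if len(frame) < MIN_FRAME:
            raise ValueError("frame too short")
        magic, length = HEADER.unpack_from(frame)
        if magic != MAGIC:
            raise ValueError("bad magic")
        if length < NONCE_LEN + TS_LEN:
            raise ValueError("bad length")
        authed, tag = frame[:HEADER.size + length], frame[HEADER.size + length:]
        if len(authed) != HEADER.size + length or len(tag) != TAG_LEN:
            raise ValueError("bad length")
        expected = hmac.new(self.mac_key, authed, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):   # constant-time compare
            raise ValueError("bad tag")
        body = authed[HEADER.size:]
        nonce = body[:NONCE_LEN]
        ts = struct.unpack(">I", body[NONCE_LEN:NONCE_LEN + TS_LEN])[0]
        ciphertext = body[NONCE_LEN + TS_LEN:]
        now = int(time.time()) if now is None else now
        if abs(now - ts) > MAX_SKEW:
            raise ValueError("stale timestamp")
        if nonce in self.seen:
            raise ValueError("replayed frame")
        self.seen.add(nonce)
        return xor(ciphertext, keystream(self.enc_key, nonce, len(ciphertext)))


if __name__ == "__main__":
    key = os.urandom(32)
    rx = Receiver(key)
    frame = seal(key, b"relay:on")
    print(rx.open(frame))
    try:
        rx.open(frame)              # same frame a second time
    except ValueError as err:
        print("second delivery rejected:", err)
```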
this is unsettling :( if they hit the button and start knocking out american infrastructure, even with "harmless" small-scale attacks or limited to certain sectors, i wonder how fast this is going to escalate... this mere unspoken threat is an aggressive move already https://theguardian.com/us-news/...
-
Hey guys, I'll be starting my oscp/pwk course soon, any suggestions as to what should I study beforehand or types of attacks I should practice?
Thanks
-
My plan was to potato today.
... But given anxiety, might as well have a minor heart attack and a few panic attacks on the side.
Plus, second day of no proper food seems to be helping that cause greatly too.
At this rate, I'll die of dehydration first. Lol. My greatest regret is missing out on the robot's uprising. Ain't got nobody I love deeply, so at least I don't feel regrets for people I leave behind. Tiz a short meh life I've lived.
Aight. Ms NoRegrets is out.
P.S.
In case you're stupid, let me clarify: I was being a drama queen. Shall fetch water... soon, hopefully.
-
At Rackspace there are lights on the walls that go off for things like ddos attacks, fire alarm, etc. The being a code rainbow. Meaning "evacuate the building".
Every time we deployed to prod I always joked one day that it would fail so spectacularly that it would cause a code rainbow.
-
WTF kind of bullshit software is sonar.
I can't deploy my application because sonar is telling me that there is a vulnerability. So I look at it. IT'S A FUCKING DEV DEPENDENCY. Are you fucking serious sonar? I can't deploy because a dev dependency has a vulnerability that allows DoS attacks. What the fuck do you think will happen?! I'm going to DoS my own fucking application whilst coding or what? Who the fuck would even care?!
I fucking hate our Pipeline, all the tools behind it operate like shit. the only thing positive about it, is that I am able to deploy applications myself without having to call someone and wait a week. Because putting a file in a directory is hard ._.3 -
!rant
I didn't know that working with React will destroy my confidence like this, I know that coding is hard but being tasked to build a front end for a large project with React and use React Boilerplate (which is not for beginners) just a month after starting my first job as a front end developer is nowhere to be the perfect start to one's career.
the quarantine did not help, it made it worse, I have so much fear that I can't even see my code, I even wanted to write some simple side project to retake some confidence but I can't, I want to tell my boss that I can't continue but he's very nice that I don't want to worry him, and here I am having panic attacks and fear, not a fear of being fired, because I am prepared and I deserve it, but fear that I can't code any more, I am not a good developer, but it's the only thing I know.
I had low confidence before but not as much as this time, this time I feel like it's the end of everything, I keep staring at the screen for hours and I can't think straight.
I am lost and I don't know how to handle this, I became a bad father and a bad husband, I don't talk to anyone, not even my kids ...
as always thanks for reading me, I only have this community that understands me.4 -
“httpOnly cookies prevent XSS attacks”… wow.
As if not being able to get your cookies is going to stop me from doing bad things.
When I'm in via XSS, it's over. I'm changing the page content to your sign-in form with “please sign in again” notice, but it sends email/password straight to me. What percentage of users is going to enter their data? What do you think? With password managers prefilling data, and the annoyance being one “enter” hit away, I think a lot of users will fall for that. No one, including you, will be able to tell the difference without devTools.
You can rotate the session token, but good luck rotating the user's password.
Oh, did I tell you I could register a service worker using XSS that will be running in background FOREVER?
But don't listen to me. Don't think. Just use httpOnly and hope for the best. After all, your favorite dev youtuber said they could protect you from XSS.4 -
Remember kids, passwd is a readable file! You can have a very bad day trying to figure out a user's shell from side-channel attacks and getting nowhere, or you could remember that it LITERALLY SAYS WHAT IT IS PUBLICLY IF YOU DON'T FORGET THAT IT'S THERE.
On the plus side, I learned a ton about what you can do with ssh arguments and debugging logs. Shit's pretty cool.5 -
BT "We'll give you BT Virus Protect, which protects against viruses, phishing and other online attacks."
Or... For a start, let your users provide a good secure password when signing up? "More than 8 characters" is a bit ambiguous. 20 minutes later and several attempts to find out it can't be longer than 20 characters, only upper and lower case letters and numbers aaaand must start with a letter is a bit s**t. Not to mention LastPass doesn't like it as you can't copy and paste.1 -
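Added example, not BT's code and not the poster's: the first checker reconstructs the rules the rant describes (8 to 20 characters, ASCII letters and digits only, must start with a letter), the second is the policy I would put in its place, along NIST SP 800-63B lines: length is the only composition rule, any printable character is allowed, a generous maximum only bounds hashing cost, and the value is screened against a breached-password list instead. The `COMMON_PASSWORDS` set is a constructed stand-in for a real breach list.

```python
import unicodedata

COMMON_PASSWORDS = {"password", "12345678", "qwertyui", "letmein1"}   # constructed stand-in


def bt_style_check(pw: str) -> list:
    """The restrictive policy described in the rant, reconstructed for comparison."""
    problems = []
    if not 8 <= len(pw) <= 20:
        problems.append("length must be between 8 and 20")
    if not (pw.isascii() and pw.isalnum()):
        problems.append("only A-Z, a-z and 0-9 allowed")
    if not pw[:1].isalpha():
        problems.append("must start with a letter")
    return problems


def sane_check(pw: str, min_len: int = 8, max_len: int = 128) -> list:
    """Length plus a blocklist; no character-class rules, so passphrases and password
    managers both work."""
    # Normalise so the same visible string always hashes to the same value.
    pw = unicodedata.normalize("NFKC", pw)
    problems = []
    if len(pw) < min_len:
        problems.append(f"at least {min_len} characters")
    if len(pw) > max_len:                       # only to keep hashing cost bounded
        problems.append(f"at most {max_len} characters")
    if any(not ch.isprintable() for ch in pw):  # tabs, newlines, other control chars
        problems.append("control characters are not allowed")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("password is on the breached/common list")
    return problems
```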
I can't believe companies fucking do this! If your users' PII gets fucking leaked or the security is breached in any god-damned way it's YOUR FUCKING JOB to let the affected users know! 57 million users got affected! What the fucking fuck? I think they should pass proper laws where companies have to tell the victims about breaches, especially when it's at such a huge scale. I get that it wasn't under Uber but some third party; but even so Uber should have talked about the level of security in their SLAs and maybe performed regular audits.
This is ridiculous!
https://darkreading.com/attacks-bre...5 -
Google researchers have exposed details of multiple security flaws in Safari web browser that allowed user's browsing behavior to be tracked.
According to a report : The flaws which were found in an anti-tracking feature known as Intelligent Tracking Prevention, were first disclosed by Google to Apple in August last year. In a published paper, researchers in Google's cloud team have identified five different types of attacks that could have resulted from the vulnerabilities, allowing third parties to obtain "sensitive private information about the user's browsing habits."
Apple rolled out Intelligent Tracking Prevention in 2017, with the specific aim of protecting Safari browser users from being tracked around the web by advertisers and other third-party cookies.2 -
Kazakhstan Government issues certificates for MITM attacks on the public. WTF !!!
https://devrant.com/rants/2187760/...4 -
I currently have to finish some intermediate report for a big international research project which my CEO forced us into because of the incentives. But he doesn't care for any of the research and just want to get the money.
Due to my inexperience I promised some things for this project, which now prove to be untenable. And now I realize all this and I get to deal with small anxiety attacks (especially today).
I just want to say "fuck you all" and go, but this no real option for me. That makes me totally exhausted, especially because it feels like a personal failure. :/2 -
https://prodajatest.byethost7.com/
My first public website... Please don't say how bad it is because I know, believe me :) There are probably XSS and SQL injection attacks so feel free to play with it. Also it is in Serbian but you will figure your way in and out (if you even open the website)6 -
I am still at the office, and I have come to the the conclusion it is alive. I am a parasite that works in it, but by doing so I give it value so it is maintained. It's name is Smarlethotep...
-
I just saw this video on slow loris attacks (https://youtu.be/XiFkyR35v2Y).
So my question is: why even bother with creating a botnet for a ddos attack?3 -
Last night the Russians struck again. It's become obvious that these DDoS attacks are not performed by just some casual hackers, but are part of cyber warfare - just as I suspected in one of my rants a couple of weeks ago6
-
I've been wondering about renting a new VPS to get all my websites sorted out again. I am tired of shared hosting and I am able to manage it, as I have in the past.
With so many great people here, I was trying to put together some of the best practices and resources on how to handle the setup and configuration of a new machine, and I hope this post may help someone while trying to gather the best know-how in the comments. Don't be scared by the lengthy post, please.
The following tips are mainly from @Condor, @Noob, @Linuxxx and some other were gathered in the webz. Thanks for @Linux for recommending me Vultr VPS. I would appreciate further feedback from the community on how to improve this and/or change anything that may seem incorrect or should be done in better way.
1. Clean install CentOS 7 or Ubuntu (I am used to both, do you recommend more? Why?)
2. Install existing updates
3. Disable root login
4. Disable password for ssh
5. RSA key login with strong passwords/passphrases
6. Set correct locale and correct timezone (if different from default)
7. Close all ports
8. Disable and delete unneeded services
9. Install CSF
10. Install knockd (is it worth it at all? Isn't it security through obscurity?)
11. Install Fail2Ban (worth to install side by side with CSF? If not, why?)
12. Install ufw firewall (or keep with CSF/Fail2Ban? Why?)
13. Install rkhunter
14. Install anti-rootkit software (side by side with rkhunter?) (SELinux or AppArmor? Why?)
15. Enable Nginx/CSF rate limiting against SYN attacks
16. For a server to be public, is an IDS / IPS recommended? If so, which and why?
17. Log Injection Attacks in Application Layer - I should keep an eye on them. Is there any tool to help scanning?
If I want to have a server that serves multiple websites, would you add/change anything to the following?
18. Install Docker and manage separate instances with a Dockerfile powered base image with the following? Or should I keep all the servers in one main installation?
19. Install Nginx
20. Install PHP-FPM
21. Install PHP7
22. Install Memcached
23. Install MariaDB
24. Install phpMyAdmin (On specific port? Any recommendations here?)
I am sorry if this is somewhat lengthy, but I hope it may get better and be a good starting guide for a new server setup (eventually become a repo). Feel free to contribute in the comments.24 -
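Editor's added example for steps 3 to 5 of the list (disable root login, disable password login, key-based login): an offline audit of an sshd_config, so the check can be run in CI or before `sshd -t` on the box. It is not code from the post. The target values are my recommendation, and the defaults OpenSSH uses when a directive is absent are as I remember them from sshd_config(5), which matters because a commented-out `#PermitRootLogin prohibit-password` is not the same as `no`. Both sample configs are constructed. The parser is deliberately limited to global directives: sshd takes the first occurrence of each directive, and everything after a `Match` line is conditional, so it stops there.

```python
import re

WANT = {                                     # what the hardening steps translate to
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
    "challengeresponseauthentication": "no",   # otherwise PAM can still prompt for a password
    "permitemptypasswords": "no",
}
DEFAULTS = {                                 # effective value when the directive is absent
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "permitemptypasswords": "no",
}

DIRECTIVE = re.compile(r"^([^\s=]+)\s*=?\s*(.*)$")   # "Key value" or "Key=value"


def parse_sshd_config(text: str) -> dict:
    """Global directives only; first occurrence wins, like sshd; stops at Match."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        if line.lower().startswith("match "):
            break                                # everything below is conditional
        m = DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().lower()
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text: str) -> list:
    """Return one finding per directive whose effective value differs from WANT."""
    settings = parse_sshd_config(text)
    findings = []
    for key, want in WANT.items():
        have = settings.get(key, DEFAULTS[key])
        if have != want:
            findings.append(f"{key}: effective value {have!r}, want {want!r}")
    return findings


# Constructed sample, roughly what a fresh Debian/Ubuntu install ships (commented defaults).
STOCK_CONFIG = """\
Port 22
#PermitRootLogin prohibit-password
#PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
"""

# Constructed sample after applying steps 3 to 5.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
PermitEmptyPasswords no
Match User backup
    AllowTcpForwarding no
"""

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/ssh/sshd_config"
    with open(path) as f:
        for finding in audit_sshd_config(f.read()):
            print(finding)
```

Run it as `python3 audit_sshd.py /etc/ssh/sshd_config` after editing and before restarting sshd, and keep a second session open until you have confirmed key login still works.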
March's Khyber Weather was out of ordinary
Phishing and CEO-scams continued in March with even more activity.
SUPO said in their annual letter that targeted attacks against Finland and Finnish companies are a day-to-day affair. On the positive side, the availability of communication services was better than average, and new guidelines on the minimum requirements for IoT products were published in Great Britain.
Source:
Finnish Communication Regulatory Authority
https://viestintavirasto.fi/kybertu...
Translation by:
@joas1 -
!dev-related
Found out that a pervert from my gf’s highschool took a bunch of screenshots of her Instagram (bikini pictures, etc.) and posted them to the r/breeding and other fucked up subreddits even though she was only 16/17 in the photos
We notified the uni he goes to and nothing happened. We notified the police of his hometown and they said they couldn't do anything because he was currently at his uni
He then claimed it was a rumor and it wasn’t him even though the Reddit account that posted it had a previous post that directly connected the Reddit account to his Instagram account and the Reddit account mentioned had a post that mentioned his home town
My poor gf is now having panic attacks bc this motherfucker wanted to jerk his tiny dick off with his retard friends bc they were rejected by her in highschool
It’s taking so much effort not to send him some phishing emails and empty his fucking bank account20 -
Hi!
I want to know if there is possibility to find a vulnerability on a .jar file.
I tried to install Kali on a VM (for now) and tried to use Metasploit, but I found that it attacks the entire system at an indicated IP address.
Are there any applications or videos (and so on) for my problem?
This .jar file is an application and I want to do pentesting...
Sorry for my poor English but it isn't my native language.
I'm new to the pentesting world 🤣8 -
Thoughts after a security conference.
The private sector, no matter the size, often plays a role (e.g. entry vector, DDoS load generating botnet, etc.) in massive, sometimes country-wide attacks. Shouldn't that make private businesses' CyberSec a matter of national security? Shouldn't the government create and enforce a security framework for private businesses to implement in their IT systems? IMO that'd also enforce standardised data security and force all the companies treat ITSec with at least minimal care (where "minimal" is set by the gov)
What are your thoughts?10 -
So in the past 3 days I've almost had 6 heart attacks, I've been giving public speeches for random classes at my school as practice.
Today I'm going to some capital city finals shit whatever you call it and I have to give a public speech to fuc knows how many people.
I wrote a speech about lies in 700 words, speech has to be 5 minutes, oh yeah, in English. It's not my native...
Man, I am not ok at all Xd, they had to choose the one who has anxiety disorders.2 -
So, I have never been a big fan of Oracle, for many reasons.
I did not think I would see their executive meeting with Donald Trump to try to take advantage of his comments about their competitors. Comments and attacks which the leader of the country is using to distract from himself.
Business is business, so more power to you. Be as greasy as you want Oracle, but man that's...
Pretty Greasy
https://marketwatch.com/story/... -
This shithead continuously wasted 2 lectures of CNS (Cryptography and Network Security) on debating: in link-to-link encryption, if encryption and decryption take place on every node, what if an attacker attacks the node while the data is decrypted?
Though I couldn't care less about the lecture but this guy brings the same issue in every lecture
Does anyone have any idea about link-to-link encryption?
I already know it encrypts the whole packet including the header, and on each hop the data is decrypted, the destination IP address is fetched and it is encrypted again, but I don't know if it's possible to perform an attack on the decrypted data.3 -
Is anyone around experienced with SDR, especially the HackRF?
I am trying to send OOK data at a certain frequency but it doesn't work. I am basically recording the wave, then using ooktools to decode the wave to binary and the hackrf_ook to send the binary. It doesn't work...
Using GNURadio for replay attacks works great, since I am not testing it on a rolling code device.
Has anyone managed to transmit binary (or hex) with the HackRF or any other SDR, as a matter of fact? I can't use rfcat with the HackRF. -
Going to a business summit tomorrow and I get to see a live hack and learn about cyber attacks.
Shit better be good.2 -
I’m working on a new app I’m pretty excited about.
I’m taking a slightly novel (maybe 🥲) approach to an offline password manager. I’m not saying that online password managers are unreliable, I’m just saying the idea of giving a corporation all of my passwords gives me goosebumps.
Originally, I was going to make a simple “file encrypted via password” sort of thing just to get the job done. But I’ve decided to put some elbow grease into it, actually.
The elephant in the room is what happens if you forget your password? If you use the password as the encryption key, you’re boned. Nothing you can do except set up a brute-forcer and hope your CPU is stronger than your password was.
Not to mention, if you want to change your password, the entire data file will need to be re-encrypted. Not a bad thing in reality, but definitely kinda annoying.
So actually, I came up with a design that allows you to use security questions in addition to a password.
But as I was trying to come up with “good” security questions, I realized there is virtually no such thing. 99% of security question answers are one or two words long and come from data sets that have relatively small pools of answers. The name of your first crush? That’s easy, just try every common name in your country. Same thing with pet names. Ice cream flavors. Favorite fruits. Childhood cartoons. These all have data sets in the thousands at most. An old XP machine could run through all the permutations over lunch.
So instead I’ve come up with these ideas. In order from least good to most good:
1) [thinking to remove this] You can remove the question from the security question. It’s your responsibility to remember it and it displays only as “Question #1”. Maybe you can write it down or something.
2) there are 5 questions and you need to get 4 of them right. This does increase the possible permutations, but still does little against questions with simple answers. Plus, it could almost be easier to remember your password at this point.
All this made me think “why try to fix a broken system when you can improve a working system”
So instead,
3) I’ve branded my passwords as “passphrases” instead. This is because instead of a single, short, complex word, my program encourages entire sentences. Since the ability to brute force a password decreases exponentially as length increases, and it is easier to remember a phrase than a complicated amalgamation of letters, numbers and symbols, a passphrase should be preferred. Sprinkling in the occasional symbol to prevent dictionary attacks will make them totally uncrackable.
In addition? You can have an unlimited number of passphrases. Forgot one? No biggie. Use your backup passphrases, then remind yourself what your original passphrase was after you log in.
All this accomplished on a system that runs entirely locally is, in my opinion, interesting. Probably it has been done before, and almost certainly it has been done better than what I will be able to make, but I’m happy I was able to think up a design I am proud of.8 -
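Editor's added example of the "unlimited number of passphrases" design from the post, written here rather than taken from the app: a random vault key is what actually encrypts the password file, and each passphrase only wraps its own copy of that key in a slot. Adding a backup passphrase, dropping one, or rotating one then never touches the encrypted data, which also answers the "re-encrypt everything on password change" complaint earlier in the post. Each slot runs the passphrase through scrypt with its own salt to get 64 bytes: 32 to XOR over the vault key (a pad used exactly once, for that salt) and 32 to key an HMAC so a wrong passphrase is detected rather than yielding garbage. The scrypt parameters are illustrative and should be tuned up for a real release.

```python
import hashlib
import hmac
import os

KEY_LEN = 32
SCRYPT = dict(n=2 ** 14, r=8, p=1)   # illustrative cost; raise for production


def slot_keys(passphrase: str, salt: bytes):
    # 64 bytes from scrypt: first half pads the vault key, second half authenticates the slot.
    material = hashlib.scrypt(passphrase.encode("utf-8"), salt=salt, dklen=2 * KEY_LEN, **SCRYPT)
    return material[:KEY_LEN], material[KEY_LEN:]


def wrap(vault_key: bytes, passphrase: str) -> dict:
    salt = os.urandom(16)                 # fresh salt, so the pad is never reused
    pad, mac_key = slot_keys(passphrase, salt)
    wrapped = bytes(a ^ b for a, b in zip(vault_key, pad))
    tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def unwrap(slot: dict, passphrase: str):
    pad, mac_key = slot_keys(passphrase, slot["salt"])
    tag = hmac.new(mac_key, slot["salt"] + slot["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, slot["tag"]):
        return None                       # wrong passphrase for this slot
    return bytes(a ^ b for a, b in zip(slot["wrapped"], pad))


class Vault:
    def __init__(self):
        self.vault_key = os.urandom(KEY_LEN)   # the key that encrypts the password file
        self.slots = []                        # one wrapped copy per passphrase

    def add_passphrase(self, passphrase: str) -> None:
        self.slots.append(wrap(self.vault_key, passphrase))

    @staticmethod
    def unlock(slots: list, passphrase: str):
        # Try every slot; a passphrase only has to open one of them.
        for slot in slots:
            key = unwrap(slot, passphrase)
            if key is not None:
                return key
        return None

    def rotate_passphrase(self, old: str, new: str) -> bool:
        # Replace the slot the old passphrase opens; the vault key itself is unchanged.
        for i, slot in enumerate(self.slots):
            if unwrap(slot, old) is not None:
                self.slots[i] = wrap(self.vault_key, new)
                return True
        return False
```

The file on disk then holds the slot list next to the encrypted data; losing every passphrase still means brute force, but losing one of several does not.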
I have anxiety attacks and I wanted to get my mind off things. I took 2 internships at once so that my mind would stay focused. Turned out that was really the worst idea I ever came up with.
I was fretting a lot. People calling me from different time zones at 1-2 am midnight asking me about updates. Things went completely messed up, fought with my friends.
So i messaged my boss. I told him i have some problems in life i need time to sort it. And believe me he said take a month off.
He is really the coolest boss I know (out of the 4 I ever worked for 😅)
Guys a lesson don't overdo the things you love. You want to make it a good experience. But making it unbearable to yourself can make you hate your love for coding.7 -
Difference between security threat and programming bug ?
Found a cool paper about format string attacks which mentioned buffer Overflow is a security threat while format string is a programming bug.
Had no idea what that really meant.
Tnx1 -
I handed in my notice last week, now I have to be held prisoner for 6 weeks in a company that hits all my Asperger triggers, and causes me daily panic attacks. But then... I get a big pay jump, remote working, more holiday.. and a much more fun project1
-
Is it just me or does anyone else wince when someone says the word "cyber" when referencing something on the internet ....like the current series of attacks ..... oh god ... i winced just typing that !
I hate the word, its an irrational hate i know still !1 -
The NPC has stated that the personal data of at least 2000 people was leaked after the attacks on the websites of the Philippine government on April 1; the data contains names, addresses, passwords and school data.
Over 7 administrators of schools, universities and other government structures have been called out for not reporting the leakage of personal info on public Facebook groups and for violation of the NPC's 72-hour rule.
The representatives of the following structures stood before the commission on the 23rd and 24th of April
- Taguig City University
- Department of Education offices in Bacoor City and Calamba City
- the Province of Bulacan
- Philippine Carabao Center
- Republic Central Colleges in Angeles City
- Laguna State Polytechnic University
The agency has reported that none of the organisations had notified anyone about the personal info leakage yet.
This is a good reminder that you should inform about security/personal info breaches everyone that might be related to it as soon as possible, even if it seems unecessary. -
I signed up to a website, and my password contained & symbol, got an error that password cannot contain that symbol, I thought we are way beyond vulnerability of SQL injection?
Or that symbol can be used for some other attacks?5 -
given Mossad's recently demonstrated brilliance in supply chain attacks, I'm leaning to believe that they were behind the liblzma backdoor.8
-
I keep having these ideas of a Steam-like interface for transferring money and buying virtual items, but I can't for the life of me figure out how I would go about it other than a basic Flask + MongoDB setup which would be ripe for malicious attacks5
-
!rant !dev
So, following up my last rant.
https://devrant.com/rants/2433162
I quit on Friday, this is what I said to my bosses.
"In the last week I had, 2 panic attacks, and I have 2 theories for this, one is that I have underlying psychological problems, the other theory is that we are under an impossible task, I choose to say now that I have to quit because I have psychological issues, but if you are willing to hear my other theory, that involves saying that meeting the deadline is not viable, then I can tell you that, so do want to listen that part?.
Bosses: No, we heard enough, we are going to have your contract terminated in order, and we will let you know when you can come and pick your paycheck."
So, that's them. Now about me and how I re-discovered GTD, or more precisely how I organized my whole weekend using taskwarrior with GTD, and why I think is going to be useful as a freelancer.
Before I feel good about telling you about my weekend I have to tell you a few things about myself.
I am a very impulsive person, I have a lot of energy in short surges, so I have to be able to maximize my activity when I'm in a surge, and I have to maximize my rest when I am not.
That's hard to do, it requires a balanced lifestyle, I am also very prone to being neurotic, and overwhelmed by the amount of stuff that I want to do.
And on top of that, when I am resting, I have surges of things that I want to have, do, or implement, it could be software related, as "Doing an app that will be the Uber of home services", to house improvements like, "I have to fix that leaking roof", and all the sort of stuff that happens in between hardware and software. That surge of consciousness doesn't allow me to have the proper rest that I need before I engage with activities again.
Because of this I have a very cyclic rhythm, with whole weeks burning my energy into doing stuff, and weeks resting doing very little and thinking too much.
Now about my weekend. Friday night I was browsing the web, and a thought came to my head. "The way you use your terminal, says a lot about your personality", and I got curious, so I searched for, "Show me your terminal", and found a post in dev.to to see all kind of nice terminal setups, from the very minimalist to very feature rich oh-my-zsh themes with plugins for git, aws and what not. One of these pictures really got my attention, a guy had set up his terminal to show him, how many task has he done in the day, and how many cups of coffee has he had.
So by investigating how he set up his terminal to show in the prompt the number of successfully completed tasks in the day, I found out that he was using taskwarrior, he was also kind enough to share the source code of his prompt setup, which I bookmarked to later incorporate that into my oh-my-zsh config.
After reading about taskwarrior, I also got a reference to GTD, I don't remember if this was one of those thoughts that I have and follow immediately, or if I read something that led me to a YouTube video summarizing GTD.
In the end, after watching that GTD video, I decided to give it a try to organize my life, and help me find a remote job, keep my house in order, plan my social activities as "hang out with friends", "visit mom and dad", and give the proper amount of attention to my GF, with whom I am deeply in love, and willing to spend the remaining of my years with her.
So my fist task was.
task add Ask for GF's parents blessing.
Which of course I have no intention of doing right now, but is one of the things that I will eventually have to do.
Then it started, I started adding tasks, and things to do, and go through the whole Capture phase of GTD.
Now it is a good time to write a small summary of what I think GTD is.
GTD is a life habit of organizing your life in todo-lists. And it was a very specific core method, that in the video summary that I watched was called CPR.
Capture, Process and Review.
Capture:
When you capture you just add your tasks to a bucket list.
So I took a notebook and started writing down everything that I wanted to have done. I also started to capture ideas as they came up to me, I did this by writing a telegram saved message in my phone, or directly adding it as a task in TW.
Process:
I read my telegram messages and put them into my task warrior list, then I started to organize my tasks into projects, breaking down every task that was not an atomic unit.
* And different projects started to emerge from this. One of them was project:Housekeeping.
And here's my screenshot of what I did this weekend, also the number of projects that I have, and all the things that I have to do in order to have what I think would be a very balanced, fun, and productive life.
You'll be able to see in the screenshot, that there's a blocked task, yes, tw allows you to organize dependencies too, so one task is delegated, and blocked by the delegation task.1 -
Has anyone maybe a link to HTTP security topics in general?
I find often breadcrumbs, like in several different attack possibilities, but nothing comprehensive.
Mostly regarding HTTP 1.1 / HTTP 2 (h2c) and proxying.
I'm currently unclogging a whole ecosystem of proxies, endpoints, edge nodes and so on...
My knowledge is limited and it's frustrating to Google cause seemingly I get always just pieces of the puzzles but not a collection -.-
(Looking for specific information, e.g. regarding attacks like H2C Smuggling, HPACK attacks, stuff regarding Cookies / Headers / Encoding... But please not spread over several dozen pages where it becomes frustrating to read the same shit over and over again without learning something new :( )3 -
I recently moved to a house where my gf and me each have our separate office space. However, i’m sitting with my back to the door so whenever i’m in the zone with noise cancelling on and my gf walks in i don’t hear her. Resulting in me having a couple of almost heart attacks lately.
I have ideas about mirrors or sensors but since I'm working off three screens I don't think it will do. The second option is of course to move the desk to the other side of the room so that I'm facing the door more. But there are no power plugs.
My gf basically locks her door by sitting in front of it. Also she doesn't have a noise cancelling headset.6 -
So, for about two days ago I got hit with a crazy anxiety attack. My chest started to tighten and things seemed dark at the time.
I'm a CS freshman this year and I find myself struggling with some subjects. I felt like I've disappointed a lot of people that I really cared about. Anxiety attacks have been happening recently. Do you guys have any advice for dealing with anxiety attacks?
*sorry for the bad english4 -
Though I’ve seen devices like the following I’ve only ever seen them used for horrible purposes.
I was envisioning facility control being made capable by the use of a larger tablet device or tablet computer. The device would have no internet connection. It would not attach to the outside world at all.
It would not receive non manual software updates
It could view all air flow, temperature, lights, locks, electrical outlets, power draw, water usage, heaters, air conditioners, computer statins etc
And control and report statistics on them all.
Impractical you people said last time. But I would say cool if the device is kept super secure . That being said who knows how to do that since everything sucks once someone who knows what they’re doing has physical access lol
Personally all I don’t know how to break into is smart phones
Comps I could always figure out even if they had disk encryption given enough time.
The only reason phones are hard is you’re limited to network attacks and the boot loader is on the chip page.
Cause in the end a computer is just it’s hard drive in terms of security lol1 -
What is your opinion of having a LinkedIn profile with such details? Will it help or will it hurt? For me, I think it's too much.
https://linkedin.com/in/...
Please remain civil and no troll attacks.3 -
I hate so much RStudio that it gives me anxiety attacks whenever I try to debug something with it. What a fucking nightmare1
-
Need advice about protecting against DDoS via iptables and whitelisting. Currently I launched my gameserver and am fighting against a massive attack of botnets. The problem was solved by closing all ports on my gameserver Linux machine and shipping game.exe with an injected C++ socket client. So basically only gamers who launch my game exe are being added to the firewall iptables via the socket client that is provided in the game exe. If some DDoSers still manage to get inside and DDoS then my protection is good enough to handle attacks from whitelisted IPs from inside. Now I have another problem. Lots of players have problems and for some reason the shipped C++ client fails to connect to my socket server. Currently my solution was to provide support in all contact channels (Facebook, Skype, email) and add those people's IPs to the whitelist manually. My best solution would be to make a button on the website which you can click and your IP is whitelisted automatically. However if it will be so easy then botnets can whitelist themselves as well. Can you advise me how I could handle whitelisting my players through the web or some other exe in a way that it can't be replicated by botnets?1
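One way to make the "whitelist me" button unforgeable, as an editor's added example and not the OP's code: the button only works with a token that the login server hands out after a real account login, bound to the account, the client IP and an expiry, and signed with a server-side secret. Without the secret a botnet cannot mint tokens, a stolen token only whitelists the IP it was issued for, and each account can only hold one whitelisted IP at a time, so a single compromised account cannot open the door for thousands of bots. Names, the game port 7777 and the token layout are my choices; `Whitelist.add` returns the iptables argv to run rather than executing it, so the logic can be tested without root. Caveat that belongs with this design: a host firewall only helps against traffic that reaches the host; a flood that saturates the uplink has to be absorbed upstream by the provider's mitigation, whitelist or not.

```python
import base64
import hashlib
import hmac
import ipaddress
import struct
import time
from typing import Optional

TAG_LEN = 16
HDR = ">IQB"                     # account id, expiry (unix seconds), IP length (4 or 16)


def issue_token(secret: bytes, account_id: int, client_ip: str,
                ttl: int = 300, now: Optional[int] = None) -> str:
    """Called by the login server after the account has authenticated."""
    now = int(time.time()) if now is None else now
    ip = ipaddress.ip_address(client_ip).packed
    body = struct.pack(HDR, account_id, now + ttl, len(ip)) + ip
    tag = hmac.new(secret, body, hashlib.sha256).digest()[:TAG_LEN]
    return base64.urlsafe_b64encode(body + tag).decode("ascii")


def verify_token(secret: bytes, token: str, client_ip: str,
                 now: Optional[int] = None) -> Optional[int]:
    """Return the account id if the token is genuine, unexpired and presented from
    the IP it was issued for; None otherwise. Never raises on malformed input."""
    now = int(time.time()) if now is None else now
    try:
        raw = base64.urlsafe_b64decode(token.encode("ascii"))
        account_id, expires, ip_len = struct.unpack_from(HDR, raw)
        presented_ip = ipaddress.ip_address(client_ip).packed
    except (ValueError, struct.error):
        return None
    if ip_len not in (4, 16):
        return None
    body_len = struct.calcsize(HDR) + ip_len
    body, tag = raw[:body_len], raw[body_len:]
    if len(body) != body_len or len(tag) != TAG_LEN:
        return None
    expected = hmac.new(secret, body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):   # check the signature before anything else
        return None
    if now >= expires:
        return None
    if body[-ip_len:] != presented_ip:           # token is bound to the issuing IP
        return None
    return account_id


class Whitelist:
    """One IP per account; returns the iptables argv to run (call subprocess yourself)."""

    def __init__(self, secret: bytes, port: int = 7777):
        self.secret = secret
        self.port = str(port)
        self.by_account = {}

    def _rule(self, action: str, ip: str) -> list:
        return ["iptables", action, "INPUT", "-s", ip, "-p", "tcp", "--dport", self.port, "-j", "ACCEPT"]

    def add(self, token: str, client_ip: str, now: Optional[int] = None):
        account_id = verify_token(self.secret, token, client_ip, now)
        if account_id is None:
            return None                           # forged, expired, or wrong IP: do nothing
        cmds = []
        old = self.by_account.get(account_id)
        if old is not None and old != client_ip:  # account moved IP: revoke the old rule first
            cmds.append(self._rule("-D", old))
        if old != client_ip:
            cmds.append(self._rule("-I", client_ip))
        self.by_account[account_id] = client_ip
        return cmds
```

The web endpoint behind the button takes the token from the logged-in session, passes the request's remote address as `client_ip`, and runs whatever `add` returns; expire the rules again on logout or after a fixed time so the chain does not grow forever.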
-
I may need some ideas for a personal project in mind:
I plan to have a server that shall connect to a usb stick/device, the usb is plugged to a TV. The usb device can create its own local wifi network which provides CRUD on media files via REST. My own server should be accessible via the internet, but at the same time connect to the local usb wifi, once the usb wifi is available, and then send requests to it. Kind of a user-friendly bridge.
There's a PC near the device, almost always turned on. It's used by family members as regular office machine and could run a local server. What if as remotely accessible server? Then what about DOS attacks? (Would that "kill" the PC?)
An alternative would be a separate server. A raspberry pi? A dedicated server?1 -
Are there any sysadmins here who know how to deal with ddos attacks properly? I can even offer pay. Situation is that I launched my java app (gameserver) on linux debian and configured iptables to allow only specific ips. Basically I made only 1 port open for loginserver and if player logins into loginserver it adds his ip to iptables so hes able to proceed to gamesever. However I am still receiving massive up to 900MB/s attacks for example: http://prntscr.com/q3dwe8
It appears that even if I left only one port open, I still can't defend against ddos attacks. I made some captures with tcpdump and analyzed them on wireshark but to be honest I cant really tell what I'm looking at.
I am using OVH which is supposed to be ddos protected but maybe I messed up during iptables configuration, I'm not sure.
Can anyone help?15