You know what?

Young cocky React devs can suck my old fuckin LAMP and Objective-C balls.

Got a new freelance job and got brought in to triage a React Native iOS/Android app. Lead dev's first comment to me is: "Bro, have you ever used React Native".

To which I had to reply to save my honor publicly, "No, but I have like 8 years with Objective-C and 3 years with Swift, and 3 years with Node, so I maybe I'll still be able help. Sometimes it just helps to have a fresh set of eyes."

"Well, nobody but me can work on this code."

And that, as it turned out was almost true.

After going back and forth with our PM and this dev I finally get his code base.

"Just run "npm install" he says".

Like no fuckin shit junior... lets see if that will actually work.

Node 14... nope whole project dies.

Node 12 LTS... nope whole project dies.

Install all of react native globally because fuck it, try again... still dies.

Node 10 LTS... project installs but still won't run or build complaining about some conflict with React Native libraries and Cocoa pods.

Go back to my PM... "Um, this project won't work on any version of Node newer than about 5 years old... and even if it did it still won't build, and even if it would build it still runs like shit. And even if we fix all of that Apple might still tell us to fuck off because it's React Native.

Spend like a week in npm and node hell just trying to fucking hand install enough dependencies to unfuck this turds project.

All the while the original dev is still trying TO FIX HIS OWN FUCKING CODE while also being a cocky ass the entire time. Now, I can appreciate a cocky dev... I was horrendously cocky in my younger days and have only gotten marginally better with age. But if you're gonna be cocky, you also have to be good at it. And this guy was not.

Lo, we're not done. OG Dev comes down with "Corona Virus"... I put this in quotes because the dude ends up drawing out his "virus" for over 4 months before finally putting us in touch with "another dev team he sometimes uses".

Next, me and my PM get on a MS Teams call with this Indian house. No problems there, I've worked with the Indians before... but... these are guys are not good. They're talking about how they've already built the iOS build... but then I ask them what they did to sort out the ReactNative/Cocoa Pods conflict and they have no idea what I'm talking about.

Why?

Well, one of these suckers sends a link to some repo and I find out why. When he sends the link it exposes his email...

This Indian dude's emails was our-devs-name@gmail.com...

We'd been played.

Company sued the shit out of the OG dev and the Indian company he was selling off his work to.

I rewrote the app in Swift.

So, lets review... the React dev fucked up his own project so bad even he couldn't fix it... had to get a team of Indians to help who also couldn't fix it... was still a dickhead to me when I couldn't fix it... and in the end it was all so broken we had to just do a rewrite.

None of you get npm. None of you get React. None of you get that doing the web the way Mark Zucherberg does it just makes you a choad locked into that ecosystem. None of you can fix your own damn projects when one of the 6,000 dependency developers pushes breaking changes. None of you ever even bother with "npm audit fix" because if security was a concern you'd be using a server side language for fucking server side programming like a grown up.

So, next time a senior dev with 20 years exp. gets brought in to help triage a project that you yourself fucked up... Remember that the new thing you know and think makes you cool? It's not new and it's not cool. It's just JavaScript on the server so you script kiddies never have to learn anything but JavaScript... which makes you inarguably worse programmers.

And, MF, I was literally writing javascript while you were sucking your mommas titties so just chill... this shit ain't new and I've got a dozen of my own Node daemons running right now... difference is?

Mine are still working.

A dude with a THICK Russian accent just called me offering server security services.

After I politely declined, he insisted on a free audit of my servers. I declined that as well.

Now I’m backing up our DB’s and going through my nginx logs.

Am I being racist?

In a user-interface design meeting over a regulatory compliance implementation:
User: “We’ll need to input a city.”
Dev: “Should we validate that city against the state, zip code, and country?”
User: “You are going to make me enter all that data? Ugh…then make it a drop-down. I select the city and the state, zip code auto-fill. I don’t want to make a mistake typing any of that data in.”
Me: “I don’t think a drop-down of every city in the US is feasible.”
Manage: “Why? There cannot be that many. Drop-down is fine. What about the button? We have a few icons to choose from…”
Me: “Uh..yea…there are thousands of cities in the US. Way too much data to for anyone to realistically scroll through”
Dev: “They won’t have to scroll, I’ll filter the list when they start typing.”
Me: “That’s not really the issue and if they are typing the city anyway, just let them type it in.”
User: “What if I mistype Ch1cago? We could inadvertently be out of compliance. The system should never open the company up for federal lawsuits”
Me: “If we’re hiring individuals responsible for legal compliance who can’t spell Chicago, we should be sued by the federal government. We should validate the data the best we can, but it is ultimately your department’s responsibility for data accuracy.”
Manager: “Now now…it’s all our responsibility. What is wrong with a few thousand item drop-down?”
Me: “Um, memory, network bandwidth, database storage, who maintains this list of cities? A lot of time and resources could be saved by simply paying attention.”
Manager: “Memory? Well, memory is cheap. If the workstation needs more memory, we’ll add more”
Dev: “Creating a drop-down is easy and selecting thousands of rows from the database should be fast enough. If the selection is slow, I’ll put it in a thread.”
DBA: “Table won’t be that big and won’t take up much disk space. We’ll need to setup stored procedures, and data import jobs from somewhere to maintain the data. New cities, name changes, ect. ”
Manager: “And if the network starts becoming too slow, we’ll have the Networking dept. open up the valves.”
Me: “Am I the only one seeing all the moving parts we’re introducing just to keep someone from misspelling ‘Chicago’? I’ll admit I’m wrong or maybe I’m not looking at the problem correctly. The point of redesigning the compliance system is to make it simpler, not more complex.”
Manager: “I’m missing the point to why we’re still talking about this. Decision has been made. Drop-down of all cities in the US. Moving on to the button’s icon ..”
Me: “Where is the list of cities going to come from?”
<few seconds of silence>
Dev: “Post office I guess.”
Me: “You guess?…OK…Who is going to manage this list of cities? The manager responsible for regulations?”
User: “Thousands of cities? Oh no …no one is our area has time for that. The system should do it”
Me: “OK, the system. That falls on the DBA. Are you going to be responsible for keeping the data accurate? What is going to audit the cities to make sure the names are properly named and associated with the correct state?”
DBA: “Uh..I don’t know…um…I can set up a job to run every night”
Me: “A job to do what? Validate the data against what?”
Manager: “Do you have a point? No one said it would be easy and all of those details can be answered later.”
Me: “Almost done, and this should be easy. How many cities do we currently have to maintain compliance?”
User: “Maybe 4 or 5. Not many. Regulations are mostly on a state level.”
Me: “When was the last time we created a new city compliance?”
User: “Maybe, 8 years ago. It was before I started.”
Me: “So we’re creating all this complexity for data that, realistically, probably won’t ever change?”
User: “Oh crap, you’re right. What the hell was I thinking…Scratch the drop-down idea. I doubt we’re have a new city regulation anytime soon and how hard is it to type in a city?”
Manager: “OK, are we done wasting everyone’s time on this? No drop-down of cities...next …Let’s get back to the button’s icon …”

Simplicity 1, complexity 0.

Act I

Me (Lead Developer), Boss (Head of IT), CEO

> enter stage left CEO

CEO > "Alright Boss, give it to me straight. Are we going to be able to release app x by this date?"

Boss > "Yup we'll have a beta release on that date"

> exit stage right CEO

Me > types long email to Boss outlining exactly why we won't be able to release app x anywhere near that date, beta or otherwise, because:
1. We have a development team of 2
2. I've never developed an iOS app before
3. Developer 2 is still trying to understand git, because
3a. Developer 2 isn't even a developer (but he's doing iOS front-end so w/e)
4. We don't have the required database systems in place
5. Or CRM
6. Or CPQ
7. We'll need to conduct a security audit

Boss > "yeah, but CEO is gonna need to hear that date a few more times before he can fully understand"

Me > *internally screaming BUT YOU HAVEN'T TOLD HIM THAT AT ALL*
"ok cool just glad we're on the same page on that one"

!rant Decided to use the DevTools audit thing to try to improve my personal website. An embarrassing number of hours later and I finally have to tell the perfectionist in me to chill.

Data scientist: we need to whitelist a pod to connect to a database
Me: Whitelist? We don't use whitelists on private databases
DS: It's the new data warehouse database
Me: is it on <X> VPC?
DS: I'm not sure what that means but its ip is <real world ipv4>
Me: Are you hosting a publicly accessible database with all our end users information?!
DS: ...
Me: There goes our SOC2 audit controls...
DS: how long until you can white list it?
Me: I won't be whitelisting it. You need to put it on a private VPC and peer with the cluster, you'll have to rebuild all the Terraform and redeploy
DS: We didn't use Terraform because it takes too long, just white list the pods IP.
Me: No. I'm contacting the CISO and CTO...

Boss hands over to me an old security audit report and tells me "Go through this and check if all the problems mentioned have been resolved". Quick glance through the report shows all expected issues - SQLi, plaintext transmission and storage etc. I tell him that I need access to the application both from admin and a user with restricted privileges.
He hands me the admin credentials and tells me, "After you login in, just go the "Users" tab. You'll find the profiles of all the users there. You can get the emails and passwords of any user you want from there."
I had to hold back a chuckle. There's nothing to verify. If they haven't resolved storing plain text passwords in the database (AND displaying it IN PLAIN TEXT in the website itself (which to my surprise wasn't mentioned in the audit)), they probably haven't even looked at the report.

Dev: Hey that internal audit you asked me to perform didn’t go so well

Manager: It has too! I’ll get in a lot of trouble if it doesn’t pass.

Dev: Ok well it’s a lot of work to get it to a passing state, we have to dedicate a lot of resources to fix all these findings.

Manager: We don’t have any spare resources, they are all working on new projects! Why did you have to find things??

Dev: ….It’s a lot of hard to miss stuff, like missing signatures on security clearance forms

Manager: Ok can’t you just say that everything is all good? They’ll probably not double check.

Dev: I’m not really comfortable with that…Look all of these findings are all just from one member of the team consistently not doing their job, can’t you just address that with him and I can make a note on the audit that issues were found but corrective action was made? That’s the whole point of audits.

Manager: You don’t get it, if anything is found on the audit I’ll look bad. We have to cover this up. Plus that’s a really good friend of mine! I can’t do that to him. Ok you know what? You are obviously not the right person for this task, I’ll get someone else to do it. Go back to your regular work, I’m never assigning you audits again.

My CTO told the COO and CEO i'd be finished SOC2 compliance by the end of December... On December 14th.

It takes 3 months to do the audit, let alone all the actual work. I hadn't even started yet.

He was fired shortly after that.

a stored XSS vuln in a banner-like component, visible in ALL the pages in the portal. Anyone can attack anyone.

HOWEVER this was not discovered by 3rd-party security specialists during latest security audit. I have escalated this to my manager and got replied that unless client actively requests this to be fixed should I do anything about it.

FFS.. it's only 2 lines of code.. And there's nothing I can do about it.

Eventualy I was transfered to another project. Now it's not my problem anymore.

$ npm audit

> found 19 vulnerabilities (10 low, 5 moderate, 3 high, 1 critical)

$ npm audit fix

> fixed 0 of 19 vulnerabilities in 11987 scanned packages

> (use `npm audit fix --force` to install breaking changes; or do it by hand)

$ npm audit fix --force

> npm WARN using --force I sure hope you know what you are doing.

Me too, buddy. Me too.

*tries to SSH into my laptop to see how that third kernel compilation attempt went*
… From my Windows box.

Windows: aah nope.

"Oh God maybe the bloody HP thing overheated again"
*takes laptop from beneath the desk indent*
… Logs in perfectly. What the hell... Maybe it's SSH service went down?

$ systemctl status sshd
> active (running)

Well.. okay. Can I log in from my phone?

*fires up Termux*
*logs in just fine*

What the fuck... Literally just now I added the laptop's ECDSA key into the WSL known_hosts by trying to log into it, so it can't be blocked by that shitty firewall (come to think of it, did I disable that featureful piece of junk yet? A NAT router * takes care of that shit just fine Redmond certified mofos).. so what is it again.. yet another one of those fucking WanBLowS features?!!

condor@desktop $ nc -vz 192.168.10.30 22
Connection to 192.168.10.30 22 port [tcp/ssh] succeeded!

ARE YOU FUCKING FOR REAL?!

Fucking Heisen-feature-infested piece of garbage!!! Good for gaming and that's fucking it!

Edit: (*) this assumes that your internal network doesn't have any untrusted hosts. Public networks or home networks from regular users that don't audit their hosts all the time might very well need a firewall to be present on the host itself as well.

I just got four CSV reports sent to me by our audit team, one of them zipped because it was too large to attach to email.

I open the three smaller ones and it turns out they copied all the (comma separated) data into the first column of an Excel document.

It gets better.

I unzip the "big" one. It's just a shortcut to the report, on a network share I don't have access to.

They zipped a shortcut.

Sigh. This'll be a fun exchange.

I've caught the efficiency bug.

I recently started a minimum wage job to get my life back in order after a failed 2 year project (post mortem: next time bring more cash for a longer runway)

I've noticed this thing I do at every job, where I see inefficiency and I think "how can I use technology to automate myself out of this job?"

My first ever application was in C++ for college (a BASIC interpreter) and it's been so long I've since forgotten the language.

But after a while every language starts to look like every other language, and you start to wonder if maybe the reason you never seriously went anywhere as a programmer was because you never really were cut out for it.

Code monkey, sure. Programmer? Dunno, maybe I just suffer from imposter syndrome.

So a few years back I worked at a retail chain. Nothing as big as walmart, but they have well over 10k store locations. They had two IBM handscanners per store, old grungy ugly things, and one of these machines would inevitably be broken, lost or in need of upgrade/replacement about once a year, per location. District manager, who I hit it off with, and made a point of building report with, told me they were paying something like $1500 a piece.

After a programming dry spell, I picked up 'coding' with MIT app inventor. Built a 'mostly complete' inventory management app over the course of a month, and waited for the right time.

The day of a big store audit, (and the day before a multi-regional meeting), I made sure I was in-store at the same time as my district manager, so he could 'stumble upon' me working, scanning in and pricing items into the app.

Naturally he asked about it, and I had the numbers, the print outs, and the app itself to show him. He seemed impressed by what amounted to a code monkeys 'non-code' solution for a problem they had.

Long story short, he does what I expected, runs it by the other regionals and middle executives at the meeting, and six months later they had invested in a full blown in house app, cutting IBM out of the mix I presume.

From what I understand they now use the app throughout the entire store chain.

So if you work at IBM, sorry, that contract you lost for handscanners at 10k+ stores? Yeah that was my fault (and MIT app inventor).

They say software is 'eating the world' but it really goes to show, for a lot of 'almost coders' and 'code monkeys' half our problem is dealing with setup and platform boilerplate. I think in the future that a lot of jobs are either going to be created or destroyed thanks to better 'low code' solutions, and it seems to be a big potential future market.

In the mean while I've realized, while working on side projects, that maybe I can do this after all, and taken up Kotlin. I want to do a couple of apps for efficiency and store tracking at my current employer to see if I'm capable and not just an mit app-inventor codemonkey after all.

I'm hoping, by demonstrating what I can do, I can use that as a springboard into an internal programming position at my current gig (which seems to be a company thats moving towards a more tech oriented approach to efficiency and management). Also watching money walk out the door due to inefficiency kinda pisses me off, and the thought of fixing those issues sounds really interesting. At the end of the day I just like learning new technologies, and maybe this is all just an excuse to pick up something new after spending so long on less serious work.

I still have a ways to go, but the prospect of working on B2B, and being able to offer technological solutions to common and recurring business needs excites the hell out of me..as cringy and over-repeated as that may sound.

The fuck did I do wrong?

So I had 11 vulnerabilities 1 high.
I just npm audit fix

Now it’s 44 vulnerabilities

!rant Finally got 100 across the board in audit and made a favicon/logo that I actually like.

Manager: what is the estimations for this task A nd B?

Me: Task A: 3 months for 1 guys, and task B: 2 Months

Manager: ok, u can have a fresher, and finish task A, and u urself can pick task B, u can train him and bring him up to pace...

Me: (trying to recalibrate my estimations)...

Manager: oh and u have 3 weeks to deliver production ready scalable quality code with junits, documentation and testing done...

Me: then why the fuck did u bother for the estimates?

Manager: oh that is just for the process complaince...I don't want any trouble in audit...

My team manager showed me a web application of a new client and asked me if I can find vulnerabilities in it to push for a better product contract. She showed me the system architecture and asked me if I could try finding something from their login page. I politely refused since we don't have written permission to conduct a security audit (it's also a ministry website). She was pretty disappointed and idk if I'm doing the right thing not helping the company (I'm an intern but still). I'm sure I can scan in stealth but I don't think it's ethical on a corporate level. Thoughts?

we just had a security audit

I used to do audits for private companies with a team. Most of them where black box audits and we were allowed to physically manipulate certain machines in and around the building, as long as we could get to them unnoticed.

Usually when doing such jobs, you get a contract signed by the CEO or the head of security stating that if you're caught, and your actions were within the scope of the audit, no legal action will be taken against you.

There was this one time a company hired us to test their badge system, and our main objective was to scrape the data on the smartcards with a skimmer on the scanner at the front of the building.

It's easy to get to as it's outside and almost everyone has to scan their card there in order to enter the building. They used ISO 7816 cards so we didn't even really need specified tools or hardware.

Now, we get assigned this task. Seems easy enough. We receive the "Stay-out-of-jail"-contract signed by the CEO for Company xyz. We head to the address stated on the contract, place the skimmer etc etc all good.

One of our team gets caught fetching the data from the skimmer a week later (it had to be physically removed). Turns out: wrong Building, wrong company. This was a kind of "building park" (don't really know how to say it in English) where all the buildings looked very similar. The only difference between them was the streetnumber, painted on them in big. They gave us the wrong address.

I still have nightmares about this from time to time. In the end, because the collected data was never used and we could somewhat justify our actions because we had that contract and we had the calls and mails with the CEO of xyz. It never came to a lawsuit. We were, and still are pretty sure though that the CEO of xyz himself was very interesed in the data of that other company and sent us out to the wrong building on purpose.
I don't really know what his plan after that would have been though. We don't just give the data to anyone. We show them how they can protect it better and then we erase everything. They don't actually get to see the data.

I quit doing audits some time ago. It's very stressful and I felt like I either had no spare time at all (when having an active assignment) or had nothing but spare time (when not on an assignment). The pay also wasn't that great.

But some people just really are polished turds.

OMFG I don't even know where to start..
Probably should start with last week (as this is the first time I had to deal with this problem directly)..

Also please note that all packages, procedure/function names, tables etc have fictional names, so every similarity between this story and reality is just a coincidence!!

Here it goes..

Lat week we implemented a new feature for the customer on production, everything was working fine.. After a day or two, the customer notices the audit logs are not complete aka missing user_id or have the wrong user_id inserted.
Hm.. ok.. I check logs (disk + database).. WTF, parameters are being sent in as they should, meaning they are there, so no idea what is with the missing ids.

OK, logs look fine, but I notice user_id have some weird values (I already memorized most frequent users and their ids). So I go check what is happening in the code, as the procedures/functions are called ok.

Wow, boy was I surprised.. many many times..
In the code, we actually check for user in this apps db or in case of using SSO (which we were) in the main db schema..
The user gets returned & logged ok, but that is it. Used only for authentication. When sending stuff to the db to log, old user Id is used, meaning that ofc userid was missing or wrong.

Anyhow, I fix that crap, take care of some other audit logs, so that proper user id was sent in. Test locally, cool. Works. Update customer's test servers. Works. Cool..

I still notice something off.. even though I fixed the audit_dbtable_2, audit_dbtable_1 still doesn't show proper user ids.. This was last week. I left it as is, as I had more urgent tasks waiting for me..

Anyhow, now it came the time for this fuckup to be fixed. Ok, I think to myself I can do this with a bit more hacking, but it leaves the original database and all other apps as is, so they won't break.
I crate another pck for api alone copy the calls, add user_id as param and from that on, I call other standard functions like usual, just leave out the user_id I am now explicitly sending with every call.
Ok this might work.

I prepare package, add user_id param to the calls.. great, time to test this code and my knowledge..

I made changes for api to incude the current user id (+ log it in the disk logs + audit_dbtable_1), test it, and check db..
Disk logs fine, debugging fine (user_id has proper value) but audit_dbtable_1 still userid = 0.

WTF?! I go check the code, where I forgot to include user id.. noup, it's all there. OK, I go check the logging, maybe I fucked up some parameters on db level. Nope, user is there in the friggin description ON THE SAME FUCKING TABLE!!
Just not in the column user_id...

WTF..Ok, cig break to let me think..

I come back and check the original auditing procedure on the db.. It is usually used/called with null as the user id. OK, I have replaced those with actual user ids I sent in the procedures/functions. Recheck every call!! TWICE!! Great.. no fuckups. Let's test it again!
OFC nothing changes, value in the db is still 0. WTF?! HOW!?

So I open the auditing pck, to look the insides of that bloody procedure.. WHAT THE ACTUAL FUCK?!
Instead of logging the p_user_sth_sth that is sent to that procedure, it just inserts the variable declared in the main package..
WHAT THE ACTUAL FUCK?! Did the 'new guy' made changes to this because he couldn't figure out what is wrong?! Nope, not him. I asked the CEO if he knows anything.. Noup.. I checked all customers dbs (different customers).. ALL HAD THIS HARDOCED IN!!! FORM THE FREAKING YEAR 2016!!! O.o

Unfuckin believable.. How did this ever work?!

Looks like at the begining, someone tried to implement this, but gave up mid implementation.. Decided it is enough to log current user id into BLABLA variable on some pck..
Which might have been ok 10+ years ago, but not today, not when you use connection pooling.. FFS!!

So yeah, I found easter eggs from years ago.. Almost went crazy when trying to figure out where I fucked this up. It was such a plan, simple, straight-forward solution to auditing..

If only the original procedure was working as it should.. bloddy hell!!

No other language can do something as fucky as javascript.

"7 high severity vulnerabilities"
$> npm audit fix --force
"13 vulnerabilities (11 high, 2 critical)"

How is this fixed?!

It will be a great day when JS finally prolapses under the weight of its own hubris.

11 months ago I was tasked to audit 58 computer and 6 servers including network speed analysis. In the meeting with the client & stakeholders, they asked my boss how we will achieve this. He replied... "Pen and Paper. We have interns to capture all info into a spreadsheet ". GEEEEEEEZUS!!!

`npx create-react-app blah`
`cdls blah && npm audit`

63 vulnerabilities.
good fucking job.

To be fair, they're all minor, but they're all *exactly* the same, caused by the same freaking package. Update your dependencies already!

------

`npm i --save formik && npm audit`
68 vulnerabilities, three of them critical.

ugh.

I should just quit. I am not paid enough to deal with this pissing contest.
Reviewer:
Need to add instructions (on readme) for installing pnmp, or if possible, have the top-level npm i install it (lol).
Also, it looks like we are no longer using lerna? If that's right, let's remove the dependency; its dependencies give some security audit messages at install.
Me:
it's good enough for now. Added a new ticket to resolve package manager confusions. (Migrate to pnpm workspaces)
Reviewer:
I will probably be responsible for automating deployment of this (I deployed the webapp on cloudflare pages and there is no work that needs to be done. "automating deployment" literally means replacing npm with pnpm). I disagree that it's good enough for now.

Imagine all readmes on github document how to install yarn/pnpm.

Lesson learned:
If you think an OOP static site developer can't handle modern JS framework, you are probably right.

Today I'm ranting about Windows. No, it's not "WiNdOwS sUcKs!", it's more like "But why!?"

See, I'm an IT guy for the year, and in my office they use Windows. Now once upon a time, they had Active Directory and all that (well, actually, they still do) but then they got some new computers running Windows 10, and for some reason they just couldn't join them to the domain!

Why can't they, you ask? Well, Microsoft only allows Win 10 Pro and up to join a Domain, and since these computers came with Win 10 Home, that wasn't possible.

Long story short, I now have some 30 computers that need to be upgraded (possibly from 7) to Win 10 Pro, and joined to the Domain.

Thing is, I would like to do that all in one go, so I look into how to automatically setup Windows.

"Ah! Got it, provisioning packages!"

Lest you think they work let me spare you now: they don't. Just like real computers where everything is different, provisioning packages failed to work twice, and after wasting about a week trying to make it work, I gave up.

So now I realized that I need to try a different method, a custom windows image. Issue is, I've got no clue how to make one. See, microsoft decided to go all in on the provisioning packages thing (they do have advantages in certain use cases), and seemed to decide that making custom images was no longer necessary, so they documentation was nearly impossible to find.

But after a lot of searching, I figured out how to do it:

1. Install Windows in a VM.
2. Put it in audit mode.
3. Install your stuff.
4. Create an unattend.xml file with certain customizations.
5. Put the unattend in Windows\System32\Sysprep
6. Generalize the image.
7. Boot WinPE.
8. Open the console.
9. Capture the image.
10. Wait an hour or two.
11. Done!

I'm over simplifying, it was a huge PITA, and yet there were still issues.

Maybe another time I'll talk about those.

I am slowly losing my mind and will to live because of this PCI audit, I hate it so much

There comes that dreaded time in the life of a developer working in a conservative, borderline medieval corporate, where darkness sweeps over the land and the evil lords rummage through every peasant's hovel searching for the forbidden - AKA software audit.
So I made a list of all the unauthorized open source code we desperately rely on, and we decided as a team to go down in flames and gloriously fail the audit, a legend of sacrifice that shall be passed on in hushed voices.

A vendor gave us what is turning out to be a very stable storage appliance/software, so we're happy for that. But even so, disks fail. So we need an automated way to identify, troubleshoot, isolate, and begin ticketing against disk failures. Vendor promised us a nice REST API. That was six months ago. The temporary process of SSHing(as root) to every single appliance(60-200 per site, dozens of sites) to run vendor storage audit commands remains our go-to means of automation.

I never thought clean architecture concepts and low complicity, maintainable, readable, robust style of software was going to be such a difficult concept to get across seasoned engineers on my team... You’d think they would understand how their current style isn’t portable, nor reusable, and a pain in the ass to maintain. Compared to what I was proposing.

I even walked them thru one of projects I rewrote.. and the biggest complaint was too many files to maintain.. coming from the guy who literally puts everything in main.c and almost the entire application in the main function....

Arguing with me telling me “main is the application... it’s where all the application code goes... if you don’t put your entire application in main.. then you are doing it wrong.. wtf else would main be for then..”....

Dude ... main is just the default entry point from the linker/startup assembly file... fucken name it bananas it will still work.. it’s just a god damn entry point.

Trying to reiterate to him to stop arrow head programming / enormous nested ifs is unacceptable...

Also trying to explain to him, his code is a good “get it working” first draft system.... but for production it should be refactored for maintainability.

Uggghhhh these “veteran” engineers think because nobody has challenged their ways their style is they proper style.... and don’t understand how their code doesn’t meet certain audit-able standards .

You’d also think the resent software audit would have shed some light..... noooo to them the auditor “doesn’t know what he’s talking about” ... BULLSHIT!

Hurricane Maria - electricity audit

ÆÃÅĀÀÁÂÄ!!!
I'm so thrilled!! I am not a GUI person & I am rly rly slow & bad when it comes to minor changes on that part..
But today I finally finished GUI, client logic, server side logic & db shiiit for some audit interface I was making.. ..from scratch, meaning it wasn't some changese here & there, no copy pasta no nothin.. I did the whole thing by myself..did a lot of things for the first time & it didn't take me ages!! Wiiiiii!!! Having a total 'I iz so proud of myself' moment!! // I usually am not the boasting/confident/happy with myself type..

So one of my clients had a different company do a penetrationtest on one of my older projects.

So before hand I checked the old project and upgraded a few things on the server. And I thought to myself lets leave something open and see if they will find it.

So I left jquery 1.11.3 in it with a known xss vulnerability in it. Even chrome gives a warning about this issue if you open the audit tab.

Well first round they found that the site was not using a csrf token. And yeah when I build it 8 years ago to my knowledge that was not really a thing yet.

And who is going to make a fake version of this questionair with 200 questions about their farm and then send it to our server again. That's not going to help any hacker because everything that is entered gets checked on the farm again by an inspector. But well csrf is indeed considered the norm so I took an hour out of my day to build one. Because all the ones I found where to complicated for my taste. And added a little extra love by banning any ip that fails the csrf check.

Submitted the new version and asked if I could get a report on what they checked on. Now today few weeks later after hearing nothing yet. I send my client an email asking for the status.

I get a reaction. Everything is perfect now, good job!

In Dutch they said "goed gedaan" but that's like what I say to my puppy when he pisses outside and not in the house. But that might just be me. Not knowing what to do with remarks like that. I'm doing what I'm getting paid for. Saying, good job, your so great, keep up the good work. Are not things I need to hear. It's my job to do it right. I think it feels a bit like somebody clapping for you because you can walk. I'm getting off topic xD

But the xss vulnerability is still there unnoticed, and I still have no report on what they checked. So I have like zero trust in this penetration test.

And after the first round I already mentioned to the security guy in my clients company and my daily contact that they missed things. But they do not seem to care.

Another thing to check of their to do list and reducing their workload. Who cares if it's done well it's no longer their responsibility.

2018 disclaimer: if you can't walk not trying to offend you and I would applaud for you if you could suddenly walk again.

We have a badly out of shape but functional product , the result of a "if its not broke don't fix it" mentality. The only thing manangement cares is our next release and making meetings to plan other meetings...

Now comes the time of the security Audit (PCI)...

Manager : oh noooo the audit will fix this issue, quickkk fix it !

Us : welllll its a lengthy process but doable, we just gotta do a,b,c,d,e . Part a is essentially what we need the rest are refactoring bits of the system to support part a since the performance would be shit otherwise

Manager: can you do part a before the audit starts ?

Us: yep.

Manager: do it . Oh and pop those other issues on JIRA so we can track em

Audit completed....

Manager: so we got through ok?

Us : 👍 yep

Manager: okayy, take those other issues..... and stick em at the bottom of the back log...

Us : huh ? *suspicious faces*..... okay but performance is gonna be poor with the system as it is cuz of part A....

Manager: yeaaahhh * troll face* ....about that.... roll it back and stick that too at the bottom of the log. We got to focus our next release. Lemme schedule a meeting for that 😊

Us : faceplam

If I had to audit my current code I'd definitly stick a cactus up my arse shouting in the mirror:

ALL YOUR CODE IS GOOD FOR IS ULTIMATE DELETION. YOU FILTHY MAGGOT! LEARN TO CODE... *rage quit*

Really, coding shit because of spare time simply makes me ripping my face of 💀

Impossible deadline experience?
A few, but this one is more recent (and not mine, yet)

Company has plans to build a x hundred thousand square feet facility (x = 300, 500, 800 depending on the day and the VP telling the story)

1. Land is purchased, but no infrastructure exists (its in a somewhat rural area, no water or sewage capable of supporting such a large facility)
2. No direct architectural plans (just a few random ideas about layout, floor plans, parking etc)
3. Already having software dev meetings in attempt to 'fix' all the current logistical software issues we have in the current warehouse and not knowing any of the details of the new facility.

One morning in our stand-up, the mgr says

Mgr: "Plans for the new warehouse are moving along. We hope to be in the new building by September."
Me: "September of 2022?"
<very puzzled look>
Mgr: "Um, no. Next year, 2021"
Me: "That's not going to happen."
Mgr: "I was just in a meeting with VP-Jack yesterday. He said everything is on schedule."
Me: "On schedule for what?"
<I lay out some of the known roadblocks from above, and new ones like the political mess we will very likely get into when the local zoning big shots get involved>
Mgr: "Oh, yea, those could be problems."
Me: "Swiiiiishhhhh"
Mgr: "What's that?"
Me: "That's the sound of a September 2021 date flying by."
Mgr: "Funny. Guess what? We've been tasked with designing the security system. Overhead RFID readers, tracking, badge scans, etc. Normally Dan's team takes care of facility security, but they are going to be busy for a few weeks for an audit. Better start reaching out to RFID vendors for quotes. Have a proposal ready in a couple of weeks."
Me: "Sure, why not."

Some Project Manager outsourced a redundant RADIUS setup with MySQL backend. We got 2 copies of a daloradius appliance running on Ubuntu 10.04. Once I saw this, I started to get a bit suspicious and requested to audit the system and database redundancy. With the system in production, and without getting back any documentation, I got into the VMs using the default root password. This was not even the worst part, as I found. One server was using a local MySQL instance, while the other was also using the first one's MySQL instance. When I reported this, I was told to comment clearly any changes to the configuration files, which resulted in commenting the word SHAME above each change.

We had 1 Android app to be developed for charity org for data collection for ground water level increase competition among villages.

Initial scope was very small & feasible. Around 10 forms with 3-4 fields in each to be developed in 2 months (1 for dev, 1 for testing). There was a prod version which had similar forms with no validations etc.

We had received prod source, which was total junk. No KT was given.

In existing source, spelling mistakes were there in the era of spell/grammar checking tools.

There were rural names of classes, variables in regional language in English letters & that regional language is somewhat known to some developers but even they don't know those rural names' meanings. This costed us at great length in visualizing data flow between entities. Even Google translate wasn't reliable for this language due to low Internet penetration in that language region.

OOP wasn't followed, so at 10 places exact same code exists. If error or bug needed to be fixed it had to be fixed at all those 10 places.

No foreign key relationships was there in database while actually there were logical relations among different entites.

No created, updated timestamps in records at app side to have audit trail.

Small part of that existing source was quite good with Fragments, MVP etc. while other part was ancient Activities with business logic.

We have to support Android 4.0 to 9.0 of many screen sizes & resolutions without any target devices issued to us by the client.

Then Corona lockdown happened & during that suddenly client side professionals became over efficient.

Client started adding requirements like very complex validation which has inter-entity dependencies. Then they started filing bugs from prod version on us.

Let's come to the developers' expertise,
2 developers with 8+ years of experience & they're not knowing how to resolve conflicts in git merge which were created by them only due to not following git best practice for coding like only appending new implementation in existing classes for easy auto merge etc.

They are thinking like handling click events is called development.

They don't want to think about OOP, well structured code. They don't want to re-use code mostly & when they copy paste, they think it's called re-use.

They wanted to follow old school Java development in memory scarce Android app life cycle in end user phone. They don't understand memory leaks, even though it's pin pointed by memory leak detection tools (Leak canary etc.).

Now 3.5 months are over, that competition was called off for this year due to Corona & development is still ongoing.

We are nowhere close to completion even for initial internal QA round.

On top of this, nothing is billable so it's like financial suicide.

Remember whatever said here is only 10% of what is faced.

- An Engineering lead in a half billion dollar company.

Got to talking with someone in our company about AI generated code. I said we still have to audit the code, understand how it works, and ensure there isn't any nefarious libraries or code in what is produced. Like what we "should" be doing when we find libraries on the web. I explained how people will purposely create libraries that are spoofs of other libraries, but have malicious code embedded in them. It doesn't take much to imagine someone using a sketchy AI to push this kinda code.

How do you reasonably fight this if we start increasingly relying on generated code by AI? So I suggested we need an AI to review AI generated code. Then we need an AI to review the AI that reviews the AI generated code. Then...

When you want to be more secure

Create a full open-source company based on no-knowledge services to compete with the data hogs that pretty much own the internet as it stands

I really hate sales people. My stakeholder wants to buy an address verification service but is hesitant to purchase now because the dev time needed would be substantial. Now the sales rep has planted seeds of doubt in my SH and SH thinks I grossly overestimated the labor I quoted.

Sales rep is all “major corporations have installed this in a weekend.” 🤬🤬🤬 Major corporations also have more than one developer and probably aren’t dealing with a website that has a dozen address forms that all work differently. Oh, and I DON’T WORK WEEKENDS MOFO.

My SH originally requested a labor estimate for installing the AVS on all address forms and that’s what I delivered. My audit revealed a dozen different forms. I’m working with a legacy code base that’s been bandaged together and maintained by an outside dev agency. The only thing the forms have in common is reusable address fields. They all work differently when it comes to validating and submitting data to the server and they all submit to different api endpoints. At least a quarter of those forms are broken and would need to be fixed (these are mostly admin-facing). I also had to provide an estimate on frontend implementation when I have no idea what they want the FE to look like.

My estimate was 5-8 weeks for implementation AND testing. I wrote up my findings and clearly explained the labor required, why it was needed, and the time needed. All was fine until the sales rep tried to get into SH’s head.

My SH is now asking for a new estimate and hoping for 1-2 weeks of labor, which is what will SH to buy the AVS. Then go to the outside dev agency you used to work with and ask for a second opinion. I’m sure they’d also tell you at least month if not more for testing, implementation, and deployment because you have a DOZEN FORMS you want to add this to. 1-2 weeks is only possible for a single form.

My manager doesn’t work in the same coding language I do, but he read my documentation and supports my original estimate.

I honestly want to ask my SH if this sales rep is giving a very good price for the AVS. If not, are there other companies in the mix? Because right now you have a sales rep that’s taking you for a ride and trying to pressure you all so he can get another notch in his belt for getting another “major corporation” as his account. I don’t think it’s a good idea to be locked in with a grimy sales rep.

Ok so: today I have an ISO 27001:2013 audit at work, wish me luck!

So today a colleague confessed to an attempt to troll my computer by SSHing into it and playing random songs. Thankfully he did not manage but he would just happen to do it the day we have a security audit.

Hi FuLlStAcKcLoWn,

I fOuNd A fEw ErRoRs On YoUr SiTe.

MaY i SeNd OvEr SoMe Of ThOsE eRrOrS aNd AuDiT rEpOrT wItH pRiCeS?

i’m LoOkInG fOrWaRd To YoUr RePlY

bEsT rEgArDs

god this is getting repetitive, how can we spam the spammers? wasn't there a site like "send your enemies glitter"? classic!

i guess this is what I get for putting my company email public

but really, what happened to gmail's spam filter? should spot ones like these from miles away

this is a chrome audit report/lighthouse report of the website of the company for which I work.

There is this friend of mine, total business profile, working in banking audit for MNEs. The guy is in trouble with his PowerPoint, asking me if I can assist because "as you working in IT". I'm a Golang distributed system engineer for a major delivery company. Be sure I will call you next time I need to open a bank account.

Ever have one of those moments where you're running a service you built to update about a decade worth of police records, realize about halfway through that you fucked the loop and you're copying data from the first record onto every other record, and then just really wish that you had checked things better in test before running this on the prod server?

I'm sure the only reason I'm still here is because the audit log contained the original values and I'm good at pulling data out of it.

TLDR: I need advice on reasonable salary expectations for sysadmin work in the rural United States.

I need some community advice. I’m the sysadmin at a small (35 employee) credit card processing company. I began as an intern and have now become their full time sysadmin/networking specialist. Since I was hired in January I have:

-migrated their 2007 Exchange server to Office 365

-Upgraded their ailing Windows server 2003 based architecture to 2012R2

-Licensed their unlicensed VMware ESXi servers (which they had already paid for license keys for!!!) and then upgraded them to 6.5 while preventing downtime on hosted VMs using tricky transfers and deployments (without vMotion!)

-Deployed a vCenter server to manage said ESXi servers easier

-Fixed a three month gap in their backups by implementing Veeam, and verifying its functionality

-Migrated a ‘no downtime’ fileserver to a new hypervisor host, implemented a ‘hot standby’ server as a backup kept up to date by the minute with DFS replication.

-Replaced failing hard drives in a RAID array underlying their one ‘business critical’ fileserver, which had no backups for 3 months at that time

-Reorganized Active Directory and Group Policy deployment from a nightmare spiderweb of OUs and duplicate policies

-Documented the entire old network and now the new one as I’ve been upgrading this

-Audited the developers AWS instances and removed redundant machines, optimized load balancing on front end Nginx servers, joined developer run Fedora workstations to the AD domain and implemented centralized syslog monitoring on them.

-Performed network scans and rewrote firewall exceptions to tighten security

There’s more, but you get the idea. I’ve now been tasked with taking point on an upcoming PCI audit which will be my first.

I’m being paid $16/hr US, with marginal health benefits. This is roughly $32,000 a year, before taxes.

I have two years previous work experience managing a third party Apple repair facility (SimplyMac) and every Apple certification for warranty repair and software troubleshooting. I have a two year degree in general sciences, with about 4 years of college credit (Two years of a physics education and two years of computer science after I switched focus) I’m actively pursuing a CCNA and MCSA server 2016 with exams paid for and scheduled.

I’m going into a salary negotiation in two months. What is a reasonable salary to request, from your perspective, for someone in my position?

Thanks in advance!

User: If we use Oauth2, can we audit exactly where this data is going and who sends it there, and in addition cam we audit who grabs that data from the Authenticating app and make sure it doesn't violate our requirements?

Me: No

User: Why not?

Me: Because thats like asking us to audit whether or not a user accessed files and then uploaded them to their personal drive instead of corporate. We don't mandate that application owners take responsibility for their data outside of their application, why would we require that in this case???

User: Uhhhhh

FFS the lack of understanding of application accounts here boggles my mind. I understand that the security concerns are real but throwing out all permissible contexts based on a mandate that we dont even apply to extremely permissive accounts (i.e. users compared to apps) is folly

-4 Domain Administrators in my organization-

Me, a Doman Administrator: "Boy, I sure hope the FDIC IT Audit goes well!"

Braindead FDIC Examiner: "So let me get this straight, you use your administrator account to do things on a day-to-day basis?"

Me: "Uhh, I'm an admin so yeah, my account has admin privileges."

Examiner: *gives disapproving glare* "And your personal account has administrative rights?"

Me: "...I'm an admin... So I thought that'd be fairly obvious."

Examiner: "I'm sorry, but that is unacceptable. How can we tell which admin made what change when?"

Me: *dumbfounded* "...I'm sorry, what?"

Examiner: "You're going to need separate accounts, 1 normal user account and 1 admin account per domain admin."

Me: "You do realize that everything I do while I'm working requires elevation of SOME kind, don't you?"

Examiner: "I'm sorry, but you need to make this change. Thank you."

Me: *stares at the short pile of braindead shit as he walks away*

So i work in support (do dev stuff in my own time). Spent 3 months seconded to another team supporting in project clients.

First issue i had in that team was a client with serious data issues which took about 30 hours +/- to diagnose and write some scripts to resolve.

After they went live and got handed over to support they had the same issue again but instead of support picking it up they sat on it till i came back on Monday.

Ive spent about another 10 hours or so picking through audit logs. I get all the shit no one else can either be bothered or capable of doing and to top it off i didnt get the promotion i was going for because i hadnt closed enough tickets, because they keep giving me all the shit to fix for everybody else

I wasn't hired to do a dev's job (handled sales) but they asked me to help the non-HQ end with sorting transaction records (a country's worth) for an audit.

Asked HQ if they could send the data they took so I wouldn't need to request the data. We get told sure, you can have it. Waits for a month. Nothing. Apparently, they've forgotten.

Asks for data again. They churn it out in 24 hours. Badly Parsed. Apparently they just put a mask of a UI and stored all fields as one entire string (with no separators). The horror!

Ended up wasting most of a week simply fixing the parsing by brute force since we had no time.

Good news(?): We ended up training the front desk people to ending their fields with semi-colons to force backend into a possibly parsed state.

Just give me anything BUT coding to work on and I'm instantly in the zone for coding. End of Year Review, access reviews for Audit, any other kind of paperwork, which is most of what my job is these days, and I have some brilliant insight into a problem on my back burner, or a brilliantly simple way to implement a feature I've been stewing on for weeks.

It's my procrastinating nature to not want to do the thing I HAVE to do.

Maybe I should volunteer for more paperwork?

I "love" when tables in database have columns such as UpdatedBy, Updated and this is the only audit that system has.

Every meeting that contains one or more of the following points:

- "I don't think it belongs in the meeting, but"
- "Didn't get the meeting notes"
- "When's the food coming?"
- "I know we've said no technical discussion, but..."
- "Why is he so strict, this is no fun meeting at all :("
- "I think it's unfair to include risk assessment, you blame US before XY is finished"
- "The admins / the Team XY / ZX didn't talk with us, so we don't talk with him / her / them..."
- "Why are we here?"
- "Why is it so bad when production is down?"
- "I didn't know we do security / audit checks... Why hasn't anyone told us?"
- "Not happening. I'm against it"
- "I don't want to work with XY - he doesn't do it like I want it"

...

I could add thousand more things here.

I had countless meetings where I really thought that I was an alien who got broadcasted in a comedy reality TV soap...

Me : So cool ! My new graphQL APIs are working so good !
Also me : ‘order by <text field> take 50 skip 10000’
Me : Hmmmm.. 2.3 SEDCONDS ?! WTF. Let’s add an index !
SQL : Sorry bro, can’t add index on nvrachar(max).
Me: OK. Here you go, you are nvrachar(128) now. Add my index !
SQL : Ok
GraphQl :<same query > Here : 90 milliseconds
Me : ‘order by <text field> desc take 50 skip 10000’
GraphQL : Sorry bro : 3 seconds. (Yes, slower than without any index)
Me : Do I fu7cking need to manually add ASC and DESC indexes ? WTF IS GOING ON !
I should’ve learnt a bit more about databases. ☹. And now I don’t have time to refactor a prod database as “needed” .
/me needs to buy DB audit. Company is still a bit small to have a DBA full time.

So, as you may be aware, I work as solo dev for small company. There is easly enough work for team, but I digress..

So, they wanted to stay updated whats progress on some projects. We use slack. I use git. I set up account for them so they can come into my git and controll if issues are solved, etc. I wont get started about any dev ever beeing judged by how much code is outputted, beyond scope of this.

So they started bitching about that git is too technical and too complicated and shit. They made bizzare bullshit google excel (not even in polish) and stupidass form to "audit issues". Hmm.. wtf. I just didnt use it becouse it was slowing me down and was just frustrating, how one can replace git + issue tracker with fucking spreadsheet?!

Okay, so having that aside, I complained about that so they were like "okay, so you want to use git and we want to be notified. whats your solution" me "oh, you want to stay notified, thats easy, I can plug my git into slack"

Now our slack is spammed to oblivion with git notifications.

Now they are annoyed that they are too notified. (Yes I consulted with them what will be plugged into slack)

Oh well

¯\_(ツ)_/¯

I'm way past the point of being pissed now....

So there's some software (API's, mobile app + website) that I wrote to manage supplier incentive programs in a big hurry last year - which lead to a bunch of stuff being hard-coded in to launch on time. So after last years promotion was done I took down all the services etc was very fucking clear that in order to finish & deploy it to run again I would need at least around 4 months notice.

On the surface its pretty simple but it has quite a large user base and controls the distribution of enough cash & prizes to buy a small country so the setup of the incentives/access/audit trails is not something to be taken lightly.

Then once I'm done with the setup I have to hand it over to be "independently audited" by 3 of the larger corporate behemoths who's cash it distributes (if I get a reply from one in 3-4 weeks it's pretty fast).

I only happened to find out by chance an hour ago that we are apparently launching an even larger program this year - ON FUCKING MONDAY. I literally happened to over hear this on my way for a smoke - they have been planning it since last year November and not one person thought it might be kinda important to let me know because software is "magic" and appears and works based on the fucking lunar cycle.

I am trying to "invent" secure client-side authentication where all data are stored in browser encrypted and only accessible with the correct password. My question is, what is your opinion about my idea. If you think it is not secure or there is possible backdoor, let me know.

// INPUT:
- test string (hidden, random, random length)
- password
- password again
// THEN:
- hash test string with sha-512
- encrypt test string with password
- save hash of test string
// AUTH:
- decrypt test string
- hash decrypted string with sha-512
- compare hashes
- create password hash sha-512 (and delete password from memory, so you cannot get it somehow - possible hole here because hash is reversible with brute force)

// DATA PROCESSING
- encrypt/decrypt with password hash as secret (AES-256)

Thanks!

EDIT: Maybe some salt for test string would be nice

Few years ago I was asked to give advice on a project. There was an intern doing all the work and I even gave him almost ready code to use. And he didn't use it even properly.

And best part is that they thought at the time that it would be finished in couple of months.

After few months I took over and had to deal with the "intern code". Almost all of the code is rewritten.

Status of the project is now very good. We are implementing new features and it has even passed strict security audit done by other company.

Sadly I can't drop any names etc due to NDA.

Good code is a lie imho.

When you see a project as code, there are 3 variables in most cases:

- time
- people / human resources
- rules

Every variable plays a certain role in how the code (project) evolves.

Time - two different forms: when certain parts of code are either changed in a high frequency or a very low frequency, it's a bad omen.

Too high - somehow this area seems to be relentless. Be it features, regressions or bugs - it takes usually in larger code bases 3 - 4 weeks till all code pathes were triggered.

Too low - it can be a good sign. But it should be on the radar imho. Code that never changes should be reviewed at an - depending on size of codebase - max. yearly audit. Git / VCS is very helpful here.
Why? Mostly because the chances are very high that the code was once written for a completely different requirement set. Hence the audit - check if this code still is doing the right job or if you have a ticking time bomb that needs to be defused.

People
If a project has only person working on it, it most certainly isn't verified by another person. Meaning that only one person worked on it - I'd say it's pretty bad to bad, as no discussion / review / verification was done. The author did the best he / she could do, but maybe another person would have had an better idea?

Too many people working on one thing is only bad when there are no rules ;)

Rules. There are two different kind of rules.

Styling / Organisation / Dokumentation - everything that has not much to do with coding itself. These should be enforced at a certain point, otherwise the code will become a hot glued mess noone wants to work on.

Coding itself. This is a very critical thing.

Do: Forbid things that are known to be problematic in the programming language itself. Eg. usage of variables in variables, reflection, deprecated features.

Do: Define a feature set for each language. Feature set not meaning every feature you want to use! Rather a fixed minimum version every developer must use and - in case of library / module / plugin support - which additional extras are supported.

Every extra costs. Most developers don't want to realize this... And a code base that evolves over time should have minimal dependencies. Every new version of an extra can have bugs, breakages, incompabilties and so on.

Don't: don't specify a way of coding. Most coding guidelines are horrific copy pastures from some books some smart people wrote who have no fucking clue what you're doing and why.

If you don't know how to operate on people, standing in an OR and doing what a book told you to do would end in dead person pretty sure. Same for code.

Learn from mistakes and experience, respect knowledge from other persons, but always reflect on wether this makes sense at this specific area of code.

There are very few things which are applicable to a large codebase on a global level. Even DRY / SOLID and what ever you can come up with can be at a certain point completely wrong.

Good code is a lie - because it can only exist at a certain point of time.

A codebase should be a living thing - when certain parts rot, other parts will be affected too.

The reason for the length of the comment was to give some hints on what my principles are that code stays in an "okayish" state, but good is a very rare state

How many of you still use devRant UWP (my third-party client for Windows)?

If activeUsers > 0 {
How many would like & would use a Windows 11 update version?
}
else {
Never mind, I don't blame you
}

Why is 99% of my development job responding to audits, security questions, and idiocy spewing from something called an “Office of Innovation”? So this Innovation team sends down a project request which is silently intended to push my resource allocation over 100%. Security shoots down the idea. Innovation team tells me to tell security no, we need this. Ummm, here’s a thought, why don’t you idiots all get together and tell me when there’s some coding to be done?

npm audit has gone wild since GitHub (aka Microsoft) acquisition, they surely found a way to influence the community.

Now, guys, embrace the creeping evil until deno is really out.

The most important thing my mentor taught me was “ in an audit if the auditor asks ‘do you have the time?’ And you do simply respond ‘yes’” it done me well so far!

Was an internal auditor translating department process to a technical spec for a programmer. We were going to leverage an external company's API which would replace our need to use their slow and buggy web app.

During a meeting, an audit teammate suggested something be changed with the external service we were using. I said we could bring it up with the company but we shouldn't rely on it because we were a small customer even during out busiest month (200 from us vs 10000+ from big banks).

Teammate said we should have our programming team fix it. I made it clear that it was not our side and that to build out the service on our side was beyond our scope. Teammate continued to bring it up during the meeting then went back to desk after meeting and emailed us all marked up screenshots of the feature.

I ignored this and finished writing up the specs, sending them over to the programmer building out the service.

30 minutes later I get a call from programmer's manager who was quite angry at an expanded scope that was impossible (engineers were king at this company. Best not to anger them). Turns out my teammate had emailed his own spec to the programmers full of impossible features that did not reference the API docs.

I feel bad about it now but I yelled at my teammate quite loudly. I said he was spending time on something that was not reasonable or possible and when they continued to talk about their feature I yelled even louder.

Didn't get fired but it definitely tagged me as an asshole until I left. Fair enough :)

If only NPM' security team (so pretty much NSP's) would inform the package owners as soon as they discover vulnerabilities and give them the standard 30-90 days to fix them and release a new version before going public, instead of straight out publishing the security audits which generates noise on the terminal (obviously when using npm) and on Github

Okay, yes, modsecurity WAF is amazing and all, but... When one tries to implement its rules atop an existing app that wasn't developed in accordance to the rules... That hurts.

How tf am I supposed to parse and present a 6.5GB / 22M line audit log to the client?! Just parsing that monstrosity once takes *minutes*, let alone doing any sort of sorting / analysis!

I feel sick. This is exactly why I am a sysadmin and not a programmer, I don't like writing analysis stuff, or programs more complex than a few hundred lines of bash... :|

Sooooo I came in to work yesterday and the first thing I see is that our client can't log on to the cms I set up for her a month ago. I go log in with my admin credentials and check the audit logs.

It says the last person to access it was me, the date and time exactly when we first deployed it to production.

One month ago.

I fired a calm email to our project managers (who've yet to even read the client complaint!) to check with ops if the cms production database had been touched by the ops team responsible for the sql servers. Because it was definitely not a code issue, and the audit logs never lie.

Later in the day, the audit log updated itself with additional entries - apparently someone in ops had the foresight to back up the database - but it was still missing a good couple weeks of content, meaning the backup db was not recent.

Fucking idiots.

Oh! Damn No No Nooooo
Our team was working on upgrading our infrastructure for PCI Compliance for two months. Did all assesments and testing and waiting for long approvals. Finally, we finished all upgradation smoothly.

After we submitted our report to Infrastructure and that guy comes with Audit reports stating that the PCI Compliance requirements has changed.
And we were like we just upgraded a few hours and how come it changed. And we have to the whole job again. Just want to flip tables now.

Me at 3 front-end tech screenings of candidates with +3y of exp last year: "can you name a few npm commands you have used?"

Candidate:
- "Ehh.. npm start?" (npm start is a shortcut to a user-defined run-script)
- "npm version, it publishes the package" (wrong)
- "not going to pretend I know and sound stupid"

Mind you these candidates were not necessarily bad, but come on? You never used npm info, outdated, audit, install, remove, update, why, link, init?

Question: How would you reimagine the dev interview process, trying to make it efficient to find ingenious freshers?

I'm gonna be hiring full MERN stack dev freshers soon. I hate coding interviews, and I just want to test their ingenuity and problem solving, not if they can code a textbook algorithm.

Plan so far was to ask them questions like: "What happens when you like a link in the browser" to gauge how deep they could track a request and understand the internet infrastructure.

And make them audit gpt generated react code, and optimize it.

What're your thoughts, folks?

Got to do some security audit of legacy ABAP code for SAP systems. Do people still use it? If yes, why.

Ok, @jestdotty , today, i give up on china.

I've been messaging with a rep who is taking the time to keep editing a contract... Im pretty sure she was genuinely trying...

As typing this we finally got to a 'correct enough' contract... so I could click the damn pay button.

Over the past 7 hrs.. at 3 back and forth exchabges and modifications at each issue:
1. Used previous PI from the dude i gave up on... so had a qty at 12 when only 11 exist a colour wrong for a crate of items, and listed the dude i refused to sign a contract under listed as the rep.

2. Now the item subtotals were off... just a few pennies or so... assumed she left the usd prices but calculated with ¥... didn't want alibaba to reject in a day so i checked if it was noted anywhere... Oh boy was it... VERY clearly, all caps, bold in the body of the total row... that the total was, exactly, 11680 (spelled out ofc) RMB aka ¥ chinese yen. I told her this, she sends me a cropped shot of the $ numeric total field... so i sent her the giant all caps bolded line, the one thatd typically be considered final say in most international courts... no clue where that value came from, it had zero relation to any actual values... and i was as curious as when chatGPT creates totally new, unique, lyrics for satirical german songs... i really tried.

3. Wrong incoterms (trade terms... abbreviated to a few letters... had it that I'd be physically going to the tbd port to accept/clear customs... no)

4. Technically it was accurate (well a few strange subtotals since she used ¥ half the time... told her it was fine as long as it had the company name on the label (gave 3 full examples to use whichever)
I get the contract ...shipping...
"To: Sara"
Then the right address (seriously wtf)

5. I point this out and carefully explain in mostly just examples and "the us government doesn't like anything being sent to just a first name, there's no legal way to sign for acceptance"

6. She gets stressed enough to tell me she doesn't have time to keep editing (since this horrid pile of poor formatting was just thrown at her a day ago... i dont point out the ridiculous irony)

7. Imo, the highlight of my night/morning... in her stress she promises me it'll ship right... sooo many issues there...
Even if it was delivered/allowed a signature for "sara" for 7ish large boxes just off a sea freight from china to a residence in the middle of a corn field (which tbh would be hysterical)...the IRS would have a valid reason to audit me... theyve done it w/o valid reasons several times, since I was 18 doing international trade and a contractual employee of a large gambling company, quarterly reporting, and ofc declaring more than my taxes in donating melted glass and crane game prizes...yea, they hate me and always do all that work to find the same thing... i underdeclare charity by 10%.

The entire concept of getting USA mail, even when pristine and you know logistics agents in every major company and port or distribution center, to properly deliver anything... ROFLOL ... and im already on some 'open and check everything' list with customs for a hysterical misconception they made years ago... cant/shouldn't get into detail publicly... but it was caused because 2 packages from different cities in China were both going to my address/through customs at the same time... package 1, 75 of those cheap af ball-pit hollow plastic balls for a 2yr old's bday(very delayed) package 2. 75 rechargeable batteries (the kind in power banks) 9600mah.

8. Told her to change "sara" to company name... glad it's registered to this address still.

It took me under 5min to type this... had to get the WTF out.

Dear AliBaba, please give an option to allow buyers to create the supply side contract for review, not just req modification... please?

STOP! Look and Listen.

This was an audit, designed to see if you were paying attention. You didn't pass.

Don't worry, we've already handled this post appropriately – but please take a minute to look it over closely, keeping in mind the guidance above.

Seems like StackOverflow is actively training users to become unfriendly gatekeepers by participating in SO's review queues.

Well, the new audit tool in the chrome dev tools seems to be nice and shiny, but even google does not pass its tests completly...

Google is like the parent or teacher who is never happy with your work. I've never seen something so unattainable in a world where non-technical clients rely on CMSes, theme templating, server-side page rendering, and external scripting as Google's mobile PageSpeed recommendations. Especially under the Lighthouse audit in Chrome Inspector. Unless I go back to pre-2001 web development methods, and never have external scripting, and make every page have its own CSS file with only critical path CSS for each page, I will never get all the high scores I'm expected to have to rank well for mobile. When and how will Google get called out on this B.S.?

When you're just waiting around for the designer to finish their audit of your build so you can get back to work.

I think I found a way to audit college courses without paying for them. Find someone that is taking the courses and get paid doing their homework (for cheap/free). Make sure they take good notes and provide access to all materials. Do their homework of course. If taken to the extreme you could have a CS/CE/Math background while possibly making money on the deal. Any time you want to take a course you advert that you will do the homework. You could even wrangle the victim to record the lectures so you can reference as needed.
At the end you won't have a degree, but will be able to do everything the degree demands.
Obviously there are issues with this, one being a moral issue.

fix available via `npm audit fix --force`
^ will actually downgrade packages
wtf

Does anyone have experince with UPnP audit/hacking tools like miranda? I need to show my prof how to do it and either show it live or record it and show the video. Do you know some good tutorials or sites?

3 days when I had to complete documentation for an audit. I only returned to my room to shower and change clothes for the next day. That too I left at 8AM and returned at 09:30AM.
2 days when I had to complete setting up the office network over the weekend. Note that this was over a weekend.

And this is without counting the many hours I've spent semi-working at hackathons. I've gone up to 60 hours without sleep, coding the shit out of my brains.

Sifting through data soothes my brain. I decided to audit my own phone records and I am like what the hell, who have I been talking to?!??

Segregation of duties evidence

Getting tasked as a developer to work on an SEO audit for a client. :*( FML. #smallcompanyproblems

recently, I was working on a project to playback archived call recordings, and another developer was hired. part of my job is also to support a third party automation framework for customers, so I got "seconded" to support a proof of concept. the original project had now been messed up, it works, however, the functionality that made it secure has been MASSIVELY compromised for the sake of effort. I've tried to cause a stink as we have a major customer who will fail the next PCI audit. opinions on the situation. the other developer has a lot more experience, but seems to have chosen to satisfy management on deadlines over the original spec...