Hacking/attack experiences...
I'm, for obvious reasons, only going to talk about the attacks I went through and the *legal* ones I did 😅 😜

Let's first get some things clear/funny facts:
I've been doing offensive security since I was 14-15. Defensive since the age of 16-17. I'm getting close to 23 now, for the record.

First system ever hacked (metasploit exploit): Windows XP.
(To be clear, at home through a pentesting environment, all legal)
Easiest system ever hacked: Windows XP yet again.

Time it took me to crack/hack into today's OS's (remote + local exploits, don't remember which ones I used by the way):
Windows: XP - five seconds (damn, those metasploit exploits are powerful)
Windows Vista: Few minutes.
Windows 7: Few minutes.
Windows 10: Few minutes.
OSX (in general): 1 Hour (finding a good exploit took some time, got to root level easily aftewards. No, I do not remember how/what exactly, it's years and years ago)
Linux (Ubuntu): A month approx. Ended up using a Java applet through Firefox when that was still a thing. Literally had to click it manually xD
Linux: (RHEL based systems): Still not exploited, SELinux is powerful, motherfucker.

Keep in mind that I had a great pentesting setup back then 😊. I don't have nor do that anymore since I love defensive security more nowadays and simply don't have the time anymore.

Dealing with attacks and getting hacked.

Keep in mind that I manage around 20 servers (including vps's and dedi's) so I get the usual amount of ssh brute force attacks (thanks for keeping me safe, CSF!) which is about 40-50K every hour. Those ip's automatically get blocked after three failed attempts within 5 minutes. No root login allowed + rsa key login with freaking strong passwords/passphrases.

linu.xxx/much-security.nl - All kinds of attacks, application attacks, brute force, DDoS sometimes but that is also mostly mitigated at provider level, to name a few. So, except for my own tests and a few ddos's on both those domains, nothing really threatening. (as in, nothing seems to have fucked anything up yet)

How did I discover that two of my servers were hacked through brute forcers while no brute force protection was in place yet? installed a barebones ubuntu server onto both. They only come with system-default applications. Tried installing Nginx next day, port 80 was already in use. I always run 'pidof apache2' to make sure it isn't running and thought I'd run that for fun while I knew I didn't install it and it didn't come with the distro. It was actually running. Checked the auth logs and saw succesful root logins - fuck me - reinstalled the servers and installed Fail2Ban. It bans any ip address which had three failed ssh logins within 5 minutes:
Enabled Fail2Ban -> checked iptables (iptables -L) literally two seconds later: 100+ banned ip addresses - holy fuck, no wonder I got hacked!

One other kind/type of attack I get regularly but if it doesn't get much worse, I'll deal with that :)

Dealing with different kinds of attacks:

Web app attacks: extensively testing everything for security vulns before releasing it into the open.
Network attacks: Nginx rate limiting/CSF rate limiting against SYN DDoS attacks for example.
System attacks: Anti brute force software (Fail2Ban or CSF), anti rootkit software, AppArmor or (which I prefer) SELinux which actually catches quite some web app attacks as well and REGULARLY UPDATING THE SERVERS/SOFTWARE.

So yah, hereby :P

Before you're hired:
1. A binary tree?
2. Currying?
3. Higher-order function?
4. How does event loop work?
5. What is prototype?
6. What is encapsulation?
7. Can you draw an algorithm?

After you're hired:
1. Hey, can you add auth token and login to our app?

Ever wanted cheat codes to devRant? Well, that's weird. But here you go, I guess.

Since the avatars do not use any external assets (Such as images), all avatars are generated. To be friendly to people who want to make third-party devRant clients (such as devRantron), avatars are generated server-side, so that the assets don't need to be distributed, and third-party programmers don't need to work out rendering avatars.

But this allows you to cheat a little.

The devRant avatars API works like this: you request a really long URL from the API, specifying the IDs of each cosmetic item the user has active, and it returns a PNG file. But you don't need an auth token to generate an avatar (which makes sense), so the avatar API is essentially a sandbox you can play around with if you have the time and patience.

You can write a really good avatar previewer with this knowledge, and see your avatar with a white tiger, even if you don't have the ++s

Funny story about the first time two of my servers got hacked. The fun part is how I noticed it.
So I purchased two new vps's for proxy server goals and thought like 'I can setup fail2ban tomorrow, I'll be fine.'

Next day I wanted to install NginX so I ran the command and it said that port 80 was already in use!

I was sitting there like no that's not possible I didn't install any server software yet. So I thought 'this can't be possible' but I ran 'pidof apache2' just to confirm. It actually returned a PID! It was a barebones Debian install so I was sure it was not installed yet by ME. Checked the auth logs and noticed that an IP address had done a huge brute force attack and managed to gain root access. Simply reinstalled debian and I put fail2ban on it RIGHT AWAY.

Checked about two seconds later if anyone tried to login again (iptables -L and keep in mind that fail2ban's default config needs six failed attempts within I think five minutes to ban an ip) and I already saw that around 8-10 addresses were banned.

Was pretty shaken up but damn I learned my lesson!

Reinstalled my dedicated server and realized (afterwards) that I just erased my entire openvpn/mysql auth setup and I don't have an entirely working copy.

FUCK.

Okay, nothing I can do about that afterwards, setup csf right away, monitored the auth log for a minute and noticed one ip which had just connected and found it weird somehow. Blocked the ip.

Then, one second later, as my console stopped responding and that ip address suddenly looked veeeery familiar, I realized I just blocked myself. (the blocks persist across reboots)

😐

Went to the control panel and hit the reinstall button. Confirmed, and two seconds later I realized I could just have connected to any of my own fucking vpn services to unblock myself.

What in the living fuck is wrong with me @_@

Painfully funny || funnily painful

"Do you have 2 factor auth for the database?"
a customer asked. I stared on the wall in front of me and suddenly fel and urge to punch and piss on something.
I took a deep breath while thinking to myself
*Oh boy, here we go. Another retard*
I put on my nice voice and asked:
"What you mean?"
The customer seems confused, as if my question did not make sense and he said:
"TWO FACTOR AUTHENTICATION! Dont you know what it is? To make the database more secure."

I was fucking right, this person reads to much shit. The fact that the email signature of that person said "Wordpress Developer" made me more angry.
I, still with the nice voice asked
"How would that work?"
"Two factor authentication when I am connecting to the database."
"So, do you want it by SMS then? You'll get alot of messages if it is going to send you one every time a query is made."
The following 7 seconds was dead silent until I heard the person hang up.

Guys i guess i did it.. more than a year ago i started developing an API.. every admin of it could create new endpoints through the webui.. for rach endpoint you can create an own auth system.. a local company just fucking bought my shit.. a fucking simple API for 12k€.. im kinda proud now because i am only 18

It's maddening how few people working with the internet don't know anything about the protocols that make it work. Web work, especially, I spend far too much time explaining how status codes, methods, content-types etc work, how they're used and basic fundamental shit about how to do the job of someone building internet applications and consumable services.

The following has played out at more than one company:

App: "Hey api, I need some data"
API: "200 (plain text response message, content-type application/json, 'internal server error')"
App: *blows the fuck up

*msg service team*

Me: "Getting a 200 with a plaintext response containing an internal server exception"
Team: "Yeah, what's the problem?"
Me: "...200 means success, the message suggests 500. Either way, it should be one of the error codes. We use the status code to determine how the application processes the request. What do the logs say?"
Team: "Log says that the user wasn't signed in. Can you not read the response message and make a decision?"
Me: "That status for that is 401. And no, that would require us to know every message you have verbatim, in this case, it doesn't even deserialize and causes an exception because it's not actually json."
Team: "Why 401?"
Me: "It's the code for unauthorized. It tells us to redirect the user to the sign in experience"
Team: "We can't authorize until the user signs in"
Me: *angermatopoeia* "Just, trust me. If a user isn't logged in, return 401, if they don't have permissions you send 403"
Team: *googles SO* "Internet says we can use 500"
Me: "That's server error, it says something blew up with an unhandled exception on your end. You've already established it was an auth issue in the logs."
Team: "But there's an error, why doesn't that work?"
Me: "It's generic. It's like me messaging you and saying, "your service is broken". It doesn't give us any insight into what went wrong or *how* we should attempt to troubleshoot the error or where it occurred. You already know what's wrong, so just tell me with the status code."
Team: "But it's ok, right, 500? It's an error?"
Me: "It puts all the troubleshooting responsibility on your consumer to investigate the error at every level. A precise error code could potentially prevent us from bothering you at all."
Team: "How so?"
Me: "Send 401, we know that it's a login issue, 403, something is wrong with the request, 404 we're hitting an endpoint that doesn't exist, 503 we know that the service can't be reached for some reason, 504 means the service exists, but timed out at the gateway or service. In the worst case we're able to triage who needs to be involved to solve the issue, make sense?"
Team: "Oh, sounds cool, so how do we do that?"
Me: "That's down to your technology, your team will need to implement it. Most frameworks handle it out of the box for many cases."
Team: "Ah, ok. We'll send a 500, that sound easiest"
Me: *..l.. -__- ..l..* "Ok, let's get into the other 5 problems with this situation..."

Moral of the story: If this is you: learn the protocol you're utilizing, provide metadata, and stop treating your customers like shit.

Client: "Hey we want you to integrate your product with our system."
Me: "Oh, OK. Where's your API?"
Client: "Here! We even have an outdated .Net SDK, we use XML."
Me: "Ok.. how do we authenticate? What's your OAuth 2.0 endpoint?"
Client: "O auth what?"
Me: " You know, the current standard for REST API authentication and authorisation"
Client: " What's REST?"
*Hungs up*

Every step of this project has added another six hurdles. I thought it would be easy, and estimated it at two days to give myself a day off. But instead it's ridiculous. I'm also feeling burned out, depressed (work stress, etc.), and exhausted since I'm taking care of a 3 week old. It has not been fun. :<

I've been trying to get the Google Sheets API working (in Ruby). It's for a shared sales/tracking spreadsheet between two companies.

The documentation for it is almost entirely for Python and Java. The Ruby "quickstart" sample code works, but it's only for 3-legged auth (meaning user auth), but I need it for 2-legged auth (server auth with non-expiring credentials). Took awhile to figure out that variant even existed.

After a bit of digging, I discovered I needed to create a service account. This isn't the most straightforward thing, and setting it up honestly reminds me of setting up AWS, just with less risk of suddenly and surprisingly becoming a broke hobo by selecting confusing option #27 instead of #88.

I set up a new google project, tied it to my company's account (I think?), and then set up a service account for it, with probably the right permissions.

After downloading its creds, figuring out how to actually use them took another few hours. Did I mention there's no Ruby documentation for this? There's plenty of Python and Java example code, but since they use very different implementations, it's almost pointless to read them. At best they give me a vague idea of what my next step might be.

I ended up reading through the code of google's auth gem instead because I couldn't find anything useful online. Maybe it's actually there and the past several days have been one of those weeks where nothing ever works? idk :/

But anyway. I read through their code, and while it's actually not awful, it has some odd organization and a few very peculiar param names. Figuring out what data to pass, and how said data gets used requires some file-hopping. e.g. `json_data_io` wants a file handle, not the data itself. This is going to cause me headaches later since the data will be in the database, not the filesystem. I guess I can write a monkeypatch? or fork their gem? :/

But I digress. I finally manged to set everything up, fix the bugs with my code, and I'm ready to see what `service.create_spreadsheet()` returns. (now that it has positively valid and correctly-implemented authentication! Finally! Woo!)

I open the console... set up the auth... and give it a try.

... six seconds pass ...

... another two seconds pass ...

... annnd I get a lovely "unauthorized" response.

asjdlkagjdsk.

> Pic related.

So, some time ago, I was working for a complete puckered anus of a cosmetics company on their ecommerce product. Won't name names, but they're shitty and known for MLM. If you're clever, go you ;)

Anyways, over the course of years they brought in a competent firm to implement their service layer. I'd even worked with them in the past and it was designed to handle a frankly ridiculous-scale load. After they got the 1.0 released, the manager was replaced with some absolutely talentless, chauvinist cuntrag from a phone company that is well known for having 99% indian devs and not being able to heard now. He of course brought in his number two, worked on making life miserable and running everyone on the team off; inside of a year the entire team was ex-said-phone-company.

Watching the decay of this product was a sheer joy. They cratered the database numerous times during peak-load periods, caused $20M in redis-cluster cost overrun, ended up submitting hundreds of erroneous and duplicate orders, and mailed almost $40K worth of product to a random guy in outer mongolia who is , we can only hope, now enjoying his new life as an instagram influencer. They even terminally broke the automatic metadata, and hired THIRTY PEOPLE to sit there and do nothing but edit swagger. And it was still both wrong and unusable.

Over the course of two years, I ended up rewriting large portions of their infra surrounding the centralized service cancer to do things like, "implement security," as well as cut memory usage and runtimes down by quite literally 100x in the worst cases.

It was during this time I discovered a rather critical flaw. This is the story of what, how and how can you fucking even be that stupid. The issue relates to users and their reports and their ability to order.

I first found this issue looking at some erroneous data for a low value order and went, "There's no fucking way, they're fucking stupid, but this is borderline criminal." It was easy to miss, but someone in a top down reporting chain had submitted an order for someone else in a different org. Shouldn't be possible, but here was that order staring me in the face.

So I set to work seeing if we'd pwned ourselves as an org. I spend a few hours poring over logs from the log service and dynatrace trying to recreate what happened. I first tested to see if I could get a user, not something that was usually done because auth identity was pervasive. I discover the users are INCREMENTAL int values they used for ids in the database when requesting from the API, so naturally I have a full list of users and their title and relative position, as well as reports and descendants in about 10 minutes.

I try the happy path of setting values for random, known payment methods and org structures similar to the impossible order, and submitting as a normal user, no dice. Several more tries and I'm confident this isn't the vector.

Exhausting that option, I look at the protocol for a type of order in the system that allowed higher level people to impersonate people below them and use their own payment info for descendant report orders. I see that all of the data for this transaction is stored in a cookie. Few tests later, I discover the UI has no forgery checks, hashing, etc, and just fucking trusts whatever is present in that cookie.

An hour of tweaking later, I'm impersonating a director as a bottom rung employee. Score. So I fill a cart with a bunch of test items and proceed to checkout. There, in all its glory are the director's payment options. I select one and am presented with:

"please reenter card number to validate."

Bupkiss. Dead end.

OR SO YOU WOULD THINK.

One unimportant detail I noticed during my log investigations that the shit slinging GUI monkeys who butchered the system didn't was, on a failed attempt to submit payment in the DB, the logs were filled with messages like:

"Failed to submit order for [userid] with credit card id [id], number [FULL CREDIT CARD NUMBER]"

One submit click later and the user's credit card number drops into lnav like a gatcha prize. I dutifully rerun the checkout and got an email send notification in the logs for successful transfer to fulfillment. Order placed. Some continued experimentation later and the truth is evident:

With an authenticated user or any privilege, you could place any order, as anyone, using anyon's payment methods and have it sent anywhere.

So naturally, I pack the crucifixion-worthy body of evidence up and walk it into the IT director's office. I show him the defect, and he turns sheet fucking white. He knows there's no recovering from it, and there's no way his shitstick service team can handle fixing it. Somewhere in his tiny little grinchly manager's heart he knew they'd caused it, and he was to blame for being a shit captain to the SS Failboat. He replies quietly, "You will never speak of this to anyone, fix this discretely." Straight up hitler's bunker meme rage.

Long story short, I'm unofficially the hacker at our office... Story time!

So I was hired three months ago to work for my current company, and after the three weeks of training I got assigned a project with an architect (who only works on the project very occasionally). I was tasked with revamping and implementing new features for an existing API, some of the code dated back to 2013. (important, keep this in mind)

So at one point I was testing the existing endpoints, because part of the project was automating tests using postman, and I saw something sketchy. So very sketchy. The method I was looking at took a POJO as an argument, extracted the ID of the user from it, looked the user up, and then updated the info of the looked up user with the POJO. So I tried sending a JSON with the info of my user, but the ID of another user. And voila, I overwrote his data.

Once I reported this (which took a while to be taken seriously because I was so new) I found out that this might be useful for sysadmins to have, so it wasn't completely horrible. However, the endpoint required no Auth to use. An anonymous curl request could overwrite any users data.

As this mess unfolded and we notified the higher ups, another architect jumped in to fix the mess and we found that you could also fetch the data of any user by knowing his ID, and overwrite his credit/debit cards. And well, the ID of the users were alphanumerical strings, which I thought would make it harder to abuse, but then realized all the IDs were sequentially generated... Again, these endpoints required no authentication.

So anyways. Panic ensued, systems people at HQ had to work that weekend, two hot fixes had to be delivered, and now they think I'm a hacker... I did go on to discover some other vulnerabilities, but nothing major.

It still amsues me they think I'm a hacker 😂😂 when I know about as much about hacking as the next guy at the office, but anyways, makes for a good story and I laugh every time I hear them call me a hacker. The whole thing was pretty amusing, they supposedly have security audits and QA, but for five years, these massive security holes went undetected... And our client is a massive company in my country... So, let's hope no one found it before I did.

Authentication feature was only checking the length of the auth header instead of the actual content. I abused this to make a request to our API from inside our system with a junk header, so we were basically hacking ourselves...

I built very involved code with multiple auth systems, async programming, business logic, error handling, and etc. I was asking for the missing environment variables during the call with devops and had a screen share going. Environment variables were the last thing I needed before knowing if it would work. I filled in the config and all the code worked perfectly.

The devs lost their shit. One suggested that I had somehow tested it beforehand because it is impossible that it would work the first time. “How? I didn’t have config details or access to any of the remote APIs until now.”

The dev lead finished the call with, “That was some big brain next level shit.” Then they went and reviewed and tested it after the call and didn’t have much to suggest besides naming nitpicks.

It was at that point I knew I was a hero to the other devs.

*deploys new VPS*
Click clack tap.. alright, done.
*notices that I accidentally made an Ubuntu 14.04*
Well shit... Guess I'll have to update that immediately to 18.04 then.
*logs in, immediately disables SSH password auth*
# systemctl restart sshd
> systemctl: command not found.
What the fuck..?
What was the command for that old init again.. >_<
# /etc/init.d/ssh restart

WHY THE FUCK IS THIS UBUNTU STILL USING THAT OLD INIT?!! Goddamit, Canonical living up to the philosophy of its Debian counterpart indeed!

The 5 whys

So.. we cant deploy

Why? > We had to take our deployment tool offline
Why? > Because random people from the internet started deployments
Why? > Because we had no authentication and so it was publicly available
Why? > Boss said auth was no priority (we told him every day)
Why? > ¯\_(ツ)_/¯

Request from a senior backend dev in a previous company:

Talking to the team thats responsible for the auth API's is such a pain. For this new API can we just not add any auth to it? Its only going to return details about who the email address belongs too. Like name, address, date of birth, car registration etc. No one will care about that, and it will be easier for mobile to integrate right?

Why nobody uses public/private key authentication for ssh and disable password auth?

Am I the only one around here doing this?

Getting real fucking sick of shitty websites excessive security measures!

1. Username
2. Password
3. Captcha
4. Mandatory 2FA

We don't recognize your IP, please log into your email, click the link, get redirected and complete steps 1-4 again! Also the site will time out in 10 minutes if you aren't actively using it. Have a nice day!

Go fuck yourself.

On the presentation for my database project my team and I showed a NodeJS + Mongo + VueJS project with cloud storage capability, nothing fancy but did everything from scratch (from token auth and system encryption to the frontend CSS and the database) the teacher made some questions and meh'd at it.

Behold team two's project, WordPress with a standard template and phpMyAdmin, teacher loves it because "it's so beautiful"

Guess who just failed that class?

God I love college, it's the best time investment I've ever done and it'll surely pay out.

Worst security issue : being able to make a money transfer with no auth and changing freely the bank account in the POST params...

Dev excuse : "I didn't know my job was also to take care about security."

!rant
TIL: The IKEA effect is a cognitive bias, that lets you think, stuff build by yourself is more worth then stuff build by others

Does that sound familiar to anyone?

Holy fuck nvidia. Why the fuck you want me to login to your fucking app in order to download a fucking driver. You also want me to click a fucking link that you sent to my email for verification on every fucking login? Why on earth someone would stole my fucking nvidia account? To see which drivers I use? What the fuck nvidia? Oh wait. DO YOU DARE ASK ME TO SETUP TWO FACTOR AUTH TO SECURE MY ACCOUNT?!? What the fuck? Even if I put my credentials online no one would care to login my fucking nvidia account. Just let me download my fucking driver!

Auth Endpoint:

user name and password correct:
- response 200: with session key and profile info
user name and password incorrect:
- response 200: blank

smh

Saw this security blunder a while ago. Went onto some site and it showed me this username/password dialog (probably an apache's htpasswd or nginx one). Went away but returned quickly because I noticed I could see all content. Then I thought 'why the fuck not try?' so I dragged the auth popup thingy to the side of the screen and et voila... I could interact with the page as if nothing was wrong while the authentication popup was hovering above the page on the right!

I sat there giggling dramatically for a while.

Worst coding mistake: forget to remove print statement that prints user authentication details.

how to be a shitty client:
- have a legacy database where column names are misspelled and everything is nullable
- hire external help which instead of helping break the ui (bonus points for breaking the api too)
- demand a very much custom auth logic but decide to use aws cognito for shits and giggles
- demand 1hr daily meetings
- demand biometric auth with 0 knowledge of how biometric auth works (the previous devs just had a face id prompt which does nothing and retrieved email and password saved on the device???)
- message me at 2am because you don't understand how timezones work + demand a build while you're at it
- call me a "heretical pagan" because i took a day off on a holiday you don't celebrate (???)

i could go on but i think this is enough

Last week my company thought it would be a great idea to introduce a new sh*tty internal web portal that gives federated access to aws (instead of using our own accounts to assume dev roles like we used to do).

This broke a lot of sh*t that simply used to ask for an MFA token and used our practically permissionless accounts to assume a proper dev role. An MFA token that we'd enter directly into the terminal/tool. It was very seamless. But nooooooo we now have to go a webpage, login with sso (which also requires mfa), click "generate credentials," copy-paste those into terminal/creds file and _then_ continue our aws cli call. Every. Single. Day.

BUT TODAY I HAD ENOUGH.

I spent the entire day rewriting the auth part of our tools so they would basically read the cookie that's set by the web portal, and use it to call the internal api that generates the credentials, and just automatically save those. Now all we need to do is log into the portal, then return to the tool and voilà, the tool's also got access! Sure, it's not as passive as just entering an MFA token directly, but it's as passive as it gets. Still annoyed by this sh*tty and unnecessary portal, but I learned a thing or two about cookies.

For the love of god, I spent 2,5 hours debugging why Minecraft from the windows store doesn't work...

The game just shows a red message telling you it didn't work.

I checked the logs, nothing just warnings

I re-installed the game, nothing, same error

Updated java and all parts of the store, nothing....

Obviously I had to install Something called the "xbox identity Provider"... You know... On a PC... For a distinctly PC game to work... Installed by the store... And the provider is also on the store... But it doesn't auto-install with the game

Ever since you migrated to the Microsoft Auth the login experience is awful (I ranted about that already)

How about you do the bare fucking Minimum of an User experience and Install the fucking dependencies when I re-installed something your fucking store??!!!

The fucking bare minimum that every package manager ever created fucking has as a basic requirement?! Are you kidding me?

Rename your fucking services so they make sense and please don't waste everyone's time by having both shitty logs and no dep management for your own apps... Fucks sake

Coolest thing I’ve built solo?

Damn, there’s been a lot of things over the years, but I guess the most used one I’ve made would be my voice activated tv remote - yes it’s real.

So in essence it’s a google home... yea I know spyware and all, but look it was free so I’m going to make use of it... err where was I, oh yea.

An IFTTT account which taps into the google assistant API and creates a webhook, although the authentication side of things is 0 to none, so had to put a api-key into the requests to at least have some layer of auth.

This webhook then hits a raspberry pi containing a PHP API to accept and authenticate the request in, digest this into KEY commands for the TV, and drops this into a Python script to connect to the TV over a web socket connection ( I found python more stable for this ) and sends the pre made key requests, it can even do multiple keys at a time... that was a pain.

So after all that, the end game becomes about a second from saying “hey google, change the tv channel to xxx”

This sick and twisted contraption is finished and the tv is my little bitch.

This has been built out to handle channels by name, number, volume up/down, sources switching to hdmi, tv, vga and a bunch of other things.

The things we do when we can’t find a tv remote for days....

Next up, getting it to launch Netflix app and going to a specified show / episode.. but may be to adventurous.

Manager: You want a promotion? To senior? Ha. Well, build this web app from scratch, quickly, while still doing all your other duties, and maybe someone will notice and maybe they’ll think about giving you a promotion! It’ll give you great visibility within the company.

Your first project is adding SSO using this third party. It should take you a week.

Third party implementation details: extremely verbose, and assumes that you know how it works already and have most of it set up. 👌🏻

Alternative: missing half the details, and vastly different implementation from the above

Alternative: missing 80%; a patch for an unknown version of some other implementation, also vastly different.

FFS.
Okay, I roll my own auth, but need creds and a remote account added with the redirects and such, and ask security. “I’m building a new rails app and need to set up an SSO integration to allow employees to log in. I need <details> from <service>.” etc. easy request; what could go wrong?

Security: what’s a SSO integration do you need to log in maybe you don’t remember your email I can help you with that but what’s an integration what’s a client do you mean a merchant why do merchants need this

Security: oh are you talking about an integration I got confused because you said not SSO earlier let me do that for you I’ve never done it before hang on is this a web app

Security: okay I made the SSO app here you go let me share it hang on <sends …SSL certificate authority?>

Boss: so what’s taking so long? You should be about done now that you’ve had a day and a half to work on this.

Abajdgakshdg.

Fucking room temperature IQ “enterprise security admin.”
Fucking overworked.
Fucking overstressed.

I threw my work laptop across the room and stepped on it on my way out the door.
Fuck this shit.

soo.. yeah.. I've just solved an annoying bug using only chatgpt.

My first commit in this new project. And it's based on chatgpt.

Literally just saved me from days of reading through kafka docs, auth mechanisms and other stuff. And no, the google did not provide me with a proper answer/hints. The only hint was "the configuration might be wrong". Well alright, but I was NOT using any configuration in the first place...

Fun times ahead :) I might even consider the pro version if it keeps delivering like that.

Google has a password reset procedure so intense, that even if I can sign into my recovery account and give them the code from there, use 2 factor auth and give them the code from there, tell them my recovery phone(s) number(s), give them my mother's father's mother's late cousin twice removed daughter's maiden name, and whatever other security measures were set in place, I can't get a fucking password reset. Thanks Google, fuck you.

So you want full stack engineers to: design, do UX, create front end, build backend and deploy it in your mono repo stupid manual deployment "kubernetes cluster", add monitoring alerting manually, review others PR, QA our own apps and features, manually sync to Production, use VPN otherwise we cannot connect to anything, 2factor auth, do SRE, architecture diagrams, demo, run agile ceremonies, and learn a legacy coding language which was never mentioned in the job description. Did I miss anything?

We have a portal which uses Windows Integrated auth that lists out all off our internal sites.

Navigating to any of these produces a URL like the one in the attached image.

Turns out all our internal application use a base64 encoded email address in the query string as the means of authentication.

So, anyone can authenticate themselves as another employee within the company by simply changing the query param value to said employees email address.

Fucking nuts.

Someone ask to me as a security engineer.

Bro : what do you think about most secure way to authenticate, i read news using fingerprint no longer safe?
Me : yes they can clone your fingerprint if you take a photo with your fingerprint to camera.
Bro : so what is the other way to authenticate more secure and other people can't see in picture ?
Me : D*ck authentication is more secure now, other people can't see your d*ck pattern right?

Fuck this
I get to work with API where you CAN authenticate with username/password and get a token

But you CAN'T get user info from token (auth response contains ONLY token)

So what I have to do:

1. Get token

2. Request ALL FUCKING USERS and load them into my DB

3. Search through local DB by username and, yeah, here I go

Now I need to have a cron job to update user DB 1/2 times per day

I can't think of ANY reason not to allow this

Why the fuck does your API have to send 401 when the server is down.

Just spent an hour thinking something was wrong with my auth wrapper.

Working on another online pokemon game sort of thing and I'm super proud of myself because I just got the user registration, login, auth session, and logout done. Last time I tried making one of these damn things I didn't bother using a database and I tried making a complex user auth system using JSON files and God, I regret that now.

Now only a million steps to go (Including making the game)

5 stages of failing WIFI connectivity on Linux

This morning I woke up my laptop to start my work day. I have 2 very important meetings today, so I better get all prepared.

"Wifi connection failed"
Syslog says:
- wpa_supplicant: wlp9s0: SME: Trying to authenticate with <MAC>
- kernel: wlp9s0: authenticate with <MAC>
- kernel: wl9s0: send auth to <MAC> (try 1/3)
- kernel: wl9s0: send auth to <MAC> (try 2/3)
- kernel: iwlwifi: Not associated and the session protection is over already...
- kernel: wl9s0: send auth to <MAC> (try 3/3)
- kernel: wl9s0: authentication with <MAC> timed out

#### DENIAL #####

No biggie, let's try another AP (I have 3). All 3 failed to connect. Fine, let's try my phone's hotspot! FAILED!!!!!

w00t.... okay, let's restart the router... but failing to connect to a phone hotspot is already a worrying sign.

Wifi connection failed

wtf.. disable and re-enable wifi

Wifi connection failed

#### ANGER #####

the fuuuuuuck. Maybe my router is dead. But my phone connects to it, no fuss. My personal lappy also connects there easily.

wtf... Does that mean I'm about to lose my uptime?? Come one!! It's Linux - there MUST be something I could do! I don't see processes hanging in D state so the radio must be fine - it's gotta be a software issue!

ChatGPT – type all the log entries manually, via phone (that took a while...). Nothing useful there: update firmware, restart NetworkManager, etc.

#### BARGAINING #####

Alright... How about a USB dongle? Plug it in and wifi connects immediately! Yayyy!!! But that's only b/g/n and I'd very much like to have ac. It works well as a limping backup, but not something I'd use for the meetings.

rfkill block/unblock all the radios. No change. USB dongle connects right away but the PCIe adapter keeps throwing notifications at me with failure messages. It's annoying, to say the least.

So I've already tried
- restarting the router(s)
- disabling/reenabling the radios
- multiple APs
- suspending/waking again several times
- praying

#### DEPRESSION #####

The only thing I haven't tried yet is the most cruel one - restarting the laptop. But that's unfair... It's LINUX! How could it disappoint me. I have so many tmux sessions open, so many unsaved leafpad notes, terminal histories with oh so comfy ^r and ! retriggers all ready and waiting to be executed...

#### ACCEPTANCE #####

But I can't miss the meeting. So I slowly start closing off apps, starting with the least important ones, trying to preserve as much history and recent commands as I can. I'm gonna lose my uptime, that's the inevitable obvious truth... Linux has failed me. Or maybe it's a hardware issue... I can't be sure until I restart.

I must reboot.

#### A NEW HOPE #####
Hold on.. What if... What if before restarting I try to reload the Intel wifi kernel module? Just for the giggles. I've got nothing to lose anyway...

rmmod iwlmvm
rmmod iwlwifi
modprobe iwlwifi
modprobe iwlmvm

*WiFi Connected*

YESSSS!!!!!!!!! My uptime is saved!
403 days and counting! YEAH BABY!!!

Linux is the best!

My predecessor used auth as a bool. The only way he kept basic users from accessing admin functions was by including the word "admin" or "user" in the URL so any user could be the administrator by just changing the URL parameters after logging in

For example, mysite.com/admin/editorderdetails vs. mysite.com/user/editorderdetails

Today my grandmother called and told me she wasnt able to login to her account for her ISP. Alright, maybe shes confused about the passwords as we had to change it recently. No, turns out they still have this "oh sorry you typed your password incorrect three times, so we will lock your account and your granny have to do the 2 hour telephone queue"

You and your fucking outdated auth practise can go and kindly fuck yourself. Fix this shit before I get real mad.

Saw this popup in my feed today. Glad I've never had to deal with code like this.

Sauce: @LoganDice@mastodon.social

Thank God the week 233 rants are over - was getting sick of elitist internet losers.

The worst security bug I saw was when I first started work as a dev in Angular almost year ago. Despite the code being a couple of years old, the links to the data on firebase had 0 rules concerning user access, all data basically publicly available, the API keys were uploaded on GitHub, and even the auth guard didn't work. A proper mess that still gives me the night spooks to this day.

Read a blog post at work yesterday from the company head of IT security. Line 1:
As part of our company policy we enforce the use of usernames and passwords, known as two factor authentication. However we also need to ensure.....

Stopped listening at this point as I hit Google to confirm the definition of two factor auth.

Nope I'm not loosing my mind, the blog post is insane....

Twilio literally broke my integration because I have not logged into its portal for 2 weeks. Got notified by users complaining SMS wasn’t going through.

Don't you hate it when this happens?

"It works on our end", the sentence that made me lose my shit.

I've been working on a project were we're supposed to integrate an API into our system.

When trying to get some user id's (UUID) from said API, we got a type-error in the response (???), so I called their integration support and asked what the fuck they were doing (not really, i was kinda calm at this point).

The answer I got was following:

Integration guy: "Uh, bro, like, I don't even know, it's probably on your end"

Me: "We literally used this endpoint with the same parameters yesterday, and got a result we expected. I noticed you updated your API this morning, did you make any major changes?"

Integration guy: "Yeah we changed the type of user id from string to number"

Me: "So, you changed the type of a UUID (uuid4) from string to number? How did you not think that would be an issue? I can see in your forums that everyone else is having the same issue."

Integration guy: "Nah, it's probably a bug in your code, it works on our end"

Me in my mind: *IT WORKS ON YOUR END?!? IT DOESN'T FUCKING MATTER IF IT WORKS ON YOUR END, FUCKTARD.*

What I actually said: "Uhm, I'm not sure if works on your end either, I'm not even sure how this change made it to production. But hey, thanks I guess, bye."

WHY AM I NOT ABLE TO YELL AT PEOPLE WHEN THEY ARE BEING RETARDED???

But really though, when you're maintaining an API, you shouldn't fucking care if things work on your end in your dev environment. What matters is how it works in production, for the end user/users.

And I know that 99% of cases it's the users fault by entering the wrong parameters or trying to request with wrongly setup auth and what not, but still.

Don't ASSUME nothing's wrong on your end. It's your fucking job to fix the issues.

And guess what? The problem was on their side.
I'm going fucking bald.

Holy fuck is learning new frameworks frustrating.

I'm trying to setup a simple fucking flutter app and all their tutorials are basic shit with no auth/complex routing.

Any feature of flutter that's not in a tutorial has absolute shit documentation with 0 examples on how to use it.

Material app has like 20 properties and if you click on something like on generate there is shit for knowing what the fuck it's expecting.

Stackoverflow has a ton a code but that's just it, code. I have absolutely no idea how they generate the code they have from the documentation on the site. They must have been following flutter from the start.

Ahhhhh! 😠

I'm convinced no one really understands OAuth2, probably not even the creators.

Every blog, articles and tutorial, you have people saying don't do this, don't do that. Basically, no one agrees on a single implementation.

Want to use passwords for auth in a first party system you fully own? Apparently, that's unsafe.
Hmmm, what about magic links for passwordless auth? Also not safe you say?
Okay, I believe Okta just wants people to use their services, nothing else.

I used to work for a company that had a main website and a lightweight app. LW app was distributed to partners and added to other sites using an iframe.

Someone decided a requirement was to retain the shopping cart for anonymous users. Some dev thought the best way to do that was to issue auth cookies to anonymous users.

The auth cookie issued by the LW app was actually for the main site. A few users for LW app decided to just come to main site to make a purchase. Since they already had an auth cookie (issued from LW app), they were never prompted to log in, create an account, or use guest checkout on the main site. They were still able to complete their order and we had their shipping address, but we didn’t have their email address so we couldn’t contact them about their order.

Customer service had no way to email customers if something went out of stock or if there was a product recall. CS would have to call these customers and ask for email addresses. Good luck getting anyone to answer or return a call nowadays. Customers were asking where their confirmation email was. The admin website was polluted with “users” that had the placeholder email for non-logged in users.

This happened because of a combination of an understaffed and overextended engineering department. Of course when something goes bad it’s going to be bad.

So I've been working a lot with Docker lately (who isn't) and there was this one service always DIEING on me.
Docker logs showed me that it was killed because the container was unhealthy.
I researched for a whole day and couldn't find it...
After I got home it hit me like a hammer...
The healthcheck uses basic Auth and the password was changed yesterday...

How the fuck could I start to try every shit before I even checked if the request done by the healthcheck is working...

FUCK ME I'M SUCH A MORON SOMETIMES

I use a Mac that implements MAC using MAC and its got multiple hardware MACs along with a hardware MAC.... btw, I'm eating a Big Mac.

...

Media Access Control - Networking
Manditory Access Control - Security
Message Auth Code - Security
Mac - Apple
Multiply ACcumulate - Chip Design

My non dev friend called me in middle of night for getting shortcut virus removed! I would have blasted 🔫 him but I felt pity on the guy as I know that he is poor with tech stuff

Any he had only windows, so I Google up solution and replied back to him.

He asked where to put it. I told him in cmd. He is like what so I told him to press win+r then in that type d and "black" 🏴 window will appear. Type in that.

guess what he typed exactly as mentioned in the reply and didn't replace the drive name properly .😑

I told him to put proper drive and saw that he missed spaces so l told him that he missed space 😤 and he put only one space and it still had problem so I had to explain it in weirdest was possible( shown in fig 1.1 had been writing report and figure gave yo be mentioned with number 😅)

Finally. It was all done! Well some pf my cs ( !counter strike but computer science friend) are worse then this can't use teminal or even connect to WiFi (wpa-enterprise @ college with mschap v2 and peap auth which is crackable using twin tower and brute force) properly, do I guess it not BA's that this guy cry to get rid of shortcut virus (virus > wifi setup) 😬

Finally I feel relived after ranting 😪

Call it mental disorder. Sickness. Masochism or just bein a demented individual...

But I used to work with classic ASP. Yes, my JS ran on servers before it was cool (I am the original tech hipster) and I was writing VBScript with it as well because why the fuck not?

And
I
LIKED IT.

Kinda miss it to be honest. Shit was simple as fuck, the downside of it was the "fuckLibrariesAndDoShitByHand.asp" mentality and consequence of using old tech....but I liked it.

Tutorials for that shit had to teach you damn near everything in one book, not just how to code it, but how to really work with servers on the bare minimum and one would learn sooo much. Now a days most books be like "this is how you do yo auth tokens..because all y'all mofockas should know this shit by now" NO mofocka! Our books was all about "aaaallrighty dipshit, this shit here is auth, and in order to bla bla blah" THOROUGHT AS FUCK B.

So yeah......i had fun, by far not my first choice on new shit, but shit was fun.

Sign in with Apple...

* Nobody tells you that a app group can consist of a maximum of 6 apps.
* Nobody tells you that suddenly a key id is needed for constructing the signing key for signing the client_secret when other keys are added in the dev portal.
* Apple gives you email and name only (and i mean only) the first time a customer uses Sign In With Apple.
* You have no chance to reset your user during development in a way to try a fresh auth. So either create separate app ids or separate apple ids.

Sounds like fun, right?

Hey, we need a service to resize some images. Oh, it’ll also need a globally diverse cache, with cache purging capabilities, only cache certain images in the United States, support auto scaling, handle half a petabyte of data , but we don’t know when it’ll be needed, so just plan on all of it being needed at once. It has to support a robust security profile using only basic HTTP auth, be written in Java, hosted on-prem, and be fully protected from ddos attacks. It must be backwards compatible with the previous API we use, but that’s poorly documented, you’ll figure it out. Also, it must support being rolled out 20% of the way so we can test it, and forget about it, and leave two copies of our app in production.

You can re-use the code we already have for image thumbnails even though it’s written in Python, caches nothing and is hosted in the cloud. It should be easy. This guy can show you how it all works.

Internal mail form CIO's office:

"Thank you for being part of the internal trial for NPMe, we have decided to remove this tool in favour of Artifactory because of its support for multiple platforms and tools. We are sorry for the inconvenience, here is a link to migration scripts ..."

Migration "script" readme, please clone this repo, create file A, and B, and install these 2 dependencies.

Dependency 1:

- "install via homebrew ..."
- .... homebrew needs to update, checking for updates
- 10 mins later = Update failed, please upgrade to Ruby version 2.3
- Installs ruby version manager
- GPG signature verification failed
- Install GPG v2 + accept keys
- Install ruby version manager
- "please execute this command before running rvm"
- execute command
- "rvm install ruby-2.3"
- Install failed, please see log file
- Opens log file
- "Xcode on its own is not sufficient, please install xcode cli tools"
- Install xcode tools
- 5 minutes later -> "rvm install ruby-2.3"
- 10 minutes later "brew install jq"

Ok back to read me, "login to Artifactory, go here and copy paste XXX."

- Login to Artifactory
- Eventually find repo
- Login again to actually see credentials for some reason
- Screen doesn't match instructions in readme
- Click around
- Back to readme
- Back to artifactory
- Login again
- Execute command auth / setup command
- Copy contents to npmrc file .... now all my scoped packages are going to point to 1 specific repo

Fuck the migration, Fuck these shitty instructions, i'll set them all up again manually. See tags below for further opinions on this matter.

I just had a boys-out night with my son. Went to some restaurant, found a parking spot in a confusing parking lot (half is more expensive than the other half of the lot, not sure which fee applies to the middle row... confusing), started paying for parking with the app (pays every 15 minutes until stopped).

Went inside, ordered a pizza, some ice cream. Chatting, playing, eating, having fun,... An SMS comes: "You have outstanding fines" and a link to the gov taxes' website.

wtf.. I must have parked in the wrong spot. FUCK! Oh well, it should not be a large fine anyways, it's just for parking....

Click on the link, login with my bank/SmartID creds. Another SmartID dialog pops up asking for a PIN2.
What? PIN1 is for authentication, PIN2 is for Authorization. What am I authorizing...?
Reading through the Auth message: "Paying 2473€ for Boris SomeLastname".

what.....?

Thank God my muscle memory did not kick in and I did not enter that PIN2.
And thank God I know what PIN1 and PIN2 are for.
It would've been one expensive boys-out evening... Even a strip club would've been cheaper.

Stay sharp, guys!

P.S. Later I checked the URL. It used all the right keywords, and it was registered as an .info domain. It was somewhat off, but gov websites trying to be lean do sometimes use some weird ass domains.

Fuck you windows 10. Fuck you private keys. Fuck you tortoise git. Fuck you git bash. Fuck you cygwin. Want 3x hours of my life back. Had an auth problem... Had to reinstall all the above on windows to connect to my private repo. Took me 5 minutes to connect after reinstalling all the tools. Grrrrrrr. And I'll never know why it wouldn't connect apart from fatal protocol error: bad line length character..I tried ever stack overflow answer... I nearly bricked my gitlab CE...and it was windows being a motherslut

Progress since my last post - quite like where the iterations since the cold design got me, next is the actual rant view and then will implement all sort of auth things like posting comments.

Have also figured out a way to have style and script plugins, haven't tried it yet though, especially with storage rulesets it might not be as smooth as I imagine it to be.

Another screenshot in the comments.

Just a rant... It really sucks to work with maven on a security-paranoid financial institution enforcing ntml proxy auth...

Also usb ports disabled... :(

Oh boy I got a few. I could tell you stories about very stupid xss vectors like tracking IDs that get properly sanitized when they come through the url but as soon as you go to the next page and the backend returns them they are trusted and put into the Dom unsanitized or an error page for a wrong token / transaction id combo that accidentally set the same auth cookie as the valid combination but I guess the title "dumbest" would go to another one, if only for the management response to it.

Without being to precise let's just say our website contained a service to send a formally correct email or fax to your provider to cancel your mobile contract, nice thing really. You put in all your personal information and then you could hit a button to send your cancelation and get redirected to a page that also allows you to download a pdf with the sent cancelation (including all your personal data). That page was secured by a cancelation id and a (totally save) 16 characters long security token.

Now, a few months ago I tested a small change on the cancelation service and noticed a rather interesting detail : The same email always results in the same (totally save) security token...
So I tried again and sure, the token seemed to be generated from the email, well so much about "totally save". Of course this was a minor problem since our cancelation ids were strong uuids that would be incredibly hard to brute force, right? Well of course they weren't, they counted up. So at that point you could take an email, send a cancelation, get the token and just count down from your id until you hit a 200 and download the pdf with all that juicy user data, nice.

Well, of course now I raised a critical ticket and the issue was fixed as soon as possible, right?
Of course not. Well I raised the ticket, I made it critical and personally went to the ceo to make sure its prioritized. The next day I get an email from jira that the issue now was minor because "its in the code since 2017 and wasn't exploited".

Well, long story short, I argued a lot and in the end it came to the point where I, as QA, wrote a fix to create a proper token because management just "didn't see the need" to secure such a "hard to find problem". Well, before that I sent them a zip file containing 84 pdfs I scrapped in a night and the message that they can be happy I signed an NDA.

For the last 20 years, there's one thing I've not been able to do reliably:

Share a folder on a windows computer.

Why the fuck can I write /etc/smb.conf from scratch with a blindfold on and make it securely work from all client devices including auth & acl, but when I rightclick and share on windows it's either playing hide and seek on the network (is it hiding behind //hostname/share? No? Maybe in the bushes behind the IP addresses?), or it's protected by mysterious logins requiring you to sacrifice two kittens a day.

Yes, finally it works! One windows update later... aaaand it's gone.

JUST GIVE ME A FUCKING CONF AND A MAN PAGE, MICROSOFT. I DON'T CARE THAT YOU'RE ORALLY PLEASING ALL THESE MALWARE RIDDEN GUISLUTS ON THE SIDE, JUST GIVE ME A FUCKING TEXT FILE TO STORE AND EDIT.

Running WireShark to see what one of our partners is sending across.

Outdated TLS: Ok, that's par for the course.
Leaking data through DNS queries: ButWhy.jpg
Website leaked through DNS doesn't require auth to view information. TableFlip.jpg

I wrote an auth today.

Without frameworks. Without dependencies. Without under-the-hood magic. Without abstract pluggable adaptor modules for the third-party auth library with 63 vulnerabilities and 1252 GitHub issues. Without security vulnerabilities showing up in NPM log. Without dependency of a dependency of a dependency using md5 and Math.random() under the hood for historical reasons, and now we're fucked, because this is the only lib for our framework, and we have no time to write our own replacement. Without all that shit.

Rock-solid, on top of scrypt. Stateless and efficient.

It felt amazing.

If your website has a login wall, my visceral reaction is to close the tab. After that, my rational reaction is to close the closed tab. Because fuck you.

Story time:

I worked at a firm that had an infernal off the shelf CRM system that they collaborated with the dev company to customise.

They were seriously behind the competition, and didn’t have any app or web presence for interacting with their system, instead relying on people calling (fine for the nature of the business, but competition was leaving them in the dust).

They decided that they needed to redevelop it in-house, with a focus on supporting the web and apps.

I was hired for this purpose.

It was me and one other dev, who was also the head of IT.

He’d built a small prototype, and was new to the whole WPF / MVVM thing for the in-house app, so with my previous experience it was clear it needed to serve as an example only, and that it would need redeveloping.

I was only there three months.

In that time I singularly (he was pulled away to troubleshoot their VOIP installation - yes, for three months as other companies kept dropping the ball) built:

- A WebAPI with JWT auth
- An MVC skeleton frontend
- A WPF desktop app

It had all sorts of cool shit in it, 2FA, Reactive UI, Reactive extensions, server push to desktop, a custom workflow and permissions system.

It was pretty dang cool.

End of the three months rolled around, and the non-technical managers were concerned about time to market, so they decided to drop me as I’d “not made enough progress”.

I’d also had a bit of absence which they were aware of and were supposedly supporting me through.

But MFW three months is assumed to be enough time to build such a system with one dev.

Signet, the google auth library, is somehow throwing a DivideByZero error, despite the only math in the file being linear back-off (`sleep retry++ * 0.3`). Also, the line it’s getting thrown on very specifically throws an entirely different error: a Signet::AuthorizationError.

What is even going on?
Also this worked yesterday.

🥺

TL;DR my first vps got hacked, the attacker flooded my server log when I successfully discovered and removed him so I couldn't use my server anymore because the log was taking up all the space on the server.

The first Linux VPN I ever had (when I was a noob and had just started with vServers and Linux in general, obviously) got hacked within 2 moths since I got it.
As I didn't knew much about securing a Linux server, I made all these "rookie" mistakes: having ssh on port 22, allowing root access via ssh, no key auth...

So, the server got hacked without me even noticing. Some time later, I received a mail from my hoster who said "hello, someone (probably you) is running portscans from your server" of which I had no idea... So I looked in the logs, and BAM, "successful root login" from an IP address which wasn't me.

After I found out the server got hacked, I reinstalled the whole server, changed the port and activated key auth and installed fail2ban.
Some days later, when I finally configured everything the way I wanted, I observed I couldn't do anything with that server anymore. Found out there was absolutely no space on the server. Made a scan to find files to delete and found a logfile. The ssh logfile. I took up a freaking 95 GB of space (of a total of 100gb on the server). Turned out the guy who broke into my server got upset I discovered him and bruteforced the shit out of my server flooding the logs with failed login attempts...

I guess I learnt how to properly secure a server from this attack 💪

I've just checked my server's auth logs and my god that's a lot of failed ssh login attempts.

I think I'll install an ssh honeypot to waste these peoples time...

Outlook put my other outlook's auth code email in Junk................

Let's talk about the cargo cult of N-factor authentication. It's not some magic security dust you can just sprinkle onto your app "for security purposes".

I once had a client who had a client who I did server maintenance for. Every month I was scheduled to go to the site, stick my fingerprint in their scanner, which would then display my recorded face prominently on their screens, have my name and purpose verified by the contact person, and only then would the guards let me in.

HAHA no of course not. On top of all of that, they ask for a company ID and will not let me in without one.

Because after all, I can easily forge my face, fingerprints, on-site client contact, appointment, and approval. But printing out and laminating a company ID is impossible.

---

With apologies to my "first best friend" in High School, I've forgotten which of the dozens of canonicalisations of which of your nicknames I've put in as my answer to your security question. I've also forgotten if I actually listed you as my first best friend, or my dog - which would actually be more accurate - and actually which dog, as there are times in my High School life that there were more tails than humans in the house.

I have not forgotten these out of spite, but simply because I have also forgotten which of the dozen services of this prominent bullshit computer company I actually signed up for way back in college, which itself has been more than a decade ago. That I actually apparently already signed up for the service before actually eludes me, because in fact, I have no love for their myriad products.

What I have NOT forgotten is my "end of the universe"-grade password, or email, or full legal name and the ability to demonstrate a clear line of continuity of my identity from wherever that was to now.

Because of previous security screwups in the past, this prominent bullshit company has forced its users to activate its second, third, and Nth factors. A possibly decade-old security question; a phone number long lost; whatever - before you can use your account.

Note: not "view sensitive data" about the account, like full name, billing address, and contact info. Not "change settings" of the account, such as changing account info, email, etc. Apparently all those are the lowest tier of security meant to be protected by mere "end of the universe"-grade passwords and a second factor such as email, which itself is likely to be sold by a company that also cargo cults N-factor auth. For REAL hard info, let's ask the guy who we just showed the address to "What street he lived in" and a couple others.

Explaining this to the company's support hotline is an exercise in...

"It's for your security."

"It's not. You're just locking me out of my account. I can show you a government ID corroborating all the other account info."

"But we can't, for security."

"It's not security. Get me your boss."

...

"It's for security."

Having to explain why GET has its place, but shouldn't be used for anything that shouldn't be viewed ... especially to some one that should fucking know not to show the damn auth credentials. Great thanks for your user and pass, can I get your CC number next please.

Just discovered one of our core systems had literally used api key validation of "drop into database, if exists, its fine"

Well, around 30 seconds later, I have successfully authenticated with apikey "%". Wonder why.... Sigh... Patch already pushed, but still it left bad taste in my mouth...

lesson for beginers:
validate, validate, validate. If user could touch it, treat is as broken unsafe and if used it will nuke your home. check if it will, than use it.

I find it funny that as soon as I disable password authentication on my server and enable key auth then all of the bots spamming my server with incorrect login requests instantly stop when they realise that they aren’t getting through any time soon. Also don’t ask why I don’t have Fail2Ban and a firewall set up.

IoT device endpoint: public fixed IP, raw TCP socket, no auth at all

DEI QA: “For step 2 should the checkbox be checked? Or uncheck ?”

… Step 2 of my testing steps reads: “Check it [the checkbox], save it, reload it. The box should still be checked. Repeat to uncheck it, just to be pedantic, then leave it off so we can test the existing behavior.”

🤦🏻‍♀️

DEI QA: “The payment_method_identifier will be in api callback logs if `Return payment method identifier in auth/confirmation callbacks` is checked?”

🤦🏻‍♀️

Me: it does what it says on the tin.

DEI QA: “BTW its a `tin`.”
DEI QA: “In Canada its `Taxpayer Identification Number`”

🤦🏻‍♀️

2 factor auth with carrier pigeon

FUCK FUCK FUCK FUCK FUUUCJKKK OOOOFFFFFFFFFFFFFFFF (wasted hours why im being redirected to 404 when trying to access a route thats being guarded (u need to login first to access it) only to find out i changed /login into /auth/login and forgot to update this bs into the guard so the guard was redirecting to /login which indeed doesnt exist and is a 404 instead of redirecting to /auth/login)

This is such a fucking dumb bug I have to take a fucking break im going outside for a jog and then intense home workout to unfuck my mind

When depression set in, I thought pain relief lied in getting duller. People I called “stupid” — who lived simple lives filled with alcohol and lack of any talent or purpose — weren't suffering. Better even, they denied the existence of depression.

My “wish” was granted when they prescribed cariprazine. In two months, I lost my ability to read, let alone code.

Before that, even depressed, writing a simple email/password auth was a matter of ten minutes in any of the languages I knew how to do web in (JS, Python, Clojure, PHP). But on cariprazine, I remember myself not quite getting what an HTML form was.

Tell you what… you should never wish to become dumber. When I was smart and depressed, the pain was real, but it felt like… let's say a breakup. When I was dumb and depressed, it felt like being raped with a red-hot soldering iron. Or like being skinned alive. Or like when 100% of your skin is a third-degree burn. The pain weren't listening to me, as my mouth was glued shut as if I was Keanu in the first Matrix movie. You can't say, do or think anything, at all, to ease your pain somehow. You can't even realize that just DMing or calling someone is probably a good idea.

Instead of you vs. despair situation from when you were smart, now it's just despair that is actively melting you, so you two become one. Even time loses its meaning. There is nothing out there but suffering.

If you're smart(er than I was at my lowest), DO cherish it. Losing that will spell disaster. So stay away from substances that can facilitate that loss.

Fucking christ this year is a fucking shitfest:

- wpa2 krack
- "DUHK Attack Lets Hackers Recover Encryption Key Used in VPNs & Web Sessions"
- "Hacker Hijacks CoinHive's DNS to Mine Cryptocurrency Using Thousands of Websites"
- "Bad Rabbit: New Ransomware Attack Rapidly Spreading Across Europe"

My fucking router didn't yet get patched, my fucking phone is outdated and I can't change to my patched one because devrant just shits the bed in extended desktop mode. Windows 8.1 loses support in 3 months, rendering my last chance of using it on my surface pro done, making me use windows 10 with its fucking shit ass not optimized tablet interface. I have just fucking constant paranoia what else could be hacked tomorrow, nothing is fucking safe anymore for fucks sake. I even went as far as implement 3 step auth and intrusion detection on my shitty ass VPS nodes, fucking give me a break you fucking assholes.

when youre working on a API and every testCase is all green plus manual testing thru Postman extension is all good..

then makes a web app use that API, authorization works as intended but the token is immedially invalid...

just..how..

*ssh into server*
*runs 'sudo systemctl start docker'*
*ssh into server again*
> Permission denied

How docker? How are you destroying the ssh servers auth?

all documentation points to an Invalid auth token being code 400 (ignore the fact that this is a code in the JSON response and not HTTP)

Me: here iz credential. Plz send datas
API: haha fock off and die mate, then credentials you got there aren’t workin’
API: code 998 invalid auth token
Me: *speechless* so that’s why it took me longer than it did to find that error, because YOUR CODE WAS MISSING ALL MY CHECKS FOR CODE 400.

Why can’t people design apis properly.

Bringing the funny...

Security is a joke. And people don't seem to get it. Especially Data mungers.

I've spent about half an hour trying to work out how to securely connect to power BI using PowerShell in a renewable manner for unattended access later on.

Every single example I've found seems to involve you storing $user and $password variables inside your script. If I'm lucky, they're going to pass them through ConvertTo-SecureString. And nobody talks about securely storing AD auth tokens, or using the Windows Credential Manager.

I know it's possible, but it's going to take me ages to work out how from all sorts of disparate sources...

Whenever Google alerted me that "a new device was used to access your account", I always hear Skyrim's Meridia voice in my head:

"A NEW HAND TOUCHES THE BEACON"

Boss: so we've got to call an app to verify data in this project. But I've got no more info and I'm on holiday next week. Please contact GuyA next week.
Me: ok I guess?
*writes email to GuyA*
GuyB: GuyA is on holiday please hold the line
*1 week later*
GuyA: we need more time it's not ready yet
*2 weeks later?
Me: so?
GuyA: yeah it's ready here's the wsdl etc your client already has the password
*1 week later*
Me: yeah so I got the data but the api says my auth isn't working
GuyB: yeah your user isn't activated on the test system. I'm gonna forward that and come back at you
*1 week later*
GuyA: so we're going live in about 2 weeks hows testing going?
Me: well I'm still waiting for the response and activation
*suddenly it works*
Me: yeah so auth is working but i can't find any data. Is there any special test data?
GuyA: oh no there is NO test data on the test system. You need to wait for GuyB but he us not here today...
Me: are you fking kidding Me?????

... no response since then and it's been days....

New twist on an old favorite.

Background:
- TeamA provides a service internal to the company.
- That service is made accessible to a cloud environment, also has a requirement to be made available to machines on the local network so you can develop against it.
- Company is too cheap/stupid to get a s2s vpn to their cloud provider.
- Company also only hosts production in the cloud, so all other dev is done locally, or on production non-similar infra, local dev is podman.
- They accomplish service connectivity by use of an inordinately complicated edge gateway/router/firewall/message translator/ouija board/julienne fry maker, also controlled by said service team.

Scenario:
Me: "Hey, we're cool with signing requests using an x509 cert. That said, doing so requires different code than connecting to an unsecured endpoint. Please make this service accessible to developer machines and lower environments on the internal network so we can, you know, develop."
TeamA: "The service should be accessible to [cloud ip range]"
Me: "Yes, that's a production range. We need to be able to test the signing code without testing in production"
TeamA: "Can you mock the data?"
Me: "The code we are testing is relating to auth, not business logic"
TeamA: "What are you trying to do?"
Me: "We are trying to test the code that uses the x509 you provide to connect to the service"
TeamA: "Can you deploy to the cloud"
Me: "Again, no, the cloud is only production per policy, all lower environments are in the local data center"
TeamA: "can you try connecting to the gateway?"
Me: "Yes, we have, it's not accessible, it only has public DNS, and only allows [cloud ip range]"
TeamA: "it work when we try it"
Me: "Can you please supply repro steps so we can adjust our process"
TeamA: "Yes, log into the gateway and try issuing the call from there"
Me: (╯°□°)╯︵ ┻━┻

tl;dr: Works on my server

Your three-second password retry delay is far more likely to annoy users than preventing a brute-force attack.

If you insist on a retry delay, let the user enter a password five times without any delay. This would make no difference in the grand scheme, the trillions of retries needed for a brute-force attack, and guessing a password takes longer than three seconds of thinking anyway.

Another alternative is a tenth of the password retry delay but one added character. One added character slows down a brute-force attack by at least sixty-two (62) times, so one more character but a tenth of the password retry delay would still mean more than six (6) times the protection against brute-forcing.

On Linux, the password retry delay can thankfully be reduced by changing a value inside /etc/pam.d/common-auth or /etc/pam.d/login (out of scope for this post, you can search online for more details).

PouchDB.

It promised full-blown CRDT functionality. So I decided to adopt it.

Disappointment number one: you have to use CouchDB, so your data model is under strict regulations now. Okay.

Disappointment number two: absolutely messed up hack required to restrict users from accessing other users’ data, otherwise you have to store all the user data in single collection. Not the most performant solution.

Disappointment number three: pagination is utter mess. Server-side timestamps are utter mess. ANY server-side logic is utter mess.

Just to set it to work, you need PouchDB itself, websocket adapter (otherwise only three simultaneous syncs), auth adapter (doesn’t work via sockets), which came out fucking large pile of bullshit at the frontend.

Disappointment number four, the final one: auth somehow works but it doesn’t set cookie. I don’t know how to get access.

GitHub user named Wohali, number one CouchDB specialist over there, doesn’t know that either.

It also doesn’t work at Incognito mode, doesn’t work at Firefox at all.

So, if you want to use PouchDB, bear that in mind:
1. CouchDB only
2. No server-side logic
3. Authorization is a mess
4. Error logs are mess too: “ERROR 83929629 broken pipe” means “out of disk space” in Erlang, the CouchDB language.
5. No hosting solutions. No backup solutions, no infrastructure around that at all. You are tied to bare metal VPS and Ansible.
6. Huge pile of bullshit at frontend. Doesn’t work at Incognito mode, doesn’t work at Firefox.

It's a really interesting discussion, when your boss tells you that it's a perfectly fine idea to directly use a Firebase DB from an Angular web app by storing the Admin Auth Token in a variable in JS.
Thank the spaghetti monster, I was able to argue against it and use the already partially implemented RESTful API with the already used auth.
He basically wanted to save time and omit extra login routes.

It's OK to save time and not implement $randomFeatures.
BUT DON'T FUCKING TRY TO SAVE TIME ON SECURITY!

If it wasn't for me, this web app would turn into a bigger gaping (security) asshole than Sasha Grey's...

I'm breaking out our authentication logic to a separate OIDC server. It's technically pretty straightforward, but just the thought of moving all those users and making sure that the communication between the system and the auth server works properly makes me shiver...

I have an issue with my Laravel routing. Can you help me out, @bittersweet?

I have a custom "/home" route called "/admin" and I set the protected property in the LoginController:

$redirectTo = "/admin";

And it works fine, if I log in from guest. But when I navigate to "/login" as auth-user it still redirects me to "/home".

What the fuck is this? What do I have to change to make this work? Who has to be fucked? Is it possible to solve this without sacrificing a virgin at bloodmoon? And why are Platypus so fucking ugly?

"Our Data Service comes PRE-P0WN'D"

Those SHIT-FOR-BRAINS data service providers GLOAT that their data can be natively integrated into most BI platforms, no code required.
How? Because they will EXPOSE THE ENTIRE FUCKING THING ON THE INTERNET.
LITERALLY.
UNAUTHENTICATED URL WITH THE ENTIRE DATASET.
STATIC. WON'T EVER FUCKING CHANGE.
NO VPN REQUIRED. NO AUTHENTICATION HEADERS. NO IN-TRANSIT ENCRYPTION.

"It is safe! No one will know the secret token that is a parameter in the url"
BLOODY BYTE BUTTS, BATMAN! IT IS A FUCKING UNAUTHENTICATED URL THAT DOES NOT REQUIRES RENEWAL NOR A VPN, IT WILL LEAK EVENTUALLY!

That is the single fucking worst SELF-P0WN I have ever seen.
Now I know why there are fucking toddlers "hacking" large scale databases all over the globe.
Because there are plenty of data service providers that are FUCKING N00BS.

How do you get over the bad times? I keep having to work with shitty legacy systems that were written in perl and flash in the 90s, but my boss keeps telling me "No" on redoing some of the bigger stuff even though it is really needed. I mean, that is your goal here, right? Rebuilding this POS? FFS you still stored passwords in plain text twoo weeks ago! But no, you's rather dig around in Perl than upset some random user because his fucking interface looks different.

But then I also have to work with another system that I could redo in Cake/Laravel in two weeks (it's literally getting and writing data to one table, so two views and user auth), and the previous dev just... made a huge mess. I mean, why would you need to post data asynchronously when it's this one stupid form ? Just do a regular form submit? And the system is really not suitable for extending, because everything is in the database, EVERYTHING! Like, html form inputs? So to add a simple input to the template I have to create a new input type in the types table and then add that to the form structure table? Only to have the input checked by fucking regex? REGEX! Why? Seriously, this is not some high end CMS that needs this level of code reusability No. This is a simple fucking form.

And I can't get it to work. No documentation of course. No comments, either. All of this makes me feel like I'm just the shittiest dev ever. I feel dumb, and useless. Haven't turned on my private PC in weeks because I see no reason to work on any of my own stuff.

I used to have a job, working with Magento and Wordpress. And yeah, it was horrible, it was chaos, but it was fun and I was great at it. I bent that motherfucking system to fit my needs. People respected my opinion, they were convinced I could program this and that, and I proved them right. Did I make mistakes? Hell yeah. Did I give up? Fuck no!

But now, I just feel like I can't even write a simple fucking form any more. I'm just so close to giving up on development as a whole, even though I love it so much.

Pentesting for undisclosed company. Let's call them X as to not get us into trouble.
We are students and are doing our first pentest at an actual company instead of assignments at school. So we're very anxious. But today was a good day.
We found some servers with open ports so we checked a few of them out. I had a set of them with a bunch of open ports like ftp and... 8080. Time to check this out.
"please install flash player"... Security risk 1 found!

System seemed to be some monitoring system. Trying to log in using admin admin... Fucking works. Group loses it cause the company was being all high and mighty about being secure af. Other shit is pretty tight though.

Able to see logs, change password, add new superuser, do some searches for USERS_LOGGEDIN_TODAY! I shit you not, the system even had SUGGESTIONS for usernames to search for. One of which had something to do with sftp and auth keys. Unfortunatly every search gave a SQL syntax error. Used sniffing tools to maybe intercept message so we could do some queries of our own but nothing. Query is probably not issued from the local machine.

Tried to decompile the flash file but no luck. Only for some weird lines and a few function names I presume. But decompressing it and opening it in a text editor allowed me to see and search text. No GET or POST found. No SQL queries or name checks or anything we could think of.

That's all I could do for today. So we'll have to think of stuff for next week. We've already planned xss so maybe we can do that on this server as well.

We also found some older network printers with open telnet. Servers with a specific SQL variant with a potential exploit to execute terminal commands and some ftp and smb servers we need to check out next week.

Hella excited about this!

If you guys have any suggestions let us know. We are utter noobs when it comes to this.

So yesterday I had to travel to a different city, which is around 200km to get to (~125 miles), to get my dad to a hospital.
While waiting for him to get processed I did some coding and everything went smooth.

When I came back home, even though my credentials were valid and all, Cognito decided that I'm attempting an "account takeover" and denied my login.

Truly a time to be alive.

Oh, and fuck you Cognito :)

I dug up my old ledger web app that I wrote when I was in my late twenties, as I realized with a tight budget toward the end of this year, I need to get a good view of future balances. The data was encrypted in gpg text files, but the site itself was unencrypted, with simple httpasswd auth. I dove into the code this week, and fixed a lot of crap that was all terrible practice, but all I knew when I wrote it in the mid-2000s. I grabbed a letsencrypt cert, and implemented cookies and session handling. I moved from the code opening and parsing a large gpg file to storing and retrieving all the data in a Redis backend, for a massive performance gain. Finally, I switched the UI from white to dark. It looks and works great, and most importantly, I have that future view that I needed.

Gotta love the IoT.

They set up a new surveillance camera in the company, that can stream live footage over the network and that little shit picked the IP adress of a coworker one day AFTER being set up.
Hurray for static routing. Hurray to the person who didn't disable DHCP on the router (Should probably configure my PC to use a static IP as well lel)

Anyways, this happened outta nowhere when I, the only guy who knows shit about IT and is usually present at yhe office, wasn't there and could not connect remotely.

The other, remote programmer, who set up the network, could guide the coworker to get a new IP but, he was worried that we got ourselves an intruder.

Since nobody told me yet that we (should) have static routing, I thought there was a mastermind at work who could get into a network without a wifi-access point and spoof the coworker in order to access the some documents.

The adrenaline rush was real 😨

Scanning the network with nmap solved the mystery rather quickly but thought me that I need to set up a secure way to get remote access on the network.

I would appreciate some input on the set up I thought of:
A raspberry Pi connected to a vpn that runs ssh with pw auth disabled and the ssh port moved.
Would set up the vpn in a similar fashion.

To me, writing authorization code for securing APIs is like having to fold an enormous pile of laundry and actually putting it all away afterward. It needs to be done but I'm not going to enjoy it.

I wrote some simple pen test scripts that automatically get executed on every ip in my fail2ban log.

Ip count: 2500+ in a few days. Probably victims of botnet. Some have mysql, postgres, smb open and many of them support user/pass auth on their ssh.

The scripts were a lot of fun to write but I don't expect much results.

Question time:
What's the general opinion around here on Authy for 2FA?

I've been down the road of phone wipes and phone swaps before that blow out the Google Auth codes which is nothing but a royal pain in the ass to get access back to all the accounts setup.

Authy having encrypted backups gives me some level of belief they can do what I want them to do, but I figured I would ask around before transferring over since... well that's a pain in the ass too 😂

I'm so done with auth
it's more than a nightmare
it's a disgrace
why can't someone just be like "you know how auth and identity is hard? why don't we make it easy?"
I would pay so much for that

Well. I'm simply SO UNFUCKINGBELIEVABLE PISSED RIGHT NOW!! {>,,,<}

I'm implementing a monolithic frontend that embeds different projects which I don't want to alter if not really necessary. So I put them all into iframes, already handled all the security and auth stuff with proxies and so on and now I just want to access the body.scrollHeight property. Which is not even the probelm at all.

The fucking Problem is, that I just can't find a way to hook into any event which fires when all content is loaded and the final scrollHeight is set. Instead it just returns some default value that is set when the iframe element is loaded, but not something that is actually based on it's damn ass-fucking contents!!

Iframes are fucking pricks and I know I'll gonna go to hell for abusing them like this :S

why is every auth provider utter and complete shit?

why are docs and tutorials that try to teach auth so complete shit?

No wonder there are so many security holes everywhere, nobody bothers to make it simple for the next person.

Next time people that cry about security/bad auth, and work in that field, this one is for you:

I love angular, a fucking hello world with a config file and some auth headers takes 2 fucking days to get done.

Auth0 and Okta merge.... Is Cognito the only other major player here? This merge now makes an Auth monopoly!

When you keep telling your boss that you remade one of their sites so that it has BCrypt(currently use SHA-512),CSRF checks, stricter Auth/Cookie encryption and that we should swap it and all he says we will get to it.

wot n tarnation-_-

I use google auth for 2FA. Had to factory reset my phone for some reason. Meanwhile, github one day forced me to change my password. So I used the back up recovery code to change the password and then logged out. I was in a hurry and actually forgot to set up the new 2FA. But hey I have got the recovery codes right.

But, guess what? The recovery codes are not working anymore! Wtf github?

I'm writing a website for a café and I'd like to use a new tool for generating content and managing it. Only real requirement is a SCSS pre-processor and maybe built-in Auth.

Any suggestions?

Microsoft certsrv is returning UTF-8 on the authorization error page but UTF-16 when logging in via basic auth...

Debugged this for 2 hours today to parse the response correctly. Thanks Microsoft

Status update:

devDNS has been having connection issues over the past hour. Some requests may be dropped due to an issue with the auth API.

@ewpratten is currently looking in to this issue.

I just created a new file in Android Studio called Auth.js and then wondered why I have a folder Auth with a file js.java inside.

Sometimes I forget what framework I'm in.

The fuck? I'm trying to automate login for an asp.net website from a C# console app using HttpWebRequests. I used Fiddler to see how the login happens and how the browser obtains the session and auth cookies from the server. When I replicate the same procedure from C#, I am able to get both cookies withoth a problem, but when I try to use them to get data about the user, I get a 500 ISE. What the actual fuck? I've double-checked every single header and the URLs and it's doing literally the same thing as chrome: Get asp session id (POST)-> get an auth cookie (POST username and passwd) -> interact with the site using the session id and auth cookie (GET). And obiviously I don't have access to the server logs... :/

Hi there.. Stuck since days in the google auth error:disallowed_useragent with xamarin, my colleagues ask me to ask to u :p (the same as the mac with windows features photo)

I am trying to "invent" secure client-side authentication where all data are stored in browser encrypted and only accessible with the correct password. My question is, what is your opinion about my idea. If you think it is not secure or there is possible backdoor, let me know.

// INPUT:
- test string (hidden, random, random length)
- password
- password again
// THEN:
- hash test string with sha-512
- encrypt test string with password
- save hash of test string
// AUTH:
- decrypt test string
- hash decrypted string with sha-512
- compare hashes
- create password hash sha-512 (and delete password from memory, so you cannot get it somehow - possible hole here because hash is reversible with brute force)

// DATA PROCESSING
- encrypt/decrypt with password hash as secret (AES-256)

Thanks!

EDIT: Maybe some salt for test string would be nice

They say that runing the same command over and over again is a sign of insanity.

LIKE HELL IT IS!!!

I've been running `terraform apply` for the last hour (trying to dump an EKS token in plain-text, because my k8s-related providers failed to auth to the cluster), and miraculously the problem went away. Now the error is no more.

Insanity?

I beg to differ!

Narf!

DAILY LARAVEL PROBLEMS

I need to parse a JWT with some custom claims. There's a JWT library with Laravel; documentation really lacking, kinda hardcoded to work with Laravel but whatever; it's already installed, let's see what can I do with it.

It turns out I can't say something like "take this token, parse it, tell me it's valid". Let's see how that goes.
You need to build a parsing class with a manager, some auth stuff, a parser.
To build said manager you need a provider that implements a contract, a blacklist, a factory (of what?)
To build the factory (of what?) you need a claim factory and a payload validator
To build the claim factory you need a request
To build the blacklist you need a Storage
To build the storage you need a CacheContract
To build a CacheContract you need IDK it's a mess
To build the contract you need... IDK for real

WHY LARAVEL IS SHIT: 'cause only in this framework it seems reasonable to build this clusterfuck to parse a base64 encoded string, throw some json_decode and check a signature. And have it work only to authenticate a user.

I'm currently in a bit of a predicament.
Here's the deal:
I want to separate my back-end from my front-end code a bit more (currently PHP code is mixed up with all the HTML, Javascript etc.. basically: front-end and back-end are one).
The question here is: how should I go about this?

In my current project, I have written some javascript code with jQuery that checks whether the user is logged in or not (checks for an auth token and UID to be present in the cookies).
However, this results in the page (in this case a dashboard that only logged in users should see) being visible for a moment before the user is redirected to the login page...

How could I go better about this (No, I won't use AngularJS for this)?

I'm looking into GraphQL and so far so good, but I am finding it hard to implement business rules, for example:

1. Receive request with auth token
2. Know who the user is by extractin userId from token
3. fetch data related to that user only.

I was only able to make it allow or deny if there is a token or not lol

May 2017: They're sunsetting Digits in September, but that's past our runway anyway so we'll worry about it later

September 2017: We have extended the runway this far by letting go of the people who set up our Digits auth and were best equipped to migrate it to Firebase. :|

Fuck Apple with two pineapples in the ass. 99€ per fucking year to tell me how the fuck should the access to my app be. I damn require users to sign up. I only need email and country. Not a single other piece of data. My app is not a goddamn catalogue or boutique. No free content, free app but each user needs to Auth themselves. You fucking telling me y pay 99€ so you decide how the access to my app should be?

Cunt Apple should rot in 10 day old humid shit and let devs be owners of their apps and hard work. Clowns.

The frontend developers in my company are the reason why I have anxiety. Here are few things that grinds my knees:
1) for a long time in projects, they deleted the auth token from their storage without integrating the logout api. They thought why use an API for that. :)
2) most of them had no clue that form fields could accept javascript as inputs and work as XSS vulnerabilities. This actually happened with a client, he got so fucking pissed.
3) One of them asked me to convert a PATCH request to DELETE cos fuck REST and HTTP methods.

For fuck’s sake. I need to get out of this place.

Checking out Meteor JS in 2020 after a loooong time in which I ignored it. I participated in the community when it barely startted, liked a couple of things, was effy about some others.

Built a semi large app (custom user auth through ldap, multiple forms and data fetches on different components inside of each page, reporting bla bla bla.

Did it first in just Meteor and Blaze (pretty easy to digest) and then with Meteor and Svelte (still easy to digest, but Blaze was simpler imho) and both packages totalled less than 100mb which is somewhat amazing considering how node is with packages.It might be a good time to psy attention once more to meteor.

I based much of my shit in the now free Discover Meteor book, there aren't that many breaking changes, which makes it surprisingly stable as an application for development.

I don't know if i would use it for s large scale app, but thus far it seems fairly promising as compared to how it was years ago.

Definitely something to keep in mind for 2020-21 development

Pulled my hair out over one today (and a week ago when I first saw the issue)

Setting up development environment. Created test user and test database and used mysqldump to copy data over.

MySQL was executing a function as the wrong user. Checked my config files, checked my config reader, checked my database connection, checked checked checked. Checked everything twice, I felt like Santa.

Changed the password in the config file to make sure it was logging in right. It threw an error still but not one I had expected so I figured the login still worked (My bias was that I thought the config file was not working or the mysql library was caching authentication. Both were wrong but this blinded my debugging. Foolish, I have forgotten my training)

Logged into the database directly via client. *didn't bother executing the function because I was only testing auth*

Think
Think
Think

Search entire project for database username. It's gotta be hard coded by accident SOMEWHERE.

It's not.

Why
Why
Why

Wait.

-- Flashback to how the test db was created -- What's actually in this damn script?

DEFINER `production_user` CREATE PROCEDURE `old_db`.`procedure_name`

Two issues: definer is old user (this is the error I was seeing) and its creating the procedure on the old db (this would be the next error I would have found if I kept going)

Fuck mysqldump. Install mysqldbcopy. Works

Put hair back in head.

MSAL, Microsoft's absolute dumpster fire of an authentication library. Who in their right mind designed this overcomplicated mess? The documentation reads like it was written by a committee of drunk orangutans throwing darts at a keyboard.
Want to do a simple login? HAHAHA GOOD LUCK! Here's 47 different configuration options you need to set up, three different flow types that are basically the same thing with slightly different names, and error messages that might as well be written in hieroglyphics. "AADSTS700054" yeah that's SUPER helpful, thanks Microsoft!
And don't even get me started on token caching. Oh, you thought your tokens would just... work? NOPE! Hope you enjoy debugging why your perfectly valid token is being treated like a expired coupon at a grocery store. The refresh token flow is about as reliable as a chocolate teapot.

I worked on a great project that was later axed and part of that was because of Msal issues. We literally only dealt with Msal issues. The app was otherwise stable. There were always issues with SSO, login, token validation...
It just couldn't work, like, at all.
I could see the clients getting fed up of the constant issues, yet, they couldn't move away from Microsoft since they'd already invested into their entreprise ecosystem. AzureAD, Office 365, you name it.

Shit like this is why I laugh whenever someone suggests that AGI will take over the world. Like, bro, we still haven't figured out how to make an auth library that actually works, and you think we're close to making a machine capable of thinking like a human?
Yeah right!

Google didn't implement their own straightjacket APIs correctly but sunset Manifest V2 out of pure greed so now authenticated proxies don''t work in Chrome and Chromium-based browsers.

Cognito is the dumbest piece of crap ever known to man. Markets itself as a great & easy auth solution to dumbass CTOs who then force the devs to implement it.

I spent a week or so trying to figure out why my token expires immediately after logging in only to find out that they issued me a token that is already revoked.

WHAT THE ACTUAL FUCK COGNITO????

My neighbor asked me if I could make him a program for managing the wifi connection to his kids devices. Basically, he wants to be able to turn wifi on/off on selected devices, on demand. I know how to de-auth ALL devices temporarily, but that's not the goal. He asked because I am always looking for new ideas to work/practice on. And no, this isn't a vague post to try and get info on hacking into my neighbors wifi, lol... I set it up and have all the credentials. Is this within reach?

!rant

Is there any alternative to socket.io that doesn't need to expose a server ip directly to any client, needing to set up a full nginx anti ddos/auth config and more?

There is the live-ajax way that requests progress, but it feels more like a hack each time. (especially if the site should be able to handle multiple tabs with different progress)

I thought maybe some framework has live requests inbuilt to update content from a server worker model. (without exposing the server ip)

token auth woes

I am fed up of doing shitty token authentications that don't refresh and are database dependent. what's the good way to do token auth for rest APIs? json-web-token?

Okta emailed me trying to sell their SSO gubbins.

I actually quite like the idea of being able to abstract away all the providers people might want to log in with, and making it someone else's job to check whether those providers are trustworthy.

But the email is copied to every permutation of my name/surname/initials etc @mydomain.com.

They had no legitimate way to obtain my email address for marketing purposes, so they just guessed it.

And I'm supposed to believe no corners will be cut and no bodges applied in making sure the user is who he claims to be?

How difficult is it to create a custom 401 page in apache while requiring basic auth for the web root. I cant work out how to allow just the file /401.php

I keep getting:

Additionally, a 401 Unauthorized error was encountered while trying to use an ErrorDocument to handle the request.

Any suggestions?

I've tried the following

ErrorDocument 401 /401.php
<Directory "/var/www/glype">
AuthType Basic
AuthName "Site Under Construction - Dev Only"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
</Directory>
<Files "/var/www/glype/401.php">
order Deny,Allow
Allow from all
</Files>

What am I doing wrong

Fucking google 2 step auth and their lack of customer service.

I have my account setup with my phone and a backup email account. No backup keys, since I only found out about those today! Thanks for letting me know this late in the game -.-

And yet. After I made a clean install of the os on my laptop. Tried to log back into my account. I am not getting text messages or emails to my backup emails (even though its allegedly sent.... And no its not in the junk mail) to validate my 2 factor auth.... Like fuck you!!!

If you gonna give us the ability to fort knox our accounts. At the bare minimum have some customer support to at least be train to answer a phone and tell me if your servers are having an issue or something. Im so in the fucking dark here and cant access shit.

I am new to c and cpp.
I used to exploit my college's competitive programming platform cus it had a bad architecture and almost no auth checks.
For every ajax request, they weren't sending auth tokens or any form of identification and ran all the programs without any logs and on the main thread and as root.. wtf, right?
But recently they've changed something to the site and I cannot run bash commands using system() call.
Is there any other way to execute bash commands using c and cpp.
I already configured a miner in their server but then they re-deployed it cos someone forked bomb the shit out of it.
I'm a noob in c and cpp btw!

Google API authentication is such a pain in the arse.

This is the story of me discovering devRant by accident.
---
I have never meddled with php before and I never intended to do so. For some reason, I accepted this consulting and chose Ci4 as the framework. All hell broke lose on my life. I could be a fucking idiot or the framework is a real ass wipe.

The setup took me hours and when I tried adding myth/auth, the real shit hit the giant fucking fan. WHAT THE FUCK PHP AND CI4? I tried all the weird fucking suggestions from the internet and you still fucked me in the ass with a bigger stick EVERY FUCKING TIME. I spent an whole night figuring you out and now I have my real job to login to with NO FUCKING SLEEP. You royally fucked my night and also my day without an ounce of A FUCKING CLOSURE.

Once I figure this out, Imma fuck the fucking project dealer and throw the weird ass shit on his ugly ass face and yell "FUCK YOU".

I am so depressed that this made me find an app to rant about it like a maniac.

-BrainlessIdiot

Command reads: kubectl auth can-i get love --namespace --will-she-marry-me

Server said yes 😁😍

I had a pretty good year! I've gone from being a totally unknown passionate web dev to a respected full stack dev. This will be a bit lengthy rant...
Best:
- Got my first full time employment dev role at a company after being self-taught for 8+ years at the start of the year. Finally got someone to take the risk of hiring someone who's "untested" and only done small and odd jobs professionally. This kickstarted my career, super grateful for that!
- Started my own programming consulting company.
- Gained enough confidence to apply to other jobs, snatched a few consulting jobs, nailed the interviews even though I never practiced any leet code.
- Currently work as a 99% remote dev (only meet up in person during the initialization of some projects.) I never thought working remotely could actually work this well. I am able to stay productive and actually focus on the work instead of living up to the 9-5 standard. If I want to go for a walk to think I can do that, I can be as social and asocial as I want. I like to sleep in and work during the night with a cup of tea in the dark and it's not an issue! I really like the freedom and I feel like I've never been more productive.
- Ended up with very happy customers and now got a steady amount of jobs rolling in and contracts are being extended.
- I learned a lot, specialized in graph databases, no more db modelling hell. Loving it!
- Got a job where I can use my favorite tools and actually create something from scratch which includes a lot of different fields. I am really happy I can use all my skills and learn new things along the way, like data analysis, databricks, hadoop, data ingesting, centralised auth like promerium and centralised logging.
- I also learned how important softskills are, I've learned to understand my clients needs and how to both communicate both as a developer and an entrepeneur.
Worst:
- First job had a manager which just gave me the specifications solo project and didn't check in or meet me for 8 weeks with vague specifications. Turns out the manager was super biased on how to write code and wanted to micromanage every aspect while still being totally absent. They got mad that I had used AJAX for requests as that was a "waste of time".
- I learned the harsh reality of working as a contractor in the US from a foreign country. Worked on an "indefinite" contract, suddenly got a 2 day notification to sum up my work (not related to my performance) after being there for 7+ months.
- I really don't like the current industry standard when it comes to developing websites (I mostly work in node.js), I like working with static websites (with static website generators like what the Svelte.js driver) and use a REST API for dynamic content. When working on the backend there's a library for everything and I've wasted so many hours this year to fix bugs and create workarounds related to dependencies. You need to dive into a rabbit hole for every tool and do something which may work or break something later. I've had so many issues with CICD and deployment to the cloud. There's a library for everything but there's so many that it's impossible to learn about the edge cases of everything. Doesn't help that everything is abstracted away, which works 90% of the time but I use 15 times the time to debug things when a bug appears. I work against a black box which may or may not have an up to date documentation and it's so complex that it will require you to yell incantations from the F#$K
era and sacrifice a goat for it to work properly.
- Learned that a lot of companies call their complex services "microservices". Ah yes, the microservice with 20 endpoints which all do completely unrelated tasks?

So I was instructed today, after lunch, to spend an hour teaching a member of my team how to SSH, store keys, basic io routines, and create CRON jobs to auth our ECR registry by my team lead.. Why am I wasting dev time teaching someone how to use an operating system? Need I add, our primary Dev workspace is a spun up using vagrant using xubuntu. I just can't comprehend how this person has been using xubuntu as their primary OS for two months and doesn't know the SSH protocol. Much less how they landed a dev job without any prior experience with a *NIX based OS.

So I'm looking for a tutorial somewhere to manage auth with react.

I have passport local setup with jwt in express, but looking to manage users in the front-end, managing the user state app wide, logging out, protected routes etc.

I've done some searching around but I can't see anything to concrete. Any pointers or articles would be great.

I was thinking of localStorage but not sure how to go about setting that up with react.

Hey! I have to build a website using ReactJS and OAuth. Does anyone have tips/links/advice or things NOT to do?
I can't fuck this one up guys...

Am I incredibly paranoid with my idea of multiple(>2)-factor-auth like fingerprint+yubikey+password+OTP aso?

fuck it, im giving my users permanent access tokens, because for some reason using refresh tokens is black magic to the internet -.-

I needed to implement user authentication on an android app during ny internship. It always authenticated and ran code for not authenticated user. Turned out I wrote else instead of an if else.

So, I manage my server with docker containers (nginx-proxy and the letsencrypt-companion). I limit access to some subdomains using basic auth, but I want to use client certificates for convenience.

So my questions to the experts:
1) Do you know a good (and convenient) way to manage client certificates ? This should include revoking certs and allowing specific certs only for specific subdomains.
2) Should I use my letsencrypt CA for this or would a self signed CA better suited?
3) Any things I should be aware of?

Firefox won't access iFrame's domain's Auth cookies when the iFrame is hosted on a 2nd domain, even when the cookies are Secore,SameSite=None, and sandbox is as lax as possible.

Works on chromium-based browsers.

Looked up SO and it's just "oh im facing the same" x10. FFS.

Why does Firefox behave so retarded. Not doing their shrinking userbase numbers any favour :v

Using grafana together with tinc+promotheus, has been a blast.

Initially I wanted to get into ELK with Kibana and all that, but that required 8G of ram, the instructions to get it running in the open source "mode" was nearly non-existent, together with all the ready docker compose stacks out there simply not working or the images being broken.

I'm sure I could've managed around most of those issues, but the fact it is as hungry as gitlab, made it a literal no-go for the usual server resources my clients host or my own scaled down server recently.

Thankfully I remembered that there's grafana and me having experimented some time ago with tinc, so I can have very lightweight beat'esque prometheus agents deployed listening on tinc local net only, with the typical nginx auth and some whitelists to all of the servers I host and all those of my clients.

The dashboard creation was especially great in grafana (tbf promotheus does actually most of it), literally what I always wanted out of those "complicated" solutions, that do it all, but have no proper query language, complex documentation, heavy collectors with no properly named data points, expensive resource runtimes, ..

with grafana I can just easily put dashboards into folders, create users to look only at certain stats or even dashboards (opened up some interesting contracts actually, because now I can also offer proper monitoring for all things delivered), easily drag and drop around stuff to fit more information (most others fix you to a small 3x2 grid, a too big grid for a TV or simply non resizable tiles, making that one counter take up an entire row) and resize to my hearts desire

tinc of course allows me to easily create private networks that are resistant to failure across any region and the routing is done for me, so I don't have to run around it all that much either

P.S: a damn tiny fly went into one of my now 4 monitors and died right in the middle, because I thought it's just some dirt and I pressed it in while trying to wipe it off, so that monitor now serves as the top most on a vesa mount

Opinions

Hello, I’m considering building a web framework.

My ideal features would be:
Customizable authentication system(considering using a jwt lib)
Embedded DB(bolt db)
ORM( writing my own)
REST api to DB (via code generator)
Code generator(generation of models and views via cli)
GUI to db(some admin dashboard)
CORS(web service right?)

Why?
Ease of development
Fast prototyping of small-medium web services.
Fun.

My question is, do i have to many things on my platter? Should i narrow it down into less featured framework? What feature should I focus on? How should i benchmark it? Should i write tests for absolutely everything or just for exported methods? What should i take into consideration when developing ORM API, Auth API...

The language is Go

Thank you for your input

Having to build an auth server from scratch an then having to revert all the code because it was overkill for the app. Fml

Java I hate you! I've been stuck on an authentication issue for weeks now and just figured out what was wrong. The probem was my variable wasn't STATIC so it was passing in an old auth header every time. Literally I've been skimming and modifying my code like crazy for like 2 weeks and this simple modifier changes everything! Java I hate you and can't wait to migrate my code base to kotlin!

Does this happen to you guys too?
Yesterday I was coding auth for node.js with help of tutorial (I'm pretty new to node.js). I was pretty sure that I understood how it works and I turned off my computer. Then when I was in bed ready to go to sleep I tried to go through the code in my head, but I completely forgot everything I wrote. I guess I was just copying the code without even noticing I didn't know how it works. Now I'm trying to learn it once more.

I hate the company (agency) I moved to...I've negotiated good pay and the project for cutting edge medical product which will change the world (cancer diagnose and it actually works).

Now the dark side I've got shit tier laptop which I don't want, overtime is payed 30% less, all the people in the agency from development team don't know shit and are mostly I would call them juniors (of course who would with enough seniority work with shit hardware and almost not payed overtime), only tap water and since this is the old part of town you instantly get sick, they treat people like shit.

The product dark side. We are actually working on crm for doctors to input patient data, we cannot have any real data because we are the agency people, product is being led by the guy who has 0 production experience (they choose the database basically with coin toss and emulated the mongodb in postgress with jsnob, they don't know how to build their own auth system hence my previous rant about b2c, they are using cognito and now moving to auth0 which probably won't fit their need because a lot of stuff needs to be custom), they are choosing every hipe tech out there without any prior experience. It's chaos...

I'm trying to guide them but i think this will be a huge expensive failure and that i need to leave asap.

There I feel better now, moral of the story, choose startups wisely.

Dialogflow documentation is ABSOLUTE TRASH. Trying to run the example code? It gives you a super helpful error: `Unexpected error determining execution environment`. Uh, yes, indeed. What it means? IT MEANS THAT YOU PROVIDED NO CREDENTIALS. Because, as we all know, providing no credentials should end in an error of 'determining execution environment', of fucking course.
You want to know how to provide credentials? Think again, all examples in the ENTIRE DOCUMENTATION assume that you're running the code... from their servers. Seriously. You wanna know how to authenticate your shit? NOT IN THIS DOCUMENTATION, LOSER. You want to know what exactly is happening when you're initializing your client with `new dialogflow.SessionsClient()`? Good luck, documentation is on another platform. For .NET. Because fuck you.
Also, you think you can store your auth info in a neat .env file? THINK AGAIN, because google is above such petty things as industry standards, you're getting a .json file and you're gonna like it, HAVE FUCKING FUN.

Dear google, die in a fire.
Sincerely yours.

While making a backend and frontend I wanted to make an auth flow, but I ask myself isn't HTTPS auth enough ?

What do you think is JWT to check which user it is and HTTPS to secure the connection enough or should I also use PGP ?

I wanted to show our DBA an example of a web api using .net core 3 in regards of how easy it is to create such things. The reason? he has been wanting to get back into programming after many years of just sticking to dba related stuff. The dude has talent and brains, he had worked years ago as a delphi dev and a vb6 dev and we had the same employer at one point, none of this man's apps have been faced out on account of how complete they are and easy to maintain for other devs was after he left. Regardless of the ancient tech stacl, the man shows ample promise and well.

Thing is, the apps I make on the Microsoft stack usually tend to C#, and my frontends are using TS, so I am more on the curlt bracket side of things and he said he was to convert my app(very basic crud example, but with auth, authorization and everything in between to plug into the frontend) to VB.NET. I thought it wouldn't be that much of a problem but apparently microsoft does not hold templates for webapi for vb.net

I thought it was shitty. VB gave Microsoft a lot of developer market back in the VB6 days, and even though I really love c# I see no reason why they would just say fuck you like that to vb.net. Shit still polls pretty high in terms of dev popularity and you can apply the same design ideas to VB without much effort.

I just think this is very shitty from Microsoft's part. Much like how Apple is forcing people to adapt to Swift when there is a huge amount of obj c out there.

I dislike when companies shift focus on tech stacks like that.

I just implemented AWS v4 header based auth in Go and JS. Nice 😄. Next up - asymmetric keys

#Suphle Rant 3: Road to PHP8, Flow travails

Some primer: Flows is a feature that causes the framework to bypass handling the request now but read it from cache. This cache entry is meant to be populated without warming, based on the preceding request. It's sort of like prefetching but done on the back end

While building Suphle, I made some notes on some chapters about caveats and gotchas I may forget while documenting. One such note was that when users make the Flow request, the framework will attempt to determine who user is, using authentication mechanism defined on the first module (of the modular monolith)

Now, I got to this point during documentation and started wondering whether it's impossible for the originating request to have used a different authentication mechanism, which would result in an empty entry for returning user. I *think* it's possible cuz I've got something else called "route mirroring", where web based routes can be converted to API routes. They'll then return JSON, get served under defined API path, use JWT, all automatically. But I just couldn't connect the dots for the life of me, regarding how any of this could impact authentication on the Flow request

While trying to figure out how to write the test for this or whether it was even necessary (since I had no use case), it struck me that since Flow requests are not triggered by an actual user, any code attempting to read authenticated user will see nothing!

I HATE it when I realize there's ambiguity or an oversight, after the amount of attention and suffering devoted. This, along with a chain of personal troubles set off despondency for a couple of days. No appetite for food or talk. Grudgingly refactored in this update over some days. Wrote some tests, not all passed. More pain. May have to convert them to unit tests

For clarity, my expectation is, I built this. Nothing should be impossible for me

Surprisingly, I caught a somewhat lucky break –an ex colleague referred me to the 1st gig I'm getting in 1+ year. It's about writing a plugin for some obscure forum software. I'm not too excited cuz it's poorly documented and I'll have to do a lot of groping, they use arrays instead of objects etc. There's no guarantee I'll find how to implement all client's requirements

While brooding last night, surfing the PHP subreddit, stumbled on a post about using Rector to downgrade a codebase. I've always been interested in the reverse but didn't have any incentive to fret over it. Randomly googled and saw a post promising a codebase can be upgraded with 3 commands in 5 minutes to PHP 8. Piqued my interest around 12:something AM. Stayed up all night upgrading it, replacing PHPSTAN with Psalm, initializing the guy's project, merging Flow auth with master etc. I think it may have taken 5 minutes without the challenge of getting local dev environment to PHP 8

My mood is much lighter than it was, although the battle is not won yet –image tests are failing. For some weird reason, PHP8 can't read generated test images. Hope I can ride on that newfound lease on life to study the forum and get the features working

I have some other rant but this is already a lot to digest in one sitting. See you in rant #4

Caching on auth status checks... For fucks sake

So i have learn android studio course (kotlin) for the basic.I've been practicing for some things, like recyclerview, ViewModel, bottomsheet, fragment, nav view,Firebase auth, intent and some other basic stuff.right now I'm confused what to do next, if it continues I don't know what to learn next, I know there's still a lot of things to learn, it's just that I don't know what it is, I'm trying to find out what apps a beginner should make like me, but most of the suggestions are still far from my abilities, such as making a calculator. So can you give a little advice to beginners like me, thanks

Getting the angular interceptor working the way I want has proven to be a pain for me. I try to update an auth token, which returns a promise that has to be transformed to an observable again. based on that, redirect to a login page, in case of 401. But nothing works! Either infinite page reload because of the login() promise function of the auth provider or no reaction at all after a router redirect. 😤

Going to set up my own mozilla auth + data + sync server for Firefox... Amount of dependencies is fucking huge...