Hacking/attack experiences...
I'm, for obvious reasons, only going to talk about the attacks I went through and the *legal* ones I did 😅 😜

Let's first get some things clear/funny facts:
I've been doing offensive security since I was 14-15. Defensive since the age of 16-17. I'm getting close to 23 now, for the record.

First system ever hacked (metasploit exploit): Windows XP.
(To be clear, at home through a pentesting environment, all legal)
Easiest system ever hacked: Windows XP yet again.

Time it took me to crack/hack into today's OS's (remote + local exploits, don't remember which ones I used by the way):
Windows: XP - five seconds (damn, those metasploit exploits are powerful)
Windows Vista: Few minutes.
Windows 7: Few minutes.
Windows 10: Few minutes.
OSX (in general): 1 Hour (finding a good exploit took some time, got to root level easily aftewards. No, I do not remember how/what exactly, it's years and years ago)
Linux (Ubuntu): A month approx. Ended up using a Java applet through Firefox when that was still a thing. Literally had to click it manually xD
Linux: (RHEL based systems): Still not exploited, SELinux is powerful, motherfucker.

Keep in mind that I had a great pentesting setup back then 😊. I don't have nor do that anymore since I love defensive security more nowadays and simply don't have the time anymore.

Dealing with attacks and getting hacked.

Keep in mind that I manage around 20 servers (including vps's and dedi's) so I get the usual amount of ssh brute force attacks (thanks for keeping me safe, CSF!) which is about 40-50K every hour. Those ip's automatically get blocked after three failed attempts within 5 minutes. No root login allowed + rsa key login with freaking strong passwords/passphrases.

linu.xxx/much-security.nl - All kinds of attacks, application attacks, brute force, DDoS sometimes but that is also mostly mitigated at provider level, to name a few. So, except for my own tests and a few ddos's on both those domains, nothing really threatening. (as in, nothing seems to have fucked anything up yet)

How did I discover that two of my servers were hacked through brute forcers while no brute force protection was in place yet? installed a barebones ubuntu server onto both. They only come with system-default applications. Tried installing Nginx next day, port 80 was already in use. I always run 'pidof apache2' to make sure it isn't running and thought I'd run that for fun while I knew I didn't install it and it didn't come with the distro. It was actually running. Checked the auth logs and saw succesful root logins - fuck me - reinstalled the servers and installed Fail2Ban. It bans any ip address which had three failed ssh logins within 5 minutes:
Enabled Fail2Ban -> checked iptables (iptables -L) literally two seconds later: 100+ banned ip addresses - holy fuck, no wonder I got hacked!

One other kind/type of attack I get regularly but if it doesn't get much worse, I'll deal with that :)

Dealing with different kinds of attacks:

Web app attacks: extensively testing everything for security vulns before releasing it into the open.
Network attacks: Nginx rate limiting/CSF rate limiting against SYN DDoS attacks for example.
System attacks: Anti brute force software (Fail2Ban or CSF), anti rootkit software, AppArmor or (which I prefer) SELinux which actually catches quite some web app attacks as well and REGULARLY UPDATING THE SERVERS/SOFTWARE.

So yah, hereby :P

Before you're hired:
1. A binary tree?
2. Currying?
3. Higher-order function?
4. How does event loop work?
5. What is prototype?
6. What is encapsulation?
7. Can you draw an algorithm?

After you're hired:
1. Hey, can you add auth token and login to our app?

Ever wanted cheat codes to devRant? Well, that's weird. But here you go, I guess.

Since the avatars do not use any external assets (Such as images), all avatars are generated. To be friendly to people who want to make third-party devRant clients (such as devRantron), avatars are generated server-side, so that the assets don't need to be distributed, and third-party programmers don't need to work out rendering avatars.

But this allows you to cheat a little.

The devRant avatars API works like this: you request a really long URL from the API, specifying the IDs of each cosmetic item the user has active, and it returns a PNG file. But you don't need an auth token to generate an avatar (which makes sense), so the avatar API is essentially a sandbox you can play around with if you have the time and patience.

You can write a really good avatar previewer with this knowledge, and see your avatar with a white tiger, even if you don't have the ++s

Funny story about the first time two of my servers got hacked. The fun part is how I noticed it.
So I purchased two new vps's for proxy server goals and thought like 'I can setup fail2ban tomorrow, I'll be fine.'

Next day I wanted to install NginX so I ran the command and it said that port 80 was already in use!

I was sitting there like no that's not possible I didn't install any server software yet. So I thought 'this can't be possible' but I ran 'pidof apache2' just to confirm. It actually returned a PID! It was a barebones Debian install so I was sure it was not installed yet by ME. Checked the auth logs and noticed that an IP address had done a huge brute force attack and managed to gain root access. Simply reinstalled debian and I put fail2ban on it RIGHT AWAY.

Checked about two seconds later if anyone tried to login again (iptables -L and keep in mind that fail2ban's default config needs six failed attempts within I think five minutes to ban an ip) and I already saw that around 8-10 addresses were banned.

Was pretty shaken up but damn I learned my lesson!

Reinstalled my dedicated server and realized (afterwards) that I just erased my entire openvpn/mysql auth setup and I don't have an entirely working copy.

FUCK.

Okay, nothing I can do about that afterwards, setup csf right away, monitored the auth log for a minute and noticed one ip which had just connected and found it weird somehow. Blocked the ip.

Then, one second later, as my console stopped responding and that ip address suddenly looked veeeery familiar, I realized I just blocked myself. (the blocks persist across reboots)

😐

Went to the control panel and hit the reinstall button. Confirmed, and two seconds later I realized I could just have connected to any of my own fucking vpn services to unblock myself.

What in the living fuck is wrong with me @_@

Painfully funny || funnily painful

"Do you have 2 factor auth for the database?"
a customer asked. I stared on the wall in front of me and suddenly fel and urge to punch and piss on something.
I took a deep breath while thinking to myself
*Oh boy, here we go. Another retard*
I put on my nice voice and asked:
"What you mean?"
The customer seems confused, as if my question did not make sense and he said:
"TWO FACTOR AUTHENTICATION! Dont you know what it is? To make the database more secure."

I was fucking right, this person reads to much shit. The fact that the email signature of that person said "Wordpress Developer" made me more angry.
I, still with the nice voice asked
"How would that work?"
"Two factor authentication when I am connecting to the database."
"So, do you want it by SMS then? You'll get alot of messages if it is going to send you one every time a query is made."
The following 7 seconds was dead silent until I heard the person hang up.

Guys i guess i did it.. more than a year ago i started developing an API.. every admin of it could create new endpoints through the webui.. for rach endpoint you can create an own auth system.. a local company just fucking bought my shit.. a fucking simple API for 12k€.. im kinda proud now because i am only 18

It's maddening how few people working with the internet don't know anything about the protocols that make it work. Web work, especially, I spend far too much time explaining how status codes, methods, content-types etc work, how they're used and basic fundamental shit about how to do the job of someone building internet applications and consumable services.

The following has played out at more than one company:

App: "Hey api, I need some data"
API: "200 (plain text response message, content-type application/json, 'internal server error')"
App: *blows the fuck up

*msg service team*

Me: "Getting a 200 with a plaintext response containing an internal server exception"
Team: "Yeah, what's the problem?"
Me: "...200 means success, the message suggests 500. Either way, it should be one of the error codes. We use the status code to determine how the application processes the request. What do the logs say?"
Team: "Log says that the user wasn't signed in. Can you not read the response message and make a decision?"
Me: "That status for that is 401. And no, that would require us to know every message you have verbatim, in this case, it doesn't even deserialize and causes an exception because it's not actually json."
Team: "Why 401?"
Me: "It's the code for unauthorized. It tells us to redirect the user to the sign in experience"
Team: "We can't authorize until the user signs in"
Me: *angermatopoeia* "Just, trust me. If a user isn't logged in, return 401, if they don't have permissions you send 403"
Team: *googles SO* "Internet says we can use 500"
Me: "That's server error, it says something blew up with an unhandled exception on your end. You've already established it was an auth issue in the logs."
Team: "But there's an error, why doesn't that work?"
Me: "It's generic. It's like me messaging you and saying, "your service is broken". It doesn't give us any insight into what went wrong or *how* we should attempt to troubleshoot the error or where it occurred. You already know what's wrong, so just tell me with the status code."
Team: "But it's ok, right, 500? It's an error?"
Me: "It puts all the troubleshooting responsibility on your consumer to investigate the error at every level. A precise error code could potentially prevent us from bothering you at all."
Team: "How so?"
Me: "Send 401, we know that it's a login issue, 403, something is wrong with the request, 404 we're hitting an endpoint that doesn't exist, 503 we know that the service can't be reached for some reason, 504 means the service exists, but timed out at the gateway or service. In the worst case we're able to triage who needs to be involved to solve the issue, make sense?"
Team: "Oh, sounds cool, so how do we do that?"
Me: "That's down to your technology, your team will need to implement it. Most frameworks handle it out of the box for many cases."
Team: "Ah, ok. We'll send a 500, that sound easiest"
Me: *..l.. -__- ..l..* "Ok, let's get into the other 5 problems with this situation..."

Moral of the story: If this is you: learn the protocol you're utilizing, provide metadata, and stop treating your customers like shit.

Always tell junior devs the same.

You'r not going to become the senior dev or architect you have in your grand vision by sitting around this company fulfilling mundane tickets.

Start thinking through new ideas, possibilities, software that you think could really help a specific niche Or pick a model that already exists. The ideas prior existence doesn't matter but having a new idea that has potential has always inspired me to keep pursuing it.

Break out lucid charts, learn how to map out your domain objects and their relationships. Build out a service map of how you want things to work together. You dont have to know how context boundaries or demilitarized zones work or any that technical jargon. At the end of the day those concepts <should> develop organically and then the jargon will come to you like "oh thats the term for this". Some people learn better from knowing and then implementing. I usually come to it organically then learn about it later. Thats the point of this though. Read up on it, understand enough to map it out and then start building them out.

Use a language you want to be proficient in but are not. Use a framework you want to understand but do not. If theres an auth protocol in high demand that meets your needs but you do not understand, run with it. You'r proficient with mysql; mongo would also be a good fit for the business needs but you've never used it. Perfect, use mongo then.

Find avenues of improvement down the line. Maybe the simple records resource server would be a good candidate for GraphQL. Pull in a pub/sub to increase service communication/aggregation, learn websockets to maintain a vital client interface. If you dont know what the fuck im talking about, perfect! Jump in there. Start small, build up, tinker.

You'll meet soul sucking blockers all along the way and thats the biggest thing that separates seniors from juniors is having worked through these issues before, time and time again. Embrace failure, embrace change, maintain initiative because you can be another miserable dev that keeps the cogs turning making a decent 50k salary or you can be a positive catalysis.

Every step of this project has added another six hurdles. I thought it would be easy, and estimated it at two days to give myself a day off. But instead it's ridiculous. I'm also feeling burned out, depressed (work stress, etc.), and exhausted since I'm taking care of a 3 week old. It has not been fun. :<

I've been trying to get the Google Sheets API working (in Ruby). It's for a shared sales/tracking spreadsheet between two companies.

The documentation for it is almost entirely for Python and Java. The Ruby "quickstart" sample code works, but it's only for 3-legged auth (meaning user auth), but I need it for 2-legged auth (server auth with non-expiring credentials). Took awhile to figure out that variant even existed.

After a bit of digging, I discovered I needed to create a service account. This isn't the most straightforward thing, and setting it up honestly reminds me of setting up AWS, just with less risk of suddenly and surprisingly becoming a broke hobo by selecting confusing option #27 instead of #88.

I set up a new google project, tied it to my company's account (I think?), and then set up a service account for it, with probably the right permissions.

After downloading its creds, figuring out how to actually use them took another few hours. Did I mention there's no Ruby documentation for this? There's plenty of Python and Java example code, but since they use very different implementations, it's almost pointless to read them. At best they give me a vague idea of what my next step might be.

I ended up reading through the code of google's auth gem instead because I couldn't find anything useful online. Maybe it's actually there and the past several days have been one of those weeks where nothing ever works? idk :/

But anyway. I read through their code, and while it's actually not awful, it has some odd organization and a few very peculiar param names. Figuring out what data to pass, and how said data gets used requires some file-hopping. e.g. `json_data_io` wants a file handle, not the data itself. This is going to cause me headaches later since the data will be in the database, not the filesystem. I guess I can write a monkeypatch? or fork their gem? :/

But I digress. I finally manged to set everything up, fix the bugs with my code, and I'm ready to see what `service.create_spreadsheet()` returns. (now that it has positively valid and correctly-implemented authentication! Finally! Woo!)

I open the console... set up the auth... and give it a try.

... six seconds pass ...

... another two seconds pass ...

... annnd I get a lovely "unauthorized" response.

asjdlkagjdsk.

> Pic related.

So, some time ago, I was working for a complete puckered anus of a cosmetics company on their ecommerce product. Won't name names, but they're shitty and known for MLM. If you're clever, go you ;)

Anyways, over the course of years they brought in a competent firm to implement their service layer. I'd even worked with them in the past and it was designed to handle a frankly ridiculous-scale load. After they got the 1.0 released, the manager was replaced with some absolutely talentless, chauvinist cuntrag from a phone company that is well known for having 99% indian devs and not being able to heard now. He of course brought in his number two, worked on making life miserable and running everyone on the team off; inside of a year the entire team was ex-said-phone-company.

Watching the decay of this product was a sheer joy. They cratered the database numerous times during peak-load periods, caused $20M in redis-cluster cost overrun, ended up submitting hundreds of erroneous and duplicate orders, and mailed almost $40K worth of product to a random guy in outer mongolia who is , we can only hope, now enjoying his new life as an instagram influencer. They even terminally broke the automatic metadata, and hired THIRTY PEOPLE to sit there and do nothing but edit swagger. And it was still both wrong and unusable.

Over the course of two years, I ended up rewriting large portions of their infra surrounding the centralized service cancer to do things like, "implement security," as well as cut memory usage and runtimes down by quite literally 100x in the worst cases.

It was during this time I discovered a rather critical flaw. This is the story of what, how and how can you fucking even be that stupid. The issue relates to users and their reports and their ability to order.

I first found this issue looking at some erroneous data for a low value order and went, "There's no fucking way, they're fucking stupid, but this is borderline criminal." It was easy to miss, but someone in a top down reporting chain had submitted an order for someone else in a different org. Shouldn't be possible, but here was that order staring me in the face.

So I set to work seeing if we'd pwned ourselves as an org. I spend a few hours poring over logs from the log service and dynatrace trying to recreate what happened. I first tested to see if I could get a user, not something that was usually done because auth identity was pervasive. I discover the users are INCREMENTAL int values they used for ids in the database when requesting from the API, so naturally I have a full list of users and their title and relative position, as well as reports and descendants in about 10 minutes.

I try the happy path of setting values for random, known payment methods and org structures similar to the impossible order, and submitting as a normal user, no dice. Several more tries and I'm confident this isn't the vector.

Exhausting that option, I look at the protocol for a type of order in the system that allowed higher level people to impersonate people below them and use their own payment info for descendant report orders. I see that all of the data for this transaction is stored in a cookie. Few tests later, I discover the UI has no forgery checks, hashing, etc, and just fucking trusts whatever is present in that cookie.

An hour of tweaking later, I'm impersonating a director as a bottom rung employee. Score. So I fill a cart with a bunch of test items and proceed to checkout. There, in all its glory are the director's payment options. I select one and am presented with:

"please reenter card number to validate."

Bupkiss. Dead end.

OR SO YOU WOULD THINK.

One unimportant detail I noticed during my log investigations that the shit slinging GUI monkeys who butchered the system didn't was, on a failed attempt to submit payment in the DB, the logs were filled with messages like:

"Failed to submit order for [userid] with credit card id [id], number [FULL CREDIT CARD NUMBER]"

One submit click later and the user's credit card number drops into lnav like a gatcha prize. I dutifully rerun the checkout and got an email send notification in the logs for successful transfer to fulfillment. Order placed. Some continued experimentation later and the truth is evident:

With an authenticated user or any privilege, you could place any order, as anyone, using anyon's payment methods and have it sent anywhere.

So naturally, I pack the crucifixion-worthy body of evidence up and walk it into the IT director's office. I show him the defect, and he turns sheet fucking white. He knows there's no recovering from it, and there's no way his shitstick service team can handle fixing it. Somewhere in his tiny little grinchly manager's heart he knew they'd caused it, and he was to blame for being a shit captain to the SS Failboat. He replies quietly, "You will never speak of this to anyone, fix this discretely." Straight up hitler's bunker meme rage.

Client: "Hey we want you to integrate your product with our system."
Me: "Oh, OK. Where's your API?"
Client: "Here! We even have an outdated .Net SDK, we use XML."
Me: "Ok.. how do we authenticate? What's your OAuth 2.0 endpoint?"
Client: "O auth what?"
Me: " You know, the current standard for REST API authentication and authorisation"
Client: " What's REST?"
*Hungs up*

Long story short, I'm unofficially the hacker at our office... Story time!

So I was hired three months ago to work for my current company, and after the three weeks of training I got assigned a project with an architect (who only works on the project very occasionally). I was tasked with revamping and implementing new features for an existing API, some of the code dated back to 2013. (important, keep this in mind)

So at one point I was testing the existing endpoints, because part of the project was automating tests using postman, and I saw something sketchy. So very sketchy. The method I was looking at took a POJO as an argument, extracted the ID of the user from it, looked the user up, and then updated the info of the looked up user with the POJO. So I tried sending a JSON with the info of my user, but the ID of another user. And voila, I overwrote his data.

Once I reported this (which took a while to be taken seriously because I was so new) I found out that this might be useful for sysadmins to have, so it wasn't completely horrible. However, the endpoint required no Auth to use. An anonymous curl request could overwrite any users data.

As this mess unfolded and we notified the higher ups, another architect jumped in to fix the mess and we found that you could also fetch the data of any user by knowing his ID, and overwrite his credit/debit cards. And well, the ID of the users were alphanumerical strings, which I thought would make it harder to abuse, but then realized all the IDs were sequentially generated... Again, these endpoints required no authentication.

So anyways. Panic ensued, systems people at HQ had to work that weekend, two hot fixes had to be delivered, and now they think I'm a hacker... I did go on to discover some other vulnerabilities, but nothing major.

It still amsues me they think I'm a hacker 😂😂 when I know about as much about hacking as the next guy at the office, but anyways, makes for a good story and I laugh every time I hear them call me a hacker. The whole thing was pretty amusing, they supposedly have security audits and QA, but for five years, these massive security holes went undetected... And our client is a massive company in my country... So, let's hope no one found it before I did.

Authentication feature was only checking the length of the auth header instead of the actual content. I abused this to make a request to our API from inside our system with a junk header, so we were basically hacking ourselves...

*deploys new VPS*
Click clack tap.. alright, done.
*notices that I accidentally made an Ubuntu 14.04*
Well shit... Guess I'll have to update that immediately to 18.04 then.
*logs in, immediately disables SSH password auth*
# systemctl restart sshd
> systemctl: command not found.
What the fuck..?
What was the command for that old init again.. >_<
# /etc/init.d/ssh restart

WHY THE FUCK IS THIS UBUNTU STILL USING THAT OLD INIT?!! Goddamit, Canonical living up to the philosophy of its Debian counterpart indeed!

I built very involved code with multiple auth systems, async programming, business logic, error handling, and etc. I was asking for the missing environment variables during the call with devops and had a screen share going. Environment variables were the last thing I needed before knowing if it would work. I filled in the config and all the code worked perfectly.

The devs lost their shit. One suggested that I had somehow tested it beforehand because it is impossible that it would work the first time. “How? I didn’t have config details or access to any of the remote APIs until now.”

The dev lead finished the call with, “That was some big brain next level shit.” Then they went and reviewed and tested it after the call and didn’t have much to suggest besides naming nitpicks.

It was at that point I knew I was a hero to the other devs.

The 5 whys

So.. we cant deploy

Why? > We had to take our deployment tool offline
Why? > Because random people from the internet started deployments
Why? > Because we had no authentication and so it was publicly available
Why? > Boss said auth was no priority (we told him every day)
Why? > ¯\_(ツ)_/¯

Why nobody uses public/private key authentication for ssh and disable password auth?

Am I the only one around here doing this?

Getting real fucking sick of shitty websites excessive security measures!

1. Username
2. Password
3. Captcha
4. Mandatory 2FA

We don't recognize your IP, please log into your email, click the link, get redirected and complete steps 1-4 again! Also the site will time out in 10 minutes if you aren't actively using it. Have a nice day!

Go fuck yourself.

On the presentation for my database project my team and I showed a NodeJS + Mongo + VueJS project with cloud storage capability, nothing fancy but did everything from scratch (from token auth and system encryption to the frontend CSS and the database) the teacher made some questions and meh'd at it.

Behold team two's project, WordPress with a standard template and phpMyAdmin, teacher loves it because "it's so beautiful"

Guess who just failed that class?

God I love college, it's the best time investment I've ever done and it'll surely pay out.

Last week my company thought it would be a great idea to introduce a new sh*tty internal web portal that gives federated access to aws (instead of using our own accounts to assume dev roles like we used to do).

This broke a lot of sh*t that simply used to ask for an MFA token and used our practically permissionless accounts to assume a proper dev role. An MFA token that we'd enter directly into the terminal/tool. It was very seamless. But nooooooo we now have to go a webpage, login with sso (which also requires mfa), click "generate credentials," copy-paste those into terminal/creds file and _then_ continue our aws cli call. Every. Single. Day.

BUT TODAY I HAD ENOUGH.

I spent the entire day rewriting the auth part of our tools so they would basically read the cookie that's set by the web portal, and use it to call the internal api that generates the credentials, and just automatically save those. Now all we need to do is log into the portal, then return to the tool and voilà, the tool's also got access! Sure, it's not as passive as just entering an MFA token directly, but it's as passive as it gets. Still annoyed by this sh*tty and unnecessary portal, but I learned a thing or two about cookies.

Auth Endpoint:

user name and password correct:
- response 200: with session key and profile info
user name and password incorrect:
- response 200: blank

smh

Worst security issue : being able to make a money transfer with no auth and changing freely the bank account in the POST params...

Dev excuse : "I didn't know my job was also to take care about security."

Request from a senior backend dev in a previous company:

Talking to the team thats responsible for the auth API's is such a pain. For this new API can we just not add any auth to it? Its only going to return details about who the email address belongs too. Like name, address, date of birth, car registration etc. No one will care about that, and it will be easier for mobile to integrate right?

Saw this security blunder a while ago. Went onto some site and it showed me this username/password dialog (probably an apache's htpasswd or nginx one). Went away but returned quickly because I noticed I could see all content. Then I thought 'why the fuck not try?' so I dragged the auth popup thingy to the side of the screen and et voila... I could interact with the page as if nothing was wrong while the authentication popup was hovering above the page on the right!

I sat there giggling dramatically for a while.

!rant
TIL: The IKEA effect is a cognitive bias, that lets you think, stuff build by yourself is more worth then stuff build by others

Does that sound familiar to anyone?

Worst coding mistake: forget to remove print statement that prints user authentication details.

Coolest thing I’ve built solo?

Damn, there’s been a lot of things over the years, but I guess the most used one I’ve made would be my voice activated tv remote - yes it’s real.

So in essence it’s a google home... yea I know spyware and all, but look it was free so I’m going to make use of it... err where was I, oh yea.

An IFTTT account which taps into the google assistant API and creates a webhook, although the authentication side of things is 0 to none, so had to put a api-key into the requests to at least have some layer of auth.

This webhook then hits a raspberry pi containing a PHP API to accept and authenticate the request in, digest this into KEY commands for the TV, and drops this into a Python script to connect to the TV over a web socket connection ( I found python more stable for this ) and sends the pre made key requests, it can even do multiple keys at a time... that was a pain.

So after all that, the end game becomes about a second from saying “hey google, change the tv channel to xxx”

This sick and twisted contraption is finished and the tv is my little bitch.

This has been built out to handle channels by name, number, volume up/down, sources switching to hdmi, tv, vga and a bunch of other things.

The things we do when we can’t find a tv remote for days....

Next up, getting it to launch Netflix app and going to a specified show / episode.. but may be to adventurous.

Today my grandmother called and told me she wasnt able to login to her account for her ISP. Alright, maybe shes confused about the passwords as we had to change it recently. No, turns out they still have this "oh sorry you typed your password incorrect three times, so we will lock your account and your granny have to do the 2 hour telephone queue"

You and your fucking outdated auth practise can go and kindly fuck yourself. Fix this shit before I get real mad.

We have a portal which uses Windows Integrated auth that lists out all off our internal sites.

Navigating to any of these produces a URL like the one in the attached image.

Turns out all our internal application use a base64 encoded email address in the query string as the means of authentication.

So, anyone can authenticate themselves as another employee within the company by simply changing the query param value to said employees email address.

Fucking nuts.

Working on another online pokemon game sort of thing and I'm super proud of myself because I just got the user registration, login, auth session, and logout done. Last time I tried making one of these damn things I didn't bother using a database and I tried making a complex user auth system using JSON files and God, I regret that now.

Now only a million steps to go (Including making the game)

So you want full stack engineers to: design, do UX, create front end, build backend and deploy it in your mono repo stupid manual deployment "kubernetes cluster", add monitoring alerting manually, review others PR, QA our own apps and features, manually sync to Production, use VPN otherwise we cannot connect to anything, 2factor auth, do SRE, architecture diagrams, demo, run agile ceremonies, and learn a legacy coding language which was never mentioned in the job description. Did I miss anything?

Thank God the week 233 rants are over - was getting sick of elitist internet losers.

The worst security bug I saw was when I first started work as a dev in Angular almost year ago. Despite the code being a couple of years old, the links to the data on firebase had 0 rules concerning user access, all data basically publicly available, the API keys were uploaded on GitHub, and even the auth guard didn't work. A proper mess that still gives me the night spooks to this day.

Fuck this
I get to work with API where you CAN authenticate with username/password and get a token

But you CAN'T get user info from token (auth response contains ONLY token)

So what I have to do:

1. Get token

2. Request ALL FUCKING USERS and load them into my DB

3. Search through local DB by username and, yeah, here I go

Now I need to have a cron job to update user DB 1/2 times per day

I can't think of ANY reason not to allow this

Google has a password reset procedure so intense, that even if I can sign into my recovery account and give them the code from there, use 2 factor auth and give them the code from there, tell them my recovery phone(s) number(s), give them my mother's father's mother's late cousin twice removed daughter's maiden name, and whatever other security measures were set in place, I can't get a fucking password reset. Thanks Google, fuck you.

Someone ask to me as a security engineer.

Bro : what do you think about most secure way to authenticate, i read news using fingerprint no longer safe?
Me : yes they can clone your fingerprint if you take a photo with your fingerprint to camera.
Bro : so what is the other way to authenticate more secure and other people can't see in picture ?
Me : D*ck authentication is more secure now, other people can't see your d*ck pattern right?

Saw this popup in my feed today. Glad I've never had to deal with code like this.

Sauce: @LoganDice@mastodon.social

Why the fuck does your API have to send 401 when the server is down.

Just spent an hour thinking something was wrong with my auth wrapper.

My predecessor used auth as a bool. The only way he kept basic users from accessing admin functions was by including the word "admin" or "user" in the URL so any user could be the administrator by just changing the URL parameters after logging in

For example, mysite.com/admin/editorderdetails vs. mysite.com/user/editorderdetails

Read a blog post at work yesterday from the company head of IT security. Line 1:
As part of our company policy we enforce the use of usernames and passwords, known as two factor authentication. However we also need to ensure.....

Stopped listening at this point as I hit Google to confirm the definition of two factor auth.

Nope I'm not loosing my mind, the blog post is insane....

Don't you hate it when this happens?

So I've been working a lot with Docker lately (who isn't) and there was this one service always DIEING on me.
Docker logs showed me that it was killed because the container was unhealthy.
I researched for a whole day and couldn't find it...
After I got home it hit me like a hammer...
The healthcheck uses basic Auth and the password was changed yesterday...

How the fuck could I start to try every shit before I even checked if the request done by the healthcheck is working...

FUCK ME I'M SUCH A MORON SOMETIMES

Holy fuck is learning new frameworks frustrating.

I'm trying to setup a simple fucking flutter app and all their tutorials are basic shit with no auth/complex routing.

Any feature of flutter that's not in a tutorial has absolute shit documentation with 0 examples on how to use it.

Material app has like 20 properties and if you click on something like on generate there is shit for knowing what the fuck it's expecting.

Stackoverflow has a ton a code but that's just it, code. I have absolutely no idea how they generate the code they have from the documentation on the site. They must have been following flutter from the start.

Ahhhhh! 😠

My non dev friend called me in middle of night for getting shortcut virus removed! I would have blasted 🔫 him but I felt pity on the guy as I know that he is poor with tech stuff

Any he had only windows, so I Google up solution and replied back to him.

He asked where to put it. I told him in cmd. He is like what so I told him to press win+r then in that type d and "black" 🏴 window will appear. Type in that.

guess what he typed exactly as mentioned in the reply and didn't replace the drive name properly .😑

I told him to put proper drive and saw that he missed spaces so l told him that he missed space 😤 and he put only one space and it still had problem so I had to explain it in weirdest was possible( shown in fig 1.1 had been writing report and figure gave yo be mentioned with number 😅)

Finally. It was all done! Well some pf my cs ( !counter strike but computer science friend) are worse then this can't use teminal or even connect to WiFi (wpa-enterprise @ college with mschap v2 and peap auth which is crackable using twin tower and brute force) properly, do I guess it not BA's that this guy cry to get rid of shortcut virus (virus > wifi setup) 😬

Finally I feel relived after ranting 😪

Internal mail form CIO's office:

"Thank you for being part of the internal trial for NPMe, we have decided to remove this tool in favour of Artifactory because of its support for multiple platforms and tools. We are sorry for the inconvenience, here is a link to migration scripts ..."

Migration "script" readme, please clone this repo, create file A, and B, and install these 2 dependencies.

Dependency 1:

- "install via homebrew ..."
- .... homebrew needs to update, checking for updates
- 10 mins later = Update failed, please upgrade to Ruby version 2.3
- Installs ruby version manager
- GPG signature verification failed
- Install GPG v2 + accept keys
- Install ruby version manager
- "please execute this command before running rvm"
- execute command
- "rvm install ruby-2.3"
- Install failed, please see log file
- Opens log file
- "Xcode on its own is not sufficient, please install xcode cli tools"
- Install xcode tools
- 5 minutes later -> "rvm install ruby-2.3"
- 10 minutes later "brew install jq"

Ok back to read me, "login to Artifactory, go here and copy paste XXX."

- Login to Artifactory
- Eventually find repo
- Login again to actually see credentials for some reason
- Screen doesn't match instructions in readme
- Click around
- Back to readme
- Back to artifactory
- Login again
- Execute command auth / setup command
- Copy contents to npmrc file .... now all my scoped packages are going to point to 1 specific repo

Fuck the migration, Fuck these shitty instructions, i'll set them all up again manually. See tags below for further opinions on this matter.

Call it mental disorder. Sickness. Masochism or just bein a demented individual...

But I used to work with classic ASP. Yes, my JS ran on servers before it was cool (I am the original tech hipster) and I was writing VBScript with it as well because why the fuck not?

And
I
LIKED IT.

Kinda miss it to be honest. Shit was simple as fuck, the downside of it was the "fuckLibrariesAndDoShitByHand.asp" mentality and consequence of using old tech....but I liked it.

Tutorials for that shit had to teach you damn near everything in one book, not just how to code it, but how to really work with servers on the bare minimum and one would learn sooo much. Now a days most books be like "this is how you do yo auth tokens..because all y'all mofockas should know this shit by now" NO mofocka! Our books was all about "aaaallrighty dipshit, this shit here is auth, and in order to bla bla blah" THOROUGHT AS FUCK B.

So yeah......i had fun, by far not my first choice on new shit, but shit was fun.

Lots of IPs tried accessing my Raspberry Pi's SSH. Dumb bots, trying to brute-force a key-auth-only SSH server...
On a relevant note, I love fail2ban!

Running WireShark to see what one of our partners is sending across.

Outdated TLS: Ok, that's par for the course.
Leaking data through DNS queries: ButWhy.jpg
Website leaked through DNS doesn't require auth to view information. TableFlip.jpg

Signet, the google auth library, is somehow throwing a DivideByZero error, despite the only math in the file being linear back-off (`sleep retry++ * 0.3`). Also, the line it’s getting thrown on very specifically throws an entirely different error: a Signet::AuthorizationError.

What is even going on?
Also this worked yesterday.

🥺

Sign in with Apple...

* Nobody tells you that a app group can consist of a maximum of 6 apps.
* Nobody tells you that suddenly a key id is needed for constructing the signing key for signing the client_secret when other keys are added in the dev portal.
* Apple gives you email and name only (and i mean only) the first time a customer uses Sign In With Apple.
* You have no chance to reset your user during development in a way to try a fresh auth. So either create separate app ids or separate apple ids.

Sounds like fun, right?

There is zero reason why you should roll your own auth. Your app is not special.

I use a Mac that implements MAC using MAC and its got multiple hardware MACs along with a hardware MAC.... btw, I'm eating a Big Mac.

...

Media Access Control - Networking
Manditory Access Control - Security
Message Auth Code - Security
Mac - Apple
Multiply ACcumulate - Chip Design

Just a rant... It really sucks to work with maven on a security-paranoid financial institution enforcing ntml proxy auth...

Also usb ports disabled... :(

Progress since my last post - quite like where the iterations since the cold design got me, next is the actual rant view and then will implement all sort of auth things like posting comments.

Have also figured out a way to have style and script plugins, haven't tried it yet though, especially with storage rulesets it might not be as smooth as I imagine it to be.

Another screenshot in the comments.

I've just checked my server's auth logs and my god that's a lot of failed ssh login attempts.

I think I'll install an ssh honeypot to waste these peoples time...

Story time:

I worked at a firm that had an infernal off the shelf CRM system that they collaborated with the dev company to customise.

They were seriously behind the competition, and didn’t have any app or web presence for interacting with their system, instead relying on people calling (fine for the nature of the business, but competition was leaving them in the dust).

They decided that they needed to redevelop it in-house, with a focus on supporting the web and apps.

I was hired for this purpose.

It was me and one other dev, who was also the head of IT.

He’d built a small prototype, and was new to the whole WPF / MVVM thing for the in-house app, so with my previous experience it was clear it needed to serve as an example only, and that it would need redeveloping.

I was only there three months.

In that time I singularly (he was pulled away to troubleshoot their VOIP installation - yes, for three months as other companies kept dropping the ball) built:

- A WebAPI with JWT auth
- An MVC skeleton frontend
- A WPF desktop app

It had all sorts of cool shit in it, 2FA, Reactive UI, Reactive extensions, server push to desktop, a custom workflow and permissions system.

It was pretty dang cool.

End of the three months rolled around, and the non-technical managers were concerned about time to market, so they decided to drop me as I’d “not made enough progress”.

I’d also had a bit of absence which they were aware of and were supposedly supporting me through.

But MFW three months is assumed to be enough time to build such a system with one dev.

Fuck you windows 10. Fuck you private keys. Fuck you tortoise git. Fuck you git bash. Fuck you cygwin. Want 3x hours of my life back. Had an auth problem... Had to reinstall all the above on windows to connect to my private repo. Took me 5 minutes to connect after reinstalling all the tools. Grrrrrrr. And I'll never know why it wouldn't connect apart from fatal protocol error: bad line length character..I tried ever stack overflow answer... I nearly bricked my gitlab CE...and it was windows being a motherslut

Oh boy I got a few. I could tell you stories about very stupid xss vectors like tracking IDs that get properly sanitized when they come through the url but as soon as you go to the next page and the backend returns them they are trusted and put into the Dom unsanitized or an error page for a wrong token / transaction id combo that accidentally set the same auth cookie as the valid combination but I guess the title "dumbest" would go to another one, if only for the management response to it.

Without being to precise let's just say our website contained a service to send a formally correct email or fax to your provider to cancel your mobile contract, nice thing really. You put in all your personal information and then you could hit a button to send your cancelation and get redirected to a page that also allows you to download a pdf with the sent cancelation (including all your personal data). That page was secured by a cancelation id and a (totally save) 16 characters long security token.

Now, a few months ago I tested a small change on the cancelation service and noticed a rather interesting detail : The same email always results in the same (totally save) security token...
So I tried again and sure, the token seemed to be generated from the email, well so much about "totally save". Of course this was a minor problem since our cancelation ids were strong uuids that would be incredibly hard to brute force, right? Well of course they weren't, they counted up. So at that point you could take an email, send a cancelation, get the token and just count down from your id until you hit a 200 and download the pdf with all that juicy user data, nice.

Well, of course now I raised a critical ticket and the issue was fixed as soon as possible, right?
Of course not. Well I raised the ticket, I made it critical and personally went to the ceo to make sure its prioritized. The next day I get an email from jira that the issue now was minor because "its in the code since 2017 and wasn't exploited".

Well, long story short, I argued a lot and in the end it came to the point where I, as QA, wrote a fix to create a proper token because management just "didn't see the need" to secure such a "hard to find problem". Well, before that I sent them a zip file containing 84 pdfs I scrapped in a night and the message that they can be happy I signed an NDA.

If your website has a login wall, my visceral reaction is to close the tab. After that, my rational reaction is to close the closed tab. Because fuck you.

Just discovered one of our core systems had literally used api key validation of "drop into database, if exists, its fine"

Well, around 30 seconds later, I have successfully authenticated with apikey "%". Wonder why.... Sigh... Patch already pushed, but still it left bad taste in my mouth...

lesson for beginers:
validate, validate, validate. If user could touch it, treat is as broken unsafe and if used it will nuke your home. check if it will, than use it.

TL;DR my first vps got hacked, the attacker flooded my server log when I successfully discovered and removed him so I couldn't use my server anymore because the log was taking up all the space on the server.

The first Linux VPN I ever had (when I was a noob and had just started with vServers and Linux in general, obviously) got hacked within 2 moths since I got it.
As I didn't knew much about securing a Linux server, I made all these "rookie" mistakes: having ssh on port 22, allowing root access via ssh, no key auth...

So, the server got hacked without me even noticing. Some time later, I received a mail from my hoster who said "hello, someone (probably you) is running portscans from your server" of which I had no idea... So I looked in the logs, and BAM, "successful root login" from an IP address which wasn't me.

After I found out the server got hacked, I reinstalled the whole server, changed the port and activated key auth and installed fail2ban.
Some days later, when I finally configured everything the way I wanted, I observed I couldn't do anything with that server anymore. Found out there was absolutely no space on the server. Made a scan to find files to delete and found a logfile. The ssh logfile. I took up a freaking 95 GB of space (of a total of 100gb on the server). Turned out the guy who broke into my server got upset I discovered him and bruteforced the shit out of my server flooding the logs with failed login attempts...

I guess I learnt how to properly secure a server from this attack 💪

For the last 20 years, there's one thing I've not been able to do reliably:

Share a folder on a windows computer.

Why the fuck can I write /etc/smb.conf from scratch with a blindfold on and make it securely work from all client devices including auth & acl, but when I rightclick and share on windows it's either playing hide and seek on the network (is it hiding behind //hostname/share? No? Maybe in the bushes behind the IP addresses?), or it's protected by mysterious logins requiring you to sacrifice two kittens a day.

Yes, finally it works! One windows update later... aaaand it's gone.

JUST GIVE ME A FUCKING CONF AND A MAN PAGE, MICROSOFT. I DON'T CARE THAT YOU'RE ORALLY PLEASING ALL THESE MALWARE RIDDEN GUISLUTS ON THE SIDE, JUST GIVE ME A FUCKING TEXT FILE TO STORE AND EDIT.

I find it funny that as soon as I disable password authentication on my server and enable key auth then all of the bots spamming my server with incorrect login requests instantly stop when they realise that they aren’t getting through any time soon. Also don’t ask why I don’t have Fail2Ban and a firewall set up.

*ssh into server*
*runs 'sudo systemctl start docker'*
*ssh into server again*
> Permission denied

How docker? How are you destroying the ssh servers auth?

2 factor auth with carrier pigeon

Let's talk about the cargo cult of N-factor authentication. It's not some magic security dust you can just sprinkle onto your app "for security purposes".

I once had a client who had a client who I did server maintenance for. Every month I was scheduled to go to the site, stick my fingerprint in their scanner, which would then display my recorded face prominently on their screens, have my name and purpose verified by the contact person, and only then would the guards let me in.

HAHA no of course not. On top of all of that, they ask for a company ID and will not let me in without one.

Because after all, I can easily forge my face, fingerprints, on-site client contact, appointment, and approval. But printing out and laminating a company ID is impossible.

---

With apologies to my "first best friend" in High School, I've forgotten which of the dozens of canonicalisations of which of your nicknames I've put in as my answer to your security question. I've also forgotten if I actually listed you as my first best friend, or my dog - which would actually be more accurate - and actually which dog, as there are times in my High School life that there were more tails than humans in the house.

I have not forgotten these out of spite, but simply because I have also forgotten which of the dozen services of this prominent bullshit computer company I actually signed up for way back in college, which itself has been more than a decade ago. That I actually apparently already signed up for the service before actually eludes me, because in fact, I have no love for their myriad products.

What I have NOT forgotten is my "end of the universe"-grade password, or email, or full legal name and the ability to demonstrate a clear line of continuity of my identity from wherever that was to now.

Because of previous security screwups in the past, this prominent bullshit company has forced its users to activate its second, third, and Nth factors. A possibly decade-old security question; a phone number long lost; whatever - before you can use your account.

Note: not "view sensitive data" about the account, like full name, billing address, and contact info. Not "change settings" of the account, such as changing account info, email, etc. Apparently all those are the lowest tier of security meant to be protected by mere "end of the universe"-grade passwords and a second factor such as email, which itself is likely to be sold by a company that also cargo cults N-factor auth. For REAL hard info, let's ask the guy who we just showed the address to "What street he lived in" and a couple others.

Explaining this to the company's support hotline is an exercise in...

"It's for your security."

"It's not. You're just locking me out of my account. I can show you a government ID corroborating all the other account info."

"But we can't, for security."

"It's not security. Get me your boss."

...

"It's for security."

IoT device endpoint: public fixed IP, raw TCP socket, no auth at all

PouchDB.

It promised full-blown CRDT functionality. So I decided to adopt it.

Disappointment number one: you have to use CouchDB, so your data model is under strict regulations now. Okay.

Disappointment number two: absolutely messed up hack required to restrict users from accessing other users’ data, otherwise you have to store all the user data in single collection. Not the most performant solution.

Disappointment number three: pagination is utter mess. Server-side timestamps are utter mess. ANY server-side logic is utter mess.

Just to set it to work, you need PouchDB itself, websocket adapter (otherwise only three simultaneous syncs), auth adapter (doesn’t work via sockets), which came out fucking large pile of bullshit at the frontend.

Disappointment number four, the final one: auth somehow works but it doesn’t set cookie. I don’t know how to get access.

GitHub user named Wohali, number one CouchDB specialist over there, doesn’t know that either.

It also doesn’t work at Incognito mode, doesn’t work at Firefox at all.

So, if you want to use PouchDB, bear that in mind:
1. CouchDB only
2. No server-side logic
3. Authorization is a mess
4. Error logs are mess too: “ERROR 83929629 broken pipe” means “out of disk space” in Erlang, the CouchDB language.
5. No hosting solutions. No backup solutions, no infrastructure around that at all. You are tied to bare metal VPS and Ansible.
6. Huge pile of bullshit at frontend. Doesn’t work at Incognito mode, doesn’t work at Firefox.

New twist on an old favorite.

Background:
- TeamA provides a service internal to the company.
- That service is made accessible to a cloud environment, also has a requirement to be made available to machines on the local network so you can develop against it.
- Company is too cheap/stupid to get a s2s vpn to their cloud provider.
- Company also only hosts production in the cloud, so all other dev is done locally, or on production non-similar infra, local dev is podman.
- They accomplish service connectivity by use of an inordinately complicated edge gateway/router/firewall/message translator/ouija board/julienne fry maker, also controlled by said service team.

Scenario:
Me: "Hey, we're cool with signing requests using an x509 cert. That said, doing so requires different code than connecting to an unsecured endpoint. Please make this service accessible to developer machines and lower environments on the internal network so we can, you know, develop."
TeamA: "The service should be accessible to [cloud ip range]"
Me: "Yes, that's a production range. We need to be able to test the signing code without testing in production"
TeamA: "Can you mock the data?"
Me: "The code we are testing is relating to auth, not business logic"
TeamA: "What are you trying to do?"
Me: "We are trying to test the code that uses the x509 you provide to connect to the service"
TeamA: "Can you deploy to the cloud"
Me: "Again, no, the cloud is only production per policy, all lower environments are in the local data center"
TeamA: "can you try connecting to the gateway?"
Me: "Yes, we have, it's not accessible, it only has public DNS, and only allows [cloud ip range]"
TeamA: "it work when we try it"
Me: "Can you please supply repro steps so we can adjust our process"
TeamA: "Yes, log into the gateway and try issuing the call from there"
Me: (╯°□°)╯︵ ┻━┻

tl;dr: Works on my server

Fucking christ this year is a fucking shitfest:

- wpa2 krack
- "DUHK Attack Lets Hackers Recover Encryption Key Used in VPNs & Web Sessions"
- "Hacker Hijacks CoinHive's DNS to Mine Cryptocurrency Using Thousands of Websites"
- "Bad Rabbit: New Ransomware Attack Rapidly Spreading Across Europe"

My fucking router didn't yet get patched, my fucking phone is outdated and I can't change to my patched one because devrant just shits the bed in extended desktop mode. Windows 8.1 loses support in 3 months, rendering my last chance of using it on my surface pro done, making me use windows 10 with its fucking shit ass not optimized tablet interface. I have just fucking constant paranoia what else could be hacked tomorrow, nothing is fucking safe anymore for fucks sake. I even went as far as implement 3 step auth and intrusion detection on my shitty ass VPS nodes, fucking give me a break you fucking assholes.

Having to explain why GET has its place, but shouldn't be used for anything that shouldn't be viewed ... especially to some one that should fucking know not to show the damn auth credentials. Great thanks for your user and pass, can I get your CC number next please.

all documentation points to an Invalid auth token being code 400 (ignore the fact that this is a code in the JSON response and not HTTP)

Me: here iz credential. Plz send datas
API: haha fock off and die mate, then credentials you got there aren’t workin’
API: code 998 invalid auth token
Me: *speechless* so that’s why it took me longer than it did to find that error, because YOUR CODE WAS MISSING ALL MY CHECKS FOR CODE 400.

Why can’t people design apis properly.

when youre working on a API and every testCase is all green plus manual testing thru Postman extension is all good..

then makes a web app use that API, authorization works as intended but the token is immedially invalid...

just..how..

Boss: so we've got to call an app to verify data in this project. But I've got no more info and I'm on holiday next week. Please contact GuyA next week.
Me: ok I guess?
*writes email to GuyA*
GuyB: GuyA is on holiday please hold the line
*1 week later*
GuyA: we need more time it's not ready yet
*2 weeks later?
Me: so?
GuyA: yeah it's ready here's the wsdl etc your client already has the password
*1 week later*
Me: yeah so I got the data but the api says my auth isn't working
GuyB: yeah your user isn't activated on the test system. I'm gonna forward that and come back at you
*1 week later*
GuyA: so we're going live in about 2 weeks hows testing going?
Me: well I'm still waiting for the response and activation
*suddenly it works*
Me: yeah so auth is working but i can't find any data. Is there any special test data?
GuyA: oh no there is NO test data on the test system. You need to wait for GuyB but he us not here today...
Me: are you fking kidding Me?????

... no response since then and it's been days....

It's a really interesting discussion, when your boss tells you that it's a perfectly fine idea to directly use a Firebase DB from an Angular web app by storing the Admin Auth Token in a variable in JS.
Thank the spaghetti monster, I was able to argue against it and use the already partially implemented RESTful API with the already used auth.
He basically wanted to save time and omit extra login routes.

It's OK to save time and not implement $randomFeatures.
BUT DON'T FUCKING TRY TO SAVE TIME ON SECURITY!

If it wasn't for me, this web app would turn into a bigger gaping (security) asshole than Sasha Grey's...

Auth0 and Okta merge.... Is Cognito the only other major player here? This merge now makes an Auth monopoly!

Security is a joke. And people don't seem to get it. Especially Data mungers.

I've spent about half an hour trying to work out how to securely connect to power BI using PowerShell in a renewable manner for unattended access later on.

Every single example I've found seems to involve you storing $user and $password variables inside your script. If I'm lucky, they're going to pass them through ConvertTo-SecureString. And nobody talks about securely storing AD auth tokens, or using the Windows Credential Manager.

I know it's possible, but it's going to take me ages to work out how from all sorts of disparate sources...

Well. I'm simply SO UNFUCKINGBELIEVABLE PISSED RIGHT NOW!! {>,,,<}

I'm implementing a monolithic frontend that embeds different projects which I don't want to alter if not really necessary. So I put them all into iframes, already handled all the security and auth stuff with proxies and so on and now I just want to access the body.scrollHeight property. Which is not even the probelm at all.

The fucking Problem is, that I just can't find a way to hook into any event which fires when all content is loaded and the final scrollHeight is set. Instead it just returns some default value that is set when the iframe element is loaded, but not something that is actually based on it's damn ass-fucking contents!!

Iframes are fucking pricks and I know I'll gonna go to hell for abusing them like this :S

Pentesting for undisclosed company. Let's call them X as to not get us into trouble.
We are students and are doing our first pentest at an actual company instead of assignments at school. So we're very anxious. But today was a good day.
We found some servers with open ports so we checked a few of them out. I had a set of them with a bunch of open ports like ftp and... 8080. Time to check this out.
"please install flash player"... Security risk 1 found!

System seemed to be some monitoring system. Trying to log in using admin admin... Fucking works. Group loses it cause the company was being all high and mighty about being secure af. Other shit is pretty tight though.

Able to see logs, change password, add new superuser, do some searches for USERS_LOGGEDIN_TODAY! I shit you not, the system even had SUGGESTIONS for usernames to search for. One of which had something to do with sftp and auth keys. Unfortunatly every search gave a SQL syntax error. Used sniffing tools to maybe intercept message so we could do some queries of our own but nothing. Query is probably not issued from the local machine.

Tried to decompile the flash file but no luck. Only for some weird lines and a few function names I presume. But decompressing it and opening it in a text editor allowed me to see and search text. No GET or POST found. No SQL queries or name checks or anything we could think of.

That's all I could do for today. So we'll have to think of stuff for next week. We've already planned xss so maybe we can do that on this server as well.

We also found some older network printers with open telnet. Servers with a specific SQL variant with a potential exploit to execute terminal commands and some ftp and smb servers we need to check out next week.

Hella excited about this!

If you guys have any suggestions let us know. We are utter noobs when it comes to this.

Yes after months of writing this .NET core 3.1 API, I am still going back and rewriting the Auth flow.

I talk to a lifelong .Net Guru yesterday to get advise about JWT flow with .NET. His take in summary:

"Oh haha yeah all of these settings you kinda just copy over an forget about them over time. They change drastically between every version anyways. 2.0s approach is so different than 3.0-3.1s. "

We then proceed to spend hours trying to copy other peoples solutions and satisfy the type requirements for different services.

Guys look im trying really really hard to get into .NET. Harder then i should try. I come from .Node & php where you import a JWT library, you get the creds, check em and call on function to issue an Bearer token. You write a 5 line middleware function for getting teh claim and fetching the user into global scope and done.

This has been an ongoing nightmare and im about sick of it. I dont need a framework with an over-opinionated, ever changing way of handling auth.

OTHER FRAMEWORKS ARE SCAFFOLDING THIS SHIT FOR US ALREADY!!! ITS THE POINT OF A FRAMEWORK!! TO NOT HAVE TO REINVENT THE WHEEL!!

.NET needs to get its shit together. Most everything else about the framework is proving to be pretty rad though. Im about to get into SignalR though and im sure ill find equal frustration there.

Whenever Google alerted me that "a new device was used to access your account", I always hear Skyrim's Meridia voice in my head:

"A NEW HAND TOUCHES THE BEACON"

Bringing the funny...

Gotta love the IoT.

They set up a new surveillance camera in the company, that can stream live footage over the network and that little shit picked the IP adress of a coworker one day AFTER being set up.
Hurray for static routing. Hurray to the person who didn't disable DHCP on the router (Should probably configure my PC to use a static IP as well lel)

Anyways, this happened outta nowhere when I, the only guy who knows shit about IT and is usually present at yhe office, wasn't there and could not connect remotely.

The other, remote programmer, who set up the network, could guide the coworker to get a new IP but, he was worried that we got ourselves an intruder.

Since nobody told me yet that we (should) have static routing, I thought there was a mastermind at work who could get into a network without a wifi-access point and spoof the coworker in order to access the some documents.

The adrenaline rush was real 😨

Scanning the network with nmap solved the mystery rather quickly but thought me that I need to set up a secure way to get remote access on the network.

I would appreciate some input on the set up I thought of:
A raspberry Pi connected to a vpn that runs ssh with pw auth disabled and the ssh port moved.
Would set up the vpn in a similar fashion.

I have an issue with my Laravel routing. Can you help me out, @bittersweet?

I have a custom "/home" route called "/admin" and I set the protected property in the LoginController:

$redirectTo = "/admin";

And it works fine, if I log in from guest. But when I navigate to "/login" as auth-user it still redirects me to "/home".

What the fuck is this? What do I have to change to make this work? Who has to be fucked? Is it possible to solve this without sacrificing a virgin at bloodmoon? And why are Platypus so fucking ugly?

How do you get over the bad times? I keep having to work with shitty legacy systems that were written in perl and flash in the 90s, but my boss keeps telling me "No" on redoing some of the bigger stuff even though it is really needed. I mean, that is your goal here, right? Rebuilding this POS? FFS you still stored passwords in plain text twoo weeks ago! But no, you's rather dig around in Perl than upset some random user because his fucking interface looks different.

But then I also have to work with another system that I could redo in Cake/Laravel in two weeks (it's literally getting and writing data to one table, so two views and user auth), and the previous dev just... made a huge mess. I mean, why would you need to post data asynchronously when it's this one stupid form ? Just do a regular form submit? And the system is really not suitable for extending, because everything is in the database, EVERYTHING! Like, html form inputs? So to add a simple input to the template I have to create a new input type in the types table and then add that to the form structure table? Only to have the input checked by fucking regex? REGEX! Why? Seriously, this is not some high end CMS that needs this level of code reusability No. This is a simple fucking form.

And I can't get it to work. No documentation of course. No comments, either. All of this makes me feel like I'm just the shittiest dev ever. I feel dumb, and useless. Haven't turned on my private PC in weeks because I see no reason to work on any of my own stuff.

I used to have a job, working with Magento and Wordpress. And yeah, it was horrible, it was chaos, but it was fun and I was great at it. I bent that motherfucking system to fit my needs. People respected my opinion, they were convinced I could program this and that, and I proved them right. Did I make mistakes? Hell yeah. Did I give up? Fuck no!

But now, I just feel like I can't even write a simple fucking form any more. I'm just so close to giving up on development as a whole, even though I love it so much.

Question time:
What's the general opinion around here on Authy for 2FA?

I've been down the road of phone wipes and phone swaps before that blow out the Google Auth codes which is nothing but a royal pain in the ass to get access back to all the accounts setup.

Authy having encrypted backups gives me some level of belief they can do what I want them to do, but I figured I would ask around before transferring over since... well that's a pain in the ass too 😂

Get a message from our teammate explaining o auth. First off, I mean come the fuck on. Second I was building our authentication for a fucking week. It's all around slack and the commit messages.

Then again when you don't even check the fucking repo ever, you won't know the progress. Yes, this is the jackass from my last rant. Sweetheart will only be able to be there 15 minutes before class ends today. Obviously, I'm not going as I don't care about the outcome of this shit at all at this point. I have access to the orgs and repos as the creator. Whenever I decide to get some real work done, I'll just ban his bitch ass.

I can't believe this fucker actually tried to explain o auth like he was talking to a child. I wrote back that he can look at the week long discussion we already had about authentication. Fucking idiot.

Bruh how do that
I dont get it

Status update:

devDNS has been having connection issues over the past hour. Some requests may be dropped due to an issue with the auth API.

@ewpratten is currently looking in to this issue.

I'm breaking out our authentication logic to a separate OIDC server. It's technically pretty straightforward, but just the thought of moving all those users and making sure that the communication between the system and the auth server works properly makes me shiver...

To me, writing authorization code for securing APIs is like having to fold an enormous pile of laundry and actually putting it all away afterward. It needs to be done but I'm not going to enjoy it.

I dug up my old ledger web app that I wrote when I was in my late twenties, as I realized with a tight budget toward the end of this year, I need to get a good view of future balances. The data was encrypted in gpg text files, but the site itself was unencrypted, with simple httpasswd auth. I dove into the code this week, and fixed a lot of crap that was all terrible practice, but all I knew when I wrote it in the mid-2000s. I grabbed a letsencrypt cert, and implemented cookies and session handling. I moved from the code opening and parsing a large gpg file to storing and retrieving all the data in a Redis backend, for a massive performance gain. Finally, I switched the UI from white to dark. It looks and works great, and most importantly, I have that future view that I needed.

why is every auth provider utter and complete shit?

why are docs and tutorials that try to teach auth so complete shit?

No wonder there are so many security holes everywhere, nobody bothers to make it simple for the next person.

Next time people that cry about security/bad auth, and work in that field, this one is for you:

I'm so done with auth
it's more than a nightmare
it's a disgrace
why can't someone just be like "you know how auth and identity is hard? why don't we make it easy?"
I would pay so much for that

I am trying to "invent" secure client-side authentication where all data are stored in browser encrypted and only accessible with the correct password. My question is, what is your opinion about my idea. If you think it is not secure or there is possible backdoor, let me know.

// INPUT:
- test string (hidden, random, random length)
- password
- password again
// THEN:
- hash test string with sha-512
- encrypt test string with password
- save hash of test string
// AUTH:
- decrypt test string
- hash decrypted string with sha-512
- compare hashes
- create password hash sha-512 (and delete password from memory, so you cannot get it somehow - possible hole here because hash is reversible with brute force)

// DATA PROCESSING
- encrypt/decrypt with password hash as secret (AES-256)

Thanks!

EDIT: Maybe some salt for test string would be nice

The fuck? I'm trying to automate login for an asp.net website from a C# console app using HttpWebRequests. I used Fiddler to see how the login happens and how the browser obtains the session and auth cookies from the server. When I replicate the same procedure from C#, I am able to get both cookies withoth a problem, but when I try to use them to get data about the user, I get a 500 ISE. What the actual fuck? I've double-checked every single header and the URLs and it's doing literally the same thing as chrome: Get asp session id (POST)-> get an auth cookie (POST username and passwd) -> interact with the site using the session id and auth cookie (GET). And obiviously I don't have access to the server logs... :/

Hi there.. Stuck since days in the google auth error:disallowed_useragent with xamarin, my colleagues ask me to ask to u :p (the same as the mac with windows features photo)

My neighbor asked me if I could make him a program for managing the wifi connection to his kids devices. Basically, he wants to be able to turn wifi on/off on selected devices, on demand. I know how to de-auth ALL devices temporarily, but that's not the goal. He asked because I am always looking for new ideas to work/practice on. And no, this isn't a vague post to try and get info on hacking into my neighbors wifi, lol... I set it up and have all the credentials. Is this within reach?

Why does every major version. of dotnet core have a different way of setting up Identity. And why is there so many different contextual meanings of the word Identity. Why in the hell do their docs have to state "Microsoft Identity, not be confused with dotnet core identity". Why cant they just call it JWT issuing and claims building or some shit. I cant keep up with whatever "Identity" Intels with every release. I swear my v3 API auth looks nothing like this v5. Granted teh v5 approach is cleaner and a little more abstracted but damn still.

Made a simple jwt auth server with express (node.js) . Used one JWT library that took me no longer than 5 minutes to understand almost all of its functionality and therefore quickly get to work.

Started the JWT auth flow for another app in .NET core 2.0. Microsoft has a recommended JWT library with more than 20 million downloads. Sooooo complex. Every tutorial found is a 50 minute minimum read with an outrageous amount of understanding around the library to even get a JWT token generated.

I guess thats part of the reason I've gone into c# was so i could become much more of a seasoned developer that has a more low level perspective but this is ridiculous.

with the npm library its literally a generateToken method that takes your encryption type string, an object of your claims and your secret to use for signing. With the nuget library im having to do the HMAC hashing manually, utilize more then 10 classes and peace them all together.

I use google auth for 2FA. Had to factory reset my phone for some reason. Meanwhile, github one day forced me to change my password. So I used the back up recovery code to change the password and then logged out. I was in a hurry and actually forgot to set up the new 2FA. But hey I have got the recovery codes right.

But, guess what? The recovery codes are not working anymore! Wtf github?

!rant

Is there any alternative to socket.io that doesn't need to expose a server ip directly to any client, needing to set up a full nginx anti ddos/auth config and more?

There is the live-ajax way that requests progress, but it feels more like a hack each time. (especially if the site should be able to handle multiple tabs with different progress)

I thought maybe some framework has live requests inbuilt to update content from a server worker model. (without exposing the server ip)

I'm writing a website for a café and I'd like to use a new tool for generating content and managing it. Only real requirement is a SCSS pre-processor and maybe built-in Auth.

Any suggestions?

Fuck Azure
Tried to login to my Test Environment for B2C, was asked for SMS AuthCode because of "suspicious activities" (haven't used it in weeks), gave this crap tool my number and pressed send code - no reaction, gave it the same number without a 0 in front, no reaction, pressed "didn't recevieved code" and got "you can't try again today, try it tomorrow" ... 30 minutes later two auth code sms arrived.

Fuck you Microsoft, just fucking fuck you

I just created a new file in Android Studio called Auth.js and then wondered why I have a folder Auth with a file js.java inside.

Sometimes I forget what framework I'm in.

ugh these 3rd party google/ firebase auth apis are so much ! the basic integration seems easy but they have given options to cover a lot of valid scenarios but which path to pick? which options would *we* require? all so much decisions need to be taken by a dev who hasn't ever integrated a single login api( aka me) . noice.

i am banging my head against the docs and articles trying to get some poc working . wish there were some open source app which i could rather follow.

on a different note, which of the following is your choice for implementing a new feature :

1. read some articles/watch some videos that come up as a first search result for "how to make x?"
2. read answers on stackoverflow that comes up when searching "X"
3.search for "x" in github/codota andcheckout other people's implementation of x
4. read the official "guide" articles for "x" (i.e the official articles explaining the most basic implementation for 'x')
5. read the reference docs/ java docs / source code for the framework/library

usually the authors doing 1/2 are people who did option 4/5 and published their findings. blessed are those people. for me 5 is a real bitch and 4 seems good but rarely ever covers the business requirements

Pulled my hair out over one today (and a week ago when I first saw the issue)

Setting up development environment. Created test user and test database and used mysqldump to copy data over.

MySQL was executing a function as the wrong user. Checked my config files, checked my config reader, checked my database connection, checked checked checked. Checked everything twice, I felt like Santa.

Changed the password in the config file to make sure it was logging in right. It threw an error still but not one I had expected so I figured the login still worked (My bias was that I thought the config file was not working or the mysql library was caching authentication. Both were wrong but this blinded my debugging. Foolish, I have forgotten my training)

Logged into the database directly via client. *didn't bother executing the function because I was only testing auth*

Think
Think
Think

Search entire project for database username. It's gotta be hard coded by accident SOMEWHERE.

It's not.

Why
Why
Why

Wait.

-- Flashback to how the test db was created -- What's actually in this damn script?

DEFINER `production_user` CREATE PROCEDURE `old_db`.`procedure_name`

Two issues: definer is old user (this is the error I was seeing) and its creating the procedure on the old db (this would be the next error I would have found if I kept going)

Fuck mysqldump. Install mysqldbcopy. Works

Put hair back in head.

DAILY LARAVEL PROBLEMS

I need to parse a JWT with some custom claims. There's a JWT library with Laravel; documentation really lacking, kinda hardcoded to work with Laravel but whatever; it's already installed, let's see what can I do with it.

It turns out I can't say something like "take this token, parse it, tell me it's valid". Let's see how that goes.
You need to build a parsing class with a manager, some auth stuff, a parser.
To build said manager you need a provider that implements a contract, a blacklist, a factory (of what?)
To build the factory (of what?) you need a claim factory and a payload validator
To build the claim factory you need a request
To build the blacklist you need a Storage
To build the storage you need a CacheContract
To build a CacheContract you need IDK it's a mess
To build the contract you need... IDK for real

WHY LARAVEL IS SHIT: 'cause only in this framework it seems reasonable to build this clusterfuck to parse a base64 encoded string, throw some json_decode and check a signature. And have it work only to authenticate a user.

Anyone else hates the "Getting started" docs as much as I am?

Problem is, most of the code is only useful for doing exactly this - "start a totally useless chat between two windows" for example for Broadcast in Laravel. What is missing is the part where you need to auth with an API in the backend and because it is missing, we see giant security holes in websites that are basically made from 101 tutorials...

Sighs

The frontend developers in my company are the reason why I have anxiety. Here are few things that grinds my knees:
1) for a long time in projects, they deleted the auth token from their storage without integrating the logout api. They thought why use an API for that. :)
2) most of them had no clue that form fields could accept javascript as inputs and work as XSS vulnerabilities. This actually happened with a client, he got so fucking pissed.
3) One of them asked me to convert a PATCH request to DELETE cos fuck REST and HTTP methods.

For fuck’s sake. I need to get out of this place.

Microsoft certsrv is returning UTF-8 on the authorization error page but UTF-16 when logging in via basic auth...

Debugged this for 2 hours today to parse the response correctly. Thanks Microsoft

When you keep telling your boss that you remade one of their sites so that it has BCrypt(currently use SHA-512),CSRF checks, stricter Auth/Cookie encryption and that we should swap it and all he says we will get to it.

wot n tarnation-_-

I'm looking into GraphQL and so far so good, but I am finding it hard to implement business rules, for example:

1. Receive request with auth token
2. Know who the user is by extractin userId from token
3. fetch data related to that user only.

I was only able to make it allow or deny if there is a token or not lol

Checking out Meteor JS in 2020 after a loooong time in which I ignored it. I participated in the community when it barely startted, liked a couple of things, was effy about some others.

Built a semi large app (custom user auth through ldap, multiple forms and data fetches on different components inside of each page, reporting bla bla bla.

Did it first in just Meteor and Blaze (pretty easy to digest) and then with Meteor and Svelte (still easy to digest, but Blaze was simpler imho) and both packages totalled less than 100mb which is somewhat amazing considering how node is with packages.It might be a good time to psy attention once more to meteor.

I based much of my shit in the now free Discover Meteor book, there aren't that many breaking changes, which makes it surprisingly stable as an application for development.

I don't know if i would use it for s large scale app, but thus far it seems fairly promising as compared to how it was years ago.

Definitely something to keep in mind for 2020-21 development

token auth woes

I am fed up of doing shitty token authentications that don't refresh and are database dependent. what's the good way to do token auth for rest APIs? json-web-token?

Fucking google 2 step auth and their lack of customer service.

I have my account setup with my phone and a backup email account. No backup keys, since I only found out about those today! Thanks for letting me know this late in the game -.-

And yet. After I made a clean install of the os on my laptop. Tried to log back into my account. I am not getting text messages or emails to my backup emails (even though its allegedly sent.... And no its not in the junk mail) to validate my 2 factor auth.... Like fuck you!!!

If you gonna give us the ability to fort knox our accounts. At the bare minimum have some customer support to at least be train to answer a phone and tell me if your servers are having an issue or something. Im so in the fucking dark here and cant access shit.

I needed to implement user authentication on an android app during ny internship. It always authenticated and ran code for not authenticated user. Turned out I wrote else instead of an if else.

Hey! I have to build a website using ReactJS and OAuth. Does anyone have tips/links/advice or things NOT to do?
I can't fuck this one up guys...

I wanted to show our DBA an example of a web api using .net core 3 in regards of how easy it is to create such things. The reason? he has been wanting to get back into programming after many years of just sticking to dba related stuff. The dude has talent and brains, he had worked years ago as a delphi dev and a vb6 dev and we had the same employer at one point, none of this man's apps have been faced out on account of how complete they are and easy to maintain for other devs was after he left. Regardless of the ancient tech stacl, the man shows ample promise and well.

Thing is, the apps I make on the Microsoft stack usually tend to C#, and my frontends are using TS, so I am more on the curlt bracket side of things and he said he was to convert my app(very basic crud example, but with auth, authorization and everything in between to plug into the frontend) to VB.NET. I thought it wouldn't be that much of a problem but apparently microsoft does not hold templates for webapi for vb.net

I thought it was shitty. VB gave Microsoft a lot of developer market back in the VB6 days, and even though I really love c# I see no reason why they would just say fuck you like that to vb.net. Shit still polls pretty high in terms of dev popularity and you can apply the same design ideas to VB without much effort.

I just think this is very shitty from Microsoft's part. Much like how Apple is forcing people to adapt to Swift when there is a huge amount of obj c out there.

I dislike when companies shift focus on tech stacks like that.

I'm currently in a bit of a predicament.
Here's the deal:
I want to separate my back-end from my front-end code a bit more (currently PHP code is mixed up with all the HTML, Javascript etc.. basically: front-end and back-end are one).
The question here is: how should I go about this?

In my current project, I have written some javascript code with jQuery that checks whether the user is logged in or not (checks for an auth token and UID to be present in the cookies).
However, this results in the page (in this case a dashboard that only logged in users should see) being visible for a moment before the user is redirected to the login page...

How could I go better about this (No, I won't use AngularJS for this)?

May 2017: They're sunsetting Digits in September, but that's past our runway anyway so we'll worry about it later

September 2017: We have extended the runway this far by letting go of the people who set up our Digits auth and were best equipped to migrate it to Firebase. :|

Dialogflow documentation is ABSOLUTE TRASH. Trying to run the example code? It gives you a super helpful error: `Unexpected error determining execution environment`. Uh, yes, indeed. What it means? IT MEANS THAT YOU PROVIDED NO CREDENTIALS. Because, as we all know, providing no credentials should end in an error of 'determining execution environment', of fucking course.
You want to know how to provide credentials? Think again, all examples in the ENTIRE DOCUMENTATION assume that you're running the code... from their servers. Seriously. You wanna know how to authenticate your shit? NOT IN THIS DOCUMENTATION, LOSER. You want to know what exactly is happening when you're initializing your client with `new dialogflow.SessionsClient()`? Good luck, documentation is on another platform. For .NET. Because fuck you.
Also, you think you can store your auth info in a neat .env file? THINK AGAIN, because google is above such petty things as industry standards, you're getting a .json file and you're gonna like it, HAVE FUCKING FUN.

Dear google, die in a fire.
Sincerely yours.

>finally gets around to installing vsftpd on home server RPi
>doesn't work
hmm.mp2
>configurating
>confusing as fuck template documentation
>man page isn't much better
>gets it working
>goes to log in
User: pi
Password: a
(What? It's a home file/command server isolated from the Internet. Sue me.)
nope.avi
>why
>tries again
nope.svg
>FUCK
>sees small raw-command log in bottom-right of phone FTP client
hmm.flac
>tries again, watches log
PASS *****
>the fuck
>goes to change user pass over SSH
# passwd
"Current password?"
about half a second later
"passwd: auth token manipulation denied"
>the delay tho
>WAIT A SECOND
one time i got past some parental software bullshit on a tablet by abusing the delay between opening a banned app and the redirect to the normal software at like age 7. (Doing so let me enable remote wipe through Google. bye bye software!)
>*inner 7 year old has autistic screech*
# nano temp
a
abcdefghi
abcdefghi
^O Y ^X
# passwd < temp
>fucking works
>logs in to FTP server successfully
>does the one file download that was needed

why and how did that fucking work

Ok, Just Imagine this. You are assigned to add a simple function in an application, using which the company can download user data which was provided by user in that app initially.

Now first twist come, when you realize the Auth system of user is not working. You fix it, and again realize email verification process is not working, which is preventing user to get registered on a first place. You again fix it, and again new problem occurs that user cannot enter detail because he/she is restricted. What the hell, is this some kind of bhul bhulaiyaa or what.

And this shit modern web frameworks, they are meant to make life easier, but half of the time i have to fight against them.

And last honourable mention to continuous disturbance of internet connection. Whenever i am installing any dependencies or want to have quick google search, it goes away. All thanks to work from home state.

I really think now to be a monk and go to do meditation in himalayas. What a life goss !

This is the story of me discovering devRant by accident.
---
I have never meddled with php before and I never intended to do so. For some reason, I accepted this consulting and chose Ci4 as the framework. All hell broke lose on my life. I could be a fucking idiot or the framework is a real ass wipe.

The setup took me hours and when I tried adding myth/auth, the real shit hit the giant fucking fan. WHAT THE FUCK PHP AND CI4? I tried all the weird fucking suggestions from the internet and you still fucked me in the ass with a bigger stick EVERY FUCKING TIME. I spent an whole night figuring you out and now I have my real job to login to with NO FUCKING SLEEP. You royally fucked my night and also my day without an ounce of A FUCKING CLOSURE.

Once I figure this out, Imma fuck the fucking project dealer and throw the weird ass shit on his ugly ass face and yell "FUCK YOU".

I am so depressed that this made me find an app to rant about it like a maniac.

-BrainlessIdiot

I hate the company (agency) I moved to...I've negotiated good pay and the project for cutting edge medical product which will change the world (cancer diagnose and it actually works).

Now the dark side I've got shit tier laptop which I don't want, overtime is payed 30% less, all the people in the agency from development team don't know shit and are mostly I would call them juniors (of course who would with enough seniority work with shit hardware and almost not payed overtime), only tap water and since this is the old part of town you instantly get sick, they treat people like shit.

The product dark side. We are actually working on crm for doctors to input patient data, we cannot have any real data because we are the agency people, product is being led by the guy who has 0 production experience (they choose the database basically with coin toss and emulated the mongodb in postgress with jsnob, they don't know how to build their own auth system hence my previous rant about b2c, they are using cognito and now moving to auth0 which probably won't fit their need because a lot of stuff needs to be custom), they are choosing every hipe tech out there without any prior experience. It's chaos...

I'm trying to guide them but i think this will be a huge expensive failure and that i need to leave asap.

There I feel better now, moral of the story, choose startups wisely.

Using grafana together with tinc+promotheus, has been a blast.

Initially I wanted to get into ELK with Kibana and all that, but that required 8G of ram, the instructions to get it running in the open source "mode" was nearly non-existent, together with all the ready docker compose stacks out there simply not working or the images being broken.

I'm sure I could've managed around most of those issues, but the fact it is as hungry as gitlab, made it a literal no-go for the usual server resources my clients host or my own scaled down server recently.

Thankfully I remembered that there's grafana and me having experimented some time ago with tinc, so I can have very lightweight beat'esque prometheus agents deployed listening on tinc local net only, with the typical nginx auth and some whitelists to all of the servers I host and all those of my clients.

The dashboard creation was especially great in grafana (tbf promotheus does actually most of it), literally what I always wanted out of those "complicated" solutions, that do it all, but have no proper query language, complex documentation, heavy collectors with no properly named data points, expensive resource runtimes, ..

with grafana I can just easily put dashboards into folders, create users to look only at certain stats or even dashboards (opened up some interesting contracts actually, because now I can also offer proper monitoring for all things delivered), easily drag and drop around stuff to fit more information (most others fix you to a small 3x2 grid, a too big grid for a TV or simply non resizable tiles, making that one counter take up an entire row) and resize to my hearts desire

tinc of course allows me to easily create private networks that are resistant to failure across any region and the routing is done for me, so I don't have to run around it all that much either

P.S: a damn tiny fly went into one of my now 4 monitors and died right in the middle, because I thought it's just some dirt and I pressed it in while trying to wipe it off, so that monitor now serves as the top most on a vesa mount

LOL XCode....I think they meant "X"tra useless, resembling such as a bag of dicks without handles!!!!

Also, being fucking buried because there's aren't any devs anywhere to be found near me makes me extra cranky!
Ive been hammering away at this Flutter, Java, Swift, Python, and Google maps for just about 36 hours on 3.5 hrs sleep. I just can't stop, I fuckin love this shit!!!
Considering the fact that I'm self taught and just started writing code for real about 7 months ago, I'd say I'm handling this alright for now. Every bit of tech is getting shot out of a cannon at this one- maps, real time tracking, state level auth/Id verification, custom components like ID scans/native desktop applications on custom linux machines, body cams, SIP trunking... all in 3 apps which are 100% multi-platform and scaled up to high end enterprise levels and being groomed for national release. I'm writing the code and doing the tech for ALL of it- even down to custom painted barcode scanners, a wallet system built from scratch, GPS integration, location/geofence based document querying... holy fuck guys I'm gonna fuckin die haha!!!
I went from barely getting websites made in late summer to this very moment, where I am pumping shit out in Flutter, Dart, Python, CPP, Js, Swift, Java, Kotlin, Obj-C, SQL/noSQL, and who knows what else.
I don't even know what the hell I just said haha I hope everyone has a great day!

I am new to c and cpp.
I used to exploit my college's competitive programming platform cus it had a bad architecture and almost no auth checks.
For every ajax request, they weren't sending auth tokens or any form of identification and ran all the programs without any logs and on the main thread and as root.. wtf, right?
But recently they've changed something to the site and I cannot run bash commands using system() call.
Is there any other way to execute bash commands using c and cpp.
I already configured a miner in their server but then they re-deployed it cos someone forked bomb the shit out of it.
I'm a noob in c and cpp btw!

The PHP rally cry. You can find this phrase frequently in just about any php documentation. Hey now hang in their my php children, we'll get through this 20 line auth configuration together.

fuck it, im giving my users permanent access tokens, because for some reason using refresh tokens is black magic to the internet -.-

Command reads: kubectl auth can-i get love --namespace --will-she-marry-me

Server said yes 😁😍

Caching on auth status checks... For fucks sake

So I'm looking for a tutorial somewhere to manage auth with react.

I have passport local setup with jwt in express, but looking to manage users in the front-end, managing the user state app wide, logging out, protected routes etc.

I've done some searching around but I can't see anything to concrete. Any pointers or articles would be great.

I was thinking of localStorage but not sure how to go about setting that up with react.

Google API authentication is such a pain in the arse.

Am I incredibly paranoid with my idea of multiple(>2)-factor-auth like fingerprint+yubikey+password+OTP aso?

Damnit I am an idiot. I am making a downlader for talkpython lectures and ive managed to get the "user_tpt" (auth key) well when I'm set up the request I sent it in the header when its supost to be in the cookies. I couldent figure out why it wasn't working so I left it for 2 days and now just when I open it I see my mistake

While making a backend and frontend I wanted to make an auth flow, but I ask myself isn't HTTPS auth enough ?

What do you think is JWT to check which user it is and HTTPS to secure the connection enough or should I also use PGP ?

So I was instructed today, after lunch, to spend an hour teaching a member of my team how to SSH, store keys, basic io routines, and create CRON jobs to auth our ECR registry by my team lead.. Why am I wasting dev time teaching someone how to use an operating system? Need I add, our primary Dev workspace is a spun up using vagrant using xubuntu. I just can't comprehend how this person has been using xubuntu as their primary OS for two months and doesn't know the SSH protocol. Much less how they landed a dev job without any prior experience with a *NIX based OS.

How difficult is it to create a custom 401 page in apache while requiring basic auth for the web root. I cant work out how to allow just the file /401.php

I keep getting:

Additionally, a 401 Unauthorized error was encountered while trying to use an ErrorDocument to handle the request.

Any suggestions?

I've tried the following

ErrorDocument 401 /401.php
<Directory "/var/www/glype">
AuthType Basic
AuthName "Site Under Construction - Dev Only"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
</Directory>
<Files "/var/www/glype/401.php">
order Deny,Allow
Allow from all
</Files>

What am I doing wrong

Does this happen to you guys too?
Yesterday I was coding auth for node.js with help of tutorial (I'm pretty new to node.js). I was pretty sure that I understood how it works and I turned off my computer. Then when I was in bed ready to go to sleep I tried to go through the code in my head, but I completely forgot everything I wrote. I guess I was just copying the code without even noticing I didn't know how it works. Now I'm trying to learn it once more.

So, I manage my server with docker containers (nginx-proxy and the letsencrypt-companion). I limit access to some subdomains using basic auth, but I want to use client certificates for convenience.

So my questions to the experts:
1) Do you know a good (and convenient) way to manage client certificates ? This should include revoking certs and allowing specific certs only for specific subdomains.
2) Should I use my letsencrypt CA for this or would a self signed CA better suited?
3) Any things I should be aware of?

Damn you nginx...

Let's say you have a simple location directive like:

location / {
auth_reques /auth;
index index.html;
}

location = /auth {
internal;
proxy_pass <...>;
}

Now guess how often nginx makes a subrequest to /auth.

Thats correct TWO times... "why?" you ask?

Well isn't it obvious that nginx hits the auth request, then rewrites the request to the index file, hits the auth request again because it's technically a different request now and then proceeds to hand out the file?

Thanks for documenting this. NOT

Having to build an auth server from scratch an then having to revert all the code because it was overkill for the app. Fml

While planning my (personal) server I just seem to pile up more and more things to do/consider. Basically, for now I just want to have rclone, nextcloud and jellyfin, plus some usenet stuff later on. But I want to have the whole installation and configuration automated as far as possible, since I'll at first it will run in a test environment and needs to be migrated to another server at a point, possibly even another OS. So I suppose that means docker, docker-compose and Chef (any better options?). I want SSL: Traefik. User management / auth? RADIUS, LDAP. SSO? keycloak. I also need to deal with virtual hosts. And probably much more..

Since I just have basic Linux knowledge and have no real experience with any of the other technologies, I feel a bit lost. I just got to the abovementioned software due to some ddg research. I don't mind digging deep, I want to learn (which is half the reason for this project), but it's not easy to the the best way to set this up.

Going to set up my own mozilla auth + data + sync server for Firefox... Amount of dependencies is fucking huge...

Opinions

Hello, I’m considering building a web framework.

My ideal features would be:
Customizable authentication system(considering using a jwt lib)
Embedded DB(bolt db)
ORM( writing my own)
REST api to DB (via code generator)
Code generator(generation of models and views via cli)
GUI to db(some admin dashboard)
CORS(web service right?)

Why?
Ease of development
Fast prototyping of small-medium web services.
Fun.

My question is, do i have to many things on my platter? Should i narrow it down into less featured framework? What feature should I focus on? How should i benchmark it? Should i write tests for absolutely everything or just for exported methods? What should i take into consideration when developing ORM API, Auth API...

The language is Go

Thank you for your input

Java spring, .net mvc (not web api cause the web apis just beautiful), symfony mvc, do any of these large bloated frameworks stand a chance anymore in a technical landscape that embraces new things every few months. Devs can pick up node and one of its frameworks like express or sails overnight where spring takes years of invested interest to be proficient with. Do we really Need fat frameworks anymore? Today we embrace multi casted approaches, SAML auth, a different server to fit every purpose with a language best capable of handling the business need. Where does a gigantic framework with a steep learning curve fit into this approach anymore ?

JWT auth + vuejs = headache

I swear vuejs is just making laravel more complicated at this point.

Just built a solid desktop app for MacOS with Flutter that's worthy of shipping. I gotta say I'm pretty stoked about it, even if it isn't nearly as dope as LOIC. Haha chargin muh lazers!
I'll get some screenshots up soon!!
I also wrote a comple CLI interface for Firebase management using Python. Advanced auth abilities, CRUD capability, full json import/export, verification/password resets, you name it. Well, except full Firestore/mobile OTP features but it's still a win. Actually dicked around and made a cool little Firebase chat program in the terminal with the Python interpreter.
Finished up my first apps in React, React-Native and Ember, my 2nd with Electron, and also got my first Firebase hosted site up and running. Solid day!!! Cheers to that. And cheers to all of you amazing bastards!

Hey guys, I have almost developed the backend of an app like reddit. My question is about authentication. How should I authenticate my user. Is phone number necessary to add phone otp?Because I don't want to get any legal trouble if someone posts objectionable content on the platform. Most of the apps today need phone number, I dont know why except reducing spam accounts.

Or shall I verify email by otp. But its hard to track disposable emails. I cant go for only gmail too as its banned in china. Email domains of china are weird.

Can I get into legal trouble for objectionable content posted by any evil user?

I dont want to go for auth.

Well, thanks for nothing, twitch/chromecast.

Java I hate you! I've been stuck on an authentication issue for weeks now and just figured out what was wrong. The probem was my variable wasn't STATIC so it was passing in an old auth header every time. Literally I've been skimming and modifying my code like crazy for like 2 weeks and this simple modifier changes everything! Java I hate you and can't wait to migrate my code base to kotlin!

Stuck trying to make Firebase Facebook Auth work with Google Chrome Extension. Just isn't working 😔

Somehow mocking xhr requests (?) for Axios is really hard to make it work. I use React Cosmos as I'm re-doing the frontend of this already running in production and works great, but when my component communicates with the backend it breaks and I'm unable to test the full behavior.

Then, it occurred to me that trying to mock Axios may not be the best. So I came with this scheme where I would have a configuration variable with a default value and change that when I need to work with React Cosmos, which in turn changes the behavior of `/auth` to return a valid JWT in response to a GET, put an Axios interceptor in my outermost Cosmos decorator and BAM! suddenly was able to develop and test my React components closer to how they would work in production.

It surprises me how simple this endeavor was, and because everything runs orchestrated by docker compose things run smoother.

(this is not an excuse to not to learn how to deal with the mocking issues of Axios, after all I wont have a working backend every time I work in some frontend application)

A "REST API" that was using nonsecured HTTP as protokoll and send the users pwd in the basic auth header

Apparently, Spotify requires auth on all of their endpoints. So now, if I want to write a simple CRUD app I have to deal with fucking OAuth.

So I'm going to work on a project with a webapp and mobile applications. I look at this monstrosity that sends username and pass as plain json and there is almost no sparation of concerns, along with very little documentation. Please save me

So, need to secure some requests.
I decided on going passwordless on the website but I want to have an API too.

I am reviewing auth0.
I am also not sure if I can secure the same endpoints as private and public differently, so the private is used by the backend with no auth and the public with auth.

Wold you guys help me with some reading material?

I've been planning a startup project for months now. Then, what was a supposedly simple quest of finding out whether session-based or token-based authentication is better, has become a question of whether I should setup my own OpenID Connect (IODC) auth server or stick to simpler methods.

I've already spent almost a week learning OAuth2 and OIDC, and I can't tell whether this route is an overkill for my usecase. (Or that I just don't want to admit I'm falling into the shiny tech trap.)

How about you guys, how would you approach authentication? JWT/JWE? Sessions?

Hey ranters, I want to setup a centralised auth backend that assigns multiple logins/API keys to a single user account which is managed through a Frontend application.

Background is we use multiple services each with their own login system and not all support a unified login/auth method for their API.

My approach is to setup a simple API/Auth backend that stores the users credentials plus multiple API-Keys of other services or their logins. When auth is successful the Frontend app may receive the associated credentials for the other backends to call their respective API. So the user can login once but the Frontend may access all backend services without the user noticing that their are other auths.

This should be a really general problem today. I'm really just diving into the topic of auth and Frontend, so I hope to get some guidence/overview from you. My questions are:

- Is my approach totally stupid?
- Are there good frameworks you'd recommend for such a setup?
- Is there a best practice which I've overseen so far?
- Resources you think are a must-read?
- Any other recommendations regarding security here?

So, what do you ranters think?

There is something that bothers me at this moment, so basically I started structuring my methods like this: methodName({id}, {auth}) instead of methodName(id,auth), I did this so that I have to specify the id and auth inside the object variables in method and not be able to inverse the order, at this point I think that I did something extremely stupid and doesn’t make any sense or it is good for better strcturing, your toughts ?

P.S. Should have used typescript from the beginning

Work! Terribile doubt about our project 😭i will leave this company if we do not come up with an adult solution 😔

We are working for another Company, they asked to add a web app to their project.

We made frontend and backend, we make user auth to their api, then call their api (place order, get orders etc), passing their auth token to their services.

Which Means that our endpoints are not really protected (i think) and if we add an endpoint that does not use their api, the only way to secure them Is to take the token, validate It by calling for example get /order of the api and if It fails just discard the request....too slow?

my colleagues do not want to put a serious auth they Just want to use the company api and leave the rest open...

And the customer Just asked to use some other api functionality, but that api has another auth... How do we pur them togheter? The last api want the id of the user to do machine ti machine auth

It Is my 6th month here no one thaught me anything, i think i'll Just leave ..or am i Just experiencing the developer Daily work?😔

If your workflow counts on users copying and pasting things (like security tokens from text messages) read this:

Please for fuck sake trim the damn whitespace before you validate. I can't see the fucking space client-side, and you fucking know I didn't mean to enter <SPACE>123456 as my auth code.

Double click, copy, paste, click, curse <-- Story of my life because somebody forgot a damn .replace statement.