Do all the things like ++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatarSign Up
Get a devDuck
Rubber duck debugging has never been so cute! Get your favorite coding language devDuckBuy Now
Search - "authentication"
Me: *Watching a movie*
Main Character: "Oh no, we have to hack the CIA to figure out how this machine works! Hacker girl, do the stuff"
Hacker Girl: "Consider it done!"
Hacker Girl: *Opens Linux bash*
Hacker Girl: *types 'mkdir Hack_CIA'
Hacker Girl: "They have two-factor authentication in place, this is going to be a hard one."
Hacker Girl: *Types 'cd Hack_CIA'*
Hacker Girl: "I'm in!"
Friend: "Wow, so well done, so realistic!"
My last internship (it was awesome). A programmer developed a vacation/free day request application for internal use.
Asked if I could test it for security.
The dev working on it thought that was a very good idea as he wasn't much into security and explained how the authentication process worked.
I immediately noticed a flaw just from his explanation. He said it was secure anyways (with an explanation but his way of thinking was wrong in this case). Asked if I was allowed to show him. He said he was intrigued by this so gave me a yes right away.
For the record, user levels were normal user, general admin and super admin (he was the only super admin).
Wrote a quick thingy server side (one of my own servers/domains) for testing purposes.
Then I started.
Went from normal user to super admin (his account) through a combination of XSS and Session Hijacking within 15 seconds.
Explained him where he went wrong and he wrote a patch under my guidance 😃.
That felt so fucking awesome.5
(sensitive parts censored)
Friend: Hey, can you hack my (some website) account?
Me: Depends... What's your username?
Friend: (tells username)
Me: (clicks forgot password?)
Friend: I will give $10 if you do it. There is 2 factor authentication enabled.
Me: (silence) Ok.
Website: Please type the class number you were in in 4th grade.
Me: Hey, did you graduated BLAH elementary school?
Me: Ahh, I remember. You moved to BLAH elementary school in what grade?
Me: Hmmm, I don't remember seeing you. What class were you in?
Me: Well, I now remember. Stupid me. (smirks)
Friend: Haha. (continues to play games beside me)
Me: (Types in 8)
Website: We sent you a password to email@example.com
Me: (uhh, heads to example.com and clicks forget password?)
Email: Please type the class number you were in in 4th grade.
Me: (wtf is this, types 8)
Email: Please type the teacher's name when you were in in 4th grade.
Me: What was the teacher's name?
Me: When you were in 4th grade.
Friend: Ahh! John Smith.
Me: Ahh, he was strict, right?
Friend: Yeah (continues to play games again)
Me: (Types in John Smith)
Email: Set a new password.
Me: (Types "youaresostupid")
Me: (copies PLAIN TEXT password from email, logs in to website)
Me: Money plz~
Me: (wtf, then remembers i changed his email password) Fine then.
1. There is 2 factor authentication enabled. : Got it?
2. The website sent plaintext password.
3. He is just pure idiot.
4. I didn't got the money.
5. I am now a h4x0r12
** The most hilarious authentication implementation I've ever seen **
They stored password in cleartext, but never mind, this is sadly quite common.
For some reasons credentials were also case insensitive (maybe to avoid silly tickets from CAPS LOCK lovers?).
Then I had a look to the query executed during the login:
SELECT * FROM users WHERE username LIKE ? AND password LIKE ?;
So I tried logging in with user "admin" and password "%"... and it worked!
I laughed all the day.31
Happened a few weeks ago but still awesome.
Me and a good friend have a website together but we don't monitor it too much.
He studied with me in the same class but went towards frontend/apps where I chose backend/servers/security. He knows how to do basic Linux stuff but that's about it.
We were at a party when he noticed that our site was offline. Walked over to me (because I manage the server) to notify me so I could look into it said I'd look into it (phone):
*visits site: nothing*
*online dig tool: got the server ip*
*remembered this one didn't have pubkey authentication - after three passwords attempts I'm in*
"service apache2 status"
*service doesn't exist*
*right, migrated this one from Apache to nginx....*
*ah, an nginx restart probably suffices...*
"service nginx restart"
BAM, site is reachable again.
*god damnit, lets encrypt cert expired...*
*sees command with certbot and our domain both in one*
*20 seconds later: success message*
*service nginx reload*
BAM, site works securely again.
"Yo mate, check the site again"
Mate: 😶 w-w-what? *checks site and his watch* you started less than two minutes ago...?
Mate: 😶 now this is why YOU manage our server and I don't 😐
His face was fucking gold. It wasn't that difficult for me (I do this daily) but to him, I was a God at that moment.
Awesome moment 😊27
So my friend has two-step authentication for his smartphone.
Now he is not able to find his phone.
So, he tried to find his phone by logging into his google account via Android Device Manager.
Now, it is asking for the authentication pin which is in his phone.😂
He just got deadlocked.12
I wrote a Student Information system for my midterm project back in 94 written in Clipper and runs on MS-DOS.
I demoed & explained to the panel of professors how it tracks enrollments, payments, class schedules, grades and attendance of each and every student. Has user authentication, auditing and reporting functionalities.
It has a lite version also written in Clipper that can be installed on a Professor's laptop so that he/she can update records even at home, and would be able to sync with the db at school via a BBS. Telix for DOS (self-taught) was my choice for the BBS as it was shareware, has built-in Zmodem support and comes with it's own programming language called SALT (Script Application Language for Telix) that can be used for automating tasks. The lite version of my project would dump the updates on an ASCII file, compress the file using PKZIP, use the laptop's modem to dial-up the number to the school's BBS and send the file across using Zmodem protocol.
The main version would then download the file(s) from the BBS and proceed to do a sync.
After the doing the demo and answering all their questions the panel asked me to wait outside the room, called me back in after 15mins and told me that I don't have to attend that class for the remainder of the term. The happiness as the my classmates outside of the room gawked at me felt like King Midas himself gave my balls his golden touch.
Then in 97, 2yrs after I graduated, I accompanied my cousins to a different campus of the same school for their enrollment and right there on the bottom of the screen were my initials on a very very familiar UI! They actually used, and were still using, my school project. Needless to say my cousins didn't believe that it was written by me.15
*Facebook Hackers follow the Rules*
TL;DR: sorry, not available, can't do spoilers
One night I was with a group of friends out at a pub. A guy and his girlfriend show up, I didn't know them but they were my friend's friends.
The girl kept bragging the whole time about his boyfriend being a professional programmer, trying to remind it to everybody whenever possible (don't ask me why!).
So, after a while, the discussion moves towards "suspect Facebook activities" and the guy starts saying that he can hack Facebook.
- "What do you mean?", I ask.
- "Hacking into other people's accounts, even with 2 factor authentication. I did it a lot of times"
- "Wait, and they don't notice?"
- "Of course not! ^_^ He's a hacker", the girl replies.
Ok, time to do a coming out.
- "Hey, I'm a developer myself. Can you give me an idea of what you did in technical terms? Did you find a vulnerability? Used a virus? Maybe a keylogger?"
- "No... Uh... Well... The secret is to read the terms of service"
- "Yes... yes it's all in the facebook terms of service..."
- "Uhm, I'm not really sure I'm following. Could you prove it by hacking my Facebook account? I'm giving you the permission".
In less than a minute the discussion flew completely away and they never mentioned computers again.
I strongly dislike the www part in domain names (the subdomain, really), that's not really news anymore.
Loads of sites use it which I find annoying as fuck for some reason but so be it. (I understand that its very logical to loads of people)
And then you get a client who calls in because the email server isn't accepting her username/password.
*looks into the logs*
"incorrect authentication data: firstname.lastname@example.org"
Kill it with fucking fire.19
I get that fingerprint authentication is very convenient but I'd never use it (not even for privacy reasons that much).
When someone guesses/gets your password you can just say "alright let's change my password"
Imagine that with fingerprints: "yeah sure let me change my fingers"
This is not really a rant, but...dude.
I was browsing github for a suitable library when i found a test repo of someone. A script inside and at the top he wrote his authentication token. I first thought it was a placeholder or an example or a test he used. No. I entered the token and could control his instance of the app. I sent him a message to disable this token.9
I work at a small retail store and we have quite a few regular customers who know I'm studying computer science because I'm always coding at work on my laptop.
One lady who comes in quite often and is very sweet asked me if I would take a look at her phone. She said she bought it and paid the owner of a phone repair store to set it up for her, but was felt like he did something weird to it. I told her I wasn't an expert but would look at it.
Oh my god. This guy set up her phone connected to his own personal icloud account. All of his music was on there. All of his contacts were on there. All of his pictures were on there. Even nude pictures of multiple people that this lady said she definitely does not know. I tell her this is very very wrong and no one in their right mind should've set her phone up this way.
I automatically think to factory reset. I'm unfamiliar with iPhone, as the last time I used one was an iPhone4 many years ago. I was unaware that apple applies an authentication lock when the phone is reset.
The authentication is set up underneath yet ANOTHER email address that belongs to this guy, as this lady promised me she has no knowledge of any email address similar to the one listed, nor does she have access to it.
I tell her to call the guy and ask for her money back and to unlock her phone so that she can reset it herself.
He claims that he cannot accept refunds if a factory reset has been performed.
Uhm, I am calling SOOOOO much bullshit. There should be absolutely no reason why the owner of the phone cannot factory reset it. The owner should be able to do ANYTHING she wants with it, without being locked out of it because some creep at a repair store did NOT DO HIS JOB CORRECTLY AND HE KNOWS IT. Why else would he claim he can't refund if it's been reset, because he KNOWS she got locked out.
So long story short I talked on the phone with him and cussed him out telling him he was wrong for taking advantage of someone who doesn't know much about technology and that he was invading privacy and violating her security and that i would report him if he didn't fully refund her and unlock her phone.
He gave her all of her money back, unlocked the phone (which she is deciding to sell because she got so scared by this), and I'm still filing a complaint against this man and his store. Who knows how many more clueless people he did this too. Fucking scumbag.11
"Do you have 2 factor auth for the database?"
a customer asked. I stared on the wall in front of me and suddenly fel and urge to punch and piss on something.
I took a deep breath while thinking to myself
*Oh boy, here we go. Another retard*
I put on my nice voice and asked:
"What you mean?"
The customer seems confused, as if my question did not make sense and he said:
"TWO FACTOR AUTHENTICATION! Dont you know what it is? To make the database more secure."
I was fucking right, this person reads to much shit. The fact that the email signature of that person said "Wordpress Developer" made me more angry.
I, still with the nice voice asked
"How would that work?"
"Two factor authentication when I am connecting to the database."
"So, do you want it by SMS then? You'll get alot of messages if it is going to send you one every time a query is made."
The following 7 seconds was dead silent until I heard the person hang up.6
So I had my exams recently and I thought I'd post some of the most hacky shit I've done there over here. One thing to keep in mind, I'm a backender so I always have to hack my way around frontend!
- Had a user level authentication library which fucked up for some reason so I literally made an array with all pages and user levels allowed so I pretty much had a hardcoded user level authentication feature/function. Hey, it worked!
- CSS. Gave every page a hight of 110 percent because that made sure that you couldn't see part of the white background under the 'background' picture. Used !important about everywhere but it worked :P.
- Completey forgot (stress, time pressure etc) to make the user ID's auto incremented. 'Fixed' that by randomly generating a user id and really hoping during every registration that that user ID did not exist in the database already. Was dirty as fuck but hey it worked!
- My 'client' insisted on using Windows server.Although I wouldn't even mind using it for once, I'd never worked with it before so that would have been fucked for me. Next to that fact, you could hear swearing from about everyone who had to use Windows server in that room, even the die hard windows users rather had linux servers. So, I just told a lot of stuff about security, stability etc and actually making half of all that shit up and my client was like 'good idea, let's go for linux server then!'. Saved myself there big time.
- CHMOD'd everything 777. It just worked that way and I was in too much time pressure to spend time on that!
- Had to use VMWare instead of VirtulBox which always fucks up for me and this time it did again. Windows 10 enjoyed corrupting the virtual network adapters after every reboot of my host so I had to re-create the whole adapter about 20 times again (and removing it again) in order to get it to work. Even the administrator had no fucking clue why that was happening.
- Used project_1.0.zip etc for version control :P.
Yup, fun times!6
Well, here's the OS rant I promised. Also apologies for no blog posts the past few weeks, working on one but I want to have all the information correct and time isn't my best friend right now :/
Anyways, let's talk about operating systems. They serve a purpose which is the goal which the user has.
So, as everyone says (or, loads of people), every system is good for a purpose and you can't call the mainstream systems shit because they all have their use.
Last part is true (that they all have their use) but defining a good system is up to an individual. So, a system which I'd be able to call good, had at least the following 'features':
- it gives the user freedom. If someone just wants to use it for emailing and webbrowsing, fair enough. If someone wants to produce music on it, fair enough. If someone wants to rebuild the entire system to suit their needs, fair enough. If someone wants to check the source code to see what's actually running on their hardware, fair enough. It should be up to the user to decide what they want to/can do and not up to the maker of that system.
- it tries it's best to keep the security/privacy of its users protected. Meaning, by default, no calling home, no integrating users within mass surveillance programs and no unnecessary data collection.
- Open. Especially in an age of mass surveillance, it's very important that one has the option to check the underlying code for vulnerabilities/backdoors. Can everyone do that, nope. But that doesn't mean that the option shouldn't be there because it's also about transparency so you don't HAVE to trust a software vendor on their blue eyes.
- stability. A system should be stable enough for home users to use. For people who like to tweak around? Also, but tweaking *can* lead to instability and crashes, that's not the systems' responsibility.
Especially the security and privacy AND open parts are why I wouldn't ever voluntarily (if my job would depend on it, sure, I kinda need money to stay alive so I'll take that) use windows or macos. Sure, apple seems to care about user privacy way more than other vendors but as long as nobody can verify that through source code, no offense, I won't believe a thing they say about that because no one can technically verify it anyways.
Some people have told me that Linux is hard to use for new/(highly) a-technical people but looking at my own family and friends who adapted fast as hell and don't want to go back to windows now (and mac, for that matter), I highly doubt that. Sure, they'll have to learn something new. But that was also the case when they started to use any other system for the first time. Possibly try a different distro if one doesn't fit?
Problems - sometimes hard to solve on Linux, no doubt about that. But, at least its open. Meaning that someone can dive in as deep as possible/necessary to solve the problem. That's something which is very difficult with closed systems.
The best example in this case for me (don't remember how I did it by the way) was when I mounted a network drive at boot on windows and Linux (two systems using the same webDav drive). I changed the authentication and both systems weren't in for booting anymore. Hours of searching how to unfuck this on windows - I ended up reinstalling it because I just couldn't find a solution.
On linux, i found some article quite quickly telling to remove the entry for the webdav thingy from fstab. Booted into a root recovery shell, chrooted to the harddrive, removed the entry in fstab and rebooted. BAM. Everything worked again.
So yeah, that's my view on this, I guess ;P33
Me: *Installs travis*
Dev: oh what's travis?
Me: it's a continuous integration tool I wanna setup.
Dev: ... contin.... ?
Me: continuous integration, a tool that performs builds.
Dev: ah!, is it the new version of that deprecated tool we were using "client access"?
Me: ... no ... that's an authentication service that generates and stores oauth tokens. This is the continuous integration tool I told you about yesterday (and last week and the week before).
Dev: ... contin....
Me: ... con ........ continuous integration. It listens to branches on GitHub, downloads, builds, tests and then deploys the code.
Dev: ah ok ok, cool.
I would bet my monthly fucking salary he can not repeat what I said, tell me what oauth is, or explain what he's working on at the minute.
Jesus at this rate I'd bet my salary he can't tell me my name.7
So according to some reddit user IKEA sends your password as a GET parameter in plain text.
Seems to be a network authentication thingy, but still 🤔35
Look, PHPVirtualbox, i love you and all and you've worked very well for me for ages.
But, when I see the authentication is successful and you receive an 'OK', YOU'RE NOT SUPPOSED TO THROW A FUCKING "USERNAME OR PASSWORD WRONG" ERROR.
YOU'RE SUPPOSED TO LET ME FUCKING THROUGH.
Client asked for Two Factor Authentication as a part of the webapp we're building and then were confused as to why they needed a second password to login
"we don't want to add an extra step into the login process, can you remove it please"
Navy story continued.
And continuing from the arp poisoning and boredom, I started scanning the network...
So I found plenty of WinXP computers, even some Win2k servers (I shit you not, the year was 201X) I decided to play around with merasploit a bit. I mean, this had to be a secure net, right?
Like hell it was.
Among the select douchebags I arp poisoned was a senior officer that had a VERY high idea for himself, and also believed he was tech-savvy. Now that, is a combination that is the red cloth for assholes like me. But I had to be more careful, as news of the network outage leaked, and rumours of "that guy" went amok, but because the whole sysadmin thing was on the shoulders of one guy, none could track it to me in explicit way. Not that i cared, actually, when I am pissed I act with all the subtleness of an atom bomb on steroids.
So, after some scanning and arp poisoning (changing the source MAC address this time) I said...
"Let's try this common exploit, it supposedly shouldn't work, there have been notifications about it, I've read them." Oh boy, was I in for a treat. 12 meterpreter sessions. FUCKING 12. The academy's online printer had no authentication, so I took the liberty of printing a few pages of ASCII jolly rogers (cute stuff, I know, but I was still in ITSec puberty) and decided to fuck around with the other PCs. One thing I found out is that some professors' PCs had the extreme password of 1234. Serious security, that was. Had I known earlier, I could have skipped a TON of pointless memorising...
Anyway, I was running amok the entire network, the sysad never had a chance on that, and he seemed preoccupied with EVERYTHING ELSE besides monitoring the net, like fixing (replacing) the keyboard for the commander's secretary, so...
BTW, most PCs had antivirus, but SO out of date that I didn't even need to encode the payload or do any other trick. An LDAP server was open, and the hashed admin password was the name of his wife. Go figure.
I looked at a WinXP laptop with a weird name, and fired my trusty ms08_067 on it. Passowrd: "aaw". I seriously thought that Ophcrack was broken, but I confirmed it. WTF? I started looking into the files... nothing too suspicious... wait a min, this guy is supposed to work, why his browser is showing porn?
Looking at the ""Deleted"" files (hah!) I fount a TON of documents with "SECRET" in them. Curious...
Decided to download everything, like the asshole I am, and restart his PC, AND to leave him with another desktop wallpaper and a text message. Thinking that he took the hint, I told the sysadmin about the vulnerable PCs and went to class...
In the middle of the class (I think it was anti-air warfare or anti-submarine warfare) the sysad burst through the door shouting "Stop it, that's the second-in-command's PC!".
Stunned silence. Even the professor (who was an officer). God, that was awkward. So, to make things MORE awkward (like the asshole I am) I burned every document to a DVD and the next day I took the sysad and went to the second-in-command of the academy.
Surprisingly he took the whole thing in quite the easygoing fashion. I half-expected court martial or at least a good yelling, but no. Anyway, after our conversation I cornered the sysad and barraged him with some tons of security holes, needed upgrades and settings etc. I still don't know if he managed to patch everything (I left him a detailed report) because, as I've written before, budget constraints in the military are the stuff of nightmares. Still, after that, oddly, most people wouldn't even talk to me.
God, that was a nice period of my life, not having to pretend to be interested about sports and TV shows. It would be almost like a story from highschool (if our highschool had such things as a network back then - yes, I am old).
Tonight I want to try to setup an openvpn server with mysql based authentication because I'd love to somehow setup/become a vpn provider.
Of course there's a huge ass legal part but let's first make sure I know the technology of the top of my head!
Just ranting this out because I'm excited 😊25
Worst legacy experience...
Called in by a client who had had a pen test on their website and it showed up many, many security holes. I was tasked with coming in and implementing the required fixes.
Site turned out to be Classic ASP built on an MS Access database. Due to the nature of the client, everything had to be done on their premises (kind of ironic but there you go). So I'm on-site trying to get access to code and server. My contact was *never* at her desk to approve anything. IT staff "worked" 11am to 3pm on a long day. The code itself was shite beyond belief.
The site was full of forms with no input validation, origin validation and no SQL injection checks. Sensitive data stored in plain text in cookies. Technical errors displayed on certain pages revealing site structure and even DB table names. Server configured to allow directory listing in file stores so that the public could see/access whatever they liked without any permission or authentication checks. I swear this was written by the child of some staff member. No company would have had the balls to charge for this.
Took me about 8 weeks to make and deploy the changes to client's satisfaction. Could have done it in 2 with some support from the actual people I was suppose to be helping!! But it was their money (well, my money as they were government funded!).1
Every step of this project has added another six hurdles. I thought it would be easy, and estimated it at two days to give myself a day off. But instead it's ridiculous. I'm also feeling burned out, depressed (work stress, etc.), and exhausted since I'm taking care of a 3 week old. It has not been fun. :<
I've been trying to get the Google Sheets API working (in Ruby). It's for a shared sales/tracking spreadsheet between two companies.
The documentation for it is almost entirely for Python and Java. The Ruby "quickstart" sample code works, but it's only for 3-legged auth (meaning user auth), but I need it for 2-legged auth (server auth with non-expiring credentials). Took awhile to figure out that variant even existed.
After a bit of digging, I discovered I needed to create a service account. This isn't the most straightforward thing, and setting it up honestly reminds me of setting up AWS, just with less risk of suddenly and surprisingly becoming a broke hobo by selecting confusing option #27 instead of #88.
I set up a new google project, tied it to my company's account (I think?), and then set up a service account for it, with probably the right permissions.
After downloading its creds, figuring out how to actually use them took another few hours. Did I mention there's no Ruby documentation for this? There's plenty of Python and Java example code, but since they use very different implementations, it's almost pointless to read them. At best they give me a vague idea of what my next step might be.
I ended up reading through the code of google's auth gem instead because I couldn't find anything useful online. Maybe it's actually there and the past several days have been one of those weeks where nothing ever works? idk :/
But anyway. I read through their code, and while it's actually not awful, it has some odd organization and a few very peculiar param names. Figuring out what data to pass, and how said data gets used requires some file-hopping. e.g. `json_data_io` wants a file handle, not the data itself. This is going to cause me headaches later since the data will be in the database, not the filesystem. I guess I can write a monkeypatch? or fork their gem? :/
But I digress. I finally manged to set everything up, fix the bugs with my code, and I'm ready to see what `service.create_spreadsheet()` returns. (now that it has positively valid and correctly-implemented authentication! Finally! Woo!)
I open the console... set up the auth... and give it a try.
... six seconds pass ...
... another two seconds pass ...
... annnd I get a lovely "unauthorized" response.
> Pic related.25
After a few hours, I think I just got mysql based openvpn authentication working O_o
Fucking yay! Now let's implement a maximum amount of connections per user.
Yes, rants can be happy too.12
I can add two-factor authentication to GitHub, but my online banking password must have EXACTLY 5 characters...14
One day with a lot of hours trying later:
Got an OpenVPN server running from scratch and can (still have to write the actual authentication code) accept or refuse clients through a php script ran from a bash script with a username and password.
Client: "Hey we want you to integrate your product with our system."
Me: "Oh, OK. Where's your API?"
Client: "Here! We even have an outdated .Net SDK, we use XML."
Me: "Ok.. how do we authenticate? What's your OAuth 2.0 endpoint?"
Client: "O auth what?"
Me: " You know, the current standard for REST API authentication and authorisation"
Client: " What's REST?"
Long story short, I'm unofficially the hacker at our office... Story time!
So I was hired three months ago to work for my current company, and after the three weeks of training I got assigned a project with an architect (who only works on the project very occasionally). I was tasked with revamping and implementing new features for an existing API, some of the code dated back to 2013. (important, keep this in mind)
So at one point I was testing the existing endpoints, because part of the project was automating tests using postman, and I saw something sketchy. So very sketchy. The method I was looking at took a POJO as an argument, extracted the ID of the user from it, looked the user up, and then updated the info of the looked up user with the POJO. So I tried sending a JSON with the info of my user, but the ID of another user. And voila, I overwrote his data.
Once I reported this (which took a while to be taken seriously because I was so new) I found out that this might be useful for sysadmins to have, so it wasn't completely horrible. However, the endpoint required no Auth to use. An anonymous curl request could overwrite any users data.
As this mess unfolded and we notified the higher ups, another architect jumped in to fix the mess and we found that you could also fetch the data of any user by knowing his ID, and overwrite his credit/debit cards. And well, the ID of the users were alphanumerical strings, which I thought would make it harder to abuse, but then realized all the IDs were sequentially generated... Again, these endpoints required no authentication.
So anyways. Panic ensued, systems people at HQ had to work that weekend, two hot fixes had to be delivered, and now they think I'm a hacker... I did go on to discover some other vulnerabilities, but nothing major.
It still amsues me they think I'm a hacker 😂😂 when I know about as much about hacking as the next guy at the office, but anyways, makes for a good story and I laugh every time I hear them call me a hacker. The whole thing was pretty amusing, they supposedly have security audits and QA, but for five years, these massive security holes went undetected... And our client is a massive company in my country... So, let's hope no one found it before I did.6
So the Microsoft rage continues as I tell a story about my father, the company that he works for and that companies whole IT structure.
So my father is forced to use Windows because, get this (he hates W10 with a burning passion, like me).... Office and other crap. Cool cool
Seems like Libreoffice isn't enough for you.... YES IT FUCKING IS. MY DAD GAVE ME EXAMPLE DOCUMENTS FROM HIS WORK AND GUESS WHAT, THEY ALL OPEN WITHOUT A FUCKING PROBLEM. But OK, maybe not all employees are familiar with Libreoffice/Openoffice, JUST KIDDING THEY ARE SOME FUCKTARDS WHO WORK FOR THEIR COMPANY THAT DON'T KNOW HOW TO FILL OUT A FORM IN EXCEL (aka. PROBABLY NEVER USED AN COMPUTER IN THEIR LIFE/OFFICE SPACE AMNISH). Okay, some employees might be incapable, but their infrastructure might be alright.
IT RUNS ON MICROSOFT SQL AND DIVX (YES, FUCKING DIVX, CAUSE THAT MAKES SENSE) FROM..........2008.
At this point I just feel bad for them. Because there were no IT guys at the company (they didn't understand shit that I said half of the time). I've warned them that their infrastructure might have more holes than fucking swiss cheese. I see they value their data since the front door is a 60 kg one (that's 132 lb in retard units). And there's a 1.8 m fence around the building.
And they've told me that the parent company, which hosts the server also hosts for 100+ other companies around the world.
100+, you say. I'm legit scared for them right now.
So naturally, I've asked them if they have backups... they do, thank god.
But still they use 2008 shit in 2018 and expect it to be secure. Fun fact, logging into their server (which is an HTTP running on Windows Server...... 2008 (that hurts to say)) with a browser other than.... not Edge.... but IE, *drum roll* breaks it, since... it runs authetication dll's (YES FUCKING DLLS) on the host system. THOSE POOR MOTHERFUCKERS COULDN'T EVEN SETUP SERVER SIDE AUTHENTICATION. EVEN CHANGING THE PASSWORD REQUIRES A FUCKING SYSADMIN TO BE CONTACTED, OH YEA YOU CAN'T SINCE THERE ARE NONE.
GOOD DAY TO YOU <INSERT COMPANY>, SORRY BUT YOU'LL GET FUCKING OBLIRIATED IF SOMEBODY DECIDES TO HACK YOU.10
Authentication feature was only checking the length of the auth header instead of the actual content. I abused this to make a request to our API from inside our system with a junk header, so we were basically hacking ourselves...2
- Let's make the authentication system so the user can only login in one device at time, because this is more secure.
- You know that this will be a general-public application, right?
- Sou you want to "punish" users with a logoff on the other device when he tries to login in a new one?
- But before you said we will use Json Web Token to make the backend stateless.
- And how will we check if the token is the last one generated?
- We will store the last generated token for this user on a table in our DB.
- So... you are basically describing the old authentication model, with session tokens stored on the backend and communicating them via cookies.
- Yeah, but the token will be sent on the Header, not on cookies
- Okay, so why will we use Json Web Token to do this in the first place?
- Because this is how they're doing now, and this will make the backend stateless.
A moment of silence, please.7
"So you need access to the test server?"
"Please fill these 800000000 forms,sign here,get your blood sample,your ID ,your right kidney,letter of approval from your boss,...."
Fuuuuuuuck!!!! I just want to change only 3 lines of code!!!!!!5
Recovering a legacy Gmail account after receiving a notice of a blocked login.
*Tries to remember the bloody password*
*Actually remembers it*
> Sorry your password isn't enough. Your father's phone number that you used a decade ago can be used for verification though!
Google, let's get this straight. Things have changed. I know the fucking phone number and yes I can enter it, and out of sheer stupidity I did send an authentication code his way. Unfortunately however, things have changed in 10 years. I can instantly kill the fucker on the spot if I were to meet him ever again. Do you think that I'm going to get that fucking code?!
> Oh but you can try to email the code to the very account that you're trying to recover, despite the fact that you know the password for it.
TO THE FUCKING SAME ACCOUNT THAT I'M RECOVERING.
Must've taken a true genius to code that in!!!15
Why nobody uses public/private key authentication for ssh and disable password auth?
Am I the only one around here doing this?15
What's the point of using a framework if you don't use any of its features!? What the heck, I have to fix this damn web frontend that is so broken in many ways.
The "REST" API is so messed up, nothing is resource-oriented, HTTP methods are chosen randomly as well as status codes. They are returning "412 Precondition Failed" instead of a plain simple "401 Unauthorized" when you're not authenticated! What the hell, did they even bother to check what 412 is about when they copied and pasted it from a crappy website!? I would never come up with 412, not even in my scariest nightmare.
What kind of drugs were they using when they wrote such code? Oh dear, I need a vacation...3
So there is this new rule in my class...
"No cellphones in the classroom.. they stay in your locker"
Everyone in the class starts trying to negotiate so that they can still text...
I am like sitting at my desk thinking:
How am I supposed to use 2fa??
So.. ya that proves that I have different priorities than everyone else..
Anyways.. how am I supposed to use 2 factor authentication????
Is there an Android Wear app or something?14
The 5 whys
So.. we cant deploy
Why? > We had to take our deployment tool offline
Why? > Because random people from the internet started deployments
Why? > Because we had no authentication and so it was publicly available
Why? > Boss said auth was no priority (we told him every day)
Why? > ¯\_(ツ)_/¯5
Question regarding implementing two factor authentication.
I want to implement 2FA for at least one service I'm writing but I'm wondering, next to email, what services/implementations could I use?
I know that email isn't the best when it comes to security but I also don't want to force (a-technical) users to install an app specifically for 2FA so keeping email as an option as well.
But except for email, any ideas? Anything related to Google/facebook (prism integrated services) are a no go anyways (this has, as mentioned before, nothing to do with my ego or giving myself 'a pat on the back')
As for costs, I don't mind a little bit of money but the service will be free at first and I'm not rich :)
Looking forward to the comments!25
Today I'm going to work on my side project that I haven't touched in weeks.
I want to utilize Angular 2 which means I'll need to learn TypeScript. I also want to use the new .Net Core and EF Core 1.0. Oh and I want to handle authentication using JWT!
Wow, that's gonna be a lot of effort to get things off the ground... maybe instead I'll use this time to learn some new concepts. Maybe watch this episode of Fun Fun Function, or maybe this video on writing Assembly code for an app on Raspberry Pi, that sounds cool!
Actually, you know I should really teach myself dependency injection and unit testing for once. I'm so behind the times.
Well, really I should finish this book on design patterns first. Ok, where did I leave off? Page 20 I think... ehh... maybe I'll just work on my side project.
Tomorrow... tomorrow, I'll work on my side project.9
By heavens creating your own api server with the Go standard lib is so easy it should be fucking criminal.
Now....on to add authentication and a nice frontend stack(prob React) to make it all spiffy and show it to my manager and see if she lets me put this shit to use at work.
It will make it more interesting. It took me nearly 1 hour to get what I needed from the docs, build it using the net package first(das right babe, pure TCP) and just a couple of minutes more for net/http and boom. Ferching info and shit left and right
Man I love this shit. Wish I could do this for a living. Stuck fucking around with css, Java and php at work instead ;____;10
Why did I miss my turn while driving ? I was dreaming about authentication strategies in micro services.2
I had some voucher codes for a website, which a worth a night at a hotel of your choice. This website has a function to check, whether your voucher codes are still valid. Because the website got stuck, i opened the dev console in firefox to find the reason. I found something different: behind the check function was an GET service. Very simple thing, without authentication or flood protection. So i built a python script and brute forced that thing. After a couple of hours, i had round about 20 valid codes. So i wrote to the support team and they were really glad about this. They fixed this within 2 weeks and gave me some amazon gift codes and an job offer. That was my badass moment. Very interesting, that a medium sized, international company could have so simple security issues.5
I've just noticed an app review that I've given and would fit right into the wk123 (that's the insult one, right?).
"Biggest pile of junk that I've ever seen. You have one job! To register the fucking phone number (which you could get with Phone permission) and verify it (which you can do with the SMS permission) and you should either have the user do that once upon installation or you automate it entirely so that it can run in the background! You can fully automate this, and it's not that complicated that it needs 10 whole seconds of loading time in between! Heck, this pile of crap can't even continue into the main view after entering the verification code! You haven't published the source code (and maybe that's for the best) but if it was, I'd probably immediately get cancer by viewing your crappy spaghetti code. Dear developer, please take a step back and (re)join the PC tech support guys. You have no place in the development world."
To top it all off, that app currently only needs phone permission to verify my number (at least they've done that much). So I figured, I've already gone through that authentication flow so let's remove that permission to abide by the principle of least privilege.
Except that the fucking crapp just goes through the "requires phone permission" shit again whenever that permission removal happens. Fucking piece of garbage!!! That such spaghetti code fuckers even have a job, it boggles my mind.4
PM ordered me to not use encryption for customer authentication links because we want to be able so send same link if the user loose it. "we have to prioritize usability over security". At least I can tell future hackers it's not my fault..11
Not me but my friend was so fucking worried when I shown him a security breach website he made for his company.
So that's how it went: We were talking about programming and stuff and we came to authentication logic. We were both still at college and both noob programmers.
He told me he didn't use sessions because they suck server memory and he found this neat thing called "cookies". He explained them to me and I was like "holy fuck"... I asked him to show me the website and login to any account.
I opened chrome devtools and took a. look at the stored cookies. There was only one: userId, stored as a plain number straight from db primary key.
You guys should see his face when I changed the cookie values and was, all of sudden, using his website as a. completely different user.
I explained some stuff to him like database stored sessions or encrypted cookies and he told me he'd fix that shit up first thing in the next day.1
Something strange just happened, activated Fail2ban on another server and instantly blocked me when I already had ssh session open >_>
Does macOS terminal keep on sending ssh authentication requests? Or is my OpenVPN that keeps on sending requests.
Why does this keep on happening to me T_T18
The worst project is the one I am currently working on. I didn’t build it but have to manage it, because... Reasons.
The projects is made on Core PHP(red flag right there).
But when I dig in I get to see there is no authentication used in any of the REST service. Yup. What's the fucking point of login if you are just going to update profiles based on user_id you Twat! The querying used is simply mysql_query (I have to say I expected that).
No relationships defined in the Mysql table structure. No migrations.
There is an upload feature which is forcing the image to be saved as jpeg, therby corrupting the images being saved on the server.
No security, terrible logic, no classes, terrible architecture.
And I am the chosen one to maintain this shit!
Ok wtf? How is it that I can give myself admin access to almost any Apple computer just by turning it on, holding down two keys, and then removing one file called “.AppleSetupDone”, without any kind of authentication? And I get access to all of the data on the device too. Within two minutes of having physical access to the computer.
This is a company with millions of devices in use, why is this even possible? And the only way to prevent it is to have a firmware password, which, by the way, is not a default option...are you serious17
Saw this security blunder a while ago. Went onto some site and it showed me this username/password dialog (probably an apache's htpasswd or nginx one). Went away but returned quickly because I noticed I could see all content. Then I thought 'why the fuck not try?' so I dragged the auth popup thingy to the side of the screen and et voila... I could interact with the page as if nothing was wrong while the authentication popup was hovering above the page on the right!
I sat there giggling dramatically for a while.
Me : I should start building user authentication system.
inner self : there are enough free and secure ones out there, just go read the documentation.
Me : fuck I'm not reading 10000 pages of documentation written in alien language.
inner self : well then you better start building
Me : **writes code
Inner self : you better add the data validation and security while coding
Me : I just want it to work !
Me after a few days trying not to suicide : the site is hacked, the code is bugged, hello darkness my friend5
THE FUCK WHY did the company which made the website I'm maintaining now ADD CUSTOM FACEBOOK LIKES AND TWITTER FOLLOWER WIDGETS - IN A SUBDIRECTORY OF THE THEME?
Guess what, you motherfuckers: One year after you made that damn page the Facebook API changed and your stinking widget is broken REQUIRING ME TO REWRITE MOST OF IT!
Also WHO THE FUCK LEFT HIS BRAIN ON HIS BEDSIDE TABLE the day he decided to HARDCODE ASSETS WITH AN http:// (no tls) URL? YES, browsers will block that shift if the website itself is delivered over tls, because it's a GAPING SECURITY HOLE!
People who sells websites that have user management and thus request authentication without AT LEAST OFFERING FUCKING STANDARD TLS SHOUD BE TARRED AND FEATHERED AND THEN PUT IN A PILLORY IN FRONT OF @ALEXDELARGE'S HOUSE!
Maybe I should be a bit more thankful - I mean I get payed to fix their incompetence. But what kind of doctor is thankful for the broken bones of his patient?9
We have a portal which uses Windows Integrated auth that lists out all off our internal sites.
Navigating to any of these produces a URL like the one in the attached image.
Turns out all our internal application use a base64 encoded email address in the query string as the means of authentication.
So, anyone can authenticate themselves as another employee within the company by simply changing the query param value to said employees email address.
Just came across this incredible software. It’s called “Howdy” and provides Windows Hello style facial authentication to Linux via PAM. It’s even better than Windows Hello because, while it works better with IR cameras, it also works with regular webcams!
I have a pretty shitty webcam but it can reliably tell me and my brother apart, and people often tell us that we look alike. https://github.com/boltgolt/howdy8
So this bloody hilarious, I submit my PWA to windows store, mainly for shits and giggles, see how the whole thing works and all that.
According to them, this is 'Opening within my application" and I am apparently able to access user details via google own sign in link, not SSO.
This exists solely for the benefit of Microsoft who are having trouble comprehending the fact that RTMS Events does NOT have Authentication.
Microsoft believes that as the application uses Google Maps, and when Google Maps opens a “Sign In” button appears, that I am able to access your personal information.
As any reasonable person will understand, that is not the case, logging into Google Maps/Google for the benefit of using Google Maps in NO WAY gives anyone else access to your personal information.
Well... I had in over 15 years of programming a lot of PHP / HTML projects where I asked myself: What psychopath could have written this?
(PHP haters: Just go trolling somewhere else...)
In my current project I've "inherited" a project which was running around ~ 15 years. Code Base looked solid to me... (Article system for ERP, huge company / branches system, lot of other modules for internal use... All in all: Not small.)
The original goal was to port to PHP 7 and to give it a fresh layout. Seemed doable...
The first days passed by - porting to an asset system, cleaning up the base system (login / logout / session & cookies... you know the drill).
And that was where it all went haywire.
I really have no clue how someone could have been so ignorant to not even think twice before setting cookies or doing other "header related" stuff without at least checking the result codes...
Basically the authentication / permission system was fully fucked up. It relied on redirecting the user via header modification to the login page with an error set in a GET variable...
Uh boy. That ain't funny.
Ported to session flash messages, checked if headers were sent, hard exit otherwise - redirect.
But then I got to the first layers of the whole "OOP class" related shit...
It's basically "whack a mole".
Whoever wrote this, was as dumb and as ignorant to build up a daisy chain of commands for fixing corner cases of corner cases of the regular command... If you don't understand what I mean, take the following example:
Permissions are based on group (accumulation of single permissions) and single permissions - to get all permissions from a user, you need to fetch both and build a unique array.
Well... The "names" for permissions are not unique. I'd never expected to be someone to be so stupid. Yes. You could have two permissions name "article_search" - while relying on uniqueness.
All in all all permissions are fetched once for lifetime of script and stored to a cache...
To fix this corner case… There is another function that fetches the results from the cache and returns simply "one" of the rights (getting permission array).
In case you need to get the ID of the other (yes... two identifiers used in the project for permissions - name and ID (auto increment key))...
Let's write another function on top of the function on top of the function.
My brain is seriously in deep fried mode.
Untangling this mess is basically like getting pumped up with pain killers and trying to solve logic riddles - it just doesn't work....
So... From redesigning and porting from PHP 7 I'm basically rewriting the whole base system to MVC, porting and touching every script, untangling this dumb shit of "functions" / "OOP" [or whatever you call this garbage] and then hoping everything works...
A huge thanks to AURA. http://auraphp.com/
It's incredibily useful in this case, as it has no dependencies and makes it very easy to get a solid ground without writing a whole framework by myself.
Apple is now forcing 2 factor authentication for publishing apps on the App Store. Except not just regular 2 factor, 2 factor via AppleId. Which means you have to have the AppleID on 2 different Apple devices! You now have to have a Mac and another Apple device to ship an app and you still have to pay $100/yr for the license.
Hell I usually like Apple stuff but this has gone so fucking far off the rails.12
Don't you just hate where we're going forward with these different JS frameworks and packages? WebPack, Electron and all the other ways we try to use JS for desktop development and a simple build of a tiny project taking 10 mins on an average spec core i7 machine, then overdosing on npm install since every frikn thing is now so modular you donwload a gazillion packages just to set up user authentication with a simple route manager in your app.
Really missing the good'ol monolithic days of programming. I mean, modular is fine bro, but for godsakes draw the line somewhere!
Once upon a time, in a proprietary e-commerce framework used by few hundred sites...
I just took over a project where the previous developer stored password in two separate fields.
password & password_visible
First was encrypted and used for authentication. Second was plaintext password and was shown in the admin panel.
Hope to meet this god someday, I'd sure ask why the hell did he use encrypted password for authentication anyway. 😂3
OMFG I don't even know where to start..
Probably should start with last week (as this is the first time I had to deal with this problem directly)..
Also please note that all packages, procedure/function names, tables etc have fictional names, so every similarity between this story and reality is just a coincidence!!
Here it goes..
Lat week we implemented a new feature for the customer on production, everything was working fine.. After a day or two, the customer notices the audit logs are not complete aka missing user_id or have the wrong user_id inserted.
Hm.. ok.. I check logs (disk + database).. WTF, parameters are being sent in as they should, meaning they are there, so no idea what is with the missing ids.
OK, logs look fine, but I notice user_id have some weird values (I already memorized most frequent users and their ids). So I go check what is happening in the code, as the procedures/functions are called ok.
Wow, boy was I surprised.. many many times..
In the code, we actually check for user in this apps db or in case of using SSO (which we were) in the main db schema..
The user gets returned & logged ok, but that is it. Used only for authentication. When sending stuff to the db to log, old user Id is used, meaning that ofc userid was missing or wrong.
Anyhow, I fix that crap, take care of some other audit logs, so that proper user id was sent in. Test locally, cool. Works. Update customer's test servers. Works. Cool..
I still notice something off.. even though I fixed the audit_dbtable_2, audit_dbtable_1 still doesn't show proper user ids.. This was last week. I left it as is, as I had more urgent tasks waiting for me..
Anyhow, now it came the time for this fuckup to be fixed. Ok, I think to myself I can do this with a bit more hacking, but it leaves the original database and all other apps as is, so they won't break.
I crate another pck for api alone copy the calls, add user_id as param and from that on, I call other standard functions like usual, just leave out the user_id I am now explicitly sending with every call.
Ok this might work.
I prepare package, add user_id param to the calls.. great, time to test this code and my knowledge..
I made changes for api to incude the current user id (+ log it in the disk logs + audit_dbtable_1), test it, and check db..
Disk logs fine, debugging fine (user_id has proper value) but audit_dbtable_1 still userid = 0.
WTF?! I go check the code, where I forgot to include user id.. noup, it's all there. OK, I go check the logging, maybe I fucked up some parameters on db level. Nope, user is there in the friggin description ON THE SAME FUCKING TABLE!!
Just not in the column user_id...
WTF..Ok, cig break to let me think..
I come back and check the original auditing procedure on the db.. It is usually used/called with null as the user id. OK, I have replaced those with actual user ids I sent in the procedures/functions. Recheck every call!! TWICE!! Great.. no fuckups. Let's test it again!
OFC nothing changes, value in the db is still 0. WTF?! HOW!?
So I open the auditing pck, to look the insides of that bloody procedure.. WHAT THE ACTUAL FUCK?!
Instead of logging the p_user_sth_sth that is sent to that procedure, it just inserts the variable declared in the main package..
WHAT THE ACTUAL FUCK?! Did the 'new guy' made changes to this because he couldn't figure out what is wrong?! Nope, not him. I asked the CEO if he knows anything.. Noup.. I checked all customers dbs (different customers).. ALL HAD THIS HARDOCED IN!!! FORM THE FREAKING YEAR 2016!!! O.o
Unfuckin believable.. How did this ever work?!
Looks like at the begining, someone tried to implement this, but gave up mid implementation.. Decided it is enough to log current user id into BLABLA variable on some pck..
Which might have been ok 10+ years ago, but not today, not when you use connection pooling.. FFS!!
So yeah, I found easter eggs from years ago.. Almost went crazy when trying to figure out where I fucked this up. It was such a plan, simple, straight-forward solution to auditing..
If only the original procedure was working as it should.. bloddy hell!!8
I once found a MongoDB cluster open to the internet with no authentication with nearly a terabyte of data that backed a CRM service whose customers included Microsoft and Adobe to name a few.7
My security knowledge is so bad. But I don't know where should I start.😖
My coworkers know about this, so I don't get involved on related topics.🤤
Last time I asked same question, someone gave me link, and it all about DIY welding metal tubes into a security door.🤦♂️
Any better suggestion?13
Someone ask to me as a security engineer.
Bro : what do you think about most secure way to authenticate, i read news using fingerprint no longer safe?
Me : yes they can clone your fingerprint if you take a photo with your fingerprint to camera.
Bro : so what is the other way to authenticate more secure and other people can't see in picture ?
Me : D*ck authentication is more secure now, other people can't see your d*ck pattern right?10
So I'm playing around with Node late at night and decide to make something of it. Made a real-time 2-way communication system with NodeJS, Express and Socket.io. The UI currently looks cheap, but it's clean. Open multiple tabs to see it in action.
You can also send private messages by typing /p username message. I could add authentication here and also connect it to MongoDB.
Any other ideas or reviews? Also any other ideas for Node projects? Thank you.
Try it out here: https://node--chat-io.herokuapp.com4
Friend asked if I have ever built authentication using PHP and SQL...
Feel like sending links for them to research how instead of having me build it for them.
Teach a man to fish...?7
Enter full rant mode. Go!
Ok I've been wanting to rant about this for a while...
A while ago I brought my laptop to school to work on a project. While at school I decided to connect to the school wifi. Back then they had one of those things where you connect to the wifi network, then go to a webpage and authenticate from there. (They've since switched to a general WPA or whatever type thing, which obviously works a lot better.)
Note that this school board is a big one, it's probably got at least 100 schools and the area it operates in has around 6 million people. So it's pretty big.
So I was logging in to the wifi, I connected to the network then opened up firefox to authenticate. It redirected me to the authentication page where I typed in my student ID and password and clicked the submit button. It started loading the next page.
Then... my computer froze.
I obviously had too many apps open (video editing software, IDE and a bunch of firefox tabs) so it didn't really surprise me. 4GB of ram really isn't a lot.
But then I noticed, with horror, my PASSWORD IN PLAINTEXT PASSED AS A GET REQUEST IN THE URL BAR.
I am not joking. It literally said, amid all the cluttery GET stuff, `&password=` followed by my password in plaintext.
WTF?!? DO YOU SERIOUSLY KNOW NOTHING ABOUT SECURITY? AT LEAST USE A POST REQUEST, NOT A GET!!!
For you non-techie people, this means that my password is in the URL address that the page redirected to which means that the password, as well as being displayed in plaintext on the screen, is also stored in my browsing history. Definitely insecure.
I actually had to cover up that part of my screen with my hand until my computer unfroze. Ugh. I never got a chance to complain to the school board though as they switched to a native authentication system (wpa or whatever it is).
BUT SERIOUSLY!!! FOURTH LARGEST SCHOOL BOARD IN FUCKING NORTH AMERICA!!! YOU GUYS SHOULD KNOW BETTER!!
End rant, have a nice day4
Call it like you see it:
TF30063 : You have been fired quietly, or the Microsoft authentication system is down (again.)1
Friend of mine created a blog from scratch... You could create a post, by just sending a POST request (no authentication required!)....
As an additional bonus: you could dump full unfiltered HTML in a post, which was then executed...
Please kill me5
Well on my last full-time job, that ware using cookies for authentication (not something new, eh?). The thing is, you see, the cookies had the 'accountId' which if you change to another number, kaboom you're that account, oh but that was not all, there was an option to mark the account type in there 'accountType', which was kind of obvious in VLE (virtual learning environment), 'Teacher', 'Student', 'Manager' put what of those values and boom you are that role for the session
Thing was open of SQL injection from the login form, from said cookies and form every part you can pass input to it, when I raised the question to my TL he said 'no one is going to know about thatt, I don't see what is the problem', then escalated to higher management 'oh well speak to *tl_guy*'
Oh and bonus points for it being written in ASP CLASSIC in 2014+ (I was supposed to rewrite, but ended up patching ASP code and writing components in PHP)
In 2015-2016, in a private college, charging kind-of big money per year1
"How do we share access to two-factor authentication."
What you mean is "how do we defeat the purpose of multi-factor authentication."4
Am I allowed to use an API from the government that they do not have publicly documented or explicitly said anyone can use BUT don't have any authentication on it?10
Don't bother programming anything for us. We'll never use it. (I work at an IT help desk Technician at a school and this was from the IT director)
They now use 3 of my projects (one SSO authentication, another issue tracker, and the other inventory)
Read a blog post at work yesterday from the company head of IT security. Line 1:
As part of our company policy we enforce the use of usernames and passwords, known as two factor authentication. However we also need to ensure.....
Stopped listening at this point as I hit Google to confirm the definition of two factor auth.
Nope I'm not loosing my mind, the blog post is insane....1
Okay, just because I like the OS, doesn't mean that I fully condone Apple.
They now have a constant notification that won't go away unless I enable two factor authentication. But here's the problem: I LIVE IN A PLACE WITH NO CELL SERVICE.
Also, I don't want to recieve a notification every time I open up my laptop!
Apple, why the fuck do you think I encrypt my data? So my disk is secure! I fucking can't have my phone on me all the time, I am not a goddamn teenage white girl! (I am a weeb developer)4
Currently working on my first real REST api and I've arrived at the authentication part.
I'm not sure how to do this one, the client will have to login using username/password but then, what's the most conventional way of authentication logged in users through a REST api? (no oauth (yet))
This should be usable for anything like ajax requests to calls from the backend to curl requests.
Looking forward to ideas!32
Might be more of a self-rant.. We’re developing an application with token-based authentication.
It’s a big an complex authentication model and flow, which we wrapped up a month ago. All of us very proud of it.
All of a sudden none of it worked.
We debugged for days, there were no errors or anything to trace what was happening.
Today we realized that we set the expiration of the token to 20 years.
Aaaand the expiration time is later on converted to epoch.
Guess what happens when you try to use a value > 2 147 483 647 in C#? Stuff blows up, cuz that’s the limit of an int32.
So yeah, feels good having prepared for the Y2K38 bug already, even though we’ll be replaced by AI writing better software than my dumb ass by then.
(To be fair, it was hidden in Microsoft Owin, which could use some error handling and/or proper messages..)
Not only did my boss insist on setting up roles and permissions for our app how he designed them, even after I spent 4 or 5 hours trying to convince him to let me do it differently, but he has now fucked our entire system.
Under this model of roles and permissions you cannot enforce them on the backend by any means, and now we have a service dealing with users including resetting passwords and changing details that does not use authentication. That's right, aurhe tocation and not even talking about authorization now. Good job.
I honestly wish companies like this would get hacked and fucked over as soon as they did it wrong because I can't believe how retarded some people are.3
I sent my app to one of my lecturers(female). She opened it and it said "Login with Facebook". I had integrated FB login just like other apps for authentication. She thought that I was playing some trick on her to hack her facebook account and refused to continue...
Where to run, where to hide... 😂
After all, the login dialog was of facebook's itself and nothing else.3
TL;DR - the doctor is a lazy cunt and I hope he steps on a lego.
We’ve got a user authentication portal for all the users in our network. Well, we have it set to where you can only have two active log ins on two different machines, anything else will give the error message “you need to log out elsewhere” or whatever it is...
This god damn doctor has been told to log out several times and still calls us to ask why it’s “not working”.
I just received a call because the lazy cock sucker didn’t want to walk from the clinic to the hospital to sign out, are you fucking kidding me you lazy fucking ass hole? It’s not my job to be your mother fucking slave dude, get the fuck up and do it yourself!
I’ll take a lot of shit from anyone but when you refuse to retain the information to preform your job and want someone else to do it because you’re too fucking lazy, that’s when we’ve got problems.
I hope you step on a fucking LEGO.
I’m heavily medicated so if this doesn’t make sense I... don’t care.
Stackoverflow launches a new Dance Dance Authentication. https://m.youtube.com/watch/.... Thank god they didn't build a new Framework.😆😆😆3
Slack is cool and all... But do we really have to have an "account per team" ? Damn I cringed so hard when I was setting up two-factor authentication and realized it was this way... Wtf...9
For fuck sake ... please make sure the logged in user is actually fucking authorized to see that orders info!! Very few things I hate more than being able to change the OrderID parameter in a URL and see somebody else’s order information.
Let's talk about the cargo cult of N-factor authentication. It's not some magic security dust you can just sprinkle onto your app "for security purposes".
I once had a client who had a client who I did server maintenance for. Every month I was scheduled to go to the site, stick my fingerprint in their scanner, which would then display my recorded face prominently on their screens, have my name and purpose verified by the contact person, and only then would the guards let me in.
HAHA no of course not. On top of all of that, they ask for a company ID and will not let me in without one.
Because after all, I can easily forge my face, fingerprints, on-site client contact, appointment, and approval. But printing out and laminating a company ID is impossible.
With apologies to my "first best friend" in High School, I've forgotten which of the dozens of canonicalisations of which of your nicknames I've put in as my answer to your security question. I've also forgotten if I actually listed you as my first best friend, or my dog - which would actually be more accurate - and actually which dog, as there are times in my High School life that there were more tails than humans in the house.
I have not forgotten these out of spite, but simply because I have also forgotten which of the dozen services of this prominent bullshit computer company I actually signed up for way back in college, which itself has been more than a decade ago. That I actually apparently already signed up for the service before actually eludes me, because in fact, I have no love for their myriad products.
What I have NOT forgotten is my "end of the universe"-grade password, or email, or full legal name and the ability to demonstrate a clear line of continuity of my identity from wherever that was to now.
Because of previous security screwups in the past, this prominent bullshit company has forced its users to activate its second, third, and Nth factors. A possibly decade-old security question; a phone number long lost; whatever - before you can use your account.
Note: not "view sensitive data" about the account, like full name, billing address, and contact info. Not "change settings" of the account, such as changing account info, email, etc. Apparently all those are the lowest tier of security meant to be protected by mere "end of the universe"-grade passwords and a second factor such as email, which itself is likely to be sold by a company that also cargo cults N-factor auth. For REAL hard info, let's ask the guy who we just showed the address to "What street he lived in" and a couple others.
Explaining this to the company's support hotline is an exercise in...
"It's for your security."
"It's not. You're just locking me out of my account. I can show you a government ID corroborating all the other account info."
"But we can't, for security."
"It's not security. Get me your boss."
"It's for security."9
Someone just guessed my 20+ character one time password on Microsoft 🤔 2 factor authentication and Geo IP checking are definitely good features.
Well, time to change all my passwords.8
*follow-up to https://devrant.com/rants/1887422*
The burnt remnants of my ID card's authentication information, waiting for the wind to come pick it up. It's stored in my password database now and committed to my git server, as it should be. Storing PIN and PUK codes on paper, whatever government cunt thought thought that that was a good idea...
If you've got identification papers containing authentication information like PIN and PUK codes, by all means add them to your password manager (if you're using Linux, I'd like to recommend GNU Pass) at once and burn the physical version. There's no reason why you'd want those on paper, unless you store your passwords on a post-it too.
At least that's as much as me and possibly you as citizens can do. Our governments are doomed anyway, given the shitty security policy they have, and likely the many COBOL mainframes still in use today. Honestly, the meddlings of Russia with the US elections doesn't seem too far-fetched, given this status quo. It actually surprises me that this kind of stuff doesn't happen more often, given that certain governments hire private pentesters yet can't secure their own infrastructure.
The Instagram API sucks a Lot.
Why the fuck I've to login with my account using OAuth2 to get posts of a PUBLIC account, it's so hard to make an authentication endpoint that doesn't require the user to enter his credentials in order to access PUBLIC content?
Fucking piece of shit5
I am turning 16 in 3 months and I want to start freelancing then. I want to earn money and get some experience .
I will still go to school until I have my a levels so I can go to university later.
Do you have any advice for an absolute freelancing beginner? I will probably make websites with HTML and CSS (of course, what the hell else) and react. Nodejs and mongodb for the Backend.
What should I do in these 3 months to prepare myself?
I want to build a portfolio website and learn more about node, especially how to do safe authentication in these 3 months, anything else? Also which websites would you recommend me?26
A friend has a small business and asked me if I could make him a small program. So why not, experience for me and I can help a friend out. (This started in ~mid 2016)
Started out as a WPF desktop application with many weird bugs and slow interface, into crashing the database on AWS (could not connect, could not get a backup). It was just hell and I kind of gave up on fixing it.
I always talked to him and said "yeah, I will do something better soon", but I was procrastinating and kept pushing it away from me. Then one day I said "f*ck it - lets go" and started coding on 2.0:
- WebApp with a complete new architecture (which I learned in the past few months)
- User authentication (JWT)
- ASP.NET Core Backend for web api
- Angular 4 Frontend w/ bootstrap
- Coded in like a week with 3-5 hours each day
Deployed around 6 months ago and he never had a complain. When I visited him I asked "how is your application doing?" - "great. it just works!".
My once most hated project turned into the most successful project in just a few months.2
fucking zoho and their fucking sign up and authentication process.
they need a mobile phone number for the sing up, alright fine, I provide. but after submitting the form, nothing fucking happened and i am redirected to the initial sign up page. fuck you.
try again and guess what, said my phone number is already used and i can try sign in with it. ok alright, i try to sign in using my number and my password. guess what? i am redirected back at the initital sign up form page. fuckkkkkkkkkk.
i try again with another number. and then this time, guess what? said the fucking email is already existed. jesus fucking fucking christ.
browse around their help desk and found this. https://help.zoho.com/portal/kb/...
sure I follow the advice and guess what? yeah i'm redirected back to the FUCKING GOD DAMN same page again.
I gave up and wanted to send them a reply on their help desk and try to log in using one of my other existing zoho accounts. GUESS WHAT? THEIR HELP DESK LOG IN IS NOT WORKING. ARRRRRRRRRRRRRRRRRRRRRRRRRRRRRR.
I click "Sign In". Login as User or Login as Agent dropdown appear. I click Login as User since my user account is already logged in. It nothing happened. It flashed and I am back at the help desk thread with no changes. It is still "Sign In" at the top. I fucking give up.5
Coolest thing I’ve built solo?
Damn, there’s been a lot of things over the years, but I guess the most used one I’ve made would be my voice activated tv remote - yes it’s real.
So in essence it’s a google home... yea I know spyware and all, but look it was free so I’m going to make use of it... err where was I, oh yea.
An IFTTT account which taps into the google assistant API and creates a webhook, although the authentication side of things is 0 to none, so had to put a api-key into the requests to at least have some layer of auth.
This webhook then hits a raspberry pi containing a PHP API to accept and authenticate the request in, digest this into KEY commands for the TV, and drops this into a Python script to connect to the TV over a web socket connection ( I found python more stable for this ) and sends the pre made key requests, it can even do multiple keys at a time... that was a pain.
So after all that, the end game becomes about a second from saying “hey google, change the tv channel to xxx”
This sick and twisted contraption is finished and the tv is my little bitch.
This has been built out to handle channels by name, number, volume up/down, sources switching to hdmi, tv, vga and a bunch of other things.
The things we do when we can’t find a tv remote for days....
Next up, getting it to launch Netflix app and going to a specified show / episode.. but may be to adventurous.
I just set up a UPlay account because I heard that AC Unity was free until 25th April. Fuck me, it's not free anymore so I guess it was "25th April NOT included". Anyway.
As a security-minded user, I directly set up 2-step login and they gave me recuperation codes, which I stored in a secure place, like I always do (seems to me like a single point of failure, but that's the classic and permanent convenience/security battle).
Then I received this in my mailbox...That's the digital equivalent of separating the state from religion but only electing priests as presidents. I'm quite flabbergasted.1
Client asked us to modify site made in some obscure CMS. Authentication on AJAX request is done by sending email and password as plaintext in header and then it would do md5 on server side5
I started programming when I was 14, because I was deeply enrooted in MMORPG hacking communities. It gave me an escape from real life, and I felt empowered by the skill to create something from nothing. My first language was Lazarus FPC, followed by VB.NET, C#, C++ ( managed and unmanaged non CLR ). As time went on, I found more ways to turn my "hacks" into software, and finally I began selling subscriptions which required me writing an authentication system.
After weeks of research, I began writing my own REST API in PHP using MySQL as my database. At this point I had an IPB forum up and running for a year, but with my newly acquired knowledge I was able to couple my API with my forum software. To properly distribute my API i had to learn NGINX to route my API to a subdomain.
Soon after I began writing my own portal for my authentication system, at which point I had become entirely enveloped in Web Development. I was 17 when I dropped my forum, I'm now 21 and freelancing web app consulting, day job as a QA automation developer.1
If your website has a login wall, my visceral reaction is to close the tab. After that, my rational reaction is to close the closed tab. Because fuck you.1
Changing authentication mechanism in SharePoint from windows identity to ADFS identity is stupidly complicated, especially for existing large farms with custom code.
On the plus side - just convinced the director this is stupid - saved myself, himself, and 1000 users a ton of misery.12
I was explaining client that it’s not secure to use zip code as a password for users authentication, and we should use something else.
So they write me an email, that we should not use password at all, and login only with username (10 digit long number).
It’s interesting how they think: if it’s not secure, then don’t use it at all.4
Three days after I purchased iPhone XS, I had to install a new modem at home. The phone wouldn’t connect to the wifi network in the higher frequency band. The guy who came to install the modem dished out the theory that the phone must be too damn old to support it. That burn!
PS: it connected almost a couple of seconds later that. As if it was some kind of extra layer of authentication. Well played Apple.7
When the site implements authentication through Facebook, but didn't expect you canceling your Facebook account afterwards.
Gsuite support sucks so bad, if you can, please stay far away from it or use it for simple stuff like authentication, if you get stuck you won't get help.
First I asked them:
What is the URL to authenticate Gsuite users using curl?
They said they don't know and it's outside the scope of support, and they told me to go to stackoverflow, I was lucky to only one user who knew the answer.
Then today, I asked them how to increase the access token expiry date since it's 1h, not enough if you are doing admin directory sdk integration (letting your users manage groups)
That my friends is not coding, there should be a setting for that, but again, outside the scope of support, ask on stackoverflow.
Regardless if Stackoverflow can answer or not, it's not their job, I'm a paid Gsuite user.
On the other hand, my company host on Azure, I know server administration, but if we face a server problem that will take me more than 5 minutes to solve, or if we need to patch something, I call the boss telling him to contact Azure and ask them to solve it.
We paid Azure for support so they do support, if they can't provide support then we would migrate to some cheap server on lowendbox.com
A user pays for support and only for support, and that's the least to expect from a big company.
Shame on Google. A company with a billion programmer and stupid support team that can't even forward technical email to some programmer to solve it.
Google doesn't need to hire new CEO to improve cloud services, they could start by hiring better support...2
I made Skype Bot which queries the data using wsdl authentication on our ticketing tool and send the data whoever has requested in skype itself(without logging or touching the ticketing tool).
Manager: Is that even possible?
Me: (In excitement) Everything is possible if you have the will.
Now, He wants me to work on his pet project. I dont know how to react!4
Why doesn't Twitter have a public API without authentication for simple stuff, such as reading tweets. One can do that without logging in on the website, why shouldn't code be able to do it.5
I've just bought 3 months sky ticket...
THEY ONLY ALLOW A 4-DIGIT NUMBERS ONLY "PASSWORD"?!?!
IN WHAT YEAR DO THEY LIVE???
AND THEY EVEN SEND IT TO YOU VIA EMAIL ALONGSIDE YOU USERNAME!
I guess their old windows server which handles their authentication would be overcharged when it'd handle real passwords.4
I find it funny that as soon as I disable password authentication on my server and enable key auth then all of the bots spamming my server with incorrect login requests instantly stop when they realise that they aren’t getting through any time soon. Also don’t ask why I don’t have Fail2Ban and a firewall set up.5
Stackoverflow has introduced the latest evolution in computer security - Dance Dance Authentication
Am I the only developer in existence who's ever dealt with Git on Windows? What a colossal train wreck.
1. Authentication. Since there is no ssh key/git url support on Windows, you have to retype your git credentials Every Stinking Time you push. I thought Git Credential Manager was supposed to save your credentials? And this was impossible over SSH (see below). The previous developer had used an http git URL with his username and password baked in for authentication. I thought that was a horrific idea so I eventually figured out how to use a Bitbucket App password.
2. Permissions errors
In order to commit and push updates, I have to run Git for Windows as Administrator.
3. No SSH for easy git access
Here's where I confess that this is a Windows Server machine running as some form of production. Please don't slaughter me! I am not the server admin.
So, I convinced the server guy to find and install some sort of ssh service for Windows just for the off times we have to make a hot fix in production. (Don't ask, but more common than it should be.)
Sadly, this ssh access is totally useless as the git colors are all messed up, the line wrap length and window size are just weird (seems about 60 characters wide by 25 lines tall) and worse of all I can't commit/push in git via ssh because Permissions. Extremely aggravating.
4. Git on Windows hangs open and locks the index file
Finally, we manage to have Git for Windows hang quite frequently and lock the git index file, meaning that we can't do anything in git (commit, push, pull) without manually quitting these processes from task manager, then browsing to the directory and deleting the .git/index.lock file.
Putting this all together, here's the process for a pull on this production server:
Launch a VNC session to the server. Close multiple popups from different services. Ask Windows to please not "restart to install updates". Launch git for Windows. Run a git pull. If the commits to be pulled involve deleting files, the pull will fail with a permissions error. Realize you forgot to launch as Administrator. Depending on how many files were deleted in the last update, you may need to quit the application and force close the process rather than answer "n" for every "would you like to try again?" file. Relaunch Git as Administrator. Run Git pull. Finally everything works.
At this point, I'd be grateful for any tips, appreciate any sympathy, and understand any hatred. Windows Server is bad. Git on Windows is bad.11
Admin home page secured well, but every CRUD page available without admin authentication on prod environment... for at least 3 weeks
So for those of you keeping track, I've become a bit of a data munger of late, something that is both interesting and somewhat frustrating.
I work with a variety of enterprise data sources. Those of you who have done enterprise work will know what I mean. Forget lovely Web APIs with proper authentication and JSON fed by well-known open source libraries. No, I've got the output from an AS/400 to deal with (For the youngsters amongst you, AS/400 is a 1980s IBM mainframe-ish operating system that oriiganlly ran on 48-bit computers). I've got EDIFACT to deal with (for the youngsters amongst you: EDIFACT is the 1980s precursor to XML. It's all cryptic codes, + delimited fields and ' delimited lines) and I've got legacy databases to massage into newer formats, all for what is laughably called my "data warehouse".
But of course, the one system that actually gives me serious problems is the most modern one. It's web-based, on internal servers. It's got all the late-naughties buzzowrds in web development, such as AJAX and JQuery. And it now has a "Web Service" interface at the request of the bosses, that I have to use.
The programmers of this system have based it on that very well-known database: Intersystems Caché. This is an Object Database, and doesn't have an SQL driver by default, so I'm basically required to use this "Web Service".
Let's put aside the poor security. I basically pass a hard-coded human readable string as password in a password field in the GET parameters. This is a step up from no security, to be fair, though not much.
It's the fact that the thing lies. All the files it spits out start with that fateful string: '<?xml version="1.0" encoding="ISO-8859-1"?>' and it lies.
It's all UTF-8, which has made some of my parsers choke, when they're expecting latin-1.
But no, the real lie is the fact that IT IS NOT WELL-FORMED XML. Let alone Valid.
THERE IS NO ROOT ELEMENT!
So now, I have to waste my time writing a proxy for this "web service" that rewrites the XML encoding string on these files, and adds a root element, just so I can spit it at an XML parser. This means added infrastructure for my data munging, and more potential bugs introduced or points of failure.
Let's just say that the developers of this system don't really cope with people wanting to integrate with them. It's amazing that they manage to integrate with third parties at all...3
Just posted a rant that BitBucket gave me a big Internal Server Error
Then I realized one of my extensions was overriding the authentication token (as I configured it to do that for a dashboard) and that was why BitBucket was inaccessible
Why do I keep doing this to myself
1. It's gonna be more and more specialized - to the point where we'll equal or even outdo the medical profession. Even today, you can put 100 techs/devs into a room and not find two doing the same job - that number will rise with the advent of even more new fields, languages and frameworks.
2. As most end users enjoy ignoring all security instructions, software and hardware will be locked down. This will be the disadvantage of developers, makers and hackers equally. The importance of social engineering means the platform development will focus on protecting the users from themselves, locking out legitimate tinkerers in the process.
3. With the EU getting into the backdoor game with eTLS (only 20 years after everyone else realized it's shit), informational security will reach an all-time low as criminals exploit the vulnerabilities that the standard will certainly have.
4. While good old-fashioned police work still applies to the internet, people will accept more and more mass surveillance as the voices of reason will be silenced. Devs will probably hear more and more about implementing these or joining the resistance.
5. We'll see major leaks, both as a consequence of mass-surveillance (done incompetently and thus, insecurely) and as activist retaliation.
6. As the political correctness morons continue invading our communities and projects, productivity will drop. A small group of more assertive devs will form - not pretty or presentable, but they - we - get shit done for the rest.
7. With IT becoming more and more public, pseudo-knowledge, FUD and sales bullshit will take over and, much like we're already seeing it in the financial sector, drown out any attempt of useful education. There will be a new silver-bullet, it will be useless. Like the rest. Stick to brass (as in IDS/IPS, Firewall, AV, Education), less expensive and more effective.
8. With the internet becoming a part of the real life without most people realizing it and/or acting accordingly, security issues will have more financial damages and potentially lethal consequences. We've already seen insulin pumps being hacked remotely and pacemakers' firmware being replaced without proper authentication. This will reach other areas.
9. After marijuana is legalized, dev productivity will either plummet or skyrocket. Or be entirely unaffected. Who cares, I'll roll the next one.
10. There will be new JS frameworks. The world will turn, it will rain.1
I'm in the 7th circle of hell. Building out an authentication system using a 3rd party vendor into our company's application.
Developing in PHP, running inside a docker container, using a Windows PC. Absolutely everything has gone wrong that could go wrong but PHPCS whining about a missing space between the "!" and variable name was the last straw.2
When you spend longer trying to work out why your background <div> refuses to cover the entire page, than you spent coding an entire user-authentication system in TypeScript for Angular 2.
Steps for making something that works become shitty, gmail and Microsoft edition:
1. Enforce non standards compliant authentication methods because you know client developers will have to bend to your will because you're fucking google
2. Let Microsoft develop a ldap wrapper with web authentication to load when you try to log in with a client.
3. As per usual, the Microsoft azure Authenticator crashes thunderbird immediately. Not even sure how they managed to do that
4. And we have suck.
So, a new web project came for some small layout changes, nothing to fancy.
It was on the hands of another company and the client didn't want to work with them anymore. Basic Magento with a custom theme.
As I was wondering through files, I found out that the old devs echoed, in ".phtml" files, contents from ".txt" files located in base directory. I was shocked and went forward with it. The core of Magento had tons of this "echo"s. Several minutes later I found out that they "coded" another administration panel besides Magento, that had "authentication" with hard-coded user/pass inside index.php and a session start. That admin panel just rewrote the contents of .txt files using textareas. Why/what/when the fuck..they've forgotten the admin password?!?!!!!
This was like 3-4 years ago.
Worst project i've seen, ever...
Wanna know about hacks? I'll tell you. There is a peace of software called SugarCRM. It has OAuth2 provider implementation. I was assigned to write OAuth2 consumer for it.
It turned out they just failed to make it right.
The list of hacks:
* Hack on standard Authentication header. They use custom.
* Hack on "scope". They send null which is standard violation. So it is replaced to empty string before response processing starts.
* This is my favorite. Refresh token simply doesn't work. So we need to store user's credentials in memory to be able to reauthenticate user transparently.4
So I had been developing a real estate website and developing a MLS feed parser. I had only 1 year experience at that time and parsing a XML feed was already complex enough. On top of it, the client wanted to automate feed download from the MLS provider through HTTP authentication. Managed to do it. Everything worked for 15 days and on 16th day the property location markers stopped appearing on Google maps. Turned out that address to lat-long reverse geocoding was failing because API limit exhausted. My bad, I coded it on view instead of caching the lat-long in database. Fixed it in a day and viola!
Attention guys and gals! If you are using grafana in your home setup, update it asap to 4.6.4 or 5.2.3. versions before those two are affected by an authentication bypass vulnerability. CVE 2018-15727
In the meanwhile, my nginx config is blocking everything but the LAN ips :)
Security is a joke. And people don't seem to get it. Especially Data mungers.
I've spent about half an hour trying to work out how to securely connect to power BI using PowerShell in a renewable manner for unattended access later on.
Every single example I've found seems to involve you storing $user and $password variables inside your script. If I'm lucky, they're going to pass them through ConvertTo-SecureString. And nobody talks about securely storing AD auth tokens, or using the Windows Credential Manager.
I know it's possible, but it's going to take me ages to work out how from all sorts of disparate sources...16
1. Setup an Amazon.com account.
2. Setup an Amazon Web Services account under the same e-mail address
3. Setup two-factor authentication for both systems.
4. Login to Amazon Web Services in a new browser session, and you'll be required to provide BOTH security tokens at login (Amazon.com first, then AWS second.)3
Is yubikey actually more secure than just super wide public key authentication? I mean cryptographically, let’s ignore the “2 different sources” factor unless that’s literally the only difference5
I'm sad that StackOverflow is removing OpenID support. I've run my own OpenID server for years, and I've slowly watched support get removed from all the sites I previously used it to login to.
Goodbye open, distributed, authentication standards.3
SO MAD. Hands are shaking after dealing with this awful API for too long. I just sent this to a contact at JP Morgan Chase.
1. I'm having absolutely no luck logging in to this account to check the Order Abstraction service settings. I was able to log in once earlier this morning, but ever since I've received this frustratingly vague "We are currently unable to complete your request" error message (attached). I even switched IP's via a VPN, and was able to get as far as entering the below Identification Code until I got the same message. Has this account been blocked? Password incorrect? What's the issue?
2. I've been researching the Order Abstraction API for hours as well, attempting to defuddle this gem of an API call response:
NOWHERE in the documentation (last updated 14 months ago) is there any reference to this^^ error or any sort of standardized error-handling description whatsoever - unless you count the detailed error codes outlined for the Hosted Payment responses, which this Order Abstraction service completely ignores. Finally, the HTTP response status code from the Abstraction API is "200 OK", signaling that everything is fine and dandy, which is incorrect. The error message indicates there should be a 400-level status code response, such as 401 Unauthorized, 403 Forbidden or at least 400 Bad Request.
Frankly, I am extremely frustrated and tired of working with poorly documented, poorly designed and poorly maintained developer services which fail to follow basic methodology standardized decades ago. Error messages should be clear and descriptive, including HTTP status codes and a parseable response - preferably JSON or XML.
This whole piece of garbage is junk. If you're big enough to own a bank, you're big enough to provide useful error messages to the developers kind enough to attempt to work with you.2
Just got handed a dozen servers. Documentation shows a (Linux) database cluster is using ldap authentication. I try logging in with my creds. No joy. I look up the root password and log in.
Not only is it not configured to use ldap, it's also not clustered.
I need more coffee.
How do you (not) secure your Rest based web service?
1. Chain it to shady organic authentication system built by a hoard of monkeys high on Tequila.
2. have secret keys that get copy pasted into config flat files, and index them on your code search engine.
3. make the onboarding extremely platform specific that you need 500 environment variables, 50 scripts, 5 fancy device presses and a tap dance to make a GET call to the service.
4. fish through 500 rotating log files that the authentication system generates for each API call made.
5. Leave traces all over the host so if you have to start over, you should sudo rm -rf / and set fire to your computer.
Started up KiTTY to connect to my virtual test server per usual when I couldn't establish a connection.
Nothing too unusual so I do the typical troubleshooting I make sure host, port and authentication is all correct and it is. So now I open the display for the virtual server and start looking at ip info, host info, checking ports and everything is completely fine.
Now I'm getting frustrated so I start running things like configtest in apache, using systemctl to check the services status, even restarting virtualbox in my windows 10 devpc. Still cannot connect!
I start feeling hopeless and just shut everything down, the whole operating system.
Computer boots up and I start my usual thing of creating workspaces, opening editors, starting servers, etc.
I open KiTTY again and launch my virtual test server..
Somethings you just can't fix without a reboot.
We had a project with a web app and an Android app. We split it out, he took the web and I was working on Android. He was very curious to do the project with me and very motivated at the beginning. We agreed on our first module that was user authentication. After some time when I told him that first module of app is ready and asked him on his progress, (When ever we had a talk he pretend like every thing is going fluently, though I continously told him ask for help if needed ) he opened a folder in vs code containing two files "index.html" and "style.css" and showed me the "login & sign up" design he was doing for days. I have no option but to appreciate his work. On that day I created new folder on my machine "web application" and started working.3
How the fuck does php type juggleling evaluate an variable as an integer on my system and passing all tests.
Then on the server as string, failing a typesafe comparison for authentication.8
My biggest challenge has been moving away from an unmaintainable Java/Tomcat/Spring Security application server to a Node.js/Express application server. That handles single sign on and two factor authentication. In 2 weeks.
I'm a front end dev. I'm sure it's fine 😓6
It's my first rant. So please ++1 me.
Now my rant:
In this semester I had a subject about system architecture. In this class, we must learn Java script, C# (and ASP.NET framework ), PHP (and Zend Framework 2), but in the classes is taught only UML and patterns. In the moodle of the subject we don't have any information about any of the languages and if we ask the teachers they don't know anything.
So we are all fucked10
Our key client-facing portal has a single untrained developer fumbling his way through with no code review, no build process and inputs from absolutely fucking everyone in the business. They make all changes to prod, they have exposed the unsecured dev server to call an API and all information is sent over unsecure plain text. The login authentication is a fucking GET request!
And I get lumped with explaining to angry clients that we have no fucking clue what we are doing, can barely ship an MVP and we are not putting any thought into privacy.
Oh well, I'm done with this fucking shit hole and am quitting this week. It can be someone else's problem to support the sinking ship2
Definitely andOTP, my two-factor authentication app for Android: https://github.com/andOTP/andOTP
The only thing cooler will be once I finished to rewrite it from scratch to get rid of the legacy code from before I forked it.7
I recently went to an office to open up a demat account
Manager: so your login and password will be sent to you and then once you login you'll be prompted to change the password
Me: *that's a good idea except that you're sending me the password which could be intercepted* ok
Manager: you'll also be asked to set a security question...
Me: *good step*
Manager: ...which you'll need to answer every time you want to login
Me: *lol what? Maybe that's good but kinda seems unnecessary. Instead you guys could have added two factor authentication* cool
Manager: after every month you'll have to change your password
Me : *nice* that's good
Manager: so what you can do change the password to something and then change it back to what it was. Also to remember it keep it something on your number or some date
Me: what? But why? If you suggest users to change it back to what it was then what is the point of making them change the password in the first place?
Manager: it's so that you don't have to remember so many different passwords
Me: but you don't even need to remember passwords, you can just use softwares like Kaspersky key manager where you can generate a password and use it. Also it's a bad practice if you suggest people who come here to open an account with such methods.
Manager: nothing happens, I'm myself doing that since past several years.
Me: *what a fucking buffoon* no, sir. Trust me that way it gets much easier to get access to your system/account. Also you shouldn't keep your passwords written down like that (there were some password written down on their whiteboard)
Manager: ....ok...so yeah you need sign on these papers and you'll be done
Me:(looking at his face...) Umm..ok4
Was recently in a motorcycle accident and haven't been cleared to go back to work yet so I'm trying to build my first Android app.
I don't know Java, XML, kotlin, Android studio, or what the fuck a Gradle is; but I figured I'd take my app idea and download Android studio then try winging everything from there.
Needless to say, I'm having a damn hard time lol. I have been watching firebase tutorials on YouTube to try and figure out how to add authentication to my app. I kinda got it working in the AVD. But my personal Google account has 2FA enabled so I can't seem to get the app to sign me out, or sign me back in. (I was able to authenticate once successfully.)
I have no idea if having 2FA enabled is even the problem. I tried turning on debugging and can't seem to figure out how to actually get the app to debug or get a debug console open.
I seriously feel like the world's biggest n00b right now. Going to go YouTube/Google how to get the debugging working. Then I'm off for a round of learning how to read a debug report!
Hahahaha... Kill me now -_-'2
DevRant-API-Docs Site Update:
Finished Auth System.
The Authentication System should be ready now. You can login/register and create questions/answers!
So the Q&A Section is fully functional now!
Please note that there may be bugs!
If you find one, please report it here:
Dude at work floats the idea of creating separate Github accounts for personal and work for security. My response:
While we're discussing options, we should also consider maintaining a list of users as a CSV^H^H^H MS Excel file, and install an authentication server that runs off the laptop of an "IT Administrator". That way it'll be super secure because hackers cannot access any system outside of working hours, as well as the days that said admin is off from work.3
Get a message from our teammate explaining o auth. First off, I mean come the fuck on. Second I was building our authentication for a fucking week. It's all around slack and the commit messages.
Then again when you don't even check the fucking repo ever, you won't know the progress. Yes, this is the jackass from my last rant. Sweetheart will only be able to be there 15 minutes before class ends today. Obviously, I'm not going as I don't care about the outcome of this shit at all at this point. I have access to the orgs and repos as the creator. Whenever I decide to get some real work done, I'll just ban his bitch ass.
I can't believe this fucker actually tried to explain o auth like he was talking to a child. I wrote back that he can look at the week long discussion we already had about authentication. Fucking idiot.
Company sends email notifying us we'd need to register for two factor authentication because it would be mandatory for all access to email within a week. However, it had to get manager approval and had a side effect of giving us access to work from home (which my manager hates). So, we send the request to him, explain the situation, he denies it and says "that can't be right! Let's do this: if you do in fact lose access to email, then I'll approve it". Well, we did lose it, and just spent two days without any access to email and it was a huge pain to get the registration process done because one of its steps involved getting a validation code from the email.1
How do you prevent your software being vulnerable to IP address spoofing? Authentication? Certificates? VPN? Nah, just check the MAC address field of every packet. Nobody ever spoofed a MAC address before, that's just impossible. I thought that in binary there were only ones and zeros, but I guess nobody told me about the special tamper-resistant ones and zeros that MAC address fields are made of.
Oh, once you've done that, don't forget to tell the marketing people to put it in a brochure as an "innovation" for everyone to see.
I should post more of the crap the idiots I work "with" (quotes, because I am only here in body not mind) say. Especially when it comes to network stuff.
Fucking hell the AWS IAM documentation is confusing as fuck. Trying to set up a fucking role is harder than cutting a rock with a fucking spoon.
And who the fuck thought it would be a good idea to allow a CLI user to run any command he's allowed to without any form of authentication??
Oh, set up MFA for the CLI you say? Good fucking luck with that, if you ever manage to figure out how to set that shit up!
Fuck this shit!2
WHY THE FUCK DO YOU FUCKING RETARDS USE TWO DIFFERENT AUTHENTICATION METHODS FOR THE PAYMENT AND THE CHECKOUT API AND DON'T EVEN DOCUMENT THIS SHIT PROPERLY!! 🖕2
So the contract for this big project with a client has some interesting content in it. I'm not sure if I can sign this in good faith.
Because I seem to be lacking guard dogs and a receptionist at my home office. Maybe I could build a force field for them.
And I'm not really looking forward towards having all my friends sign a document every time they visist.
5 PHYSICAL SECURITY
5.1 Adequate physical security perimeters (e.g. fences, walls, barriers, guards, gates, electronic surveillance, physical authentication mechanisms, reception desks and security patrols) shall be implemented to safeguard Information and information systems.
5.2 Supplier shall have a documented visitor policy and all visitors must be identified, registered, logged, and accompanied by an employee from Supplier.2
I just saw that Azure Devops asks you to run `curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash` to install their CLI.
Pipe something from the internet directly into a sudo shell? Are you nuts?8
I setup a Firebase project, and then remove the authentication completely, so I can send API call freely.
After 2 weeks I am still alive...
So I was having problem logging in to slack. It seemed like their two-factor authentication was not working. So I kept on pondering and pondering. Then suddenly a light bulb was lit in my brain. I said to myself, "what would an ordinary muggle do? They surely will click on this contact us button and raise a ticket with them." So that's exactly what I did.
so after a while slack did sent me 16 text messages together as a sweet reward of my trials. I was happily working in Slack and then I realised they in fact did answer my ticket. The only thing is I just needed to log in to get the answer I need. I am happily reminded I wasnt the only fuckwit left into existence...
Best debug ever?
Some years ago we had to do a web project as group. It was a cinema like website with backend and front-end.
So in the end we arrived at the presentation and while scrolling the code I found commented out some authentication controls 😅😆 (probably for debug reason lol)
Whatever, meanwhile, while I was talking with the professor two of my mates were whispering... Turns out they found what he mail service wasn't working. And what's best than fix it, push it to the Heroku server and restart all? XD
The professor noticed some little lag in a button and asked "what's happening?"
"oh, nothing we just restarted the server "
Basic REST server authentication: pass a valid username in the URL of your request and you can publish trade and market data that's used by other systems.
I think they're moving to oAuth now but... These developers are slow and only do things when a gun (Sr. Management) is held to their heads.
I'm working with a consultant group at my company to implement a new authentication strategy for our entire platform.
The senior dev lead from the consultant group has 25+ years consulting and claims to have written a web browser for the blind and all sorts of in-depth accessibility things.
Stakeholders tell us "Don't forget about accessibility compliance on this project"
Senior dev lead with all this claimed accessibility experience asks me, "What does accessibility mean?"2
Creating an secure authentication system is not that easy...
Especially if you create it for a community full of devs.
But I think I've found a secure solution.
Maybe some security experts on here could review the code after I'm finished.
Here's the GitHub repo but the auth system is not up yet:
What's the safest 2 factor authentication application for Android? It looks like some services prefer a specific application, will they only work with certain ones or will all work?3
A couple of weeks ago my work email got hacked, I found out because he/she was sending phishing mails to yahoo emailaddresses, but they couldn't be delivered because they were marked as phishing.
I've immediately changed my password and turned on two-factor authentication, shared my story with my boss and now we use two-factor authentication for every service where it is possible.2
I am trying to "invent" secure client-side authentication where all data are stored in browser encrypted and only accessible with the correct password. My question is, what is your opinion about my idea. If you think it is not secure or there is possible backdoor, let me know.
- test string (hidden, random, random length)
- password again
- hash test string with sha-512
- encrypt test string with password
- save hash of test string
- decrypt test string
- hash decrypted string with sha-512
- compare hashes
- create password hash sha-512 (and delete password from memory, so you cannot get it somehow - possible hole here because hash is reversible with brute force)
// DATA PROCESSING
- encrypt/decrypt with password hash as secret (AES-256)
EDIT: Maybe some salt for test string would be nice8
This is how my login and authentication works
Check for cookie on request
if cookie doesnot exist, send login page ( login )
1) check for credentials
2) if valid, set username's JWT as cookie
3) reload page
4) proceed for authentication
If cookie exist, decode JWT ( authentication )
1) check username
2) if username exist on database, send user panel
Anything wrong with this ?? What is the better way to do this6
That moment you setup 17 domains on sparkpost as a email delivery system
make your account secure with 2 factor authentication like a good infoSec enthusiast
Go on with your life
Having a Phone crash but nothing to worry because you made them backupz
once again go on with your happy life.
Having to setup a different bounce action on sparkpost
logging in to sparkpost to make the adjustments
opening google authenticator
realising the backup you restored was before you added the sparkpost entry
mailing sparkpost asking to deactivate 2factor authentication
Having them tell me that they have no access to Google authenticator so they can't help me and all they can do for me is delete my account if i answer their 7569357 questions that i entered a year ago ..
You have access to your database yes ? You can delete my account but you can't adjust a fcking Boolean column from true to false? #@?#&!
Why even offer a feature where you have apparently no control over. Stuff like this happens all the time and almost no one saves that fcking authenticator secret.
Make people use authenticators to keep the hackers out, forces them out instead.4
Why the fuck is debit cards that don't need a PIN for transactions even a thing? What is so difficult to understand or implement in a two factor authentication? Like do these companies have meetings where some fucktard proposes removing a crucial security feature and the others just nod approval?6
Hello, I’m considering building a web framework.
My ideal features would be:
Customizable authentication system(considering using a jwt lib)
Embedded DB(bolt db)
ORM( writing my own)
REST api to DB (via code generator)
Code generator(generation of models and views via cli)
GUI to db(some admin dashboard)
CORS(web service right?)
Ease of development
Fast prototyping of small-medium web services.
My question is, do i have to many things on my platter? Should i narrow it down into less featured framework? What feature should I focus on? How should i benchmark it? Should i write tests for absolutely everything or just for exported methods? What should i take into consideration when developing ORM API, Auth API...
The language is Go
Thank you for your input11
I've been fighting with my xmlrant.com hosting provider for a good several days now regarding enabling web deploy for my account.
According to their screenshot it all works, according to my various attempts still getting either 404 or 401 with the same login / server details!
So frustrating... It almost looks as though same authentication works differently for them locally and for me externally... Maybe domain name needs to be in FQDN format... Or smth else... Either way this will probably end up with them saying fuck off, all is working on our end.
And as well it might - it just might be my incompetence... *self-doubt creeping in*
But it's still frustrating nevertheless.
So far I need to settle for unreliable FTP deploy, which introduces big overhead as always copies entire deployment folder, even is only a few files are actually changed.
You know what Microsoft, I should've known. You offer an awesome opportunity to be a part of an amazing "machine learning" course. What happens? I can't get past the fucking login screen.
No error. Login authentication just hangs.
Serves me right thinking that Microsoft had their shit in gear for this type of take on.
I'm so sick and tired of piss poor systems that can't handle a simple authentication process 😣3
A project that is used across our company with multiple clients. It's huge, over 2million lines of code and 116 separate projects. Not a single piece of documentation. Took me three weeks to track down where the authentication occurred with visual debugging and mapping tools.2
It's almost 2 am now. I was up till now, trying to make pouchdb and couchdb cross-domain authentication work.
The whole replicable state of art needs a hero, the one no-backend solution that actually works and don't make you lose sleep.
Why can't I wrap my head around laravel enough to build an authentication system I've built before 😖😡😠
External Login Service and my app would be an OAuth2 client receiving an id token...and no there isn't a third party integration for this login service5
Wouldn't call it a feature. More like worst practice. Data manager (and my boss at the time) kept using our website as a way to host large files 3rd party vendors/partners could download instead of using one of the many secure transfer methods out there to send them data. This was sometimes extremely sensitive data. No authentication or security that I could find. I went ballistic on him after seeing that.
My bank just switched from RSA SecurID to SMS-based 2-factor authentication, claiming it offers "equal security".
Is it not common knowledge that SMS 2FA is a security joke?? What the fuck guys?!?
Service I was needed to integrate to our system had such poor documentation and a separate pricing tier to access their APIs...
... Not having it. Used Guzzle to perform both the authentication and their search page, then made wrote a function to web scrape the result.
Job done. 😎 And yes, I have no shame to say I love PHP.2
My phone got stuck in funky restart boot loop yesterday. The first 2 restarts was odd but after 3 cycles, I started panicking. Went on my PC, googled for all kinds of button combinations of power button, volume button, back button, and home button to get into fastboot, recovery and safe mode to see if I can clear stuff or at least get backup of my stuff. I also tried taking the battery out. Nothing works, except when I factory reset.
Everything was new again and as it booted up, I have to remember to change my authentication keys in LastPass, my private ssh key in Krypt. But fortunately, Google remembered all my apps and suggested if I wanted to install them again since it recognized my phone was an old phone. Thanks for tracking me Google. And now since its a reset, everything is clean, no cache, cookie, and some of my music files are all gone. Well at least its fast like before.3
Fuck I feel fucked up just for completing user account management, authentication, email verification, password reset. Securing all of this with ssl and checking for any security loopholes.
I can't believe this took me more than a couple months.
Well I was lazy and unmotivated.
I fucking hate crafting stupid ass routes in nginx.
I fucking hate making a nice responsive gui.
I have to design even the stupid html for the emails. Fuuuuck.
So much boilerplate on top of that with username and email validation.
I learnt regex 5 times over the past couple months, still not enough.
And now I actually have to build the functional part.
On the plus side I can reuse this stupid boilerplate if I can make it more modular and readable.
There's shit ton of comments to the point where I feel like an idiot for including so much info. It's like I've written it for a toddler to take over.
Gawd. Anyways it's over now. 50% I guess.
I can finish the rest of the server more quickly and then spend another year designing the Android application.
I'm really lazy in places where I have to design UI/UX. Although at this point it's kinda what could put my application at the top. (I'm lazy, I ain't bad.. I just hate implementing my ideas I wish I could just visualize and have it appear on my screen)
I do like parts of gui that involve little math problems that would make motion smooth and efficient.
Walking home from work gracefully,
minding my own business.
Swinging my umbrella gracefully,
With a slight crack of a grin on my face.
THEN THIS DUDE TRIES TO TAKE MY PHONE OUT OF MY POCKET! Non-gracefully!
Fuck poetic Justice, he ruined my happy thoughts,
I was planning an authentication decorator for a project am in love with
And the code was beautiful.
The phone fell on a wet footpath in the struggle,
Now my umbrella has mud on it!
Lately, I've been working in a web security company (mainly as a Support guy).
Going through tickets, I've found one golden gem, which helped me realising how dum customers are.
Since he's our customer, we try to keep stuff up-and-running at all times. If something goes bad, we fix it, and we need their passwords for stuff.
After the customer (somehow) got hacked again, he changed the password in panic.
Note the initial password was really, really good.
He emailed us the new password for "just in case".
The password is "hard-to-guess".
What. The. Actuall. Fuck.
Setting the password "12345", activating 2-step-authentication and sending his phone in, along with his finger so we can unlock it with touch id?2
Why must all the information about API authentication with Angular must be either outdated or shitty explained?
If anybody have some good, working angular+express server code, please share that to me...
I needed to implement user authentication on an android app during ny internship. It always authenticated and ran code for not authenticated user. Turned out I wrote else instead of an if else.
What do you guys desire from an API, apart from well-written documentation? One of the things I want to work on is a website with an API, and I want to know what you would want from one. Eg version numbers, error fields, authentication, stuff like that.2
Team are getting into using Machine learning for anomalous behaviour detection for authentication and traffic behaviour... It's so interesting and another useful tool in our security arsenal
Can you write me a sync plugin for this API. Wait the 'authentication' is with a 'key' in a plaintext unsecure GET request with no throttling? #omg
Many out there say you should use 2 factor authentication with everything, but personally i feel lile that would just turn your phone into a sigle point of failure.
Phisical security is my primary worry, because loosing your phone or having it stolen yould pretty much lock you out of all your accounts.
Another thing is i don't know as much about android security, and i wouldn't be confortable managing it.
I have 2FA active for some key services, but imho a strong password is usually enough. I think its far more more importat for your overall security to avoid passwords re-use.
What do you think? Do you have 2FA on all the time?9
Has anyone heard about Bench and Frappe framework?
It is a very good python, open source framework.
It sets up almost everything for you when you want to start a project.
I found this framework, when I was searching for an open source ERP built on python, since Odoo went commercial. -_-
After searching, I found Frappe framework. It is a small community, but the framework has potential in my opinion.
Just wanted to pinpoint this very good framework.
Now every time I want to start a new project, I do not need to to all the set ups, like database, user authentication, user permission, etc. The framework does it for you.
NOTE: I am not and I do not have any connection with the devs and this company. I am just a user of this framework, and just wanted to suggest to you and take a look.
Links: https://frappe.io/ , https://erpnext.com/3
New authentication system for a new type of login, I try to log in
Error everytime I try.
So I wait a little, like 10 min (the server is quite picky, thought it was it).
And then I try with another co-worker.
Token for App -> backend authentication is generated one time when the user signs up. Sniff it once and you've got access to the user account forever.
Passwords are hashed with one round of SHA1, no salt.
Everything including login data is sent over plain HTTP.
Luckily I got permission to fix that mess1
TL;DR: FFS Microsoft
So yesterday we were at the point in our project where adding a login system seemed like a good idea. This is an asp.net core mvc project and we use Materialize for our frontend.
So according to _the tutorials_ we could start a new project and add authentication in the prompt by pressing a button. As it created the project I thought it seemed nice and easy enough. After it had created the test solution I build it and, sure enough, in the top right corner there were a register and login <a>.
I checked them out and they were your bog standard form input input submit and all. Now I guessed I could look at how it's all programmed aaaaaaaaand
I saw a new folder located at Areas/Identity/Pages which had a _ViewStart.cshtml which contained three lines. There were also a database migration and in Startup.cs there were some database stuff, but other than that? Nothing. So where on earth was the login and register form located? Shit like that is frustrating ya know.
But oh well it seemed to work and I switched to our examn project where I found it was possible to scaffold the login system in a way that seemed nice.
Except, for some reason bootstrap and jquery decided to return to our project. FFS Microsoft!1
Damn feeling really happy. Finally I am able to understand and make my custom workable middleware in python. It took me 3-4 days to code authorization process 😓
Hey, instead of using simple authentication to talk to this vendor system, we want you to use personal authentication tokens that you can't generate because we never turned that feature of the system on.
Funny how every single one of my side projects fails due to authentication/authorization/user management. Yeah... Funny and stuff... Thats the right word for my discourage I think... Funny! It's funny!
(open for suggestions)4
Am I incredibly paranoid with my idea of multiple(>2)-factor-auth like fingerprint+yubikey+password+OTP aso?4
This was an effort to combine Gitlab, Github and Bitbucket with VSCode and git SSH authentication. SSH agent doesn't work, configured, added some code in .bashrc, seems fine. Then there was still ssh-askpass missing.
"ssh_askpass: exec(/usr/bin/ssh-askpass): No such file or directory"
WTF VSCode? Why do I need this crap?
However, installed it. Nevertheless, I'm still asked for my password every time when I synchronize using the GUI. Thank God everything was in docker containers/images. So at least there is no garbage left after every failed attempt.
I don't know how, but I finally made it that at least synchronization using the terminal works without a password.
Took me five hours to do this shit.
Now I just report the bug to Microsoft and then straight to McDonalds. I'm starving.1
Hey i want to make a chat application for production workload with more than 100000 simultaneous connection and more than 1000000 daily active user which will scale 100 times in coming 1 to 2 years for Android. I have oauth based user authentication. This chat should be able to authenticate and verify authtoken generated using the oauth. What should i use? Xmpp, mqtt or something else. Can anyone who has worked on chat application help me.6
Want to get your web-app authenticated,
using nodemailer on local host costs nothing but when your app wants to be deployed node mailer cries for a OAuth2.0 Authentication.......Really tired of getting the things fine as i am just a beginner.
Having so much fun with pug, and nodejs last week,
Building a demo OAuth 2.0 authentication server to simulate GitHub OAuth’s behaviour.
In the next step, I will deploy it on aws for more testing.
Blog on the way...🤞
BTW, they actually built a package for render pug to React components🙄
Azure, great development slots! Must have, now I can have developer, staging and production. The greatest no downtime when swapping a new server in....
Everything crashes? WTF?
OKAY, so swapping to a service that authenticates users makes the authentication part crash :/
Phew development slots ROLL BACK...
No the entire service was broken. Rolling back, all non authenticating controllers work, but the authentication never happens, so server is working, but the users cant use it. Fuck!
Delete everything. Recreate. The setting persists. WTF. Delete again, recreate, reinitialize, republish, it works as it should when tested phew.
Creating new service experiencing cant replicate. Hmm, okay must have been a glitch. Next, update, YEAH swap, no downtime!!!
*EXPLOSION* ..... RINSE AND REPEAT:/
When our app encounters an error, it shows an alert with an option to copy the error details to the clipboard, that includes the full stack trace, broadcasting to the world that we are coding in C#. Also, our page URLs show .aspx at the end, so anyone using it can see details of our implementation. Not exactly world-stopping since the desktop portal is only available on customer servers and the ipad app requires username/password AND pin authentication. But still....
So, something changed at our company not allowing me to connect with the correct network. Now this is barely a problem since I can still connect with another network, however the only thing I can't do now is push and pull from git... Every time I have to sync, I have to set up the hotspot on my phone. Apparantly, that's more often than I thought. Also, in order to work on the application I have to be connected to the company network because our application uses windows authentication, so I keep switching back and forth.1
Security issues I encountered:
- Passwords stored as plain text until last year.
- Sensitive data over http until last year.
- Webservice without user/pass authentication.
Java I hate you! I've been stuck on an authentication issue for weeks now and just figured out what was wrong. The probem was my variable wasn't STATIC so it was passing in an old auth header every time. Literally I've been skimming and modifying my code like crazy for like 2 weeks and this simple modifier changes everything! Java I hate you and can't wait to migrate my code base to kotlin!4
I'll have you know it only took me 3 months to learn the basics of lambda/aws, get server side authentication working, and get a basic login/logout page on an app
Never expected such a learning curve!1
Why there has to be So Many legs to the OAuth....
3 Legs... Wtf...
Make it a fkin...Octopus OAuth
Why so many legs to a Dumb API ??!1
Motherfucking peace of shit....
Dont know to whom I should direct this to .
Was creating a new login page for web app using Quasar(vue.js). Since my application have 2 different types of user, which also have different UI, and functionality.
One is written in vanilla ( and is quiet heavy) and the other one in vuejs ( though earlier it was written in vanilla too ). Login page too was written in vanilla which was working fine.
Now just yesterday I finished a prototype for the third type of user, which is also written in vuejs. Now I decided to re create login page using vuejs. Quiet small and easy to do. Finished it yesterday itself. Now since today's morning I am trying to configure it so that it this piece of shit just let me log in. It was authentication and verifying but not letting me log in.
( On server after authentication, I set cookies/token on clients browser and auto reload the page, so during next request to server/ or during reload, server will read the cookie/token and send the specific admin panel to user)
It was setting cookie, but not at the '/' path. Mother fucker.
It was setting cookie to the path I was sending login credentials ( which was different from '/', I.e.- /login/verify=password )
So it was setting cookie/token at '/login/verify=password'.
Even tried setting path for cookie at server. Read everything on internet. MF nothing worked. All I came across was, 'this is CORS' .... 'this is CORS'. Assholes, if it were CORS', how then I am able to make request to server and getting response without error
Only a hour ago, when I made get request to '/login/verify=password' I figured out, cookie is being sent to server for this path only. Then did some changes at server, so to send login credentials to '/'. Now that shit is working
Fucking waste of time. Wasted more than 6 hours. Asshole.
Btw, if you can suggest a better way to login, then please.
Anyone here implemented an oauth2 server in python?
I've been researching it for a fair bit, and it just seems like a giant swamp that I'd rather stay away from (ex: https://hueniverse.com/oauth-2-0-an...)
It also feels needlessly work intensive and (at least on the server side), underdocumented.
I'll probably be making my own custom solution.
So I was working on a web app for my university which was supposed to use their authentication system. After various headaches, not even the example given with the documentation was connecting to the credentials server and nobody could help me with this because the person who developed the system wasn't working anymore for the university. Weeks of work lost because they don't know how their own stuff works :@
The magic Apple Support:
A few days ago, I suddenly couldn't login to iCloud on my mac. I thought it was something that would be gone if I would try turning it back off and on again. Didn't work. Used the mac without bothering about it. I was too lazy to call the Apple Support and it didn't annoy me that much.
A day later, suddenly Spark (my email client) didnt work either, it asked me all the time to re-login into one of the accounts but "an authentication error occured". At that point I thought it was a problem with the keychain. Because i don't use email that often and the last time I should pay 30€ if I wanted to call Support (out of warranty), I just started using email on my phone.
Yesterday, MS Office (yes I use it and I like this Microsoft Product and I'm an Apple fanboy) wouldn't login either. I didn't call them.
Today, I had finally time to call them. They didn't want to charge me since I selected an Apple-Id Problem (and I think the Support Hotlines are free to call idk). The call from Ireland came 2 times and the connection didn't work (thanks iPhone). The third time, the moment the Support guy said Hello iCloud worked. A few second later Office and Spark worked again too. I don't know how these coincidences happen. Anyway, I am just happy my stuff works again and I don't have to use Google Docs and write my mails on my phone.
So. Spent most of the morning furiously trying to work out why I wasn't getting a reasonable response from my Rest Service "RS", calling it from some other system. Only got something vague along the lines of "value must not be null". Both systems are set up on my local machine, IIS bindings set up all correct and URLs and authentication settings double and triple checked. I was doing a lot of work on RS six months ago so it just had to be set up right.
Forgot I got a new machine a couple of months ago and never built the WS .dlls. -_-
Does anyone of you have experience with AdonisJS? I am not sure how to implement an authentication because i already have an existing API and would like to use this to authenticate a user...1
Thanks google for making it so fucking damn difficult to authenticate G Apps users and check their groups/org unit. Makes my fucking work so much harder! To make matters worse you decided that that if I want to get the information in a seprate call I have to use a seprate admin account to do it because apparently letting the user see it is to fucking hard.
This week, I worked on my side project. The basic idea of this project is to let everyone build software components in their favorite programming language without any need to learn any complicated protocols (such as CORBA or whatever).
It already worked good enough for some stand alone cases, but recently, I build a web app based on it.
So far, I write the code by myself. But I guess the project won't be as good as what it is right now without any help from everyone. Some fellow developers in real life and in devRant (especially @plugsut) really help me in order to write a better code. And I'm grateful for that.
Below is the specs of my project:
* Repository: https://github.com/goFrendiAsgard/...
* npm: https://npmjs.com/package/...
CREATING BOILER PLATE:
* Install Chimera-Framework (`npm install --global chimera-framework`)
* Create web project (`chimera-init-web <your-project-name>`)
RUN THE SERVER
* `npm start`
* `npm test`
* Database: MongoDB
* Supported Programming Language: CHIML + virtually any programming language.
* JWT Authentication: Fully tested.
* REST API with Whitehouse API standard (https://github.com/WhiteHouse/...): Fully tested.
* Total request performed for testing: 27
* Total assertion: 92
* Total testing time: 7 seconds
* Average response time: 217 miliseconds
* Write documentation for fellow developers
* Create GUI for mere mortals
Issues with google authentication cookies. Many 3rd party applications (like mindmup etc.) have already reported. Me too so many times.
Today I'm logged in with my google account. But !!! when I try to review a business on google search result or map, they're not able to sign me in.
Google doesn't like feedback or error reporting.5
My concern only goes so far...
‘Wow! Two factor authentication is not main stream... Are you f*cking kidding me? And you own bitcoin!’
‘No, I have ripple.’
‘Oh, well, not bothered then.’
Hey ranters, I want to setup a centralised auth backend that assigns multiple logins/API keys to a single user account which is managed through a Frontend application.
Background is we use multiple services each with their own login system and not all support a unified login/auth method for their API.
My approach is to setup a simple API/Auth backend that stores the users credentials plus multiple API-Keys of other services or their logins. When auth is successful the Frontend app may receive the associated credentials for the other backends to call their respective API. So the user can login once but the Frontend may access all backend services without the user noticing that their are other auths.
This should be a really general problem today. I'm really just diving into the topic of auth and Frontend, so I hope to get some guidence/overview from you. My questions are:
- Is my approach totally stupid?
- Are there good frameworks you'd recommend for such a setup?
- Is there a best practice which I've overseen so far?
- Resources you think are a must-read?
- Any other recommendations regarding security here?
So, what do you ranters think?
Guys I need to deploy a very simple authentication API service.
You register with a username (actually an ID with a determined format), a password and uuid. You login with your username and password and if credentials are correct you get back the uuid as a response (JSON or whatever the fuck).
If you forget your password, you can use your uuid (which is confidential, very long string) in some POST request to set a new password. If you forget your username, you use the uuid again in a GET request to get back your username.
I've been looking at a bunch of solutions online and I don't think they suit my purpose exactly and all require emails (Like Firebase, AUth0, etc.) So, let me get this straight: NO FUCKING EMAILS INVOLVED PLEASE.
The above are the EXACT requirements I need for my work (for a good cause too). I fucking hate 0-requirement exploratory research tasks and I'm plagued with those. Those requirements are the only way it should work. So again, NO EMAILS INVOLVED PLEASE.
Also, please note that I have never developed an API in my life. I feel like StackOverflow will be assholes about this so I am asking this here.
I know it is very easy to do and there are probably dozens of ways to do this. I just do not know how, documentations are vague and overwhelming (or I'm just a little stupid lately). Another thing is that I am not sure of how can I do this in the most secure way. Bonus if this can be dockerized.
I know I sound a little rude,so I am sorry. It is just my frustration and depressing times I am going through that's preventing from thinking straight.6
How do I go about JWT based authentication in Spring Security for rest APIs?
I work in nodejs environment, and I'd like to switch to Java/Spring in the next year or so.
My strategy was to implement, whatever I have learned in the professional field as a nodejs developer, in Spring's environment.
Currently I am stuck with JWT based authentication. In Spring's environment can't we use JWT as a standalone utility? Based on the documentation and tutorials, I have to use it with AuthorisationServer and ResourceServer which I need to implement using Spring oAuth2.1
Any guide/resources on building a small crud app with spring and angular? One with authentication would be preferred. Couldn’t find any with authentication.
Nessus SSL authentication through Kali Linux is next to impossible. I generated certificates through terminal and I still get error "SSL received a record that exceeded the maximum permissable length" (in Iceweasel).
Tried importing certs into separate Firefox browser and now just SSL handshake errors.7
Once on a project the authentication request for a service was done... through http... with the username and password as parameter in the URL... in plain text
Does anyone know a public API to test basic authentication other than github that return a token when the submission is successful1
Last weekend I started a project with a Angular front end and a WordPress backend.
The front end is for me so I can do the work faster. The backend is for the client that is slow at learning new technology. It's easiest to keep her WordPress setup
It's been a lot of fun setting up the jwt authentication but creating users has been a pain. I'm determined to work through it though.
Has anyone here else tried this? Any tips?4
my worst mistake was when I was using Ansible with AWS tags and I accidentally termianted a server that had been provisioned to handle users authentication and redirect them to their proper applications.
Need to create an internship portal for students and companies to register, sign in, post internships, apply for internships, browse internships and a minimal admin panel, for the entrepreneurship cell I'm college
(cuz the guy who was supposed to do didn't do jack shit in three months, so I have to make a quick one in three days)
Any suggestions on what should I use?
My current options are PHP and Node-Express, but I'm not fixated on either, and the minor details like the templating engine, how to store data, how to implement authentication etc...
I want to start learning to write a simple game server emulator in C#. The game works LAN but it gets LAN disconnected when internet drops so some sort of keepalive is implemented. I can copy the files to another device and it works online without a login etc so there is no online authentication but as soon as internet drops the LAN game goes down to so i need to emulate the online update server or something like that to prevent that from happening. (spotted with Wireshark etc)
I don't have much experience , just created a simple tcp client/server console app but in this case I ofcrs will only need a server one in combination with custom dns. Any tips on where to start? Does someone have an example game server emulator? or update server emulator?1
That glorious, amazing feeling when you discover that horrifying thing you've been looking up to has a library which makes dealing with the thing so much easier than having to send out twenty API requests for authentication etc.
Looking at you, Tweepy and Ansible's digitalocean modules :-)2
I am frustrated with the JWT token based authentication library I am using for my lumen(laravel) based backend. It is having lot of ongoing issues with infinite timed token(mobile apps) and others... Here is the link
If anyone has any suggestions for a good replacement for this it would be awesome because this is shitty in the support for the library nobody addressed the issues raised and threads are not even taken care about. It is so frustrating when you implement something but have to deal with the shortcomings of it, when it does not even do some basic things it is supposed to do. I feel bad saying it for somebody else's work. But, sometimes it has to be ranted out... That's the whole point of devRant. So yeah JWT based authentication library suggestions for laravel based backend. Because tymon-auth is shit.
Has anybody on here used UNLOQ as a passwordless authentication mechanism. Keen to know if anybody in the devRant community has heard about (or has any opinions of) their recent buyout.4
When your backend developer says the client has an issue on his virtual machine but has a bad track record of being incorrect and never checking if there is a conflict in the API that is causing authentication to fail for a feature and you then step through their code only to find the conflict in the API only to have them get mad at you for finding the problem after stating it's "Not my problem." I don't have time for this shit.
Um hey guys, so I was working with websockets in node.js and wanted to have some form of authentication. Did a bit of googling, read some docs and finally implemented something. It's just I am not sure if it is the right way. Can the experts give their 2 cents?
This is not a rant exactly, so if it comes under self promotion or irrelevant, please tell. 😃
I'm building a nodejs REST api with jwt token authentication for the first time. So far, it's been as smooth as butter. Any hiccups or gotchas I should worry about?
Anybody here implemented Dynamic Time Warping (DTW) algorithm? I need to implement it for a school project. Its basically an android application and want to authenticate users using this algorithm.
Will appreciate any help possible.2
Weekend 3 trying to configure user pool authentication with aws lambda/API gateway with SAM/cloudformation. What a disaster documentation is around this.
Whenever I post a question on stack overflow I get the views with 0 responses. Does anyone even use this garbage?
Seriously wth aws.
I got sucked into a rabbit hole with this.
when you made a custom ldap token based authentication, what is suitable for every projects of your workplace.
Does anyone know other cheap text messages (SMS) providers such as https://www.smsapi.com?
Quantity approx. 200-1000 messages per day, hard to estimate. Main use is sign up and two-way authentication.
The ones I found so far all start at $0.10 (for Europe) and $0.04 (USA).3
After a year and a half of working with what i love (nodejs microservices and bit of python) I have to update my php skills and refresh my memory with latest Laravel 😕 (I used it as an authentication/authorisation and REST backend for a react native app early 2016 and did not touch it since)
Passive Job hunting sux and yes PHP ain't my thing anymore 😔 i mean i have next to 6-8 years exp in it but given the choice... 😒
I used to love it (so many good memory with cakephp 😌🙄it teached me a lot early in my carrer) before I discover functional programming paradigm and got deep understanding of JS
Redoing our web apps to use SSO... Every single page within the app runs LDAP authentication. What is the point of signing in and having session cookies if you are reauthorization a logon on every page?!??? Now what seemed like a simple task of revamping the initial logon has turned into a hunting trip for LDAP queries and creating new sql tables
Single Sign on Authentication for a growing product suite? Sure, just validate the user's credentials in the dashboard and then pass their role to the product's web app via query parameter. No need for tokens or an auth server!
Any one else dissapointed in what direction Play (scala) is going? Jesus christ i cant even mock my authentication anymore without a shit ton of refactor...