Search - "bans"
-
Hacking/attack experiences...
I'm, for obvious reasons, only going to talk about the attacks I went through and the *legal* ones I did 😅 😜
Let's first get some things clear/funny facts:
I've been doing offensive security since I was 14-15. Defensive since the age of 16-17. I'm getting close to 23 now, for the record.
First system ever hacked (metasploit exploit): Windows XP.
(To be clear, at home through a pentesting environment, all legal)
Easiest system ever hacked: Windows XP yet again.
Time it took me to crack/hack into today's OS's (remote + local exploits, don't remember which ones I used by the way):
Windows: XP - five seconds (damn, those metasploit exploits are powerful)
Windows Vista: Few minutes.
Windows 7: Few minutes.
Windows 10: Few minutes.
OSX (in general): 1 Hour (finding a good exploit took some time, got to root level easily afterwards. No, I do not remember how/what exactly, it's years and years ago)
Linux (Ubuntu): A month approx. Ended up using a Java applet through Firefox when that was still a thing. Literally had to click it manually xD
Linux: (RHEL based systems): Still not exploited, SELinux is powerful, motherfucker.
Keep in mind that I had a great pentesting setup back then 😊. I don't have nor do that anymore since I love defensive security more nowadays and simply don't have the time anymore.
Dealing with attacks and getting hacked.
Keep in mind that I manage around 20 servers (including vps's and dedi's) so I get the usual amount of ssh brute force attacks (thanks for keeping me safe, CSF!) which is about 40-50K every hour. Those ip's automatically get blocked after three failed attempts within 5 minutes. No root login allowed + rsa key login with freaking strong passwords/passphrases.
linu.xxx/much-security.nl - All kinds of attacks, application attacks, brute force, DDoS sometimes but that is also mostly mitigated at provider level, to name a few. So, except for my own tests and a few ddos's on both those domains, nothing really threatening. (as in, nothing seems to have fucked anything up yet)
How did I discover that two of my servers were hacked through brute forcers while no brute force protection was in place yet? Installed a barebones Ubuntu server onto both. They only come with system-default applications. Tried installing Nginx the next day, port 80 was already in use. I always run 'pidof apache2' to make sure it isn't running and thought I'd run that for fun while I knew I didn't install it and it didn't come with the distro. It was actually running. Checked the auth logs and saw successful root logins - fuck me - reinstalled the servers and installed Fail2Ban. It bans any IP address which had three failed SSH logins within 5 minutes:
Enabled Fail2Ban -> checked iptables (iptables -L) literally two seconds later: 100+ banned ip addresses - holy fuck, no wonder I got hacked!
One other kind/type of attack I get regularly but if it doesn't get much worse, I'll deal with that :)
Dealing with different kinds of attacks:
Web app attacks: extensively testing everything for security vulns before releasing it into the open.
Network attacks: Nginx rate limiting/CSF rate limiting against SYN DDoS attacks for example.
System attacks: Anti brute force software (Fail2Ban or CSF), anti rootkit software, AppArmor or (which I prefer) SELinux which actually catches quite some web app attacks as well and REGULARLY UPDATING THE SERVERS/SOFTWARE.
So yah, hereby :P39 -
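The "three failed SSH logins within 5 minutes" rule the post above describes is a sliding-window threshold. Here is an added example, not the poster's setup and not Fail2Ban's own code, that reimplements that check in Python and runs it over constructed sshd auth.log lines (hostname, IPs, timestamps and PIDs are all made up). It shows what a defender actually wants to verify: an IP with three failures inside the window is banned, a slow attacker whose failures fall outside the window is not, and a successful publickey login is ignored.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth.log excerpt (not from the rant). Syslog timestamps carry no
# year, so parse_failures() pins one when parsing.
SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 vps1 sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar  3 10:00:05 vps1 sshd[1203]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar  3 10:00:09 vps1 sshd[1205]: Failed password for invalid user admin from 203.0.113.7 port 51044 ssh2
Mar  3 10:00:12 vps1 sshd[1207]: Failed password for root from 203.0.113.7 port 51050 ssh2
Mar  3 10:01:00 vps1 sshd[1210]: Failed password for root from 198.51.100.9 port 40000 ssh2
Mar  3 10:04:00 vps1 sshd[1212]: Failed password for root from 198.51.100.9 port 40002 ssh2
Mar  3 10:09:00 vps1 sshd[1214]: Failed password for root from 198.51.100.9 port 40004 ssh2
Mar  3 10:10:00 vps1 sshd[1216]: Accepted publickey for deploy from 192.0.2.5 port 50000 ssh2
Mar  3 10:10:30 vps1 sshd[1218]: Failed password for root from 192.0.2.5 port 50002 ssh2
"""

# Matches OpenSSH "Failed password" lines, with or without "invalid user".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log_text, year=2024):
    """Yield (timestamp, ip) for every failed-password line; other lines are ignored."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"]


def find_bans(log_text, maxretry=3, findtime_s=300, bantime_s=7200):
    """Sliding-window check in the spirit of a Fail2Ban sshd jail.

    An IP is banned once it has `maxretry` failures within the last `findtime_s`
    seconds. Returns {ip: ban_expiry}. Defaults mirror the post: 3 tries in 5 min;
    the 2-hour bantime is an assumption for the example.
    """
    findtime = timedelta(seconds=findtime_s)
    bantime = timedelta(seconds=bantime_s)
    window = defaultdict(deque)   # ip -> recent failure timestamps
    banned = {}
    for ts, ip in parse_failures(log_text):
        if ip in banned and ts < banned[ip]:
            continue              # still banned; the firewall would have dropped this
        q = window[ip]
        q.append(ts)
        while q and ts - q[0] > findtime:
            q.popleft()           # forget failures older than the window
        if len(q) >= maxretry:
            banned[ip] = ts + bantime
            q.clear()
    return banned


if __name__ == "__main__":
    for ip, until in find_bans(SAMPLE_AUTH_LOG).items():
        print(f"ban {ip} until {until.isoformat()}")
```

With the defaults only 203.0.113.7 is banned; the slow attacker at 198.51.100.9 spreads its three failures over eight minutes and only trips the rule if findtime is widened to ten minutes, which is exactly the trade-off to keep in mind when tuning findtime and maxretry on a real jail.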
You know who sucks at developing APIs?
Facebook.
I mean, how do such highly paid guys with such great ideas manage to come up with APIs THAT shitty?
Let's have a look. They took MVC and invented flux. It was so complicated that there were so many overhyped articles that stated "Flux is just X", "Flux is just Y", and exactly when Redux comes to the stage, flux is forgotten. Nobody uses it anymore.
They took declarative cursors and created Relay, but again, Apollo GraphQL comes and relay just goes away. When i tried just to get started with relay, it seemed so complicated that i just closed the tab. I mean, i get the idea, it's simple yet brilliant, but the api...
Immutable.js. Shitload of fuck. Explain WHY should i mess with shit like getIn(path: Iterable<string | number>): any and class List<T> { push(value: T): this }? Clojurescript offers Om, the React wrapper that works about three times faster! How is it even possible? Clojure's immutable data structures! They're even opensourced as standalone library, Mori js, and api is great! Just use it! Why reinvent the wheel?
It seems like when i just need to develop a simple react app, i should configure webpack (huge fuckload of work by itself) to get hot reload, modern es and jsx to work, then add redux, redux-saga, redux-thunk, react-redux and immutable.js, and if i just want my simple component to communicate with state, i need to define a component, a container, fucking mapStateToProps and mapDispatchToProps, and that's all just for "hello world" to pop out. And make sure you didn't forget to type that this.handler = this.handler.bind(this) for every handler function. Or use ev closure fucked up hack that requires just a bit more webpack tweaks. We haven't even started to communicate to the server! Fuck!
I bet there is savage ass overengineer sitting there at facebook, and he of course knows everything about how good api should look, and he also has huge ass ego and he just allowed to ban everything that he doesn't like. And he just bans everything with good simple api because it "isn't flexible enough".
"React is heavier than preact because we offer isomorphic multiple rendering targets", oh, how hard want i to slap your face, you fuckface. You know what i offered your mom and she agreed?
They even created create-react-app, but state management is still up to you. And react-boilerplate is just too complicated.
When i need web app, i type "lein new re-frame", then "lein dev", and boom, live reload server started. No config. Every action is just (dispatch) away, works from any component. State subscription? (subscribe). Isolated side-effects? (reg-fx). Organize files as you want. File size? Around 30k, maybe 60 if you use some clojure libs.
If you don't care about massive market support, just use hyperapp. It's way simpler.
Dear developers, PLEASE, don't forget about api. Take it serious, it's very important. You may even design api first, and only then implement the actual logic. That's even better.
And facebook, sincerely,
Fuck you.17 -
Da Fuck!?!
Yesterday I found some abnormal activity on my server, someone had been trying to brute force my ssh as root for two days! Started raging and installed fail2ban (which automatically bans an IP if it fails to log in X times and eventually sends me an email). Woke up this morning to find that a fucking Chinese guy/malware spent the whole night trying to brute force me!
Fucking cunt! Don't you have any better to do!!
My key is a 32-character-long encrypted key, with the ban he can try 3 passwords / 2 hours, good luck brute forcing it you bitch!36 -
Imagine yourself exploring Medium, looking for some new awesome tools to try out.
You accidentally find the new, promising programming language. It called Blow. It promises itself to be “idiomatic”, “minimalistic”, “simple” and “handsome”. And it also compiles to Electron. You decide to give it a try.
It has its own package manager, simple and idiomatic – every package is “blow add” away. But it’s only three packages available: the “blowsay”, just like “cowsay”, the “this”, printing The Blow Manifesto and “blue”, which is simplistic, simple and minimalistic idiomatic handsome functional frontend framework built with simplicity in mind.
You want to build a todo app, so you type “blow add blue” and press enter.
Following Medium articles written by some guy wearing Ray-Bans, you managed to finally put a todo app together, after seven hours of straight up coding and fighting that simple and idiomatic syntax, trying to make it do what you need. Alright, it’s time to build it.
It has built-in task runner named “job”.
So you type “blow job todo”.
You spending three hours more doing “blow job this”, “blow job that”, trying to blow job everything you see. You’re tired and mad at those damn blow job hipsters created that. You literally suck at programming in that.
Everything falls apart. Things don't work. And after another “ENOENT 0() 0x628 NOT_SUPPORTED”, you give up, admitting that you’ve really sucked at this.6 -
Today, one of my coworkers had to translate a bunch of pages to French ...
He did his job, committed, pushed, and asked someone to validate his branch in order to merge.
Tests didn't take long, the login screen was broken, because there was an <input type="mot de passe"> ...14 -
Guy I just met: so what do you do?
Me: I'm a developer
Guy: no way! I work for a software company so... (goes on to talk for 10 minutes trying to show off his knowledge of software)
Me: so what do you do there?
Guy: sales
Me: oh...
Just because you work for a software company does not mean you know shit about software. Don't try to build some erroneous common ground with me because you walked by a developer's desk one time, looked at his or her screen, and magically thought you could understand code.9 -
The brief history of Facebook open source:
- FB releases React under an oppressive licence that tells "woopsie, can't sue FB if you use React"
- a lot of money goes into making React popular to gain leverage from mass adoption
- VMware bans React in their company
- FB releases Flux to bring state management. It flops. Replaced by what some Russian student wrote in several evenings (Redux)
- Preact is released. It's faster than React, and it has MIT licence. Vue beats React in GitHub stars.
- Under mass pressure, FB changes React's licence to MIT. Initial plan to gain leverage fails spectacularly.
- FB releases Flow Types. It flops. Replaced by TypeScript.
- FB releases their own app market for React Native. It flops.
- FB releases Relay. It flops. Replaced by Apollo.
- FB tries to push React.Suspense for the whole JS landscape to obey and comply to how it works. Community says "Fuck You".
- FB releases react-native-web. It flops.
- Web Components are out in all browsers, adopted as a standard. React doesn't support them.
- Google releases Lit, a virtual DOM framework on top of Web Components to fuck with React. It's a massive success.
- React 18 is out. Still no Web Components support.
- (you are here)17 -
Supervisor: so you're going to write a perl script that will compile a jar that will be used to invoke a web service
Me: okay. What does the web service do?...
Supervisor: I'm not sure how it works. It'll just return a success or error code
Me: so I'm just going to invoke a black box?
Supervisor: that's a good way to think of it
Me: so how does the qa process work with this black box/how can we debug?
Supervisor: we don't have qa for it and we can't debug
What the fuck?!?!? You expect me to call a literal fucking black fucking box?!?! This isn't lambda calc you jabroni.2 -
Setup my port honeypot today finally, including port 22, then wrote a custom dashboard for some data tracking, feels great to have it open on my screen seeing the bans just roll in every 2 seconds of refresh, the highest hits are as expected from china, russia and india, also filed ~700 reports and already got 300 banned from their service. (mainly Microsoft Azure for whatever reason)
I wanted to first automate that (or at least blacklist report to various IP lists via API), but then I was afraid that I'll be one day stupid enough to somehow get banned - don't want myself to get reported lol5 -
Not to get political, but apparently the political climate in the world leads to the following situation.
"I'm being a fucking evil lying asshole. But I'm actually a good guy, because I'm doing it as pseudo-scientific research to show how easy it is to be evil and dishonest"
https://zdnet.com/article/...
("Researchers" with an anti-FOSS motive attempting software supply chain attacks on Linux kernel)
What's next? "Scientists" killing puppies to show that, if someone was inclined to be that evil, puppies are weak and their necks snap easily?16 -
How Google lost its data Monopoly-
Present:
Step 1- US bans Huawei
Step 2- Google Bans Huawei
Step 3- China Gov helps Huawei get back on its feet
Future:
Step 4- Huawei makes their own OS to rival Google, the OS can run Android apps as well as IoS apps and has its own language/framework for developing new apps
Step 5- China bans Google from their market
Step 6- Chinese mobile manufacturers adopt the new OS
Step 7- China's population starts using the new OS i.e. country with the world's largest population starts using the new OS
Step 8- Chinese manufacturers like Xiaomi, Vivo, Oppo and OnePlus who already own approx 40% of India's smartphone market start distributing the new OS based phones in India. Factors like cheaper devices take this market share to 50%+
Step 9- Cry, cause the new OS is now being used by approximately 30% of the world's population.
Yeah, bring your hate in the comments but come back and talk to me in August 2022...12 -
I block ads because they're psychological warfare that corporations wage against me. I don't care how unobtrusive the ads are. I don't care if the ads don't track me. I grew up changing the channel on TV when ads came on, and ripping adverts out of magazines before sitting down to read them. I vote for billboard bans whenever I can. I have zero tolerance for ads of any sort.
Advertisers have no morals, they're completely depraved. They'll eagerly exploit a teenager's self-conscious body issues to sell useless beauty products. They sell sugar water to fat people and at every turn promote the rampant consumerist culture that is destroying our planet. They're lower than pond scum and I never want to see a single ad from them ever.
— mcpackieh6 -
I finally finished a project after weeks of not knowing what to do with my skills.
What that project is?
It's a discord bot that bans half of the members in a server. :/6 -
i rant that i live in a dictatorship with an idiot president who bans whatsapp and facebook to prevent protests (in reaction to having arrested opposition party members of parliament), and github (yes, github) to prevent the spread of a minister's leaked e-mails. now the government is seriously considering shutting down vpn services to prevent by-passing the bans.
on the other hand, it's a nice time and place to continue ms studies on ad-hoc networks - that is of course if i can avoid being arrested or killed before i even start my thesis.9 -
TL;DR: If you make a contest where people get to vote online fucking make it right!
And here's the story: I play in a local coverband to make some cash on the side and because I love making music. We entered a contest hosted by a local radio-station. The first round was determined by judges and now 5 bands remain and of those 5 only 3 get to be voted into the final round. In the final round every bands wins something: 3rd place 250€, 2nd place 750€ and first place 5000€.
Now that stupid dipshit of a web-designer of that radio-station made a website where you can vote and it only fucking sets a cookie. You can delete it and vote again. You don't need no E-Mail and nothing. It doesn't even block multiple votes from one IP. It doesn't do shit.
Even my bandmates (who don't work in IT) were smart enough to figure out that you can just delete the cookies...
I think that now every band except for one is cheating. (we have over 5000 votes and combined all bands have like 4000 FB-Likes and sometimes a band gets like 400 more votes in an hour) This is such a fucking messup and I don't know what to do. Maybe they'll look into stats but if they're so stupid to make a contest like this in the first place, maybe they won't. And even if they look into the stats it wouldn't be fair to kick out a band with many votes because how the fuck would they know if the band themselves cheated or if it was a fan of the band or even an enemy of the band just to get them kicked out.
I'm afraid of talking to the radio-station as a part of one band because maybe the web-designer there just gets frustrated and bans us from the contest entirely.
This is just fucking frustrating.5 -
Faxbook literally sent a cease-and-desist letter to the developer of an extension that unfollows everyone on your account, oh and they also banned his account.
I- I have no words.
https://techspot.com/news/...17 -
News like the "social score" travel ban in China really makes me hate social networking and how by developing better technologies we further the capability of orwellian governments to infringe human rights.
But the most depressing thing is we are in a similar watered down version of it, think about it; what you post, what you say, who you follow, what you read, the videos you watch, where you've worked everything follows you. You can't get a job at a company that disapproves your thoughts, study in a college who is more concerned about your ideology rather than teaching...we are slowly but surely becoming a "free" China.
Source: China to ban citizens with bad ‘social credit’ from some forms of travel http://go.newsfusion.com/security/...3 -
Supervisor has me making a web app in this badass new stack called the LAP (linux, apache, php) stack because he would he would like the app to be "simple". He's spot on though.. having a three letter acronym saves so much time.... and then we don't need to worry about a database... or querying.... or efficiency.... or even the web app itself because clearly he expects the fucking code gods to come down and turn this piece of shit web app into a fucking masterpiece if he thinks this shit can be done based on a hacked together file management system. Please save me code gods4
-
On Skype.
[tldr: #muhPrivacy;]
You know, people hiring via Skype.
Gaming, seeing family or having long range relationships.
It's become a decent tool.
Then there is the Skype employee.
Opening a court case because in his work time, evaluating Skype calls - ON FUCKING OBSERVING SKYPING PEOPLE - he has to look at too much flesh (as in porn) for his salary level.
Like : the payment category states that you gotta be classed like 1,2 salary categories higher for such work.
So the first instance did not recognise the employee's case, because they said it's a state thing, or even higher.
Later instance evaluated the employee was right and decreed Microsoft / the NSA (whomever direct employees they are) to properly categorize their employees.
Therefore cost relatively exploded and an algorithm to detect nudity was built.
Which is operational way earlier than Skype's TOS renewal mid 2018.
That also bans bad language and auto bans given accounts.
Talking about social credit..
in PROC (or prod, as they're known).
And btw: complaining about Google while posting Christmas gatherings on Instagram.. You get what I mean.
Honestly, I don't recall the sources. It's been a while.
I'd really appreciate a little compendium of this for historical reasons.
They will ask: what has brought us here? What is everyone an ultimate right/left/center/agnostic/religious fascist?
And we'll have it on paper. Or papyrus,.. even stone. As I don't know how far mighty people will go for their fortune.15 -
Whiteboard interviews. Would say "my first whiteboard interviews", but I think they will always have the magic to make developers feel stupid.1
-
i'm wondering how long it will take until marketeers/recruiters/"ad-people" will find this sacred place and ruin it for everyone...
i hope there is a "ban this asshole" button in the backend for...you know....just in case...5 -
How are there in 2019 still people thinking ip bans are a good/working way to ban people of of game servers/websites?6
-
Conversation in a debug meeting, after a series of confusing failures:
Senior dev: “This is stupid”
Junior dev: “Me too” -
Started a new job on Monday. STILL DON'T HAVE ACCESS TO THE FUCKING SERVERS I NEED TO ANYTHING. Holy fucking shit I'm annoyed. Fuck you corporate bullshit. I already feel like quitting.3
-
I want to access a webpage on a non-standard port.
On desktop, I can override port bans for Chromium-based browsers and Firefox.
On Android, I FUCKING CAN'T, FIREFOX' CONFIG VALUE USED ON DESKTOP DOESN'T DO ANYTHING ON ANDROID, ANY OTHER BROWSER ALSO DOESN'T HAVE ANY CONFIG FOR THIS, AAAAAAAAAAAAAAAAAAAAAAAAAA
Site's on port 21 because that's one of my school firewall's few allowed outbound ports, and I couldn't use 80/443 since a webpage is already running there.11 -
So Twitter managed to break its content censorship system so hard that when you tweet the word "Memphis" it insta-bans your account for 12h.
This is hilarious. I had an account lying around and sure thing, within a single page refresh I was banned for mentioning a city in the US.
In case anyone wonders, writing "Memphis" as ban repeal comment seems to have no effect ;)3 -
Looks like I got dislike-banned as well... eventhough I only used it where appropriate.
I understand that our almighty gods dfox and trogus implemented this to fight bots and mischievous downvote cunts, but why not inform the user affected by it?
I fucking hate these silent bans, just like Twatter and YouTwat do it... you feel like you posted something but in reality it disappears and you're not even aware of it.
Man, nowadays a lot of people behave like bots thus I can't blame The Algorithm™...3 -
if you want to encounter 400 lb angry virgin programmers go on r/Python and suggest they should add a static keyword to their classes.
They swarm out of the woodwork and take turns trolling you until a mod bans you for responding in suit.
It's amazing, the dumbest lack of language feature and they're like
'me no want the extra keystroke me like code that can lose people, me fo fucks no never, not gonna happen, you asshat, haha, now go bye now, *click*'
valid argument is python classes are lacking in decoration
this i suppose is ok overall, i mean they work. except the issue i was having the other day resulted from a variable not being DOUBLE DECLARED IN BOTH THE CLASS SCOPE AND INSIDE THE CONSTRUCTOR LIKE IT WAS A JS OBJECT BEING INTERPRETED AS A STATIC FIELD !
ADDITIONALLY IF THEY LIKE CONCISE WHY THE FUCK DO ALL THEIR CLASS METHODS REQUIRE YOU TO INCLUDE ===>SELF<== !!!!
BUT NOOOO TRY TO COMPARE SOMETHING SENSIBLE LIKE
MYINSTANCE.HI SHOULD NOT BE STATIC
MYCLASS.HI SHOULD BE STATIC AND THEY GET ALL PISSED
ONE ACTUALLY ACTED REJECTED FOR THE SAKE OF HIS LANGUAGE SAYING 'YOU WANT WHAT PYTHON HAS BUT YOU DON'T WANT PYTHON !'
...
...
...
I DIDN'T KNOW THEY MADE VIRGINS THAT BIG!40 -
One question about the GDPR:
Can one say you have to remove all Data about him including things like IP-Bans? Because then you could not punish someone for breaking your rules.
How is that handled?16 -
Been a really long time since I posted on here. Sucks when you get stuck in a lab that bans cellphones.
BUT I got a new job now. No classified stuff. I can actually talk about what I do specifically now!!! And after a week I can almost maybe do my job one day.7 -
This is going to have all manner of impact on everything in gaming
https://tweaktown.com/news/71842/...5 -
I was too lazy to download videos one by one so I created a script to download playlists and rename the downloaded files !
-
idk why, but why focus so much on internal stuff that never will be public...this is also my favorite quote1
-
Had my dev job described as a "computer, desk job" in a condescending tone yesterday by a guy trying to convince me to join his pyramid scheme....
// TODO: come up with awesome rant about this so I can look badass2 -
It's done. Agile has taken over my life. The other day I looked outside and thought, "As a user, I can stand on my lawn without my feet disappearing." And that's how I decided to mow my lawn.
-
I think I need glasses (or at least more coffee) but every time I think about contributing to an open source project maintained by a "Community", I find out that I missed the smelly bits in their massive CoC that they want to ram down your throat.
Either I missed them every time or some fuck puts them in after I read them.
The first time it's about mostly standard shit like: don't troll/flame/insult/detract. But then I start seeing: Sexism, Racism, xenophobia, heteronormativity (wtf nodeJs)/homophobia insta ban. They even assert that you should apologize even if you did nothing wrong and you're not allowed to stand your ground or you're banned.
And if the mod pulls a fast one on your buddy, not allowed to be discussed in any public forum or your banned too.
What happened? I was sure that only the bigger repos had that shit (like the Linux kernel (that bans you for being pro trump). Have I missed something?
Fuck every repo that does that shit. They ain't gonna get my time or money.6 -
Is it just me or feeling the imposter syndrome, and blogging about it is super trendy at the moment ?3
-
Lend a dude a pen and he sits next to me clicking it nonstop...you can keep that pen if you leave, my friend1
-
I have accidentally closed so many windows trying to use ctrl-w instead of ctrl-f to search after spending days in nano.1
-
I am not a fan of programs that want to store their libraries in your home directory. It's alright if they store it in a hidden folder at least. I like my home directory to be nice and clean~~3
-
The moment when Facebook blocks your account for being a PC Hater and bans the name entirely for No Reason!1
-
We have procedures in place, but nothing has been Enacted as of yet other than travel bans and inter division meeting. Pushing for all meetings to be phone or web. Day to day team internals have not been affected yet. There is discussion to split the teams up so not everyone in the office is at the office at the same time. Split via “shifts” so different project groups would work during different shifts to reduce contact with others. And then also working from home, some like it , I don’t because all my stuff I need is at the office, and the internet at my house isn’t capable of what I need. So the shifting works best for me. Kinda nice I like the 3rd shift option for software.
-
Starting my first dev job next week (except for freelance work) and I'm crazy nervous that I'm going to make some huge mistake and look really stupid. Did anyone else have these fears before their first dev job and, if so, how'd you stay at least a little confident?4
-
!rant
Right now i'm working as a volunteer developer for a discord server. I've recently been learning JDA (a Discord API java wrapper) and I wanted to get some experience in a more real world environment by working on a Discord Bot. What a mistake
The owner of the server has written some pretty messy, but solid code, and I was asked to build a sort of “punishment system” (warns, kicks, mutes, bans, all of which timed). It started off fine, me doing some work, getting some criticism, all good. Soon, it started to get worse. At every point of the way, while I’m working I have him trying to make me add new features, and change massive existing ones even after I’ve done them and moved on with his permission! I keep telling him, “it’s a work in progress, please wait”, but it never stops.
I’m planning to resign, but I have to continue to dodge him and his “suggestions” as I simply want to finish my work, and get out. The reason I need to avoid him is, I feel that if I were to alert him I was leaving in advance, things would only get worse in the time while I stayed.
:/5 -
Hi everyone,
Does anyone have experience setting up email notifications for fail2ban?
I am trying to set sendmail MTA (mail transfer agent) to send an email with my gmail account when fail2ban bans an IP address but without success.
Any help is appreciated.6 -
For those of you who DO use PHP, regardless of whether you like it or not, have you ever used something like PEAR? And what are your thoughts?
I'm writing a fairly basic internal web app for our PMs and I'm looking for something similar to npm to save me some time/effort. I should also mention that my supervisor insists it be in PHP...6 -
Relevant now more than ever as we head to this horrible freeze of everything enjoyable to be replaced by warped and twisted trash spat out by a system of complex lies and perversity which aims at destroying the joys of natural and pedestrian perversity !
Only fans bans sex content !
https://mashable.com/article/...4