Why not have a game of DevSecOpoly? Doing DevOps and Security right!

My most awkward recruiter interaction?

Just graduated college and got 'suckered' by an programming position ad that turned out to be a recruiting company. It was fine since they charge the company for their services and not me.
After a couple of weeks of waiting (they initially promised I would/could have at least 3 interviews a week, which hadn't happened.) I decided to start looking again on my own, found a position, and I was hired.

About two months later I get a phone call:

<skipping the pleasantries>
R: "I see you are working for D, congratulations. I've started the paperwork for our reimbursement."
Me: "Reimburse for what? I found that job on my own."
R: "D is one of the companies we work with and when we submitted your resume, they told us you were already hired."
Me: "And?"
R: "And you signed a contract and now its time to pay. The fees only start at $500"
Me: "Not me. I have the contract, it states, in the second paragraph, I am not responsible for any hiring fees."
<couple of seconds of silence>
R: "Yes, but that is only if we negotiated the contact. Since you went behind our back, we couldn't start the process"
Me: "And?"
R: "And its a breach of contract."
Me: "I'm not a lawyer, I don't understand what you're saying. It says right here on the contract I signed, I don't pay any fees. No where does it say I'm not allowed to look for a job on my own. Right?"
R: "Um..yea..right..right...but you were hired by one of our contracted companies."
Me: "No way I would have known that. Maybe you should have set up an interview long before now."
<R is getting pretty angry at this point>
R: "I'm sure we gave you list of companies we work with. Contacting those companies is a breach of contract. Unless you want our lawyers to get involved, the fee is only $500. Failing to honor your side of the agreement and we'll be forced to contact your employer and begin garnishing your wage until the fee is paid. You don't want that, do you?"
Me: "There was no list and I am allowed to find a job on my own. Again, I'm not responsible for you not setting up an interview so do whatever you think you can do. Have a good night"
<I hang up>

About a week later..

Boss: "Got a phone call from XYZ Recruiting requesting a wage garnishment. Do you know anything about that?"
<I explain the situation>
Boss: "Oh good grief. We've worked with them a couple of times and we contact them on an individual basis for new hires. You're fine"
Me: "You're not going to garnish my paycheck?"
Boss: "No no no, that's not how this works. He was probably trying to scare you into paying their crazy fees."
Me: "What if they get their lawyers involved? I don't want to cause any trouble"
Boss: "Ha ha...XYZ Recruiting is a couple of guys in an office and we have lawyers on the 3rd floor who eat and breath this shit. They know that and you won't hearing from them again."

Data breach/leak again

OMG, security breach on devRant!!!
My password is shown in clear text near my avatar.

When doing a coding project for lawyers, hire a lawyer. That is all.

haveibeenpwned: MASSIVE SECURITY BREACH AT COMPANY X, MILLIONS OF RECORDS EXPOSED AND SOLD, YOUR DATA IS AT RISK, please change your password!

Company X website: Hey your password expired! Please change it. Everything's fine, wanna buy premium? The sun is shining. Great day.

In may this year, the new mass surveillance law in the Netherlands went into effect. Loads of people were against it with the arguments that everyone's privacy was not protected well enough, data gathered through dragnet surveillance might not be discarded quickly after the target data was filtered out and the dragnet surveillance wouldn't be that 'targeted'.

They were put into the 'paranoid' corner mostly and to assure enough support/votes, it was promised that:
- dragnet surveillance would be done as targeted as possible.
- target data would be filtered out soon and data of non-targets would be discarded automatically by systems designed for that (which would have to be out in place ASAP).
- data of non-targets would NOT be analyzed as that would be a major privacy breach.
- dragnet surveillance could only be done if enough proof would be delivered and if the urgency could justify the actions.

A month ago it was already revealed that there has been a relatively (in this context) high amount of cases where special measures (dragnet surveillance/non-target hacking to get to targets and so on) were used when/while there wasn't enough proof or the measures did not justify the urgency.
Privacy activists were anything but happy but this could be improved and the guarantees which were given to assure privacy of innocent people were in place according to the politicians... we'll see how this goes..

Today it was revealed that:
-there are no systems in place for automatic data discarding (data of innocent civilians) and there are hardly any protocols for how to handle not-needed or non-target data.
- in real life, the 'as targeted dragnet as possible' isn't really as targeted as possible. There aren't any/much checks in place to assure that the dragnets are aimed as targeted as possible.
- there isn't really any data filtering which filters out non-targers, mostly everything is analyzed.

Dear Dutch government and intelligence agency; not so kindly to fuck yourself.

Hardly any of the promised checks which made that this law could go through are actually in place (yet).

Fuck you.

To the point

I realize I've ranted about this before, but...

Fuck APIs.

First the fact that external services can throw back 500 errors or timeouts when their maintainer did a drunk deploy (but you properly handled that using caching, workers, retry handlers, etc, right? RIGHT?)...

Then the fact that they all speak a variety of languages and dialects (Oh fuck why does that endpoint return a JSON object with int keys instead of a simple array... wait the params are separated with pipe characters? And the other endpoint uses SOAP? Fuck I need to write another wrapper class around the client...)

But the worst thing: It makes developers live in this happy imaginary universe where "malicious" is not a word.

"I found this cloud service which checks our code style" — hmm ok, they seem trustworthy. Hope they don't sell our code, but whatever.

"And look at this thing, it automatically makes database backups, just have to connect to it to DigitalOcean" — uhhh wait...

"And I just built this API client which sends these forms to be OCR processed" — Fuck... stop it... there are bank accounts numbers on those forms... Where's that API even located? What company?

* read their privacy policy *

"We can not guarantee the safety of your personal data, use at your own risk [...] we are located in Russia".

I fucking hate these millennial devs who literally fail to get their head out of the cloud.

Somehow they think it's easier to write all these NodeJS handlers and layers around some API, which probably just calls ImageMagick + Tesseract on the other side.

If I wasn't so fucking exhausted, I'd chop of their heads... but they're like hydra, you seal one privacy breach and another is waiting to be merged, these kids just keep spewing their crap into easy packages, they keep deploying shitty heroku apps... ugh.

😖

Oh fuck and boy Jesus, how on earth is this still a thing 😦

MD fucking 5 is not a fucking “secure” crypto algorithm.

This site has 14 million breached accounts with fucking MD5 hashes.

I think I’ve had to much internet for today.

Uncle- What do you do?

Me- I'm a software engineer

Uncle- My brother's friend's son is also a software engineer.

Me- (so what am I supposed to do about it?) yes that's nice

Uncle- I have a great idea, u should implement, I'm just telling you, it is a revolutionary idea

Me- (oh fuck, not again) yes tell

Uncle- you should make a matrimonial site which tracks what people do on internet and tell their to-be-spouses about it

Me - (yeah, I'll get sued for breach of privacy, and it has got nothing to do with my current line of work, and will probably cause divorces before marriage) yes great idea uncle

Uncle- see I told you this billion dollar idea, u should do hard work and make it

Just WHY in god's name do all uncles think laptop is a magic box in which I just have to type their idea in and it will spit out a website/software in 2 minutes. I don't go around advising them about their line of work.

My client is trying to force me to sign an ethics agreement that would allow them to sue me if found in breach of it. At the same time they are scraping eBay's data without their consent and refuse to sign the licence agreement. Apparently they don't understand irony.

No, MD5 hash is not a safe way to store our users' passwords. I don't care if its been written in the past and still works. I've demonstrated how easy it is to reverse engineer and rainbow attack. I've told you your own password for the site! Now please let me fix it before someone else forces you to. We're too busy with other projects right now? Oh, ok then, I'll just be quiet and ignore our poor security. Whilst I'm busy getting on with my other work, could you figure out what we're gonna do with the tatters of our client's business (in which our company owns a stake) in the aftermath of the attack?

Omg, when does the Stupid stop? New Zealand just passed a law that empowers immigration officials to compel travellers to unlock their devices. Otherwise, you pay a hefty fine. They are also allowed to copy the data and do God knows what with.

The horrible invasion of privacy aside, it also brings with it some legal hurdles. What if you are making a presentation or report to an investor or someone you have a fiduciary obligation with. You are carrying IP bound by several NDA's and other funding red tape that would end your life if it got out. Are you in breach if the data gets copied by the gov officials? Worse yet you have zero control over what they do afterwards.

I don't think any of this inspires investor confidence.

Government needs to stop touching things!

Yesterday my father called me and asked if I'd have a look at his website to exchange his logo with a new one and make some string changes in the backend. Well, of course I did and hell am I glad I did it.
He had that page made a few years ago by some cousin of a friend who "is really good with computers", it's a small web shop for car parts and, as usual costumer accounts. Costumer Accounts with payment infos.
Now I've seen a lot of bad practices when it comes to handling passwords and I've surely done a few questionable things myself but this idiot took the cake. When a new account was registered his php script would read the login page, look for a specific comment and add a string "'account; password'," below into to a js array. In clear text. On the website. One doesn't even have to breach the db, it's just there, F12 and you got all the log ins.

Seriously, we really need a licensing system for devs, those were two or three years this shit was live, 53 accounts... Now I've gotta decipher this entire bowl of spaghetti just to see if he has done any more unspeakable things.

This happened quite sometime ago.

I received a client, reputable university in my country. After all the paper work was done, I was emailed access to one of their AWS server, FTP where the username and password were both admin. I didn't say much to them at that moment.. Maybe they had some precautions?

Over night I received another email, around 3am,

"Hi Uzair, we've monitored a breach while leaving FTP access open."

Well, that was sorta expected.
I received SFTP access to the server the following day,

username: admin,
password: @dmin

Paranoid Developers - It's a long one
Backstory: I was a freelance web developer when I managed to land a place on a cyber security program with who I consider to be the world leaders in the field (details deliberately withheld; who's paranoid now?). Other than the basic security practices of web dev, my experience with Cyber was limited to the OU introduction course, so I was wholly unprepared for the level of, occasionally hysterical, paranoia that my fellow cohort seemed to perpetually live in. The following is a collection of stories from several of these people, because if I only wrote about one they would accuse me of providing too much data allowing an attacker to aggregate and steal their identity. They do use devrant so if you're reading this, know that I love you and that something is wrong with you.

That time when...

He wrote a social media network with end-to-end encryption before it was cool.

He wrote custom 64kb encryption for his academic HDD.

He removed the 3 HDD from his desktop and stored them in a safe, whenever he left the house.

He set up a pfsense virtualbox with a firewall policy to block the port the student monitoring software used (effectively rendering it useless and definitely in breach of the IT policy).

He used only hashes of passwords as passwords (which isn't actually good).

He kept a drill on the desk ready to destroy his HDD at a moments notice.

He started developing a device to drill through his HDD when he pushed a button. May or may not have finished it.

He set up a new email account for each individual online service.

He hosted a website from his own home server so he didn't have to host the files elsewhere (which is just awful for home network security).

He unplugged the home router and began scanning his devices and manually searching through the process list when his music stopped playing on the laptop several times (turns out he had a wobbly spacebar and the shaking washing machine provided enough jittering for a button press).

He brought his own privacy screen to work (remember, this is a security place, with like background checks and all sorts).

He gave his C programming coursework (a simple messaging program) 2048 bit encryption, which was not required.

He wrote a custom encryption for his other C programming coursework as well as writing out the enigma encryption because there was no library, again not required.

He bought a burner phone to visit the capital city.

He bought a burner phone whenever he left his hometown come to think of it.

He bought a smartphone online, wiped it and installed new firmware (it was Chinese; I'm not saying anything about the Chinese, you're the one thinking it).

He bought a smartphone and installed Kali Linux NetHunter so he could test WiFi networks he connected to before using them on his personal device.

(You might be noticing it's all he's. Maybe it is, maybe it isn't).

He ate a sim card.

He brought a balaclava to pentesting training (it was pretty meme).

He printed out his source code as a manual read-only method.

He made a rule on his academic email to block incoming mail from the academic body (to be fair this is a good spam policy).

He withdraws money from a different cashpoint everytime to avoid patterns in his behaviour (the irony).

He reported someone for hacking the centre's network when they built their own website for practice using XAMMP.

I'm going to stop there. I could tell you so many more stories about these guys, some about them being paranoid and some about the stupid antics Cyber Security and Information Assurance students get up to. Well done for making it this far. Hope you enjoyed it.

The public seems to be worried a lot on the Facebook "data breach" yet doesn't bat an eye on a bigger website that has already been selling private data for more than a decade.

Google

Ah, I see you studies music in college! Why don't you work in information security!

Fucking phone company just sent me a notification, CCing all other business customers they have in Sydney. I am going to sign all those customers to a porn newsletter, and then advise them about the privacy breach.

Being responsible for a massive breach of personal & financial data.

Seriously, that crap scares me way more than any amount of downtime does.

So instead of using the budget of 7k$ to buy all the plugins the old developer needed, he torrented more than half of them and deployed the system

which ended up in 20 thousand users including companies reporting a breach, because avira etc reported some kind of drive-by scripts on the new website

what a fucking buffoon, the most annoying thing about this is, that all the plugins had a "license file", so I didn't even first get, where all that shit is coming from

So at work with the Macs we use, we have some guy come in after hours to service the Macs, and that means the security risk of leaving our passwords on our desks.

Not being a fan of this I tell my boss, he knows it's a risk and despite that he doesn't want this guy coming in while we're here.

Though my main problem is the Mac guy Steve is arrogant and thinks he's a know it all, and with the software I have on the Mac may end up deleting something important, I have git repo and all but I feel off just letting someone touch my computer without me being there.

I tell my boss about the software and stuff he just says contact Steve and tell him about it, to ignore the software and such, I say alright, I write up an email telling him not to touch the software listed and the folders of software documents (again it's all backed up).

No reply, I tell my boss and he says call him, I call him and he hangs up on me on the second ring!

Not sure if he's busy, but I left him a message, asking if he got my email, no reply and it's coming close to the end of the day (going to service Macs in the weekend)

I'm just not going to leave my info because if this guy can't check emails or even get back to someone why should I bother with this bullshit of risking my work.

From all the info I hear about him and my previous rants he's an arrogant prick who loves Macs.

Can't wait to leave this company, pretty sure leaving my password on my desk is a breach of our own security policy, and since 8-9 people are doing it, it's a major risk.

But he's friends with the CEO so apparently it's fuck our own security policy.

Watch out for these fucking bug bounty idiots.

Some time back I got an email from one shortly after making a website live. Didn't find anything major and just ran a simple tool that can suggest security improvements simply loading the landing page for the site.

Might be useful for some people but not so much for me.

It's the same kind of security tool you can search for, run it and it mostly just checks things like HTTP headers. A harmless surface test. Was nice, polite and didn't demand anything but linked to their profile where you can give them some rep on a system that gamifies security bug hunting.

It's rendering services without being asked like when someone washes your windscreen while stopped at traffic but no demands and no real harm done. Spammed.

I had another one recently though that was a total disgrace.

"I'm a web security Analyst. My Job is to do penetration testing in websites to make them secure."
"While testing your site I found some critical vulnerabilities (bugs) in your site which need to be mitigated."
"If you have a bug bounty program, kindly let me know where I should report those issues."
"Waiting for response."

It immediately stands out that this person is asking for pay before disclosing vulnerabilities but this ends up being stupid on so many other levels.

The second thing that stands out is that he says he's doing a penetration test. This is illegal in most major countries. Even attempting to penetrate a system without consent is illegal.

In many cases if it's trivial or safe no harm no foul but in this case I take a look at what he's sending and he's really trying to hack the site. Sending all kinds of junk data and sending things to try to inject that if they did get through could cause damage or provide sensitive data such as trying SQL injects to get user data.

It doesn't matter the intent it's breaking criminal law and when there's the potential for damages that's serious.

It cannot be understated how unprofessional this is. Irrespective of intent, being a self proclaimed "whitehat" or "ethical hacker" if they test this on a site and some of the commands they sent my way had worked then that would have been a data breach.

These weren't commands to see if something was possible, they were commands to extract data. If some random person from Pakistan extracts sensitive data then that's a breach that has to be reported and disclosed to users with the potential for fines and other consequences.

The sad thing is looking at the logs he's doing it all manually. Copying and pasting extremely specific snippets into all the input boxes of hacked with nothing to do with the stack in use. He can't get that many hits that way.

I’m LOLing at the audacity of one of our vendors.

We contract with a vendor to build and maintain a website. Our network security team noticed there was a security breach of the vendor’s website. Our team saw that malicious users gained access to our Google Search console by completing a challenge that was issued to the vendor’s site.

At first, the vendor tried to convince us that their site wasn’t comprised and it was the Google search Console that was compromised. Nah dude. Our Search Console got compromised via the website you maintain for us. Luckily our network team was able to remove the malicious users from our search console.

That vendor site accepts credit card payments and displays the user’s contact info like address, email, and phone. The vendor uses keys that are tied to our payment gateway. So now my employer is demanding a full incident report from the vendor because their dropping the ball could have compromised our users’ data and we might be responsible for PCI issues.

And the vendor tried to shit on us even more. The vendor also generates vanity urls for our users. My employer decided to temporarily redirect users to our main site (non vendor) because users already received those links and in order to not lose revenue. The vendor’s solution is to build a service that will redirect their vanity urls to our main site. And they wanted to charge us $5000 usd for this. We already pay them $1000 a month already.

WTAF we are not stupid. Our network service team said we could make the argument that they do this without extra charge because it falls in the scope of our contract with them. Our network team also said that we could terminate the contract because the security breach means they didn’t render the service they were contracted to do. Guess it’s time for us to get our lawyer’s take on this.

So now it looks like my stakeholders want me to rebuild all of this in house. I already have a lot on my plate, but I’m going to be open to their requests because we are still in the debrief phase.

This has been here for years already but with the recent data breach scandles which also highlights how they profit from me, u'd think they would cancel this small amount which is wronggfully charged to start with....

I've even tried ccontacting them about it... for years.... and they don't respond.... EVER...

So much for listening to users... clearly they don't...

So today I found a way to break into any Apple Mac (provided the exploit hasn't been fixed by the owner) and access all private files, as long as I have physical access to it, in less than 5 minutes.

After finding this, a quick Google on the method reveals this has been a workaround for years.

And to think I once praised Apple for their security standards.

Edit: this was done to an in-house Mac that my company own, and had been password locked by a member of staff who had been fired, but held important company documents on the computer. It was in no way a breach of privacy.

A few years ago I was in high school and used to have a small reputation of hacking things. I could hack, just would never hack any school networks or systems (reputation + notice that there was a breach is a bad combo since everyone would immediately suspect you).

Anyways one day the networks internet connection went down in the school district and I was the only one who used a laptop to take notes. So I quickly opened the terminal and ran Wireshark and said to the person to my right "see that button there? yeah I programmed this last night. anytime I press it I can shut down the network so the teacher can't reach her files (she famously only saved them online). *Long dramatic press* Wireshark started scanning the network so all the numbers and lines were going crazy as it viewed the packet info "Now just wait", soon the whole class knew what I had done through whispers and lo and behold a few minutes later and the teacher couldn't reach her files.

Everyone loved me for the rest of the year for saving them from the homework for the week the wifi network was out since it also ended up having to cancel two tests in the class, and a lot more homework and tests in all their other classes. Solidified my reputation and no one fucked with me from that day on.

At work, my closest relation is with the DBA. Dude is a genius when it comes to proper database management as well as having a very high level of understanding concerning server administration, how he got that good at that I have no clue, he just says that he likes to fuck around with servers, Linux in particular although he also knows a lot about Windows servers.

Thing is, the dude used to work as a dev way back when VB pre VB.NET was all the rage and has been generating different small tools for his team of analysts(I used to be a part of his team) to use with only him maintaining them. He mentioned how he did not like how Microsoft just said fk u to VB6 developers, but that he was happy as long as he could use VB. He relearned how to do most of the GUI stuff he was used to do with VB6 into VB.NEt and all was good with the world. I have seen his code, proper OOP practices and architectural decisions, etc etc. Nothing to complain about his code, seems easy enough to extend, properly documented as well.

Then he got with me in order to figure out how to breach the gap between building GUI applications into web form, so that we could just host those apps in one of our servers and his users go from there, boy was he not prepared to see the amount of fuckery that we do in the web development world. Last time my dude touched web development there was still Classic ASP with JScript and VBScript(we actually had the same employer at one point in the past in which I had to deal with said technology, not bad, but definitely not something I recommend for the current state of web development) and decided that the closest thing to what he was used was either PHP(which he did not enjoy, no problem with that really, he just didn't click with the language) and WebForms using VB.NET, which he also did not like on account of them basically being on support mode since Microsoft is really pushing for people to adopt dotnet core.

After came ASP.NET with MVC, now, he did like it, but still had that lil bug in his head that told him that sticking to core was probably a better idea since he was just starting, why not start with the newest and greatest? Then in hit(both of us actually) that to this day Microsoft still not has command line templates for building web applications in .net core using VB.NET. I thought it was weird, so I decided to look into. Turns out, that without using Razor, you can actually build Web APIs with VB.NET just fine if you just convert a C# template into VB.NET, the process was...err....tricky, and not something we would want to do for other projects, with that in we decided to look into Microsoft's reasons to not have VB.NET. We discovered how Microsoft is not keeping the same language features between both languages, having crown C# as the language of choice for everything Microsoft, to this point, it seems that Microsoft was much more focused in developing features for the excellent F# way more than it ever had for VB.NET at this point and that it was not a major strategy for them to adapt most of the .net core functionality inside of VB, we found articles when the very same Microsoft team stated of how they will be slowly adding the required support for VB and that on version 5 we would definitely have proper support for VB.NET ALTHOUGH they will not be adding any new development into the language.

Past experience with Microsoft seems to point at them getting more and more ready to completely drop the language, it does not matter how many people use it, they would still kill it :P I personally would rather keep it, or open source the language's features so that people can keep adding support to it(if they can of course) because of its historical significance rather than them just completely dropping the language. I prefer using C#, and most of my .net core applications use C#, its very similar to Java on a lot of things(although very much different in others) and I am fine with it being the main language. I just think that it sucks to leave such a large developer pool in the shadows with their preferred tool of choice and force them to use something else just like that.

My boy is currently looking at how I developed a sample api with validation, user management, mediatR and a custom project structure as well as a client side application using React and typescript swappable with another one built using Angular(i wanted to test the differences to see which one I prefer, React with Typescript is beautiful, would not want to use it without it) and he is hating every minute of it on account of how complex frontend development has become :V

Just wanted to vent a little about a non bothersome situation.

why people around me act like dump. i have recently worked with this site, which is written in php.

customer: (yelling) my website is hacked, fix it immediately
me : ok sir, we will restore your site immediately

after finishing talk with customer. i have checked website, there is no sign of website being hacked. i have checked server logs and website for security breach, there is no sign.

me: your website is not hacked, sir. can you please tell me where you have seen hacked page.
customer: look at those pages

after seen that page i facepalmed myself. it's a bug, person who created that page just splitted string without using any multibyte function, so page is showing with corrupted characters. i fixed it and problem solved. i have told about that bug, to the person who created that page.

me: hey you have used this function which is not able to handle multibyte characters, you should use multibyte character functions for that one.
person: every characters are the same. we shouldn't need to handle that way.

he is actually a senior developer. who don't even know the difference between unicode and ascii characters.

Just saw this:

Add comma's to your passwords to mess with the csv file they will be dumped in after a data breach

Not the worst, but probably the only one I can sort of explain & not get into trouble for NDA breach..

Umm.. here it goes.. wrong id returned from db procedure, tried to do something on db with that id and got exception that the id doesn't exist. Instead of checking why the procedure returns nonexistent id, he just wrapped everything in try catch without any logs.. & of course, didn't tell anyone about this.. o.0

I know, I know, code review could have prevented this, but holy fuck..
Guy's cv had more experience than I have now, so at the time, I didn't think I'd have to check every line of code he wrote, especially not for shit like this.

Today my fellow @EaZyCode found out a local Hosting Provider has a massive security breach.

He wrote an Plugin for Minecraft with an own file explorer and the ability to execute runtime commands over it.

We discovered that this specific hosting provider stores the ftp passwords one level above the FTP-Root. In FUCKING PLAIN TEXT! AND THE MYSQL PASSWORD TOO! And even more shit is stored there ready to be viewed by intelligent people...

It's one of the fucking biggest Hosting provider Germanys!

But, because EaZyCode has such a great mind and always find such bugs, I give him the title "Providers Endboss" today, he has earned it.

Loving you ❤️

Edit: we used SendMail with runtime commands and sended too many empty Spammails (regret noting)

When a client tells you to hard code the root creds to their server.

How do you celebrate GDPR? By having a breach

Fuck my life

developer makes a "missed-a-semicolon"-kind of mistake that brings your non-production infrastructure down.

manager goes crazy. rallies the whole team into a meeting to find "whom to hold accountable for this stupid mistake" ( read : whom should I blame? ).

spend 1-hour to investigate the problem. send out another developer to fix the problem.

... continue digging ...
( with every step in the software development lifecycle handbook; the only step missing was to pull the handbook itself out )

finds that the developer followed the development process well ( no hoops jumped ).
the error was missed during the code review because the reviewer didn't actually "review" the code, but reported that they had "reviewed and merged" the code

get asked why we're all spending time trying to fix a problem that occurred in a non-production environment. apparently, now it is about figuring out the root cause so that it doesn't happen in production.

we're ALL now staring at the SAME pull request. now the manager is suddenly more mad because the developer used brackets to indicate the pseudo-path where the change occurred.
"WHY WOULD YOU WASTE 30-SECONDS PUTTING ALL THOSE BRACES? YOU'RE ALREADY ON A BRANCH!"

PS : the reason I didn't quote any of the manager's words until the end was because they were screaming all along, so, I'd have to type in ALL CAPS-case. I'm a CAPS-case-hater by-default ( except for the singular use of "I" ( eye; indicating myself ) )

WTF? I mean, walk your temper off first ( I don't mean literally, right now; for now, consider it a figure of speech. I wish I could ask you to do it literally; but no, I'm not that much of a sadist just yet ). Then come back and decide what you actually want to be pissed about. Then think more; about whether you want to kill everyone else's productivity by rallying the entire team ( OK, I'm exaggerating, it's a small team of 4 people; excluding the manager ) to look at an issue that happened in a non-production environment.
At the end of the week, you're still going to come back and say we're behind schedule because we didn't get any work done.
Well, here's 4 hours of our time consumed away by you.

This manager also has a habit of saying, "getting on X's case". Even if it is a discussion ( and not a debate ). What is that supposed to mean? Did X commit such a grave crime that they need to be condemned to hell?

I miss my old organization where there was a strict no-blame policy. Their strategy was, "OK, we have an issue, let's fix it and move on."
I've gotten involved ( not caused it ) in even bigger issues ( like an almost-data-breach ) and nobody ever pointed a finger at another person.
Even though we all knew who caused the issue. Some even went beyond and defended the person. Like, "Them. No, that's not possible. They won't do such dumb mistakes. They're very thorough with their work."
No one even talked about the person behind their back either ( at least I wasn't involved in any such conversation ). Even later, after the whole issue had settled down. I don't think people brought it up later either ( though it was kind of a hush-hush need-to-know event )

Now I realize the other unsaid-advantage of the no-blame policy. You don't lose 4 hours of your so-called "quarantine productivity". We're already short on productivity. Please don't add anymore. 🙏

"Using MD5" !? What year are we in again?

NOTICE OF DATA BREACH

Dear Yahoo User,
We are writing to inform you about a data security issue that may involve your Yahoo account information. We have taken steps to secure your account and are working closely with law enforcement.
...
What Information Was Involved?

The stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5)

I am doing some freelance work for a client who is thankfully mindful about security. I found out that they are so strict with their access because they had a huge data breach last year.

Today I was given access to their repo for connecting to their AS400. In the docker file the username and password were included and were the same for dev and prod. They also are performing no sql injection prevention. They are just joining strings together.

"This is now urgent we are in risk of breach of contract."

*travels an hour just to discuss*

"Oh don't worry, don't panick about it, so and so is probably sorting it. We most likely don't need it."

!Rant
The new bill passed the house for ISP to be able to sell data. This get me ticked off. I already ausme that ISP did it under the table. Doesn't make it right. Now it legal for them to breach our privacy. At what leave do i need to run my own internet just to feel safe. VPN can sell the data, ISP can sell data about you. I spend my life teaching how to protect people online and now I can't even say they are safe at home from someone with wrong intention. A quote​ comes to mind.
"Dear lord I need to see some change, because the man in the mirror is wearing a mask"
I shouldn't have to feel every time. I boot my PC, that I need to remind my self that what I'm doing now is being sold so someone can lable me. When will the common man learn to protect their privacy online; And where is the line in the sand?

It not all bad, this event has given me the itch to code. Just to spin some heads I'm going to make a script to make random Google query across the widest array of topics, so my profile is full of contradiction.

The few who read this have a nice day!

SELECT * FROM yahoo_user_passwords WHERE powned = null;

// 0 records found

Just found a breach somewhere in the university's meal booking system, that exposes some good 60K records of students, professors and staff orders and payments.

It's just that I am behind this shitty web UI with 20 rows per page table as the only option.
Now how 1337 is that?

The company that manages my ISA for Lambda emails on a regular basis to get you to update your income. I got annoyed by the frequency while I was employed so started filtering everything.

Though I’ve been up to date with reporting income to them and submitting tax documents, etc, I apparently missed some important emails.

Like the one on the 4th saying a third party provider flagged by account for employment with CompanyA and that I needed to submit my pay stubs for CompanyA.

I do not and have never worked for CompanyA. My husband works for CompanyA.

I also missed the email from the 12th saying I’m in breach of contract and owe them $19,091.65 immediately.

*head desk*

I’m so mad I can’t even.

Why did i check my email before going to sleep?

AND I POSTED RECENTLY SO I CAN’T EVEN RANT YET. *

*Waited it out

Debugging an API issue that causes max execution time breach on a friday afternoon..

Zomato was data breached!

I hate that the company that I work for has every hugging page blocked. I can't even download or use pip. For hug sake, I don't even have a project to work on and you stop me from working on any side projects?

I hope I get a call from the places I've applied for.

fellow dev thought he was being clever, hiding his private ssh keys inside image files on a public web server...

Company created an FTP account for me on one of their servers as they were lazy to fix file permissions.

24 hours later, they monitored a breach and closed the FTP account.

Just to add that the initial password that they sent me was super weak.

There are 2 kinds of websites:
1 - The bad kind where not accepting their cookies boots you off the site (And so are in breach of GDPR... IIRC)
2 - Sites that continue working, albeit in a degraded / suboptimal state, even when you refuse their cookies.

I wish more sites were of the second variety. I'm even the only person among my friends who actually bothers going through the consent forms and disallowing everything marketing-related.

OneTrust is good. It at least remembers my preferences.

Sooo... The ways my coworker fucks me:

Last week I have been working on setting up aWireGuard VPN server... Been trying for 4 FUCKING DAYS, the easiest VPN that has ever existed, 2 commands and that's it, I wasn't able to reach it, I checked every forum, tested every possible solution without success, checking ubuntu firewall but it was inactive... Nothing that should cause this. Why? 2 weeks ago we had a security breach and my coworker added a firewall from the cloud console with basic rules allowing only 3 ports, the port I was communicating with was blocked. He didn't bother to mention that he added an external firewall. And the junior me, not wanting to be a pain in the ass, and since that security breach wasn't my responsibility to fix, I didn't ask too many questions, just read the emails going back and forth and "learning" how to deal with that. Kill me please. Next mont a new guy is joining, we had a "quick meeting" of 30 minutes and he managed to make it 2 hours meeting. So a partner who lacks communication and a partner who talks a lot... Will be fun. And I probably should change my username... Is that even possible? @root?

No idea what the fuck just happened, but my home router just dropped the internet connection and started demanding that I change the admin (default) password.
Now, I know that default passwords are bad and all that, but why the fuck now? This thing has been sitting there for over a year, and it only decided to complain now?

There have been some weird things going on lately, and I'm starting to worry that some of my systems may have been compromised in some way... but I'm not sure what/how, nor how to look for it...

Any tips for identifying a breach and disaster recovery?

Why is everyone saying we should be doing DRY but we really end up defining the same shit everywhere?

Does separation of concern breach DRY principle?

I have dtos, entities, viewmodels all throughout different layers I have to define. I swear I've changed 8 files just to introduce a new field!!!

Had a client whom was using the staging system on my server as cdn, remote computing, etc... because his prod server was a cheap vhost while the vm was a beast compared to it. I shut it down without telling. I just got a call that his site is now slow a f and full of errors.

I kindly told him that there was a recent security breach called dirty cow. Then I told him that I shut the vm down because it would mean security risk for him since there are no patches available yet and only Power on again with there was work for me to do.

If you want resources pay for them

Windows just activated TPM on my Windows 10 computer on first of february 2024.
The main reason I stuck with Windows 10 was the sole reason of not wanting to upload my hardware-fingerprint to MS.
Well, guess they just got it themselves and now, disabling the TPM comes with a lot of downsides, as it is now holding my certificates hostage...

How many secret SSH keys has Apple already captured with their shiny new iCloud Clipboard Sync on Sierra?

How is it possible my netflix password got hacked when I never used it anywhere else and it's randomly generated? I saw some weird logins with random subtitles. Google password manager told me it's in some data breach, how do I find out from where? Haveibeenpwned didn't find anything. 😐

I just used a contact form of a local webshop. I couldnt enter my email address because it contains a +.

I contacted them to tell them about this issue and the response was it is because of security reasons. Since when is following specs a security breach? Unless their system is one leak I don't see how its possible.

Am I wrong or did they either lie or have a leak in their system?

Can't really say it's the most pissed off I've been probably at mild annoyance. So for the last two years I've been stressing that in order to do my job efficiently. I need handovers and documentation. It's a ball ache I know but definitely needed.

Well after not being listened too for the last two years we now are getting a documentation process. Why? Because a lack of documentation was the leading cause to a data breach.

Yeah I've been stressing that scenario for the last two years. But no one gave a damn until it happened.

Question to all those who have worked with software architecture: What is your approach when implementing architecture and design into actual software?

I find it very hard to translate UML diagrams and architectural requirements into working code and I feel like there is quite a big "gap" between the two. How to you breach that gap and manage to maintain a clean and comprehensive architecture in your project folders?

My email address appeared in a new data breach at gravatar. I thought that's exactly gravatar's purpose, to make my email address publicly known and provide an additional profile picture?

Prank idea: call a colleague's phone and if they don't have your number (you'll notice by the way they talk), they won't know it's you. Then try to convince them they've somehow created a data breach and you have access to their company's source code... 😈

Oh, and if they do have your number just say you accidentally called the wrong person.

recently noticed that Github is warning some users that their password has been compromised in a data breach by "HaveIBeenPwned". what is this about?

The NPC has stated that the personal data of atleast 2000 people was leaked after the attacks on the websites of the philippinian goverment on april 1, the data contains; names,adresses,passwords and school data.

Over 7 administrators of schools, universities and other goverment structures have been called out for not reporting on the leakage of personal info on public facebook groups and violaton of the NPC in under 72 hours.

The representatives of the next structures stood before the comission on the 23 and 24 of april

- Taguig City University

- Department of Education offices in Bacoor City and Calamba City

- the Province of Bulacan

- Philippine Carabao Center

- Republic Central Colleges in Angeles City

- Laguna State Polytechnic University

The agency has reported that none of the organisations had notified about the personal info leakage yet.

This is a good reminder that you should inform about security/personal info breaches everyone that might be related to it as soon as possible, even if it seems unecessary.

One of our senior colleagues in my last project at TCS had brought a pen drive with him, not sure why! He worked on a client system, which he believed was not monitored by TCS. So what he did was, he plugged in the pen drive in his computer and tried to copy some files from his pen drive to the computer. However, he wasn’t able to copy the files.

We weren’t aware of this until our project manager, who sits at the farthest end of the ODC shouted at the top of his voice, calling out his name. In front of the entire ODC, he was scolded since the HR team had called the manager informing that the machine assigned under this employee’s name has detected a security breach.

He had to explain the reason; where he said he wanted to copy some codes that he had to office machine in order to reduce his manual effort, which was probably very silly of him! For the next few days I hardly saw him inside the ODC, probably had to visit people to show cause or other things and was harrassed by our manager, insulted every time he passed by him.

He was not suspended although, maybe the manager or someone else saved him, although normally such violations would have seen him terminated.

My little journey of regrets:
I remember when I was fourteen, I opened a small gap the door of "programming". It were the first steps of html, tags and what they do, to be precise.
"May, looks good. Thanks for the glimpse. Cya"
For about the other half of my life only magic happened at my desktop.
And now I'm standing once again at the door of programming trying to breach it with nukes n shit.
"Giev me all the knowledge plx, teach me senpai! I will never ignore and betray you again!"

Great, passwords compromised, time to change all account details everywhere, fun and games....

So I just started using the app called Rmabox and it seems pretty useful. Actually I am ranting using the same app. Keeps all my social profiles at one place. But I am concerned about my privacy as well. Is it safe to use such apps which help you to manage all your social accounts at one place? Will that not create a single point of security breach?

I HATE THIS SLOWLY FUCKASS CHEAPIE COMPUTER IT'S SO SLOWWWWW
I can't focus and actually do antything you nasty typerfucker son of a breach and I have to do CSS with the biggest headache ever holy fucking adamantine shitty shit

Its normal if i drop some eyedrop at my new job ? My boss don't know anything of is network ... Cannot help me with noting no code no net... All the code is done already is a deep shit full of breach im fucking solo in a room face a brick wall no window ! Can i stay for 10 month at this place ?

Need to coding but have no cluse how to connect to a fucking database no user no password ...

Its the fucking hell here 👿😢

Start my code day, no bugs in sight,
Each line I write, like code's delight.

Second function, errors suppressed,
Silent fixes, my skills put to the test.

Third loop, logic numb, yet breaking,
A contradiction in every line I'm making.

Fourth bug, clinging like a leech,
In the grip of coding's caffeine breach.

Fifth syntax, thoughtless actions cascade,
A program's dance, in lines arrayed.

Sixth compile, colleagues say, 'Go home,'
But where's home in this code dome?

'They say home is where the heart is,
But my heart's in a million logic twists,
Which line shall I follow?
The optimized or the broken,
I cannot tell them apart.'

In the last bit of code, I saved my hope,
When debugging was still an option,
So go ahead and save yourself from glitches,
For you are worthy of a million exceptions.

The fellow one (hackers) should leave out dev accounts , BFAM we are.:D