Do all the things like ++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatarSign Up
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple APILearn More
Search - "cve"
Admin: "Wait, I noticed unusual traffic."
Me: "What is it?"
Admin: "Looks like we have a bot here."
Me: "A bot? Didn't know we are so popular."
Admin: "It makes constantly login requests through our API, it already surpassed 600.000! I will ban it right away."
Me: "wait, that just sounds like my bot.."
Admin: "DUDE, WTF? ARE YOU SERIOUS?"
When there is bug, you don't know of, it can end up quite embarrassing.10
A group of Security researchers has officially fucked hardware-level Intel botnet officially branded as "Intel Management Engine" they did so by gathering it all the autism they were able to get from StackOverflow mods... though they officially call it a Buffer Overflow.
On Wednesday, in a presentation at Black Hat Europe, Positive Technologies security researchers Mark Ermolov and Maxim Goryachy plan to explain the firmware flaws they found in Intel Management Engine 11, along with a warning that vendor patches for the vulnerability may not be enough.
Two weeks ago, the pair received thanks from Intel for working with the company to disclose the bugs responsibility. At the time, Chipzilla published 10 vulnerability notices affecting its Management Engine (ME), Server Platform Services (SPS), and Trusted Execution Engine (TXE).
The Intel Management Engine, which resides in the Platform Controller Hub, is a coprocessor that powers the company's vPro administrative features across a variety of chip families. It has its own OS, MINIX 3, a Unix-like operating system that runs at a level below the kernel of the device's main operating system.
It's a computer designed to monitor your computer. In that position, it has access to most of the processes and data on the main CPU. For admins, it can be useful for managing fleets of PCs; it's equally appealing to hackers for what Positive Technologies has dubbed "God mode."
The flaws cited by Intel could let an attacker run arbitrary code on affected hardware that wouldn't be visible to the user or the main operating system. Fears of such an attack led Chipzilla to implement an off switch, to comply with the NSA-developed IT security program called HAP.
But having identified this switch earlier this year, Ermolov and Goryachy contend it fails to protect against the bugs identified in three of the ten disclosures: CVE-2017-5705, CVE-2017-5706, and CVE-2017-5707.
The duo say they found a locally exploitable stack buffer overflow that allows the execution of unsigned code on any device with Intel ME 11, even if the device is turned off or protected by security software.
For more of the complete story go here:
I post mostly daily news, commentaries and such on my site for anyone that wish to drop by there21
My father just told me that I'm not a good programmer, because there are kids out there, who are younger than me and know more programming languages.
Besides the fact that the number of programming languages one knows has nothing to do with programming skills, I just said: "I wanna see that kid.", because I already knew his answer.
"Well, I never said there are many of these kids."
The last year my school installed MagicBoards (whiteboard with beamer that responses to touch) in every class room and called itself "ready for the future of media". What they also got is A FUCKING LOW SPEC SERVER RUNNING DEBIAN 6 W/O ANY UPDATES SINCE 2010 WHICH IS DYING CONSTANTLY.
As I'm a nice person I asked the 65 y/o technician (who is also my physics teacher) whether I could help updating this piece of shit.
Teacher: "Naahh, we don't have root access to the server and also we'll get a new company maintaining our servers in two years. And even if we would have the root access, we can't give that to a student."
My head: "Two. Years. TWO YEARS?! ARE YOU FUCKING KIDDING ME YOU RETARDED PIECE OF SHIT?! YOU'RE TELLING ME YOU DON'T HAVE TO INSTALL UPDATES EVEN THOUGH YOU CREATE AN SSH USER FOR EVERY FUCKING STUDENT SO THEY CAN LOGIN USING THEIR BIRTH DATE?! DID YOU EVER HEAR ABOUT SECURITY VULNERABILITIES IN YOUR LITTLE MISERABLE LIFE OR SOUNDS 'CVE-2016-5195' LIKE RANDOM LETTERS AND NUMBERS TO YOU?! BECAUSE - FUNFACT - THERE ARE TEN STUDENTS WHO ARE IN THE SUDO GROUP IF YOU EVEN KNOW WHAT THAT IS!"
Me (because I want to keep my good grades): "Yes, that sounds alright."13
Why do people get so unbelievably greedy when there is something for free.
Like "it's a free game server host, let's just create 100 accounts so I can have 100 empty servers"
Or "you can get a free game key if you contribute a lot, so let's just spam until I get the key"
It's so painfully to watch.3
YouTube, I called it. I freaking called it! This is an old story, it was back when Cryptominer via browser became a thing.
Me: "How long do you thing it will take until YouTube advertisements will contain cryptominer?"
IT WAS A F*CKING JOKE YOUTUBE, I DIDN'T KNOW YOUR ADVERTISEMENT POLICIES ARE REALLY THAT BAD!
A month later, after I said it to an friend, I had increased lags with literally anything I was doing. After some days of research (because I didn't pay that much attention to it at first), I could pin down the cause to my YouTube tab in my browser (because I listen to 24/7 music livestreams). And I was like:
Me: "I bet this is because of cryptominer. I bet this is because of cryptominer."
Guess what. About two weeks later YouTube confessed. Cryptominer ads were possible.
I wonder how much money these companies made...4
as our services are completely free and we do not get paid for working, we beg you to understand, that there are some things you have to tolerate.
1. We are DEFINITELY not going to work 24/7 for you and answer immediately anytime. Only because it's 3pm in your country doesn't mean it's 3pm in our country!
2. We will NOT waste any time figuring out your gibberish and translate your language to our language or whatever, you have to be able to understand English anyways because our website and rules and everything is English!
3. Speaking of rules, READ THEM, I'm sick of explaining to you why you are banned, what do you think FAQs are made for?!
4. STOP SPAMMING AND TAGGING ME FFS. First we have a support chat so you can leave a message there and somebody will read it eventually AND SECONDLY I'M NOT THE ONLY SUPPORTER SO STOP BUGGING ME.
5. READ THE FUCKING MESSAGES I WRITE!
geez.. I just lost it for a second... okay.. gotta go now, I got 20 new messages since I started writing this rant.6
I arrived at 8am sharp today, SHARP, I usually arrive 2-3min earlier, so I can start with my actual work at 8am sharp, but traffic was rough and my scooter wouldn't turn on, so I wasn't able to.
Suddenly my boss calls me into his office, being all like "you are late everyday, you won't start work until 5 after 8 yadayada". Wtf?? You know I have a clock on my desk and I always check the clock when I'm arriving at work? (He has security cameras everywhere, so he can actually see me check the clock every morning). This morning I arrived at 8am sharp and the only reason why I started with work late is because he thought it's necessary to remind me to be at work in time. Now he expects me to start with work 5min early everyday, fuck off!20
Did the only sensible thing IMO and installed a Linux VM on that thing.
In case you don't know what this is about. Essentially at the hotel I'm staying at they have put iMacs in every room as a TV replacement. And some of them run an OSX version from 2011! That means there a quite a lot of known remote execution bugs known for these devices. You can't update them either because they reset after each reboot. Because I was sick of using Firefox 6 for watching videos I installed xubuntu on that thing. (God knows why the admin passwort is blank)3
Guy using VPN:
why would anybody use tor unless he hides something?
Me (using Tor):
why would anyone use VPN unless he hides something?
In my opinion there is no difference in using Tor than in using VPN, it's all about privacy. I would consider Tor as an free alternative for your everyday privacy needs, if you can't afford VPN, or am I wrong?22
Recently started at a new job. Things were going fine, getting along with everyone, everything seems good and running smoothly, a few odd things here and there but for the most part fine.
Then I decided to take a look at our (public facing) website... What's this? Outdated plugins from 2013? Okay, that's an easy fix I guess? All of these are free and the way we're using them wouldn't require a lot of refactoring...
Apparently not. Apparently, we can't even update them ourselves, we have to request that an external company does it (which we pay, by the way, SHITELOADS of money to). A week goes past, and we finally get a response.
No, we won't update it, you'll have to pay for it. Doesn't matter that there's a CVE list a bloody mile long and straight up no input validation in several areas, doesn't matter that tens of thousands of users are at risk, pay us or it stays broken. Boggles the fuckin' mind.
I dug into it a bit more than I probably should have (didn't break no laws though I'm not a complete dumbass, I just work for em) and it turns out it's not just us getting fucked over, it's literally EVERYONE using their service which is the vast majority of people within the industry in my country. It also turns out that the entirety of our region is running off a single bloody IP which if you do a quick search on shodan for, you guessed it, also has a CVE list pop up a fuckin' mile long. Don't get me started on password security (there is none). I hate this, there's fucking nothing I can do and everyone else is just fine sitting on their hands because "nobody would target us because we're not a bank!!", as if it bloody matters and as if peoples names, addresses, phone numbers and assuming someone got into our actual database, which wouldn't be a fuckin' stretch of the imagination let me tell you, far more personal details, that these aren't enticing to anyone.
What would you do in my situation?
What can I even do?
I don't want to piss anyone senior off but honestly, I'm thinkin' they might deserve it. I mean yeah there's nothing we can do but at least make a fuss 'cause they ain't gunna listen to my green ass.10
YAY.... fuck you Belkin!
Just found out my router is vulnerable to CVE-2017-14491.
For all you not following these issues, this one allows the attacker to intercept connections and perform a traffic hijack, or execute arbitrary code with unrestricted privileges as well as access all important and private data stored on the device aka: the devices login/password, the Wi-Fi passwords, and configuration data just by sending malformed DNS packets to the device.
Now this is all well and good, except Belkin haven't released firmware since 2013, which is strange... seeing how the damn thing was "NEW" out of the box in 2016.
Last time i buy a fucking router from these lousy assholes.
Anyone hear about the emergency patch that Microsoft just released? Its a RCE vulnerability CVE-2017-11937 which ironically targets all of Microsoft's security products.
Basically when Windows defender scans a specially crafted file the attacker can run code as the LocalSystem. Nice one Microsoft!2
Windows: No internet connection.
Me: Runs troubleshooter.
Windows: Problem found and resolved: Default Gateway Server is not available
Me: Wait.. since when can windows fix user input?!
Windows: Still no internet connection4
Recently I got an E-Mail from PayPal.de with the headline "Your account gets limited". Fun Fact: I don't have a PayPal account.
This Mail got me curious though, as it couldn't be a phishing mail, since I don't have a PayPal account in the first place, so I opened the e-mail just to get greeted by pure emptiness. It was completely empty. I thought to myself "oh no, is this some sort of new trick? Did I get infected by some sort of a weird hacky backdoor trojan already?!"
Original E-mail Address: NULL (never seen this before)
I then realized, that Thunderbird blocked the only content from this mail: a clickable image.
This is getting even more confusing the longer I examine this unique mail. The image is showing me a domain from a site completely unrelated from PayPal, so it was obviously no phishing, but I didn't trust this clickable image, so I looked up its hidden link to find an even more confusing redirection to not a picture upload site like the image suggests, but to a game key reselling site instead, like wtf? What was the whole point of this whole e-mail? Was this a weird try to make advertisements for more than one website? It wasn't even a ref-link or something like that. It was just weird, iunno.8
As usual a rather clickbait title, because only the chrome extensions (as always) seem to be vulnerable:
"Warning – 3 Popular VPN Services Are Leaking Your IP Address"
"Researchers found critical vulnerabilities in three popular VPN services that could leak users' real IP addresses and other sensitive data."
"VPN Mentor revealed that three popular VPN service providers—HotSpot Shield, PureVPN, and Zenmate"
"PureVPN is the same company who lied to have a 'no log' policy, but a few months ago helped the FBI with logs that lead to the arrest of a Massachusetts man in a cyberstalking case."
"Hijack all traffic (CVE-2018-7879) "
"DNS leak (CVE-2018-7878)"
"Real IP Address leak (CVE-2018-7880)"9
I rarely see emojis on devrant and most of the time I see them, they are used in a rather cringe-full way. There are some posts however, which use emojis in a way I like, for example to replace the client's name.
But my favorite emoji is still the shrug emoji, not the Unicode shrug emoji, but the *real* shrug emoji. ¯\_( ツ)_/¯10
I think I can learn English here.
I can also learn professional knowledge.
**I am a Korean.**
Android studio AVD powered pictures4
Attention guys and gals! If you are using grafana in your home setup, update it asap to 4.6.4 or 5.2.3. versions before those two are affected by an authentication bypass vulnerability. CVE 2018-15727
In the meanwhile, my nginx config is blocking everything but the LAN ips :)
Mother hugging systemd... Nobody asked tou to be born in a first place. Nobody asked you to solve problems we didn't have. And nobody asked you to open hugging backdoors in our systems!
"Why are you late?" "Because I patched the CVE in Imagemagick on all of our servers tonight." "Next time be on time!" *sigh*2
Description: A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of SRTCP packets sent to a target phone number.
NSO group even sell a spyware application based on that vulnerability to governments.
Listen!!!!! I'm going to the toilet with my phone!!! Listen!!!3
Y'all might wanna update your Win7, Win8 amd Win Server 2008.
RDP RCE with a CVSS pf 9.8.
Okay, this is quite hard to explain properly, but I'm actually scared of my personal future.
In about a year, I finish school and I don't have a straight plan of what to do next. I want to work independently, preferably as a game dev, but I imagine that to be a hard task. I have thought of doing a bachelor's degree in game development, but the university I prefer to go to costs 20k€, which is a huge sum and I don't even know whether it would be actually worth it. The university states that 20% of all their graduated students work independently afterwards and they even offer you a flexible "loan" (not sure if it's the right term) you can pay off while you start working, but I fear I won't be able to pay it back, I cannot imagine making this much money any time soon after I start working independently as game dev. Additionally I fear I won't be able to keep my motivation up, since I struggle doing so already, on the other hand my lack of motivation could be caused by this toxic environment I live in.
I've also considered doing freelancing, but when I'm scrolling through the requests made, I never find something I am experienced in, I don't know what request is best to get started with freelancing.
I just don't know what to do in the future and I'm scared and considering to go to this university is probably pretty stupid already and I consider it as me ranting myself, because of my nonexisting self-esteem. So I don't know what to expect from this post, I just needed to share.1
If you discovered a vulnerability affecting multiple of the big dogs, would file a cve and report it immediately or have some *fun* first?
Starts search and replace.
Trys to replace a type in the whole Project.
Syntax Check: lol no, apparently everything is broken now, good job
(literally my whole project was marked red)
(project still marked red)
Syntax Check: lol what? Your code already looked like shit before, won't let you compile this.
It was a bug which breaks the syntax check after big replace requests. Had to start a new project and copy my code step for step, so it didn't break again. However I've forgotten to replace the type before I copy...
Another story regarding this shit:
IDE: oh, let me help you by replacing all old var names with the new one
IDE: oh shoot, didn't know it could break things
Wants to revert
IDE: did you think I would go through this mess again?! Do it yourself!3
It feels so great to check a box from your to-do list... even if it's as little as creating the project file.1
I'm finally going on vacation, which is good, but I already know there will be many stupid people writing me endless private messages about them being banned or their server not working correctly BECAUSE OF THEIR OWN SCRIPTS and they will spam me like they usually do although I WRITE THEM I'm out of the office but they don't care since they don't have other things to do than COMPLAINING ALL DAY.
Geez okay, I got to calm down, I'm on vacation, don't want *that* to ruin my mood.
It was stupid to ban all those people for breaking the rules today though, should have waited another week, so guess this one is on me.1
Definitely Android 8.0 is neat.
And it's faster.
I think Android has developed a lot.
Isn't that right?
Something you really should not do:
*adds a new feature*
*build & run*
*See no difference*
Me: "Hmm.. Maybe 1 is not the best test integer, let me pick something higher..."
*build & run*
*INTEGER OVERFLOW EXCEPTION*
Feel free to share your "let me choose anothee test integer"-stories, which gone terribly wrong.1
Any disposable e-mail address service:
"FIGHT THE SPAM"
"THANK YOU FIGHTING THE SPAM"
"YOU DID GOOD BY FIGHTING SPAM"
The users of disposable e-mail address:
*creates another spam account*
*creates another multiaccount in order to exploit a system*
Companies actually fighting spam:
Now there is even more spam to fight against. (which is not good)
About 2/3 of the accounts created daily on our website are spam accounts. We have to waste our time with this shit instead of actually improving our services. Since we do not track IP-Addresses and there are countless amounts of disposable e-mail domains AND there is still the option to create countless spam e-mail addresses within legit e-mail providers, there is no easy way of stopping this madness.
"Fight the Spam", you could start by deleting your shitty service or at least give us a list of all the domains you're using, srsly.
Symantec/Norton users please patch your AV immediately, problem that's listed in CVE-2016-2208, which can help you destroy your kernel.
I guess asking my friends for their opinion is part of my workflow and I really shouldn't do, because their reactions tend to be demotivating and frustrating all the time. As if I don't have enough to worry about already.
16h a day. I was late for a birthday present so I worked on it for as long as I could. It took me 2 months and I was not done in time...
I had eyestrain of death and all this trouble only for a freaking birthday present.
But the present was good, although it was incomplete.2
I would love to reschedule my whole life to live during the cool night time throughout the summer, but I can't because I don't live alone...
Guess I have to feel like garbage for the next few weeks...2
TL;DR I just recently started my apprenticeship, it's horrible so far, I want to quit, but don't know what to do next...
Okay, first of all, hey there! My name is Cave and I haven't been on here for a while, so I hope the majority of you is doing rather okay. I'm programming for 6 years now, have some work experience already, since I used to volunteer for a company for half a year, in which I discovered my love for integrations and stuff. These background information will probably be necessary to understand my agony in full extend.
So, okay, this is about my apprenticeship. Generally speaking, I was expecting to work, and to learn something, gaining experience. So far, it only involved me, reading through horrible code, fixing and replacing stuff for them, I didn't learn a thing yet, and we are already a month in.
When I said the code is horrible, well, it is the worst I have ever seen since I started programming. Little documentation - if any -, everywhere you look there is deprecated code, which may or may not been commented out, often loops or simply methods seem to be foreign for them, as the code is cluttered with copy paste code everywhere and on top of that all, the code is slow as heck, like wtf.
I spent my past month with reading their code, trying to understand what most of this nonsense is for, and then just deleting and rewriting it entirely. My code suddenly is only 5% or their size and about 1000 times faster. Did I mention I am new to this programming language yet? That I have absolutely no experience in that programming language? Because well I am new and don't have any experience, yet, I have little to no struggle doing it better.
Okay, so, imagine, you started programming like 20 years ago, you were able to found your own business, you are getting paid a decent amount of money, sounds alright, right? Here comes the twist: you have been neglecting every advancement made in developing software for the past 20 years, yup, that's what it feels like to work here.
At this point I don't even know, like is this normal? Did git, VSCode and co. spoil me? Am I supposed to use ancient software with ancient programming languages to make my life hell? Is programming supposed to be like this? I have no clue, you tell me, I always thought I was doing stuff right.
Well, this company is not using git, infact, they have every of their project in a single folder and deleting it by accident is not that hard, I almost did once, that was scary. I started out working locally, just copying files, so shit like that won't happen, they told me to work directly in the source. They said it's fine, that's why you can see 20 copies of the folder, in the same folder... Yes, right, whatever.
I work using a remote desktop, the server I work on is Windows server 2008, you want to make icons using gimp? Too bad, Gimp doesn't support windows server 2008, I don't think anything does anymore, at least I haven't found anything, lol.
They asked me to integrate Google Maps into their projects, I thought it is gonna be fun, well, turns out their software uses internet explorer 9.. and Google maps api does not support internet explorer 9... I ended up somehow installing CEF3 on that shit and wrote an API for it in JS. Writing the API was actually kind of fun, but integrating it in their software sucked and they told me I will never integrate stuff ever again, since they usually don't do that. I mean, they don't have a Backend as far as I can tell, it looks like stuff directly connects with their database, so I believe them, but you know... I love integrating stuff..
So at this point you might be thinking, then why don't you just quit? Well I would, definitely. I'm lucky that till December I can quit without prior notice, just need a resignation as far as I can tell, but when I quit, what do I do next? Like, I volunteered for a company for half a year and I'd argue I did a good job, but with this apprenticeship it only adds up to about 7 months of actual work experience. Would anybody hire somebody with this much actual work experience? I also consider doing freelancing, making a living out of just integrating stuff, but would people pay for that? And then again, would they hire somebody with this much experience? I don't want to quit without a plan on what to do next, but I have no clue.
Am I just spoiled, is programming really just like that, using ancient tools and stuff? Let me know. Advice is welcomed as well, because I'm at a loss. Thanks for reading.10
Today my ping caught me off-guard once again, but I will stop this madness for all eternity! Writing the ultimate ping tool, so I never have to fear high ping ever again.. well I cannot fix my f*cking internet provider, but my ping tool can warn me, even if it detects only the slightest inconsistency!
But first I have to figure out why my tool doesn't output the ping...
Every room at the Hotel I'm staying at has a Mac as a TV replacement. The thing is it runs a Mac OS X version from 2011. Any suggestions on what I should do next?2
Instead of using MySQL, I zipped a bunch of json files... It's fast, but definitely not reliable, I was young and stupid, I should finally getting started with mySQL, srsly.2
Somebody forgot to correctly match the external url on login success and failure, now google may use my cookies for the better good.
They want you to listen but they never give a shit about what you're talking themselves. This is why I have quit most of my friendships and practically replaced them with devrant, not sure if it was a good idea in the long run though...2
In the spirit of the latest dirty cow Linux cve lets hear dev rants favourite dirty Linux command
$ man touch