Apparently they didn't want to hear about my vulnerabilities I found because they blocked my IP address.

Seriously? I just wanted to do a disclosure of potential exploits / security issues

So devRant is an app where people come to break non disclosure agreements.

Long rant ahead.. so feel free to refill your cup of coffee and have a seat 🙂

It's completely useless. At least in the school I went to, the teachers were worse than useless. It's a bit of an old story that I've told quite a few times already, but I had a dispute with said teachers at some point after which I wasn't able nor willing to fully do the classes anymore.

So, just to set the stage.. le me, die-hard Linux user, and reasonably initiated in networking and security already, to the point that I really only needed half an ear to follow along with the classes, while most of the time I was just working on my own servers to pass the time instead. I noticed that the Moodle website that the school was using to do a big chunk of the course material with, wasn't TLS-secured. So whenever the class begins and everyone logs in to the Moodle website..? Yeah.. it wouldn't be hard for anyone in that class to steal everyone else's credentials, including the teacher's (as they were using the same network).

So I brought it up a few times in the first year, teacher was like "yeah yeah we'll do it at some point". Shortly before summer break I took the security teacher aside after class and mentioned it another time - please please take the opportunity to do it during summer break.

Coming back in September.. nothing happened. Maybe I needed to bring in more evidence that this is a serious issue, so I asked the security teacher: can I make a proper PoC using my machines in my home network to steal the credentials of my own Moodle account and mail a screencast to you as a private disclosure? She said "yeah sure, that's fine".
Pro tip: make the people involved sign a written contract for this!!! It'll cover your ass when they decide to be dicks.. which spoiler alert, these teachers decided they wanted to be.

So I made the PoC, mailed it to them, yada yada yada... Soon after, next class, and I noticed that my VPN server was blocked. Now I used my personal VPN server at the time mostly to access a file server at home to securely fetch documents I needed in class, without having to carry an external hard drive with me all the time. However it was also used for gateway redirection (i.e. the main purpose of commercial VPN's, le new IP for "le onenumity"). I mean for example, if some douche in that class would've decided to ARP poison the network and steal credentials, my VPN connection would've prevented that.. it was a decent workaround. But now it's for some reason causing Moodle to throw some type of 403.

Asked the teacher for routers and switches I had a class from at the time.. why is my VPN server blocked? He replied with the statement that "yeah we blocked it because you can bypass the firewall with that and watch porn in class".
Alright, fair enough. I can indeed bypass the firewall with that. But watch porn.. in class? I mean I'm a bit of an exhibitionist too, but in a fucking class!? And why right after that PoC, while I've been using that VPN connection for over a year?

Not too long after that, I prematurely left that class out of sheer frustration (I remember browsing devRant with the intent to write about it while the teacher was watching 😂), and left while looking that teacher dead in the eyes.. and never have I been that cold to someone while calling them a fucking idiot.

Shortly after I've also received an email from them in which they stated that they wanted compensation for "the disruption of good service". They actually thought that I had hacked into their servers. Security teachers, ostensibly technical people, if I may add. Never seen anyone more incompetent than those 3 motherfuckers that plotted against me to save their own asses for making such a shitty infrastructure. Regarding that mail, I not so friendly replied to them that they could settle it in court if they wanted to.. but that I already knew who would win that case. Haven't heard of them since.

So yeah. That's why I regard those expensive shitty pieces of paper as such. The only thing they prove is that someone somewhere with some unknown degree of competence confirms that you know something. I think there's far too many unknowns in there.

Nowadays I'm putting my bets on a certification from the Linux Professional Institute - a renowned and well-regarded certification body in sysadmin. Last February at FOSDEM I did half of the LPIC-1 certification exam, next year I'll do the other half. With the amount of reputation the LPI has behind it, I believe that's a far better route to go with than some random school somewhere.

Got a CTO at my Unity job that's younger than me, which by itself is fine, but the only reason this guy was put into that position was because the previous CTO left the company at the time where I was relatively new and he is the person most familiar with the codebase of our primary project than I was at the time.

I understood the decision at the time, but still, having a position of power being handed to them just as a matter of inheritance doesn't command my respect. Nevertheless, I withheld my judgement at the time to see how his leadership goes.

Not even 1 year in and this young CTO started making jabs at me, calling my code hard to read and incomprehensible, to my face, in front of everybody else.

Motherfucker, I don't find his code easy to read either but I went out of my way to frequently ask him, the previous CTO and other teammates to clarify what they wrote here and there. He on the other, made no attempt to ask me for clarification and instead waited until company meetings to air these grievances.

Our boss started to ask me to follow SOLID principles (even though he can't recite what that acronym means) due to complaint from the CTO guy, even though the CTO guy doesn't even follow SOLID himself! But I took the higher road and didn't flip it right back on him.

What I did propose in return though, is that the dev team start using pull requests and have a code review process if the CTO wants to sign off on everything that gets in the codebase. Sounds reasonable enough, right? Not for this guy! He immediately starts complaining that reviewing pull requests would be more work for him. Motherfucker, you refused to go to my table to ask for clarifications about my code yet still want to understand what goes on, then do code review.

It was at this point that I realized that this guy doesn't actually want me to write good, clear code. He wants me to write code HIS way so that he can understand. Yeah okay, I can accept that idea in isolation. Some open-source projects require contributors to follow certain coding convention to make the maintainers' job easier too. One project that immediately came to mind is "In-game Debug Console for Unity 3D" (disclosure: I am a contributor to this project)

But guess what?

THIS COMPANY DOESN'T HAVE A FREAKING CODING CONVENTION. NOT WRITTEN DOWN ANYWHERE. NOT EVEN A VOCAL ONE.

What this CTO guy wants from me is a complete blackbox.

To all fellow devs out there, I hope you don't work with a CTO like this, or become one.

“Hey - just calling you to give you an update”

Great - sorry can you refresh my memory what was this for?

“So I was about to put you through for a client but they’re no longer accepting CVs so just to update you that’s not happening”

Sorry, what was the client again?

“Oh I can’t say, but they’re no longer accepting CVs”

“...Thanks, goodbye.”

*So you call me to tell me that you can’t give my details to a client that you can’t disclosure....get off my line 🤬😡🤬*

Coolest project I ever worked on made me sign an NDA. 😜 non disclosure agreement 🤓

"One misstep from developers at Starbucks left exposed an API key that could be used by an attacker to access internal systems and manipulate the list of authorized users," according to the report of Bleeping Computer.

Vulnerability hunter Vinoth Kumar reported and later Starbucks responded it as "significant information disclosure" and qualified for a bug bounty. Along with identifying the GitHub repository and specifying the file hosting the API key, Kumar also provided proof-of-concept (PoC) code demonstrating what an attacker could do with the key. Apart from listing systems and users, adversaries could also take control of the Amazon Web Services (AWS) account, execute commands on systems and add or remove users with access to the internal systems.

The company paid Kumar a $4,000 bounty for the disclosure, which is the maximum reward for critical vulnerabilities.

Here's some of my favorite quotes from "The Mythical Man-Month":

"The bearing of a child takes nine months no matter how many women are assigned".

"The management question ... is not whether to build a pilot system and throw it away. You will do that. The only question is whether to plan in advance to build a throwaway, or to promise to deliver the throwaway to customers."

"I once knew a boss who invariably picked up the phone to give orders before the end of the first paragraph in a status report. That response is guaranteed to squelch full disclosure."

Prof introducing a batch of non-programmers to JavaScript.

Me: Ha! I'm going to ace this class.

Disclosure: Its an Art school, We're studying Multimedia Arts, and we have a couple of Web Development classes that focus on html, css, js, and php. (and I have been a web developer for 4 years)

recruiter: "perfect, you seem the kind of guy we're looking for this role. but can you explain this gap in your resume?"
me: "I'm sorry but I've signed an NDA(non-disclosure agreement)"

Do you guys worry about your non disclosure agreements at work? I use my personal computer at work so I do my own projects on the same computer as work but it makes me a bit uneasy. We're a broke startup and I'm lucky to have the job so I'm not going to ask for a computer.

Also, are you aware of it when you make rants- trying not to be too specific? Or are you not worried?

One of my insurance companies made me sign a legal disclosure that they no longer support Internet Explorer for paperless options. The end is in sight!

Sooo I've just learned that one of the new guys I'm helping train (And is a level below my role in seniority) is being paid approx. 12.9% higher than what I'm being paid; I got promoted a few months back (Been with the 'biz for over 4 years) and he was hired around the same time (A few months back). I learned this as we've both become good friends, and were on the topic personally and informally. Our salaries are not publically known outside of personal disclosure. My manager / HR is not aware that I know this. How do I bridge this with my employer?

Definitely landing the first real gig.

I've been writing software since I was 12 (full disclosure: early code consisted of C=64 BASIC). I learned C in high school. Contributed to a MUD in my 20's. But I never got a CS degree and didn't really understand how hiring works, so I limped along doing technical support for years. Years turned into decades.

About 2 years ago, I became an embedded support person inside a development team. I got to show off my skills, and the year effectively became a live interview. Last October I finally got the title.

On the positive side, by taking the long way around I missed out on some of the insanity of the software world in the 90s/00s.

Given an opportunity to develop an application for R&D. What do we do as a team? Let build it exactly the same way our current stack is built. (This app won't actually be used for anything useful, just an exercise for a fun R&D task)

It still amazes me with the number of developers that literally have the mindset, let's just do what we know & don't want to learn anything new.

Let's showcase new technologies? No. Let's create a serverless application? No. Let's create some microservices? No. Let's wrap the application in a Docker container so we can easily spin it up? No. Let's have multiple services that sit behind an API gateway? No. Let's for fucks sake at try a different design pattern? Why would we do that? Can we do anything differently? No.

No innovation, nothing - it just blows my mind. Everyone seems to think that the way the stack is built is how every application is. Sorry but a huge monolithic application that can't scale isn't how the other half live...

I don't know why the lack of wanting to try something new bothers be so much, but it does.

Had a real opportunity to showcase some cool tech, design patterns, new services in the cloud. Show not only other devs but upper management that there are alternative ways to develop. It's not like anything that I put together was "new or shiny" - I just wanted to do anything... Anything that isn't how currently do things.

Full disclosure, I'm not a great Dev - I'm pretty dam average but I'm always willing to try new techniques or approaches.

Published on BBC, GCHQ have set the challenge below. Would make a fun simple coding challenge. My thought is to brute-force, is there a more efficient way to solve it?

"Take the digits 1,2,3 up to 9 in numerical order and put either a plus sign or a minus sign or neither between the digits to make a sum that adds up to 100. For example, one way of achieving this is: 1 + 2 + 34 - 5 + 67 - 8 + 9 = 100, which uses six plusses and minuses. What is the fewest number of plusses and minuses you need to do this?"

Edit: disclosure: I believe the challenge has passed already and I'm too lazy to enter anyway so don't worry about me or anyone stealing ideas!

how long is the gap for responsible disclosure again? isn't it a week?
Cengage still hasn't gotten back to me at all on my case with them. It's been about that...