Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
-
Very long story ahead!
Yesterday in the evening a friend of mine (calling him F from now on) became the target of something new to me...
Apparently one can fake his phone number through some fishy ways and call people with that number. Someone (we think we might know who it was, the why is at the end) did this yesterday to F.
Here's the whole story:
We were just talking together on a TeamSpeak Server (a program to talk to others on the internet) when suddenly another friend said: "F, why did you just call me three times in a row?" That was the first thing that was a bit suspicious. After that, F got calls from random numbers (even Afghanistan, we are German), and they said something like "Have fun with the police coming to your house". Then there was silence. 10 minutes later his phone rang and there were a ton of pizza delivery services in his town that apparently got pizza orders from him. Then there was silence, again. Suddenly someone with a hidden number called him, a woman's voice said they were the police and if F doesn't stop calling the police there will be consequences. F then told her what was going on but I think she didn't really care. She then wanted to know where F lives, but I told him not to say that, because if it is the police they can find it out by themself and if it's not, they don't need to know that.
Now, a short break: There is some fake information going around about where F lives. I can't remember when we found out but the attacker thought he would actually live there. No idea what happened at that location...
Now back to the story:
Time went by, nothing really happened. Suddenly F shouted: "There are blue lights outside! The police is here!" He muted his microphone and (the following is what he told us what happened) went down to the door (remember, he is 16) and there were two police men. They were asking about why he called the police. F explained what we knew until then, about number spoofing and stuff... They sent a more technical person to him, he understood what F was trying to explain. The police men drove away and he came back to tell us what happened. (Now we get back to what I heared myself.) The mom came in, screamed something that I couldn't understand, and F went offline. We searched who the attacker could have been. And we are pretty sure we found him. That guy connected to our Minecraft server (that's where I know F from) with his real IP, and his main account, which made it easy to search. He also got a static IP which means it doesn't change. We also got some information that in the recent days this guy was talking about VoIP spoofing and such stuff. Another friend of mine, a bit older, found some proofs and I think he will go to the police.
That's it. Thanks for reading.7 -
he: checkout my crazy FUD hack (a token stealer which turned out to be far more malicious than i anticipated)
me: executes it (yes in a VM)
windows defender: lemme delet this
he: ooh i forgot the word stub in there. microsoft detects that lemme fix that sends new file
me: here we go aga..
ms defender: nononono virus 117% delet this
he: i forgot it still!!
later i deactivated ms defender and analysed the traffic of the vm. in addition to stealing my fake tokens he also tried to read my Firefox/chrome history, IP.
when i asked him (2 days later) what this was all about in his "educational only" "token stealer" he threatened to
a) publish my IP
b) publish my browser history and with that my real name and address
b.0) when i asked him for proof he said he knows that my real name is "Roman Gräf" and i live in Frankfurt. (btw i do live in Frankfurt and that is in the profile of the discord server where he found me and i have the same username on discord as i have here)
c) to kill my machine and all my projects
got bored, blocked him, shut VM down. -
So one of my clients had a different company do a penetrationtest on one of my older projects.
So before hand I checked the old project and upgraded a few things on the server. And I thought to myself lets leave something open and see if they will find it.
So I left jquery 1.11.3 in it with a known xss vulnerability in it. Even chrome gives a warning about this issue if you open the audit tab.
Well first round they found that the site was not using a csrf token. And yeah when I build it 8 years ago to my knowledge that was not really a thing yet.
And who is going to make a fake version of this questionair with 200 questions about their farm and then send it to our server again. That's not going to help any hacker because everything that is entered gets checked on the farm again by an inspector. But well csrf is indeed considered the norm so I took an hour out of my day to build one. Because all the ones I found where to complicated for my taste. And added a little extra love by banning any ip that fails the csrf check.
Submitted the new version and asked if I could get a report on what they checked on. Now today few weeks later after hearing nothing yet. I send my client an email asking for the status.
I get a reaction. Everything is perfect now, good job!
In Dutch they said "goed gedaan" but that's like what I say to my puppy when he pisses outside and not in the house. But that might just be me. Not knowing what to do with remarks like that. I'm doing what I'm getting paid for. Saying, good job, your so great, keep up the good work. Are not things I need to hear. It's my job to do it right. I think it feels a bit like somebody clapping for you because you can walk. I'm getting off topic xD
But the xss vulnerability is still there unnoticed, and I still have no report on what they checked. So I have like zero trust in this penetration test.
And after the first round I already mentioned to the security guy in my clients company and my daily contact that they missed things. But they do not seem to care.
Another thing to check of their to do list and reducing their workload. Who cares if it's done well it's no longer their responsibility.
2018 disclaimer: if you can't walk not trying to offend you and I would applaud for you if you could suddenly walk again.2 -
Question: is it a red flag if I'm "not supposed to" blog about tips and tricks I've found at work (not even code level, just organization and general design patterns)? Reason given to me: "we need to be careful about due diligence and intellectual property for our investors to be satisfied". Am I working with idiots?9
-
FUCKING CHINESE SUPOSED IP CAMERAS...
First, they aren't Ip cameras, they are p2p cameras with different settings and more limited...
then took me 3 days to open 5 ports for 2 cameras, config the cameras, till they work.
YEY they finally work, can see them over the Internet (no default settings, even changed the Alias), have my Ip camera viewer on the Phone... but one doesn't activate on moviment.. in this 3 days only took 2 pictures with motion detection on and people passing in front of them... the other was working for like 5 minutes... giving black and white 7kb jpgs... after a few teeks... can't make it work again.
Now I have two cameras that I can see if my house is being robbed but no motion detection to warm me, or at least save some pictures on the server to serve as evidence (and maby finally get the team that is robbing one house a day, If they try to rob my house again...).
The cameras are very good as baby monitors or to play around, for 14$ and 20$... (love the 360º ball) , but as security cameras... Unless you have them connected to a security station and with a repeater close by... worthless...
Oh, and they may give me 1 good frame a second or lag to 10+seconds a frame...6 -
Got a scammer on my hook. Ideas welcome to fuck him/her over.
He/she confused me with someone else and messaged me acting as a support person of an exchange. I acted along and s/he is insisting on sharing account details.
Played along like a dumb internet noob and I think I got him to share his fake email id.
Now I'm thinking of ways to extract more details about him via email.
From top of my mind, these are some ideas I have:
- get his IP address
- zip bomb or something like that? But g mail is probably gonna detect that.
Ideally, If I could social engineer him to give his phone number, I could easily report him to police and find his identity.
Have you busted some scammers? Would appreciate some tips.6 -
I have just slept for a minimum of 5 hours. It is 7:47 PM atm.
Why?
We have had a damn stressful day today.
We have had a programming test, but it really was rather an exam.
Normally, you get 30 minutes for a test and 45 minutes for an exam.
In this "test" we have had to explain what 'extends' does and name a few advantages of why one should use it.
Check.
Read 3 separate texts and write the program code on paper. It was about 1 super class and 1 sub class with a test class in Java.
Check.
Task 3: Create the UML diagram of the code from above. *internally: From above? He probably means my code since there is no other code there. *Checks time*. I have about 3 minutes left. Fuck my life.*
Draws the boxes. Put the class names in each of them. A private attribute for the super class.
Teacher: Last minute!
Draw the arrow starting starting from the sub class to the super class.
Put my name on each written paper. And mentally done for the day. Couldn't finish the last task. Task 3.
During this "test", I heard the frustrations of my classmates. Seemed like everyone was pretty much pissed.
After a short discussion with the teacher who also happens to be the physics professor of a university nearby.
[If you are reading this, I hope that something bad happens to you]
The next course was about computer systems. Remember my recent rant about DNS, dhcp, ftp, web server and samba on ubuntu?
We have had the task to do the screenshots of the consoles where you proof that you have dhcp activated on win7 machine etc. Seemed ok to me. I would have been done in 10 minutes, if I would be doing this relaxed. Now the teacher tells us to change the domain names to <surnameOfEachStudent>.edu.
I was like: That's fine.
Create a new user for the samba server. Read and write directories. Change the config.
Me: That should be easy.
Create new DNS entries in the configs.
Change the IPv6 address area to 192.168.x.100-200/24 only for the dhcp server.
Change the web server's default page. Write your own text into it.
You will have 1 hour and 30 minutes of time for it.
Dumbo -ANGRY-CLIENT-: Aye. Let us first start screenshotting the default page. Oh, it says that we should access it with the domain name. I don't have that much time. Let us be creative and fake it, legally.
Changes the title element so that it looks like it has been accessed via domain name. Deletes the url and writes the domain name without pressing Enter. Screenshot. Done. Ok, let us move to the next target.
Dhcp: Change lease time. Change IP address area. Subnet mask. Router. DNS. Broadcast. Optional domain name. Save.
Switches to win7.
ipconfig /release
ipconfig /renew
Holy shit it does not work!
After changing the configs on ubuntu for a legit 30 minutes: Maybe I should change the ip of the ubuntu virtual machine itself. *me asking my old self: why did not you do that in the first place, ass hole?!*
Same previous commands on win7 console. Does not work. Hmmm...
Where could be the problem?
Check the IP of the ubuntu server once again. Fml. Ubuntu did not save when I clicked on the save button the first time I have changed it. Click on save button 10 times to make sure it really is saved now lol.
Same old procedure on win7.
Alright. Dhcp works. Screenshot.
Checks time. 40 minutes left.
DNS:It is your turn. Checks bind9 configs. sudo nano db.reverse.edu.
sudo nano db.<mysurname>.edu.
Alright. All set. It should work now.
Ping win7 from ubuntu and vice versa. Works. Ping domain name on windows 7 vm. Does not work.
Oh, I forgot to restart the bind9 server on ubuntu.
sudo service bind stop
" " " start
Check DNS server IP on win7. It looks fine.
It still doesn't work. Fuck it. I have only 20 minutes left. Samba. Let us do this!
10 minutes in. No result. I don't remember why. I already forgot why I have done for it. It was a very stressful day.
Let us try DNS again.
Oh shit. I forgot the resolver!
sudo nano /etc/resolv.conf
The previous edits are gone. Dumb me. It says it in the comments. Why did not I care about it. Fuck it.6 minutes left. Open a yt video real quick. Changes the config file. Saves it. Restarts DNS and dhcp. Closes the terminal and opens a new one. The changes do not affect them until you reopen them. That's why.
Change to win7.
Ping works. How about nsloopup.
Does not work.
Teacher: 2 minutes left!
Fuck it.
Saves the word document with the images in it. Export as pdf. Tries to access the directories of the school samba server. Does not work. It was not my fault tho. Our school server is in general very slow. It feels like they are not maintained and left alone like this in the dust from the 90s.
Friend gets the permission to put his document on a USB and give the USB to the teacher.
Sneaky me: Hey xyz, can you give me your USB real quick?
Him: sure.
Gets bombed with "do you want to format the USB?" pop-ups 10 times. Fml. Skips in a fast way.
Transfers the pdf. Plug it out. Give it back.
After this we have had to give a presentation in politics. I am done.6
Top Tags
Weekly Rant
View