Search - "fake security"
So a fucking friend of mine makes me meet this fella who is a big shot according to his LinkedIn and please note has too much experience with Web Apps and Python
Me being naive actually trusted that and I meet him.
Fella: So what do you do?
Me: I am into Cyber Security nothing much I just do bug hunting for now
Fella: You know python will help you right?
Fella: You see you have to be a python programmer for anything you want to do in CS
Me: Yeah, I kinda know Python; actually I've been more into Ruby from the start (around this time I kinda sensed that he is a fake tech guy, he is a corporate asshole)
Fella: Show me any of your work
Me: (So to show him one of the things I was working on, I open the GitHub desktop app) Me explaining blah blah blah
*Fella is in shock*
So at this point I was thinking probably he is impressed and that's why the shock right?
No a big fucking no
Apparently he never heard about GitHub or git and got blown away by the interface.
And the friend who made me meet that guy is not my fucking friend anymore; that prick can die for ruining my day
I'm a member of an international hacker group.
As you could probably have guessed, your account [firstname.lastname@example.org] was hacked, because I sent you this message from it.
Now I have access to your accounts!
For example, your password for [email@example.com] is [RANDOM_ALPHABET_HERE]
Within a period from July 7, 2018 to September 23, 2018, you were infected by the virus we've created, through an adult website you've visited.
So far, we have access to your messages, social media accounts, and messengers.
Moreover, we've gotten full dumps of these data.
We are aware of your little and big secrets...yeah, you do have them. We saw and recorded your doings on porn websites. Your tastes are so weird, you know..
But the key thing is that sometimes we recorded you with your webcam, syncing the recordings with what you watched!
I think you are not interested in showing this video to your friends, relatives, and your intimate one...
Transfer $700 to our Bitcoin wallet: 13DAd45ARMJW6th1cBuY1FwB9beVSzW77R
If you don't know about Bitcoin please input in Google "buy BTC". It's really easy.
I guarantee that after that, we'll erase all your "data" :)
A timer will start once you read this message. You have 48 hours to pay the above-mentioned amount.
Your data will be erased once the money is transferred.
If they are not, all your messages and videos recorded will be automatically sent to all your contacts found on your devices at the moment of infection.
You should always think about your security.
We hope this case will teach you to keep secrets.
Take care of yourself.
>> RE >>
Well f### you, thanks for telling me my password, which is obviously fake. I have sent your details to the local police department, shall rest in peace. Don't earn money by this kind of action. STUPID!
OH MY GOD
WHO NAMES A CONFERENCE ROOM AFTER AN -ADDRESS-??
At my new job, we had all day training on Friday. It was emphasized many times that we should not be late. I look at the meeting invite many times, and it says [123 Fake], with Fake being a Very Well Known Street, and I see on Google Maps that there's an office building there. Great, we must have an off-site training facility to help our clients become certified in our product. It doesn't say which floor, but I assume the small space we have in that large office building will become evident once I check in with lobby security.
Friday morning comes, I get to the office building 20 minutes early, and try to check in. They've never heard of my company. Maybe there's a computer lab we rent out? No, they don't know anything about that. I don't have work email or slack set up on my phone yet, so who do I call? I try reception, no one answers. Eventually I call our customer support line.
I shouldn't be at 123 Fake St. I should be at the office. Because that's the name of the conference room!
YOU HAD ONE JOB, ROOM NAMER!
Last night my boyfriend and I tried to think of worse names for conference rooms. The only ones I could think of were "meeting canceled" (but with that, at least I would be in the correct fucking building!) or just naming every conference room "conference room". Here's the thing: there's not just one 123 Fake St room! There's two of them right next to each other! So you can easily show up and think, I remember I was supposed to be in this room, but which one?
And I'm not even the first person to make this mistake. CLIENTS have gone to the wrong building before because they get included on meeting invitations that include conference room names! WTF!
It's pretty common to have Chicago conference rooms named after neighborhoods, or iconic buildings, etc. But nobody is going to think, "meeting in Bucktown? I'll just wander around the neighborhood until I find people with laptops". It's obviously a conference room. BUT A FUCKING ADDRESS OF A NEARBY OFFICE BUILDING? It's not even an iconic building!
Names matter. I care a lot about names in code. I never realized it could apply to the physical world as well. So now I am on a mission to change the names of these Goddamn conference rooms so I'm the last person to be directed to the wrong fucking building.
OH, and I'm out $9 for a taxi ride and a pair of gloves that got lost in the taxi, so that's GREAT.
So... Some fake accounts on Twitter claimed to be Elon Musk and to give shitloads of Bitcoin to those who sent a little amount first. They stole... Wait for it... 180 grand.
That's basically your everyday 419 scam. Existing since before the internet, done with the names of Gates, Buffet, Bush, Obama...
They say "the big bad evil criminals and the poor little innocent victims" I say natural selection. Sorry, in those lion vs gazelle scenarios I always thought that it was fair, no matter how it went.
Just when did humanity get so brainless? Have we always been, is the internet just a catalyst for stupidity?
Just why the fuck must I be an infosec sheepdog instead of a wolf? Man, I could live the life, drink beer and smoke herb while working... Get up at 12, don't give a shit, no boss, no taxes, no social security payments that I don't see jack shit from, and the pay would be better too.
Thanks to mandatory password change, today:
- My windows account got locked because my phone kept logging into wifi using
- Google Hangouts were silently running in background with old session until I re-opened it. Work of others delayed by 4 hours due to missing message notifications.
- Docker for Windows lost credentials needed to use SMB mounts - 1h of debugging why my containers mount empty folders ( now I will know)
- Google G-Sync for Outlook asked for new password on outlook restart - few mails delayed.
All of that for the sake of security that could be easily solved with 2FA instead, not faking that "I do not change the number at the end of my password".
Users and Bosses.
I honestly don't know who is worse, the end user or the boss.
The boss thinks all you do is click a button and everything just works, so everything should take 30 minutes to complete, why on earth would it take a week to do something?
The user seems to think every tiny idea is the most important thing ever to add, so they tell said boss it must be added, and boss normally agrees.
I get it, Marge (Fake name), adding in a copy button because you're too dumb to press ctrl + c is way more important than updating the security after a Ransomware attack.
No boss, I can't add in 30 new things and make sure the security protocols are updated all before the meeting in 15 minutes.
If you think it's all so easy and just pressing buttons, why did you hire me? Anyone who can read and press a button should be able to do it....
this just happened a few seconds ago and I am just laughing at the pathetic site that is Facebook. xD
4 years ago:
So I was quite a noob gamer/hacker (sort of) back then and I had a habit of having multiple Gmail/FB accounts, just for gaming, like accounts through which I can log in all at once in the same poker room, so 4/5 players in the game are me, or just some multiple accounts for Clash of Clans for donations.
I had 7-8 accounts back then. One had a name that translated to "may the dead remain in peace"@yahoomail.com. It was linked to FB using the same initials. After some time only this and 2 of my main accs were all I cared about. Even today when I feel like playing, I sometimes use those accs.
2 years ago.
My dad is a simple man and was quite naive to modern tech and used to hang around with physical-button Nokia phones. But we had a business change; my father was now in a partnership in a restaurant where his daily work included a lot of sitting and casual working. So he bought a smartphone for some time pass.
He now wanted to download apps and me to teach him. I tried a lot to get him his own acc, but he couldn't remember his login credentials.
So at the end I added one of my own fake IDs (maythedead...) so he could install from the Play Store, watch vids on YouTube and whatever.
The Actual Adventure starts now
Today, 1 hour ago:
I had completely forgotten about this incident, since my parents are now quite modern in terms of tech.
But today out of nowhere I received an email that someone has JUST CHANGED MY FB PASSWORD FOR ONE OF MY FAKE ACCS!?!??
What the hell, I know it was just a useless acc and I never even check my FB from any acc these days, but if someone could log in to that acc, it's not very difficult to track my main accs, IDs, etc., so I immediately opened this FB security portal and that's where the stupidity starts:
1) To recover your account they FUCKIN ASK FOR A PHYSICAL ID. Yeah, no email, no security question; you have to scan your driving license or passport to get back into your account. And where would I get a license for some person named "may the dead remain in peace"? I simply went back.
2) Tried another hack that I thought would work. Closed the FB help page, opened FB again, tried to log in with my old credentials; it says "old password has been changed, please enter new password". I click forgot password and they send an OTP. I thought yes, I won, because the number and recovery mail ID were mine only, so I received it.
When I added the OTP, I was first sent to a password change page (woohoo, I really won! :)) but then it sends me again to the same fuckin physical ID verification page. FFFFFFFFFuck
3) I was sad and terrified that I got hacked. But 10 mins later a mail comes: "Your Facebook password was reset using the email address on Tuesday, April 10, 2018 at 8:24pm (UTC+05:30)."
I tried clicking the links attached, hoping that the password I changed (point 2) has actually done something to the account. NADA, the account still needs a physical license to open :/
4) Lost, I just log in to my main account and look up my lost fake account. The fun part: my account has the display pic of my father?!!?!
So apparently, my father wanted to try Facebook; he used the fake account I gave him to create one, FB showed him that this ID already has an FB account attached to it and he accidentally changed my password. MY FATHER WAS THE HACKER THE WHOLE TIME xD.
But the response from FB? "Well sir, if you want your virtually shitty account back, you first will have to provide us with all details of your bank transactions or your voter ID card, maybe Trump will like it"
So one of my clients had a different company do a penetration test on one of my older projects.
So beforehand I checked the old project and upgraded a few things on the server. And I thought to myself, let's leave something open and see if they will find it.
So I left jQuery 1.11.3 in it, with a known XSS vulnerability in it. Even Chrome gives a warning about this issue if you open the audit tab.
Well, first round they found that the site was not using a CSRF token. And yeah, when I built it 8 years ago, to my knowledge that was not really a thing yet.
And who is going to make a fake version of this questionnaire with 200 questions about their farm and then send it to our server again? That's not going to help any hacker, because everything that is entered gets checked on the farm again by an inspector. But well, CSRF protection is indeed considered the norm, so I took an hour out of my day to build one, because all the ones I found were too complicated for my taste. And added a little extra love by banning any IP that fails the CSRF check.
Submitted the new version and asked if I could get a report on what they checked on. Now today few weeks later after hearing nothing yet. I send my client an email asking for the status.
I get a reaction. Everything is perfect now, good job!
In Dutch they said "goed gedaan", but that's like what I say to my puppy when he pisses outside and not in the house. But that might just be me, not knowing what to do with remarks like that. I'm doing what I'm getting paid for. Saying "good job, you're so great, keep up the good work" are not things I need to hear. It's my job to do it right. I think it feels a bit like somebody clapping for you because you can walk. I'm getting off topic xD
But the XSS vulnerability is still there unnoticed, and I still have no report on what they checked. So I have like zero trust in this penetration test.
And after the first round I already mentioned to the security guy in my client's company and my daily contact that they missed things. But they do not seem to care.
Another thing to check off their to-do list and reduce their workload. Who cares if it's done well; it's no longer their responsibility.
2018 disclaimer: if you can't walk, not trying to offend you, and I would applaud for you if you could suddenly walk again.
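The rant above describes adding a CSRF token to an old form and banning any IP that fails the check. The following is an added illustration, not the ranter's code: a session-bound synchronizer token (random nonce plus an HMAC over the session id and nonce, verified in constant time) and a per-IP failure counter with a time-limited block. The server secret, the thresholds and the IP/session values are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict
from typing import Optional

# Hypothetical per-deployment secret; in a real service load it from configuration,
# never regenerate it on every start or issued tokens stop validating after a restart.
SERVER_SECRET = secrets.token_bytes(32)
MAX_FAILURES = 5       # constructed threshold: failures per IP before it is blocked
BLOCK_SECONDS = 900    # constructed block duration (15 minutes)

_failures = defaultdict(int)   # ip -> consecutive CSRF failures
_blocked_until = {}            # ip -> unix time at which the block expires


def issue_token(session_id: str) -> str:
    """Token = nonce.HMAC(secret, session_id|nonce); binding to the session stops replay
    of a token captured from one session against another."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}|{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def token_is_valid(session_id: str, token: str) -> bool:
    """Recompute the MAC for the presented nonce and compare in constant time."""
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}|{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def check_submission(ip: str, session_id: str, token: str, now: Optional[float] = None) -> str:
    """Return 'ok', 'rejected' or 'blocked'.

    Blocking by source IP, as the rant does, punishes every user behind a shared NAT
    or proxy once one browser submits stale tokens, so the block here is time-limited
    and the counter resets on a successful submission."""
    now = time.time() if now is None else now
    if _blocked_until.get(ip, 0) > now:
        return "blocked"
    if token_is_valid(session_id, token):
        _failures[ip] = 0
        return "ok"
    _failures[ip] += 1
    if _failures[ip] >= MAX_FAILURES:
        _blocked_until[ip] = now + BLOCK_SECONDS
        _failures[ip] = 0
        return "blocked"
    return "rejected"
```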
rant = Rant.STORY_TIME
This is still something funny me and my friends often remember.
Once upon a time, when we were young and stupid, we were playing on the internet with fake credit card numbers; sometimes we had luck and the orders passed.
We were in the living room, checking who could put in an order for a coffee machine, while another friend of mine was talking about the deep web and what he found there.
Suddenly, someone knocks really hard on the door... We went silent...
Me: "Who's there?"
Voice: Federal Police, open up!
I went blank, closed my laptop as fast as possible, I thought of throwing it away through the window. My friends panicked; I had my laptop upside down, opening the lid to remove the HDD.
One of my friends stood up and went to the door, looked through the eyehole.
Friend: *whispering* The eyehole's covered!
We quickly stood up and looked at each other, like we were acknowledging our wrong doing and getting ready to face the consequences.
I took a deep breath and put the key in the door to open it. Sudden heavy knock again. I jumped and yelled "I'm on it, wait a minute!".
Slowly I opened the door... And there they were, another two of my friends.
F1: Hey... what, what happened? Why are you so scared?
They stepped in while we told them what we were doing and they laughed their asses off.
We were shit scared, and those two were laughing.
So, nowadays, I don't even think about doing that kind of stuff again and I'm hoping to make a Master's degree in security...or electronics, whatever happens first.
The residence's notice says that if you have a high temperature and have traveled outside the country in the last 30 days, you will not be allowed to come inside and will be sent to the hospital instead, which is probably crowded by now due to panic. I can't imagine how it feels for the people who can't enter their own homes.
Imagine if work places were as strict as the security here? I know quite a few fuckers who would fake the death of their grandmothers just to skip work. Pretty sure someone is faking the virus right now and because everyone is so paranoid, he/she would be taken seriously.
The coincidence is funny. I've been reading "Rant" by Chuck Palahniuk last December. It's a ***story*** about a rabies super spreader who used to get himself bitten by all sorts of animals and insects to skip school. He would intentionally get himself bitten and use the venom of black widow spiders to get an erection. When he got the rabies from other encounters, he would spread it around town by eating everyone's pussy. And since one of the symptoms of rabies is a tingling sensation on the infected area, the doctors say those he infected didn't actually "suffer" until they eventually died. :) It's a good book. I love it. That guy speaks the language of the degenerates, fucking hilarious.
I'm just glad I didn't proceed with my Singapore trip but still, no thanks, I'm working from home. My entire body hurts from training for the last two days. I don't want people to get an idea. Now where can I find someone with rabies?
My school has a completely open SMTP server. A friend who works for the tech department just showed me today how anyone could fake an email. He did this by sending me an email as the president of the school; it looked legit. He told the security dudes, but they can't secure it due to legacy systems. This is madness, surely!?! Is open SMTP as bad as I think? (It is at least only accessible on the school's network.)
Some developers' incompetence can be limitless. I found an e-shop which uses a creative but totally silly way of integrating with e-mails. See my last rant (they send e-mail with my 'From' to themselves). As I sent them the delivery report (I have SPF enabled) and wrote them what is wrong, they apologized when I came to pick up the goods and were glad that I forwarded the report (otherwise my order would have been quite delayed). But hey, everything is fine, they are working on a new e-shop. I said great, hopefully it won't be this messed up. And I was told that yeah, the new one will block .net and .com addresses right away. WHAT THE ACTUAL FUCK? How can somebody use their incompetence as a reason to screw up even more! So next time, I'll probably use my local e-mail with SPF enabled to teach them to block all e-mails and do stuff properly.
So, got a call from fake Windows tech support (India) just minutes after syncing my GitHub Gmail to the Windows 10 Mail app. Trolled along while recording the audio, until he told me which command he wanted me to run. Then I hung up and did a security scan.
Figured I'd learn something instead of just hanging up right away 😎