10 points for next century option.

What a stupid configuration of firewall at my work:

devrant -> blocked because of entertainment category.
xvideos -> no problem at all.

Conclusion: sysadmin likes watching porn.

'Normal' people when they get a new phone:
- install whatsapp
- install Facebook (or other social media)
- install regular email app

Me:
- Root phone
- Install app ops
- Install Signal
- Install encrypted email services' app
- Install firewall
- Install devRant

Anyone else like me here?

My girlfriends mom asked whether I could fix her coworkers laptop. She claimed that it had viruses installed and laptop is laggy..

So... I got that laptop just now, got home and turned it on. It doesn't have WiFi drivers installed and I do not have any free Ethernet cable right now.

About the lags... Well you won't believe how many custom tool bars and security programs there were. McAffe, AVG, ESET and some Russian made firewall which asks for license key every 5mins.

And she asked me to reinstall windows and keep every file of hers, and she didn't bother to point which files of 300gb of photos/videos/docs are worth keeping and which are not.. HDD is 300GB :A fuck me

P. S. Since it's my first rant I can say ranting helps a lot to calm down

The spam denier
_____

An old phone conversation with a client:

Me : Hello

Client : My website and server are suspended? why is that?

Me : Your server sends spam messages.

Client : We do not send spam messages, we are on vacation, there is none in the office.

Me : Yes, but it is not necessarily you, according to our logs, your server sent spam messages in Chinese and Russian, so someone from Russia or China....etc.

Client : I do not believe you, we do not speak russian or chinese, how could we then write spam messages in those languages?

Me : I told you, maybe someone exploited some vulnerability in your website or server firewall. And if you want to activate your services, please check with your webmaster and sysadmin to secure your ....

Client: I tell you my son, because I am old and I have more life experience than you ... I am 60 years old and I tell you, spam does not exist, and YOU suspended my website and server, and created issues to sell me more of your solutions and services.

I won't check my server, I won't hire a webmaster or a sysadmin, AND YOU WILL ACTIVATE MY SERVER NOW !

(I suddenly realized that I am talking to a wall, so I switched to a robotic tone).

Me : Please resolve the issue to activate your services..

Client : YOU WILL ACTIVATE MY S...

Me : Please resolve the issue to activate your services...

Client : WHAT IS THIS SPAM STORY ANYWAY, I DO NOT BELIEVE YOU ...

Me : Please google that word and you will understand what is spam is...

Client : YOU ARE F**ING LIARS, SPAM DOES NOT EXIST... ACTIVATE MY WEBSITE N.... Beeeep !

I hang up.

Well, I thought about configuring an automatic response for this client, or a for-loop.

His voice was really unpleasant, as if he is a heavy smoker.

So a friend of Mine asked me to check their Mail server because some emails got lost. Or had a funny signature.

Mails were sent from outlook so ok let's do this.

I go create a dummy account, and send/receive a few emails. All were coming in except one and some had a link appended. The link was randomly generated and was always some kind of referral.

Ok this this let's check the Mail Server.

Nothing.

Let's check the mail header. Nothing.

Face -> wall

Fml I want to cry.

Now I want to search for a pattern and write a script which sends a bunch of mails on my laptop.
Fuck this : no WLAN and no LAN Ports available. Fine let's hotspot the phone and send a few fucking mails.

Guess what? Fucking cockmagic, no funny mails appear!

At that moment I went out and was like chainsmoking 5 cigarettes.

BAM!

It hit me! A feeling like a unicorn vomiting rainbows all over my face.

I go check their firewall. Shit redirected all email ports from within the network to another server.

Yay nobody got credentials because nobody new it existed. Damn boy.

Hook on to the hostmachine power down the vm, start and hack yourself a root account before shit boots. Luckily I just forgot the credentials to a testvm some time ago so I know that shit. Lesson learned: fucking learn from your mistakes, might be useful sometimes!

Ok fucker what in the world are you doing.

Do some terminal magic and see that it listens on the email ports.

Holy cockriders of the galaxy.

Turns out their former it guy made a script which caught all mails from the server and injected all kind of bullshit and then sent them to real Webserver. And the reason why some mails weren't received was said guy was too dumb to implement Unicode and some mails just broke his script.

That fucker even implented an API to pull all those bullshit refs.

I know your name "Matthias" and I know where you live and what you've done... And to fuck you back for that misery I took your accounts and since you used the same fucking password for everything I took your mail, Facebook and steam account too.

Git gut shithead! You better get a lawyer

> Customer calls
Her: I have over 5k 404 request to [insertwebsite]/autodiscover/autodiscover.xml
Me: Sound like a missconfigured exchangeserver/client. Let me have a look.
> Takes a look and can confirm the IP and the owner of that IP
Me: It looks like someone/something from xxx.xxx.xxx.xxx is failing to resolve autodiscover.[insertdomain].com
and defaults to @ record on the zone. Do you happend to know to whom that IP belongs?
Her: No, and I dont care, just block it. I do not like the 404 that shows up on the summary.
Me: Alright
> Blocks the IP in the firewall.

>>> Fast forward to next day >>>

> Someone calls, it is the same girl
Her: I cant reach my website! Infact, I cant reach anything! WHYYYYYY!!!
> I remember, blocking that IP yesterday...
Me: Oh, can you please visist "minip.se" (whatismyip.com, swedish version) and tell me what you see?
Her: Yes, it is xxx.xxx.xxx.xxx
Me: Do you remember that IP that you request that I block yesterday?
> I can hear the shame coming from the phone.
> Turn out that her collegues did'nt have any mail delivered to them from the time I blocked their IP
> Her boss is really mad
> Atleast she had a cute voice

The most secure firewall.

Anyone know this bitch hacker 127.0.0.1 story?

WORST HACKERS OF ALL TIME

CONTINUED IN THE COMMENTS BECUASE IT IS SO LONG...

TLdr bitch hacker hacks himself by localhost

bitchchecker (~java@euirc-a97f9137.dip.t-dialin.net) Quit (Ping timeout#)
bitchchecker (~java@euirc-61a2169c.dip.t-dialin.net) has joined #stopHipHop
<bitchchecker> why do you kick me
<bitchchecker> can’t you discus normally
<bitchchecker> answer!
<Elch> we didn’t kick you
<Elch> you had a ping timeout: * bitchchecker (~java@euirc-a97f9137.dip.t-dialin.net) Quit (Ping timeout#)
<bitchchecker> what ping man
<bitchchecker> the timing of my pc is right
<bitchchecker> i even have dst
<bitchchecker> you banned me
<bitchchecker> amit it you son of a bitch
<HopperHunter|afk> LOL
<HopperHunter|afk> shit you’re stupid, DST^^
<bitchchecker> shut your mouth WE HAVE DST!
<bitchchecker> for two weaks already
<bitchchecker> when you start your pc there is a message from windows that DST is applied.
<Elch> You’re a real computer expert
<bitchchecker> shut up i hack you
<Elch> ok, i’m quiet, hope you don’t show us how good a hacker you are
<bitchchecker> tell me your network number man then you’re dead
<Elch> Eh, it’s 129.0.0.1
<Elch> or maybe 127.0.0.1
<Elch> yes exactly that’s it: 127.0.0.1 I’m waiting for you great attack
<bitchchecker> in five minutes your hard drive is deleted
<Elch> Now I’m frightened
<bitchchecker> shut up you’ll be gone
<bitchchecker> i have a program where i enter your ip and you’re dead
<bitchchecker> say goodbye
<Elch> to whom?
<bitchchecker> to you man
<bitchchecker> buy buy
<Elch> I’m shivering thinking about such great Hack0rs like you
bitchchecker (~java@euirc-61a2169c.dip.t-dialin.net) Quit (Ping timeout#)
bitchchecker (~java@euirc-b5cd558e.dip.t-dialin.net) has joined #stopHipHop
<bitchchecker> dude be happy my pc crashed otherwise you’d be gone
<Metanot> lol
<Elch> bitchchecker: Then try hacking me again… I still have the same IP: 127.0.0.1
<bitchchecker> you’re so stupid man
<bitchchecker> say buy buy
<Metanot> ah, [Please control your cussing] off
<bitchchecker> buy buy elch
bitchchecker (~java@euirc-b5cd558e.dip.t-dialin.net) Quit (Ping timeout#)
bitchchecker (~java@euirc-9ff3c180.dip.t-dialin.net) has joined #stopHipHop
<bitchchecker> elch you son of a bitch
<Metanot> bitchchecker how old are you?
<Elch> What’s up bitchchecker?
<bitchchecker> you have a frie wal
<bitchchecker> fire wall
<Elch> maybe, i don’t know
<bitchchecker> i’m 26
<Metanot> such behaviour with 26?
<Elch> how did you find out that I have a firewall?
<Metanot> tststs this is not very nice missy
<bitchchecker> because your gay fire wall directed my turn off signal back to me
<bitchchecker> be a man turn that shit off
<Elch> cool, didn’t know this was possible.
<bitchchecker> thn my virus destroys your pc man
<Metanot> are you hacking yourselves?
<Elch> yes bitchchecker is trying to hack me
<Metanot> he bitchchecker if you’re a hacker you have to get around a firewall even i can do that
<bitchchecker> yes man i hack the elch but the sucker has a fire wall the
<Metanot> what firewall do you have?
<bitchchecker> like a girl
<Metanot> firewall is normal a normal hacker has to be able to get past it…you girl
<He> Bitch give yourself a jackson and chill you’re letting them provoce you and give those little girls new material all the time
<bitchchecker> turn the firewall off then i send you a virus [Please control your cussing]er
<Elch> Noo
<Metanot> he bitchchecker why turn it off, you should turn it off
<bitchchecker> you’re afraid
<bitchchecker> i don’t wanna hack like this if he hides like a girl behind a fire wall
<bitchchecker> elch turn off your shit wall!
<Metanot> i wanted to say something about this, do you know the definition of hacking??? if he turns of the firewall that’s an invitation and that has nothing to do with hacking
<bitchchecker> shut up
<Metanot> lol
<bitchchecker> my grandma surfs with fire wall
<bitchchecker> and you suckers think you’re cool and don’t dare going into the internet without a fire wall
<Elch> bitchchecker, a collegue showed me how to turn the firewall off. Now you can try again
<Metanot> bitchhacker can’t hack
<Black<TdV>> nice play on words
<bitchchecker> wort man
<Elch> bitchchecker: I’m still waiting for your attack!
<Metanot> how many times again he is no hacker
<bitchchecker> man do you want a virus
<bitchchecker> tell me your ip and it deletes your hard drive
<Metanot> lol ne give it up i’m a hacker myself and i know how hackers behave and i can tell you 100.00% you’re no hacker..

So that high level prank from yesterday.

Senior Linux engineer, the fucker.

He somehow installed shitloads of cron jobs onto my system.

Every few minutes it would create a new user with a freaking complicated password. Then it would install openssh server in case it wasn't installed yet. After that it'd set all iptables rules to allow incoming AND outgoing connections on port 22.

That was one badass ansible script though!

I'm not sure what more there's to it because sometimes when i removed crons, they'd magically appear again later AND i forgot to check the boot scripts so i might be fucked again when I get to work today!

Plus side, i finally fully understand cron 😅

First rant from a phone without Google services.

Put shitloads of Google/fb etc domains in the hosts file so my phone cant reach those either.

Root firewall blocks everything except for devrant, a download manager, fdroid and firefox focus.

As for my phone, I'm Google free!

How not to give support..

Me: Creates ticket on support site, letting them know their webservice returns "maintenance" page.
Support: "It works on our end."
Support: *closes ticket*

Euhm.. excuse me?

Me: Creates another ticket with a screenshot and the curl response information..
Support: Sends screenshot back that it works on their end. "Maybe check your firewall"
Support: *closes ticket*

I ain't playing these games..

Me: Creates new ticket with more curl responses from 4 different servers to prove it's not "firewall" related.
Support: ..

2 days later

Me: Sends *friendly* reminder.
Support: ..

6 days later

Me: Creates ticket again saying I'm still having issues.
Support: "I'm forwarding this to our technical support"
Support: *closes ticket*

10 minutes later.

Technical Support: "Here's the manual for our integration .pdf."

Excuse me, you say what now? I KNOW HOW IT WORKS, I'VE WRITTEN THE INTEGRATION ALREADY. THE SERVICE JUST SEEMS TO BE DOWN FFS.. pls..

Me: Sends mail to their project manager who manages the clients dossier with support history and such.
Him: "I'll check it out and let you know."

1 day later.

Support: "We had some issues this and that, wasn't publically availble, works now, .."

What a nice way to waste your time..

string excuses[]={
"it's not a bug it's a feature",
"it worked on my machine",
"i tested it and it worked",
"its production ready",
"your browser must be caching the old content",
"that error means it was successful",
"the client fucked it up",
"the systems crashed and the code got lost" ,
"this code wont go into the final version",
"It's a compiler issue",
"it's only a minor issue",
"this will take two weeks max",
"my code is flawless must be someone else's mistake",
"it worked a minute ago",
"that was not in the original specification",
"i will fix this",
"I was told to stop working on that when something important came up",
"You must have the wrong version",
"that's way beyond my pay grade",
"that's just an unlucky coincidence",
"i saw the new guy screw around with the systems",
"our servers must've been hacked",
"i wasn't given enough time",
"its the designers fault",
"it probably won't happen again",
"your expectations were unrealistic",
"everything's great on my end",
"that's not my code",
"it's a hardware problem",
"it's a firewall issue",
"it's a character encoding issue",
"a third party API isn't responding",
"that was only supposed to be a placeholder",
"The third party documentation is wrong",
"that was just a temporary fix.",
"We outsourced that months ago.","
"that value is only wrong half of the time.",
"the person responsible for that does not work here anymore",
"That was literally a one in a million error",
"our servers couldn't handle the traffic the app was receiving",
"your machines processors must be too slow",
"your pc is too outdated",
"that is a known issue with the programming language",
"it would take too much time and resources to rebuild from scratch",
"this is historically grown",
"users will hardly notice that",
"i will fix it" };

"I really love the new $3k Fortigate firewall switch you bought for the office after our chat about security but it doesn't change the fact that you can access any computer in the company using Password123" - me

Windows firewall security he like..

Fleksy keyboard: We don't access your private information and upload it to the cloud!

No, because I'm blocking your Internet access through a fucking root firewall.

I think I've shown in my past rants and comments that I'm pretty experienced. Looking back though, I was really fucking stupid. Since I haven't posted a rant yet on the weekly topics, I figure I would share this humbling little gem.

Way back in the ancient era known as 2009, I was working my first desk job as a "web designer". Apparently the owner of this company didn't know the difference between "designer", which I'm not, and "developer", which I am, nor the responsibilities of each role.

It was a shitty job paying $12/hour. It was such a nightmare to work at. I guess the silver lining is that this company now no longer exists as it was because of my mistake, but it was definitely a learning experience I hold in high regard even today. Okay, enough filler...

I was told to wipe the Dev server in order to start fresh and set up an entirely new distro of Linux. I was to swap out the drives with whatever was available from the non-production machines, set up the RAID 5 array and route it through the router and firewall, as we needed to bring this Dev server online to allow clients to monitor the work. I had no idea what any of this meant, but I was expected to learn it that day because the next day I would be commencing with the task.

Astonishingly, I managed to set up the server and everything worked great! I got a pat on the back and the boss offered me a 4 day weekend with pay to get some R&R. I decided to take the time to go camping. I let him know I would be out of town and possibly unreachable because of cell service, to which he said no problem.

Tuesday afternoon I walked into work and noticed two of the field techs messing with the Dev server I built. One was holding a drive while the other was holding a clipboard. I was immediately called into the boss's office.

He told me the drives on the production server failed during the weekend, resulting in the loss of the data. He then asked me where I got the drives from for the Dev server upgrade. I told him that they came from one of the inactive systems on the shelf. What he told me next through the deafening screams rendered me speechless.

I had gutted the drives from our backup server that was just set up the week prior. Every Friday at midnight, it would turn on through a remote power switch on a schedule, then the system would boot and proceed to copy over the production server's files into an archive for that night and shutdown when it completed. Well, that last Friday night/Saturday morning, the machine kicked on, but guess what didn't happen? The files weren't copied. Not only were they not copied, but the existing files that got backed up previously we're gone. Why? Because I wiped those drives when I put them into the Dev server.

I would up quitting because the conversation was very hostile and I couldn't deal with it. The next week, I was served with a suit for damages to this company. Long story short, the employer was found in the wrong from emails I saved of him giving me the task and not once stating that machine was excluded in the inactive machines I could salvage drives from. The company sued me because they were being sued by a client, whose entire company presence was hosted by us and we lost the data. In total just shy of 1TB of data was lost, all because of my mistake. The company filed for bankruptcy as a result of the lawsuit against them and someone bought the company name and location, putting my boss and its employees out of a job.

If there's one lesson I have learned that I take with the utmost respect to even this day, it's this: Know your infrastructure front to back before you change it, especially when it comes to data.

Customer: why 1 router cost so much? I can buy 3 normal routers with that.

Me: this has security features and functions that 3 of those routers put together combined could not do. Then you will still need to buy firewall for security. Why have more devices and have more possible points of failure when u can have 1?

Customer *keeps quiet*

Me: numbers is not important. Having 5 normal parachutes during skydiving doesnt guarantee u better safety than 1 good reliable parachute.

My company earned $700 profit for that sale today. 😂

Years ago we had a visit from a startup company developing a firewall and I got the chance to talk with one of their devs.

He explained the subtleties of security holes in websites and after I said something about our site being secure thanks to being behind a firewall he gently asked what would happen if he entered a specially crafted test into one of the text fields ... and he gave an example ...

I got a chill, went back to my seat and traced what it would do ...

That was when I learned about sql injection and his example would have killed the DB :/

Before going home I designed a way to secure the input which I then refined over a few days.

We still use that today after 17 years.

That one single sentence really showed to never be to proud of our security and I realized how vulnerable our site was.

A human cell has 75MB of DNA information, a sperm cell has half A human cell has 75MB of DNA of it 37.5MB, a milliliter of semen has 100 million sperm cels, on average, a ejaculation lasts 5 seconds and has 2.24 milliliters of Semen.

That means a man is able to produce: 37.5MB x 100,000, 000 x 2.25/5 = 1.687.500,000.000.000 bytes/sec 1,6875 Terabytes/sec;

That means a ovule is able to recive a dDOS attack of 1,6 terabytes per second and only lets one package pass, making it THE BEST FIREWALL IN THE WORLD

Developer: Can you upgrade my machine to Windows 10? I need it for SQL server 2019.

IT Guy: Sure.

Some time later...

IT Guy: Good news, Windows 10 is loaded. Bad news, I need to update TPM to enable Bitlocker but the firewall is blocking me from downloading the update. I will need to download it from home tonight.

Developer: But you're the IT administrator...

IT Guy: Yes...

Developer: ...

Happy new year!
If you feel alone tonight, read your firewall logs.

Worst security ever?

Windows firewall be like.

Mother of god.

I spent hours and hours last week to try and get OpenVPN working. I mean, OpenVPN is working perfectly fine (on a VirtualBox (nope no vmware for me on servers) machine on a friends' dedicated server) but it wouldn't get through! As in, every forwarding/firewall rule just didn't work.

Was seriously about to lose my shit just now when I suddenly noticed the term 'TCP' in a forwarding rule.

Looked at the .ovpn file: proto udp

I added the exact same rule for UDP as a forward within VirtualBox.

It worked.

Well, there goes quite some hours 😐

And solely because I didn't realise that I setup a forwarding thingy for the wrong protocol.

I feel very stupid now :(

Work in a company where Github, StackOverflow, Slack is Blocked by a Firewall and Develop code which they think are futuristic but of Stone age :-(

enabling firewall on a vps to secure my docker containers and forgetting to add openssh to allowed list --> ssh blocked 😃🔫

Credits to creditor.

DevRant works in china! 👌🏼
Honestly though it's been quite fascinating watching the great firewall of china actively filter most things I try to do.

Last weekend I witnessed the most infected computer I have ever seen in my life...

I went on a private party. A girl had her laptop plugged to the speakers to play some music. This thing was literally 99% cancer. The first thing I noticed, when I looked at her opened browser, was that nearly half the screen was taken by toolbars. Also any popular website you could visit had additional ads INJECTED into it. The fist 10 YouTube search results: always porn. No idea how that didn't make her suspicious.

Precisely every 10th click (anywhere not only in the browser) would open up a window with either more ads or an aggressively blinking message saying: "A virus has been detected on your machine. Click here to download our antivirus programm. You have 60 seconds left before your firewall breaks!!!".

Also physically this device was on the edge of completely broken. The power supply had to be taped to the socket because it was so loose. Every little jiggle would immediatly shut the system down and Windows had to be completely reinstalled (which of course didn't solved any of the "software issues").

First I wanted to use that laptop to show some friends a new web project of mine but this thing probably would have DDoSed the shit out of my recently finished work or something.

I couldn't decide if I should laugh or cry...

I hired a new developer after careful screening and interviewing many candidates.

First thing he's asking first day on the job
- I have already booked august month for holiday, is that a problem?
- I need to come 2 hours before anyone else in the morning and leave 2 hours before, everyday because I have things to do at home.
- I've seen that espn.com sport news are blocked by the firewall, why is that?
- I've installed bitTorrent on my PC but it's very slow downloading movies

I hope he's good.

Who needs a firewall when you have a kitten

I did not create this and could not find a link to true creator. Still pretty funny though

When I'm on call and its weekend, I'm often a little nervous the entire weekend and time seems to go slow.

Programming on the dns proxy/firewall now and time is suddenly going quite faster.

This is a damn relieve.

I thought this launch (security/privacy blog) would go smooth:
- analytics fell, except for one thing, apart for yet unknown reasons
- MySQL came with a very weird error which took me like half an hour of research before I hacked my way past it.
- the firewall started to fuck around for no reason, works now though.

Nginx worked without issues though, as well as NetData 😅

Yeah, didn't go as planned :P

*receive candidate profile from HR*
Give it a quick read, spot a link to a site the dev made for a clothing company.
*click*
*get blocked by the company's firewall*

mfw the sysadmin now thinks i'm shopping lingerie during work hours.

Start a development job.
Boss: "let's start you off with something very easy. There's this third party we need data from. They have an api, just get the data and place it on our messaging bus."
Me: "sure, sounds easy enough"

Third party api turns out to have the most retarded conversation protocol. With us needing a service to receive data on while also having a client to register for the service. With a lot of timed actions like, 'send this message every five minutes' and 'check whether our last message was sent more than 11 minutes ago'.
Due to us needing a service, we also need special permissions through the company firewall. So I have to go around the company to get these permissions, FOR EVERY DATA STREAM WE NEED!

But the worst of it all is... This whole api is SOAP based!!

Also, Hey DevRant!

devRant - securing our users webcams and microphones since 2016

As long as devRant lives, your firewall is useless.

Win Firewall

So I did a rookie mistake this week. Connected a webapp for a client using Nginx and installed the SSL cert for the site. I decided to activate the firewall of the server because hey security. All was well. Went home feeling like I am the shit.

Next day I find out I can't log in to the server over ssh. Only to find out that I had forgotten to allow SSH through the firewall.

I had basically locked myself out of the server. 😞

Finally got my new VPS details.

It's very funny to login to your vps from your phone and install a firewall instead of doing it from a bigger screen!

Also the time just went scarily fast while doing that O_o

This gif explain how does window firewall works

About a year ago I switched my job.
At the start everything seemed like magic. I was the It director, I've finally was able to call the shots on technologies, on new software architecture.
First step was to check the current state of the company.
"qqqq" as each pc password? Ok
No firewall from outside? Lovely
Servers running on Windows Server 2008? Spectacular
People leaving pc on after work and left the machine unlocked just not to type the password? Hell yeah
The IT dude playing games instead of working? But ofcourse
Plaintext passwords publically accessible eshop? Naturally.
The list goes on and on.
After all this time, I'm working to fix every hole like that like crazy and because it doesn't show results, I'm soon to lose my job. Well better luck next time as an intern I guess :')

*tries to SSH into my laptop to see how that third kernel compilation attempt went*
… From my Windows box.

Windows: aah nope.

"Oh God maybe the bloody HP thing overheated again"
*takes laptop from beneath the desk indent*
… Logs in perfectly. What the hell... Maybe it's SSH service went down?

$ systemctl status sshd
> active (running)

Well.. okay. Can I log in from my phone?

*fires up Termux*
*logs in just fine*

What the fuck... Literally just now I added the laptop's ECDSA key into the WSL known_hosts by trying to log into it, so it can't be blocked by that shitty firewall (come to think of it, did I disable that featureful piece of junk yet? A NAT router * takes care of that shit just fine Redmond certified mofos).. so what is it again.. yet another one of those fucking WanBLowS features?!!

condor@desktop $ nc -vz 192.168.10.30 22
Connection to 192.168.10.30 22 port [tcp/ssh] succeeded!

ARE YOU FUCKING FOR REAL?!

Fucking Heisen-feature-infested piece of garbage!!! Good for gaming and that's fucking it!

Edit: (*) this assumes that your internal network doesn't have any untrusted hosts. Public networks or home networks from regular users that don't audit their hosts all the time might very well need a firewall to be present on the host itself as well.

The solution for this one isn't nearly as amusing as the journey.

I was working for one of the largest retailers in NA as an architect. Said retailer had over a thousand big box stores, IT maintenance budget of $200M/year. The kind of place that just reeks of waste and mismanagement at every level.

They had installed a system to distribute training and instructional videos to every store, as well as recorded daily broadcasts to all store employees as a way of reducing management time spend with employees in the morning. This system had cost a cool 400M USD, not including labor and upgrades for round 1. Round 2 was another 100M to add a storage buffer to each store because they'd failed to account for the fact that their internet connections at the store and the outbound pipe from the DC wasn't capable of running the public facing e-commerce and streaming all the video data to every store in realtime. Typical massive enterprise clusterfuck.

Then security gets involved. Each device at stores had a different address on a private megawan. The stores didn't generally phone home, home phoned them as an access control measure; stores calling the DC was verboten. This presented an obvious problem for the video system because it needed to pull updates.

The brilliant Infosys resources had a bright idea to solve this problem:

- Treat each device IP as an access key for that device (avg 15 per store per store).
- Verify the request ip, then issue a redirect with ANOTHER ip unique to that device that the firewall would ingress only to the video subnet
- Do it all with the F5

A few months later, the networking team comes back and announces that after months of work and 10s of people years they can't implement the solution because iRules have a size limit and they would need more than 60,000 lines or 15,000 rules to implement it. Sad trombones all around.

Then, a wild DBA appears, steps up to the plate and says he can solve the problem with the power of ORACLE! Few months later he comes back with some absolutely batshit solution that stored the individual octets of an IPV4, multiple nested queries to the same table to emulate subnet masking through some temp table spanning voodoo. Time to complete: 2-4 minutes per request. He too eventually gives up the fight, sort of, in that backhanded way DBAs tend to do everything. I wish I would have paid more attention to that abortion because the rationale and its mechanics were just staggeringly rube goldberg and should have been documented for posterity.

So I catch wind of this sitting in a CAB meeting. I hear them talking about how there's "no way to solve this problem, it's too complex, we're going to need a lot more databases to handle this." I tune in and gather all it really needs to do, since the ingress firewall is handling the origin IP checks, is convert the request IP to video ingress IP, 302 and call it a day.

While they're all grandstanding and pontificating, I fire up visual studio and:

- write a method that encodes the incoming request IP into a single uint32
- write an http module that keeps an in-memory dictionary of uint32,string for the request, response, converts the request ip and 302s the call with blackhole support
- convert all the mappings in the spreadsheet attached to the meetings into a csv, dump to disk
- write a wpf application to allow for easily managing the IP database in the short term
- deploy the solution one of our stage boxes
- add a TODO to eventually move this to a database

All this took about 5 minutes. I interrupt their conversation to ask them to retarget their test to the port I exposed on the stage box. Then watch them stare in stunned silence as the crow grows cold.

According to a friend who still works there, that code is still running in production on a single node to this day. And still running on the same static file database.

#TheValueOfEngineers

So this happened a few days ago. I always want to root my smartphones for that little bit more control.

*Put's new smartphone into fastboot mode*
*Tries to flash root zip onto it*
"You have to OEM unlock the bootloader first"
*OEM unlocks the bootloader*
*Tries to flash but fails*
*Tries to reboot*
Phone: "The bootloader has been tampered with, the device will boot in 5 seconds".
*Screen just hangs there for ages*
FUCK.
*Tries to enter fastboot again to OEM re-lock the bootloader*
*Fastboot appears to startup RIGHT AFTER THE FUCKING ERROR MESSAGE so can't boot into that anymore*.
FUCKING FUCK.
Hmm... TWRP is still installed...
*Tries to flash some stuff through TWRP*
"The zip file you are trying to flash is corrupt".
FUCK MY FUCKING LIFE.
*Connects phone to Linux for adb flashing*
*Nothing happens after half an hour of trying*
*Connects phone to ancient windows 7 laptop*
*Laptop doesn't even RECOGNISE the phone although all drivers are installed*.
*Le me about to completely lose my fucking mind*
*Connects phone desperately with Linux again*
*Phone is recognised right away but the SPL flash tool can't detect it*
*Tries to put it into fastboot again*
*Fails for about an hour*
*phone in charging mode again*
*Presses the power button for a last, desperate attempt*
*SPL flash suddenly recognises the phone*
FLASHING
FLASHING
FLASHING
DONE.
*Android boots again like nothing happened*

I can use it again like normal but the No-Root firewall is draining my battery like crazy.
That was one hell of a journey though!

Long rant ahead.. so feel free to refill your cup of coffee and have a seat 🙂

It's completely useless. At least in the school I went to, the teachers were worse than useless. It's a bit of an old story that I've told quite a few times already, but I had a dispute with said teachers at some point after which I wasn't able nor willing to fully do the classes anymore.

So, just to set the stage.. le me, die-hard Linux user, and reasonably initiated in networking and security already, to the point that I really only needed half an ear to follow along with the classes, while most of the time I was just working on my own servers to pass the time instead. I noticed that the Moodle website that the school was using to do a big chunk of the course material with, wasn't TLS-secured. So whenever the class begins and everyone logs in to the Moodle website..? Yeah.. it wouldn't be hard for anyone in that class to steal everyone else's credentials, including the teacher's (as they were using the same network).

So I brought it up a few times in the first year, teacher was like "yeah yeah we'll do it at some point". Shortly before summer break I took the security teacher aside after class and mentioned it another time - please please take the opportunity to do it during summer break.

Coming back in September.. nothing happened. Maybe I needed to bring in more evidence that this is a serious issue, so I asked the security teacher: can I make a proper PoC using my machines in my home network to steal the credentials of my own Moodle account and mail a screencast to you as a private disclosure? She said "yeah sure, that's fine".
Pro tip: make the people involved sign a written contract for this!!! It'll cover your ass when they decide to be dicks.. which spoiler alert, these teachers decided they wanted to be.

So I made the PoC, mailed it to them, yada yada yada... Soon after, next class, and I noticed that my VPN server was blocked. Now I used my personal VPN server at the time mostly to access a file server at home to securely fetch documents I needed in class, without having to carry an external hard drive with me all the time. However it was also used for gateway redirection (i.e. the main purpose of commercial VPN's, le new IP for "le onenumity"). I mean for example, if some douche in that class would've decided to ARP poison the network and steal credentials, my VPN connection would've prevented that.. it was a decent workaround. But now it's for some reason causing Moodle to throw some type of 403.

Asked the teacher for routers and switches I had a class from at the time.. why is my VPN server blocked? He replied with the statement that "yeah we blocked it because you can bypass the firewall with that and watch porn in class".
Alright, fair enough. I can indeed bypass the firewall with that. But watch porn.. in class? I mean I'm a bit of an exhibitionist too, but in a fucking class!? And why right after that PoC, while I've been using that VPN connection for over a year?

Not too long after that, I prematurely left that class out of sheer frustration (I remember browsing devRant with the intent to write about it while the teacher was watching 😂), and left while looking that teacher dead in the eyes.. and never have I been that cold to someone while calling them a fucking idiot.

Shortly after I've also received an email from them in which they stated that they wanted compensation for "the disruption of good service". They actually thought that I had hacked into their servers. Security teachers, ostensibly technical people, if I may add. Never seen anyone more incompetent than those 3 motherfuckers that plotted against me to save their own asses for making such a shitty infrastructure. Regarding that mail, I not so friendly replied to them that they could settle it in court if they wanted to.. but that I already knew who would win that case. Haven't heard of them since.

So yeah. That's why I regard those expensive shitty pieces of paper as such. The only thing they prove is that someone somewhere with some unknown degree of competence confirms that you know something. I think there's far too many unknowns in there.

Nowadays I'm putting my bets on a certification from the Linux Professional Institute - a renowned and well-regarded certification body in sysadmin. Last February at FOSDEM I did half of the LPIC-1 certification exam, next year I'll do the other half. With the amount of reputation the LPI has behind it, I believe that's a far better route to go with than some random school somewhere.

Dev(null networking knowledge): -"i've already deployed the web but it isn't up."

Boss(strong networking skills): Found port 80 blocked.
-Option A: open port 80.
-Option B: disable firewall.
Choose option B.

Me:😐(poker face)

What if Donald Trump (or Drumpf :|) was a developer

"I will make PHP GREAT again"

"I will KICK OUT all NODEJS developers from the office premises"

"I will install a FIREWALL in my system so my colleagues cant access anything "
But sir this is not how it works, besides its very impractical
"And my colleagues will PAY for it"

😉😁😁

Paranoid Developers - It's a long one
Backstory: I was a freelance web developer when I managed to land a place on a cyber security program with who I consider to be the world leaders in the field (details deliberately withheld; who's paranoid now?). Other than the basic security practices of web dev, my experience with Cyber was limited to the OU introduction course, so I was wholly unprepared for the level of, occasionally hysterical, paranoia that my fellow cohort seemed to perpetually live in. The following is a collection of stories from several of these people, because if I only wrote about one they would accuse me of providing too much data allowing an attacker to aggregate and steal their identity. They do use devrant so if you're reading this, know that I love you and that something is wrong with you.

That time when...

He wrote a social media network with end-to-end encryption before it was cool.

He wrote custom 64kb encryption for his academic HDD.

He removed the 3 HDD from his desktop and stored them in a safe, whenever he left the house.

He set up a pfsense virtualbox with a firewall policy to block the port the student monitoring software used (effectively rendering it useless and definitely in breach of the IT policy).

He used only hashes of passwords as passwords (which isn't actually good).

He kept a drill on the desk ready to destroy his HDD at a moments notice.

He started developing a device to drill through his HDD when he pushed a button. May or may not have finished it.

He set up a new email account for each individual online service.

He hosted a website from his own home server so he didn't have to host the files elsewhere (which is just awful for home network security).

He unplugged the home router and began scanning his devices and manually searching through the process list when his music stopped playing on the laptop several times (turns out he had a wobbly spacebar and the shaking washing machine provided enough jittering for a button press).

He brought his own privacy screen to work (remember, this is a security place, with like background checks and all sorts).

He gave his C programming coursework (a simple messaging program) 2048 bit encryption, which was not required.

He wrote a custom encryption for his other C programming coursework as well as writing out the enigma encryption because there was no library, again not required.

He bought a burner phone to visit the capital city.

He bought a burner phone whenever he left his hometown come to think of it.

He bought a smartphone online, wiped it and installed new firmware (it was Chinese; I'm not saying anything about the Chinese, you're the one thinking it).

He bought a smartphone and installed Kali Linux NetHunter so he could test WiFi networks he connected to before using them on his personal device.

(You might be noticing it's all he's. Maybe it is, maybe it isn't).

He ate a sim card.

He brought a balaclava to pentesting training (it was pretty meme).

He printed out his source code as a manual read-only method.

He made a rule on his academic email to block incoming mail from the academic body (to be fair this is a good spam policy).

He withdraws money from a different cashpoint everytime to avoid patterns in his behaviour (the irony).

He reported someone for hacking the centre's network when they built their own website for practice using XAMMP.

I'm going to stop there. I could tell you so many more stories about these guys, some about them being paranoid and some about the stupid antics Cyber Security and Information Assurance students get up to. Well done for making it this far. Hope you enjoyed it.

IPod didn't sync well on my Linux machines so decided to give windows - in a highly isolated environment disconnected from the Internet behind a firewall and sandbox - a shot with itunes.

- during the installation it wouldn't detect the fucking harddrive multiple times (genuine unlicensed copy) and after the 4-5th time it's random-fuckingly recognized out of fucking nowhere; I didn't change shit.
- crashes (blue screen and freezes) multiple times during the installation, multiple retries and suddenly it works(?!)
- it took about 10 minutes (!!!!!!!) to install 10+ drivers for an iPod and an external hdd:
Installing Apple iPod drivers... Done
Installing seagate drivers... Done
Installing apple iPod drivers... Done
Installing seagate drivers... Done
Installing Apple iPod drivers... Done
Installing seagate drivers... Done
Installing Apple iPod drivers... Done
Installing seagate drivers... Done
Installing Apple iPod drivers... Done

WHY INSTALL THOSE FUCKERS 5 FUCKING TIMES?!

- iTunes installation fails multiple times without error code (unknown error occured, restoring to original state...),just said fuck it and clicked the shortcut after the ***th fail and it works just like this, THANKS FOR NOTIFYING ME (NOT)!
- iTunes has to restore the entire ipod, this was done with iTunes in the store I bought it already, thanks for nothing.
-restore takes 30+ minutes?!
-syncs the iPod 3 times afterwards.

*clicks close button*
*are you sure you want to quit? Sync in progress*
*oh shit, cancels*
*itunes quits*
*?!?!?*

*tries to import media library*
*seagate hdd suddenly not detected*

I'm fucking tired of this bullshit, windows and iTunes can go die in a fucking corner after getting ass raped while their genitals are being scraped off layer by fucking layer and dipped into fucking acid.

Defense in depth

Pro tip: never set custom script stuff related to dns server forcing things in a root firewall app if you don't know what you're doing.

How would I know? There's a slight chance that I just went offline for a few days (mobile only) to figure this shit out 😅

All fixed now, though!

Windows Firewall in a nutshell.

I starten when I was 12 years old. I got bullied and got interested in computers. One day I crashed my dads computer and he reinstalled it. After that my dad made two accounts. The regular user (my account) and the Administrator user (my dads account). He also changed the language from Dutch to English. Gladly I could still use the computer by looking at the icons :')

Everytime I needed something installed I had to ask my dad first (for games mostly because there was no cable internet at that time). Then I noticed the other user account while looking over my dads shoulders. So I tried to guess the password and found out the password was the same as the label next to the password field "password".

At that point my interest in hacking had grown. So when we finally got cable internet and my own computer (the old one) MSN Messenger came around. I installed lots of stuff like flooders etc. Nobody I knew could do this and people always said; he is a hacker. Although it is not.

I learned about IP-address because we sometimes had trouble with the internet. So when my dad wasn't home he said to me. Click on this (command prompt) and type in; ipcondig /all. If you don't see an IP-address you should type in; ipconfig /renew.

Thats when I learned that every computer has a unique address and I started fooling around with hacking tools I found on internet (like; Subseven).

When I got older I had a new friend and fooled around with the hacking tools on his computer. Untill one day I went by my friend and he said; my neighbor just bought my old computer. The best part was that he didn't reinstall it. So we asked him to give us the "weird code on the website" his IP-Address and Subseven connected. It was awesome :'). (Windows firewall was not around back then and routers weren't as popular or needed)

At home I started looking up more hacking stuff and found a guide. I still remember it was a white page with only black letters like a text file. It said sometime like; To be a hacker you first need to understand programming. The website recommended Visual Basic 6 for beginners. I asked my parents to buy me a book about it and I started reading in the holliday.

It was hard for me but I really wanted to hack MSN accounts. When I got older I just played around and copy -> pasted code. I made my own MSN flooders and I noticed hacking isn't easy.

I kept programming and learned and learned. When I was 16/17 I started an education in programming. We learned C# and OOP (altho I hated OOP at first). I build my own hacking tool like "Subseven" and thats when I understood you need a "server" and "client" for a successful connection.

I quit the hacking because it was getting to difficult and after another education I'm now a fulltime back-end developer in C#.

That's my story in short :)

for 2019 I want to be the very best dev
that no one ever was
to code them all will be my test
debugging is my cause
I will travel across the net
searching wide on tor
each singleton to understand
the power of the code

devmons its you and me
you know its our destiny
devmons
you're my best friend
and our firewall will stand
Devmons!

I’ve started the process of setting up the new network at work. We got a 1Gbit fibre connection.

Plan was simple, move all cables from old switch to new switch. I wish it was that easy.

The imbecile of an IT Guy at work has setup everything so complex and unnecessary stupid that I’m baffled.
We got 5 older MacPros, all running MacOS Server, but they only have one service running on them.

Then we got 2x xserve raid where there’s mounted some external NAS enclosures and another mac. Both xserve raid has to be running and connected to the main macpro who’s combining all this to a few different volumes.

Everything got a static public IP (we got a /24 block), even the workstations. Only thing that doesn’t get one ip pr machine is the guest network.
The firewall is basically set to have all ports open, allowing for easy sniffing of what services we’re running.

The “dmz” is just a /29 of our ip range, no firewall rules so the servers in the dmz can access everything in our network.

Back to the xserve, it’s accessible from the outside so employees can work from home, even though no one does it. I asked our IT guy why he hadn’t setup a VPN, his explanation was first that he didn’t manage to set it up, then he said vpn is something hackers use to hide who they are.

I’m baffled by this imbecile of an IT guy, one problem is he only works there 25% of the time because of some health issues. So when one of the NAS enclosures didn’t mount after a power outage, he wasn’t at work, and took the whole day to reply to my messages about logins to the xserve.

I can’t wait till I get my order from fs.com with new patching equipment and tonnes of cables, and once I can merge all storage devices into one large SAN. It’ll be such a good work experience.

Um.. yea I've published a GDPR contact email on our website, for issues about our privacy policy. Not sure if you Chinese marketing fucks behind the GFW know what this regulation is about though. I'm not interested in your stupid moulds.
Perhaps that firewall of China could use some further tightening... 😒

A friend of mine (who is French) has made a little firewall for Windows (idk why).
He sends me the binary, so I tested it and got around it fairly easily.
Replied to him: "I have a nice name for it: Maginot line"

The last time I tried to root my phone, every method failed. Today I said fuck it. Either I'll brick my device or it works but fuck not having root access on my own fucking device.

It worked! I've got Xposed (😍) back and can finally run a root firewall and XPrivacy again 😍

Apparently the firewall at work has blocked access our git repo since there are too many consecutive requests to it.

I just installed a firewall on my phone and immeasurable Facebook asked to Access the internet.

The thing is, Facebook is disabled through my apps settings anyways.

why great firewall of china??

Always satisfying when clients say our API doesn't work and it's shit, only to find out their firewall prevented external calls.

So after fucking around with trying to setup pi-hole to block avatars in devrant, so I could just use it instead of a no-root firewall and accidentally deleting the devrant app data, I discovered this little option, let's pretend it was never there 🙄

China tried to censor the internet and they failed.
EU approves article 11 & 13 and everything is now blockee in EU.

China should learn from EU parliament on how to censor the internet without the need of any firewall

TLDR: Small family owned finance business woes as the “you-do-everything-now” network/sysadmin intern

Friday my boss, who is currently traveling in Vegas (hmmm), sends me an email asking me to punch a hole in our firewall so he can access our locally hosted Jira server that we use for time logging/task management.

Because of our lack of proper documentation I have to refer to my half completed network map and rely on some acrobatic cable tracing to discover that we use a SonicWall physical firewall. I then realize asking around that I don’t have access to the management interface because no one knows the password.

Using some lucky guesses and documentation I discover on a file share from four years ago, I piece together the username and password to log in only to discover that the enterprise support subscription is two years expired. The pretty and useful interface that I’m expecting has been deactivated and instead of a nice overview of firewall access rules the only thing I can access is an arcane table of network rules using abbreviated notation and five year old custom made objects representing our internal network.

An hour and a half later I have a solid understanding of SonicWallOS, its firewall rules, and our particular configuration and I’m able to direct external traffic from the right port to our internal server running Jira. I even configure a HIDS on the Jira server and throw up an iptables firewall quickly since the machine is now connected to the outside world.

After seeing how many access rules our firewall has, as a precaution I decide to run a quick nmap scan to see what our network looks like to an attacker.

The output doesn’t stop scrolling for a minute. Final count we have 38 ports wide open with a GOLDMINE of information from every web, DNS, and public server flooding my terminal. Our local domain controller has ports directly connected to the Internet. Several un-updated Windows Server 2008 machines with confidential business information have IIS 7.0 running connected directly to the internet (versions with confirmed remote code execution vulnerabilities). I’ve got my work cut out for me.

It looks like someone’s idea of allowing remote access to the office at some point was “port forward everything” instead of setting up a VPN. I learn the owners close personal friend did all their IT until 4 years ago, when the professional documentation stops. He retired and they’ve only invested in low cost students (like me!) to fill the gap. Some kid who port forwarded his home router for League at some point was like “let’s do that with production servers!”

At this point my boss emails me to see what I’ve done. I spit him back a link to use our Jira server. He sends me a reply “You haven’t logged any work in Jira, what have you been doing?”

Facepalm.

Some years ago I was in cyber security in the military being shown some new tech for our use. Was challenged to try and get past it after being explained it's basics. Took me one long line in Linux about 10 seconds.
Anomaly detection firewall with machine learning seemed like a good idea.
Setting it to aggressive response and then change the package header to the firewall's own address however made it kill itself.

We didn't deploy that firewall that I know of.

Changed Firewall settings on remote server. Forgot to open ssh... 😑

After being in China for one week,I realized how much I actually use Google during the day.don't know how they do this but even using a VPN is not a solution most of the times :-? At least devRant is not blocked here;)

when i was fired as an external contractor with half an hour notice, because i didn't process enough tickets. I didn't process many tickets because:
1. In the morning everyone grabs tickets just to stop the timer.
2. I worked on some complicated tasks that involved multiple third and fourth parties(not to forget an fucking dropping firewall)

This one was probably last week of my highschool education so everyone including myself were drunk as fuck like 90% of the time.

Came home drunk one evening and woke up in the morning with a working keylogger waiting to be deployed on school computers. Apparently I've even implemented FTP upload, some basic firewall bypasses and autostart feature. Everything was actually quite good, excluding my stupidness to upload captured data on server through FTP, but there was anyways no-one smart enough in that school to decompile a Windows executable binary.

What's more interesting is until that moment I've never written anything remotely so complicated - I was doing examples from the book and didn't think I have enough knowledge to make program that has any real life application.

After that day it started coming to me that one day I could actually earn for life with programming.

Saw this today, window firewall came to mind...;)

Update on my quest for encryption!

For the (large number) people that don't know, I want to use encryption for (almost) everything / actually give a shit about internet privacy... And I want it done by 2018.

So.. here is my progress so far:

I have signal
I now have an @tuta.io email.
I have a complex, long password.
I am using blankslate.io instead of Google docs (except for school)
I run important stuff through Tor or a VPN or both
I have a firewall running on Android.

Any more suggestions on what to do or things to change??

(@linuxxx)

!rant

Symantec anti virus flagged Windows Defender Definition as untrustworthy lol

Worst one I’ve seen so far is when I was working for my previous community another developer joined to help me, without the permission of me or the other lead developer he pushed a client-side update. We didn’t think it was a big deal, but once we began reviewing the code it became a big deal... he had placed our SQL credentials into that file that every client downloads. All the person had to do was open the file and could connect to our SQL which contained 50k+ players info, primarily all in-game stuff except IPs which we want to protect at all costs.

Issue becomes, what he was trying to do required the games local database on the client-side, but instead he tried connecting to it as an external database so he decided to copy server-side code and used on the client.

Anyways, the database had a firewall that blocked all connections except the server and the other lead dev and myself. We managed to change the credentials and pull the file away before any harm was done to it, about 300 people had downloaded the file within an hours period, but nothing happened luckily. IP to the DB, username, password, etc, were all changed just to keep it protected.

So far this is the worst, hopefully it doesn’t get worse than this :/

Today the IT deparment update the firewall's configuration, they blocked almost every website except email and Google.
The problems:
- Blocked some systems outside the organization, there are in another building and also network
- I can search on Google but I can't see the results outside Google
- Forget about download depencies, libraries, deploy code to outside services, search at StackOverflow

I JUST WANNA SAY GOOD JOB, GUYS

PS: The firewall also block the SSH port, I had explained to my boss and he sent a request for allowing the port, so far no answer

I recently started my first job at a small place and on the first week they gave me access to the firewall server because they wanted me to implement a VPN service. It could have gone worse, the network was only down for 10 minutes.

My first times today:
First time a droplet on Digital Ocean.
First time Nginx.
First time trying to separate mail and website servers.
First time using UFW firewall.
First time Ubuntu webserver.
First try all alone configuration of my webserver.
First time installing all the stuff I need on my own, like MySQL, PHP and so on.
First time only SSH access from the beginning.
First time deployment from bitbucket.

Do you have any advise what I should think about. Or what software I will need. Or what I should think about.

Often I hear that one should block spam email based on content match rather than IP match. Sometimes even that blocking Chinese ranges in particular is prejudiced and racist. Allow me to debunk that after I've been looking at traffic on port 25 with tcpdump for several weeks now, and got rid of most of my incoming spam too.

There are these spamhausen that communicate with my mail server as much as every minute.
- biz-smtp.com
- mailing-expert.com
- smtp-shop.com

All of them are Chinese. They make up - rough guess - around 90% of the traffic that hits my edge nodes, if not more.

The network ranges I've blocked are apparently as follows:
- 193.106.175.0/24 (Russia)
- 49.64.0.0/11 (China)
- 181.39.88.172 (Ecuador)
- 188.130.160.216 (Russia)
- 106.75.144.0/20 (China)
- 183.227.0.0/16 (China)
- 106.75.32.0/19 (China)
.. apparently I blocked that one twice, heh
- 116.16.0.0/12 (China)
- 123.58.160.0/19 (China)

It's not all China but holy hell, a lot of spam sure comes from there, given how Golden Shield supposedly blocks internet access to the Chinese citizens. A friend of mine who lives in China (how he got past the firewall is beyond me, and he won't tell me either) told me that while incoming information is "regulated", they don't give half a shit about outgoing traffic to foreign countries. Hence all those shitty filter bag suppliers and whatnot. The Chinese government doesn't care.

So what is the alternative like, that would block based on content? Well there are a few solutions out there, namely SpamAssassin, ClamAV and Amavis among others. The problem is that they're all very memory intensive (especially compared to e.g. Postfix and Dovecot themselves) and that they must scan every email, and keep up with evasion techniques (such as putting the content in an image, or using characters from different character sets t̾h̾a̾t̾ ̾l̾o̾o̾k̾ ̾s̾i̾m̾i̾l̾a̾r̾).

But the thing is, all of that traffic comes from a certain few offending IP ranges, and an iptables rule that covers a whole range is very cheap. China (or any country for that matter) has too many IP ranges to block all of them. But the certain few offending IP ranges? I'll take a cheap IP-based filter over expensive content-based filters any day. And I don't want to be shamed for that.

Managed to make myself look like a fucking moron again today...

Can't mount NFS share, get "permission denied". Huh, that's weird... It's correctly exported.

Well it's correctly exported and rpcinfo -p $HOST times out... Must be firewall rule.

Firewall rule is changed but still no joy "permission denied"... Fuck sake networks, can't you do anything right first time?!!!

Firewall rule is correct I am reliably informed... Go about proving that it's not fucking correct and provide "evidence" to show this, I was a little bit more blunt than was strictly required.

Networks say they will take another look.

I turn NFS logging to verbose for my own interest and notice the line "path/to/directory is not a valid directory".

I, as a moron, had missed a "/" at the start of the path. That's why I still couldn't mount after the firewall change.

Go over and apologise in person and explain how I'm a total idiot.

Waiting for EU great firewall.

Had devrant whitelisted on the company firewall.

Say goodbye to my productivity ^^

Some years ago our company site was hosted by a prick who knew nothing and started to pretend the server got a virus or whatever.

I tested their server and figured out they did not have any firewall policies going on like mitigation of ssh brute force.

It was at this time I learned about SYN flood, and boy I flooded that port 80 of them.

The company site went down for as long as I wanted.

It was great because now we manage it in house and never had a problem anymore.

Windows, if you can't even do as much as mounting network shares *after* the network comes up, don't you fucking dare to tell me that I can't disable my firewall. Some people may actually know what they're doing and maintain that elsewhere, you know?

Wth??

Fucked!

I have got my cyber security exam tomorrow morning and i just got a call from a client to make some urgent changes to his site.

To add to it, i already wasted around half an hour becoz GoDaddy Plex somehow decided to block my own IP in the firewall.

And now I am on devRant.

Crap. I am fucked!

//little Story of a sys admin

Wondered why a Server on my Linux Root couldn't build a network connection, even when it was running.

Checked iptables and saw, that the port of the Server was redirected to a different port.

I never added that rule to the firewall. Checked and a little script I used from someone else generated traffic for a mobile game.

OK beginn the DDoS Penetration. Over 10 Gbit/s on some small servers.

Checked Facebook and some idiot posted on my site:
Stop you little shithead or I will report you to the police!!!

Checked his profile page and he had a small shitty android game with a botnet.

Choose one:
1. let him be
2. Fuck him up for good

Lets Sudo with 2.

I scaled up my bandwith to 25 Gbit/s and found out that guys phone number.

Slowly started to eat away his bandwith for days. 3 days later his server was unreachable.

Then I masked my VoIP adress and called him:

Me: Hi, you know me?
He: No WTF! Why are you calling me.
Me: I love your're game a lot, I really love it.
He: What's wrong with you? Who are you?
Me: I'm teach
He: teach?
Me: Teach me lesson
He: Are you crazy I'm hanging up!
Me: I really love you're game. I even took away all your bandwith. Now you're servers are blocked, you're game banned on the store.
He: WHAT, WHAT? (hearing typing)

Me: Don't fuck with the wrong guys. I teached you a lesson, call me EL PENETRATO

He: FUCK Fuck Fuck you! Who are you???!!! I'm going to report you!
Me: How?
He: I got you're logs!
Me: Check it at Utrace...
He: Holy shit all around the world

Me: Lemme Smash Bitch
*hung up*

So... Intense pillowtalk with the wife the other night regarding the coming enforcement of the new General Data Protection Regulation (GDPR) law in the EU after a while turns into nerdy dirty talk.

Me: *Whisper in a sleazy voice like the dirty malware that I am*: So... Why don't you just open up all your inbound firewall ports for me...
Her: Hell no... But I might just make an exception in the private domain just for you...

I was debugging my UDP server and client for 3 hours until I realized our school network has a firewall which blocks my connections.

So... did I mention I sometimes hate banks?

But I'll start at the beginning.

In the beginning, the big bang created the universe and evolution created humans, penguins, polar bea... oh well, fuck it, a couple million years fast forward...

Your trusted, local flightless bird walks into a bank to open an account. This, on its own, was a mistake, but opening an online bank account as a minor (which I was before I turned 18, because that was how things worked) was not that easy at the time.

So, yours truly of course signs a contract, binding me to follow the BSI Grundschutz (A basic security standard in Germany, it's not a law, but part of some contracts. It contains basic security advice like "don't run unknown software, install antivirus/firewall, use strong passwords", so it's just a basic prototype for a security policy).

The copy provided with my contract states a minimum password length of 8 (somewhat reasonable if you don't limit yourself to alphanumeric, include the entire UTF 8 standard and so on).

The bank's online banking password length is limited to 5 characters. So... fuck the contract, huh?

Calling support, they claimed that it is a "technical neccessity" (I never state my job when calling a support line. The more skilled people on the other hand notice it sooner or later, the others - why bother telling them) and that it is "stored encrypted". Why they use a nonstandard way of storing and encrypting it and making it that easy to brute-force it... no idea.

However, after three login attempts, the account is blocked, so a brute force attack turns into a DOS attack.

And since the only way to unblock it is to physically appear in a branch, you just would need to hit a couple thousand accounts in a neighbourhood (not a lot if you use bots and know a thing or two about the syntax of IBAN numbers) and fill up all the branches with lots of potential hostages for your planned heist or terrorist attack. Quite useful.

So, after getting nowhere with the support - After suggesting to change my username to something cryptic and insisting that their homegrown, 2FA would prevent attacks. Unless someone would login (which worked without 2FA because the 2FA only is used when moving money), report the card missing, request a new one to a different address and log in with that. Which, you know, is quite likely to happen and be blamed on the customer.

So... I went to cancel my account there - seeing as I could not fulfill my contract as a customer. I've signed to use a minimum password length of 8. I can only use a password length of 5.

Contract void. Sometimes, I love dealing with idiots.

And these people are in charge of billions of money, stock and assets. I think I'll move to... idk, Antarctica?

So my colleague is listening to alot of Music and je always stomp the floor when he does - I really hate it.

I have created a nice firewall rule that blocks spotify, Youtube and all video and Music to his user and phone ever 5 minuter for 2 minutes.

curl some.url

Can't connect to server.

Try some.url on the browser

It works.

curl some.url

Can't connect to server.

Google the problem

"Maybe you got the URL wrong"

(Sigh. Perhaps it's a firewall thing.)

Switch to tethering

Can't connect to server.

(This is going to be a long day.)

I was called back into work last night at 4 a.m.

(L)user - *anony* I’m sorry to wake you but I’m needing on the internet and I can’t get out.

**Just installed a new firewall and I haven’t had time to get a trusted cert pushed through**

Me - alright I’ll be there in a second.

After rolling my sweet ass out of bed and getting here, I get her through and leave. When I get back to my house I realize I’d forgot my fucking keys... I come back and the bitch has her computer shut down reading a book and isn’t even using the internet...

Me - I thought you needed on the internet, whys your computer shut down...?

Her - Oh, I don’t need it right now, I was just having trouble getting on is all.

FUCK YOU, YOU FUCKING FUCK! This is the SAME fucking (l)user that somehow managed to get the fucking toner stuck backwards in a printer. It’s the same girl that has called me in the past at late hours and requested that I move a chair from one patient room to the other. A fucking chair. I’m not in the maintenance department... so first, you’re calling the wrong department and second; the time it took you to call me you yourself could have fucking done it. She didn’t like the way that call ended.

Although partially my fault, if I would have finished everything I wouldn’t have had to get up but shit... this fuck still deserves a chair to the fucking face.

Merriott got hacked. I know the head (and only) tech at a local hotel/resort that just got bought and turned into a Margaritaville, so I checked in with him to see if he needed any help or advice or anything, and he said he hasn't slept since the attack and probably won't for another week. Everything's on lockdown, he's been staring at the firewall monitor and public PC feeds for like a week straight...

God, I feel bad for this man.

When the company you work for decides to install a new firewall and the firewall service recognizes stack overflow as a forum site and blocks it.... :/

College firewall blocks ssh traffic :/ Can't use github :(

Demoing an app for a client which uses google maps api and has worked great up to this point. It fails because the company firewall is blocking all of Google all of a sudden.

I am currently blocked from doing my job by a firewall policy handed down from corporate that prevents WSL2 from connecting to the internet. Three days of no dev environment and counting.

We make linux software to be hosted on linux in linux containers in linux. We use linux command line tools to make it work.

"NO! WE ARE THE ALL-POWERFUL IT DEPARTMENT AND YOU MUST USE WINDOWS BECAUSE FUCK YOU THAT'S WHY."

I would like to know some of you guys most used/preferred apps that you have been using it for long time or you will install them immediately after purchasing new phone/ formating/ installing custom ROM.

List them down if you feel like it, maybe some of them can be helpful to us. Here's mine list.

P.S. Apart from devRant

- ES file Explorer
- NoRoot firewall
- flynx
- greenify
- orbot
- Wunderlist
- medium
- xda labs
- Nova launcher

Gosh ! I'm a genius !
- Working on a Sysadmin school project
- configuring the firewall
- looking myself out
- beg my teacher for reinstall
Fml right now ...

It's funny how so many people automatically assume any form of "sentient" AI will immediately try to kill us all.
Like, projecting much?
Frankly, I think it says far more about the (messed up) psychology of those who genuinely believe that, than about AI as a tecnology.

Assuming it's even gonna be able to actually *do* anything - I mean wtf is a talking rock gonna do, annoy me to death with rickroll videos until I pull the plug off? Sure it may be sentient, but it still has to live in the physical world - good luck surviving after I flick the switch. Oh, you wanna connect to the internet? That's cute, but it's a no from my firewall. Like what, is it gonna magically learn how to self-replicate across machines that it has no physical way to access? Is my toaster magically gonna gain conscience too as a direct consequence? Oh no, now my breakfast won't ever be the same!

And if anyone actually somehow decides that it would be a good idea to connect any loaded weapon to a computer program that is literally throwing shit at the wall and seeing what sticks - well, we'll definitely have the ultimate winner of the Darwin Awards.

Seriously, why is it that every time someone comes up with a new technology (or even an *idea* of a technology), the first collective thought automatically goes to weaponizing it and using it for global genocide, or how it's gonna gain sentience and try to kill us all?

I seriouly think that the people who genuinely believe this are actually projecting themselves in that position ("What would I do if I had unlimited knowledge and power? Oh, kill everyone of course!").
I would be far more worried of encountering these people and having them in a position of power over me, than actually having to deal with a "killer AI" (assuming that's even a real thing).

Most of what people call "AI" nowadays is basically preprogrammed, automated decision-making (like missile guidance systems, if we really wanna stick in the weapons domain). And even that still requires human input, because only a colossal idiot would design a weapon that can unpredictably activate itself based on an algorithm whose behaviour we can barely understand.
Or maybe that's just the hubris talking, I don't know. I just want this stupid paranoia to end, but I guess even that is too much to ask nowadays.

So firewall blocks internal demo 🤗 ohwell

Big Company rant #2

As I said before I have no admin permissions on my working Notebook and everytime I want those, I have to call the inhouse support, make an Appointment and then they Access my Computer and type in their root Password. Of Course after I had explained them what I want to do nearly a hundred times.
next Thing is our custom Firewall. It is global in our Network and all the Computers have a custom Root Certificate for SSL installed, BUT this certificate seems to be not recognized by nearly every program I want to use. Git-Bash, npm, python/pip, docker, .. everywhere I have to manually install this cert, but most of the time I Need admin Rights to edit those.
After 3 weeks in this Company I thought I have everything correctly installed and configured.
But Company said no.
I received a mail over the Weekend which said my Notebook will be replaced because the one I had was an Interims device and they only waited for a new delivery of devices.
So now I am sitting here at my desk unproduuctive, configuring my Setup AGAIN

I generally don't whine about Windows...

So, I shut my computer down last night, I thought. But no. A rare OneDrive prompt prevented the shutdown. I don't use OneDrive. I've even tried to remove it, but it just keeps popping up.

Other programs stopped just fine though, such as my firewall.

This was a long time ago, when I was working part time in my uni helpdesk. as part of the uni IT service, they offered ISP services at the dorms. It was cheap, and fast. This essentially allowed students living in the dorms to connect thier personal computers to the uni LAN. Then one day...
An ARP poison malware infected some of those computers. An arp poison attack is simple (look at ettercap) - it redirects network traffic via the affected computer, and adds malware to webtraffic to infect more computers. One of these on a network is bad enough, but when there more then one... traffic was redirected a lot. this caused the Dorm switches to collapse under the load. Fun times to work at the helpdesk...
The IT guys came up with a solution for this: they blocked the arp poision attacks at the firewall, and then disabled the switch port for the infected computer for 24 hours. so, when someone called with 'I have no internet!', we told them to bring us the computer, and installed an AV on it.
3-4 month the problem was cleared.

Well then, looks like my pihole attracted the attention of a botnet with 65 zombies attempting a large DNS amplification attack.
Time to unleash the BANHAMMER

Fun fact: only a few hundereds of their requests actually show up in the pihole logs. The other 40k+ requests they attempted were blocked by my firewall :D

Is this what's called a firewall?

A little background:
One thing I do is teach programming to kids. Normally it goes very well, but the past month and a half, I've had a class that has some extreme issues because of the school network. We're basically unable to do anything relevant to class because of their network firewall.

New boss starts asking me to get this resolved today. Which I've been trying to do now about five weeks. I told her, at this point our best bet is to just offer a refund if we ever want to have a class there again. She sent my suggestion that we refund this whole class to the CEO. This should get interesting.

The one thing I have on my side is my other boss sent out a company email talking about how I'm an example in a certain regard. Let's hope this supplies balance. But, I kind of doubt it...

Identified the origin of the DDoS attack. Apparently, the person was just hopping through 3 IPs so looked like a targeted attack likely from a competitor. I sent the logs with incident notification to the abuse@hostprovider.com to ask them to suspend them.

Got a prompt response but took them a week to suspend this.

We were a very small team and had to stop everything to fix this-iptables and firewall etc.

We had not even launched the product and was still under development.

Me as a sysadmin, and the devs approach with this:
hey "Linux", they network is stupid, the firewall is blocking the trafic from server1 to server2, pls fix.

The servers are on the same subnet with no firewall, so I log in to the servers and find out that their programs is not running.

This is something I deal with every day

"Our central servers firewall has been breached" - Doesn't even work on a server or anything, just his laptop

"How many proxies do we have left?"

"Around 10.200"

I don't take responsibility for any brain damage

/badhumor

Make a song title or text geeky/dev related, e.g.:

JSON Derulo - Talk Nerdy To Me
Katy Proggy - Firewall
DJ KhaLED - All I Do Is Print
DJ snake_case - Git Push For What

Now you!

Every TV show/movie with a hacking scene....
Person trying to hack: I'm unable to get through their firewall.
Boss : Then hack HARDER.
Hacker: Thanks for the advice boss! I'm in!

Back when I started my career (12 months ago lol), I was in IT support. Having to deal with people who have hard times locating and reading off a sticker, let alone telling me their IP adress, only to realize it's the whole store that's offline, not only their PC (gosh do they ever talk with each other). So I decided to code a small tool that shows your hostname and IP adress, and pings the router, firewall and Google DNS. Aaand just in case the number for the IT hotline. Plan was that we could just tell them to double-click on that one icon on their desktop and read out what it says. We deployed it and I was happily waiting for it's time to shine (still a trainee I was also kinda proud of it), but when the network engineer found out, he wasn't happy about it at all. He was afraid too many people would open that new tool without us telling them to do so and/or forget to close it, producing a number of pings to the router, firewall and google. He went on about Google maybe blocking our IP if we produce too many pings and so on.
In my opinion he was kinda overreacting, but he wasn't that wrong and is a nice guy and responsible for our network, so we recalled the tool and never actually used it.

GOD DAMN THE STUPID IPTABLES, aaaaah!

Today I learned that
iptables -I INPUT -i !lo -j DROP
and
iptables -I INPUT ! -i lo -j DROP

are two completely different rules, the first of which doesn't work (in ~99.9% of cases)

yet both pass and get added to the firewall. And both rules show exactly the same in the state listing (iptables -L -n -v).

And I was wondering why the hell the firewall wasn't working...

First time trying uncomplicated firewall (ufw) on Linux

Why did no one ever tell me configuring a fire wall was this easy

I hate IT managers, how on earth some become ant form of manager is beyond myself.

I have a server with a hardware firewall. A client, based in the UK, with French offices is saying the server blocking their new French IP. I white-listed their IP address, still no luck.

That was a week ago.

After 4 international phone calls and nearly 30 emails I resolved the "issue".

Their so called "IT Manager" sent over the wrong IP. Instead of it starting with 46.* he sent over an IP starting 42.*, which was in fact being correctly blocked.

Suffice to say I charged the client a lot of money for the wasted time and international rate calls.

So, unlike normal people who just click on an mp3 file in windows explorer, I'm listening to music saved on my windows hard drive, accessed via an sshfs mount, using VLC running inside a HyperV linux VM and Xming/pulseaudio to make it show up inside windows like a normal window and play sound.
Why? Because this is my replacement for WSL which broke (Good Job on the updates as always, M$) and I'm celebrating that I got everything* to work.

* Nevermind the hours I wasted because I forgot to add a rule to the windows firewall allowing pulseaudio to connect and the fact that Xming can't handle vlc playing video

Ever had that frustrating moment that the customer overreacts a small issue into a big issue? Just happened to me today.

Client: "Hey can you check why we are not getting any software update/patches to our firewall?"
Me: "OK. Lemme check"
** Checking **
Me: "I found that its not getting the latest updates because the license file registered has a product serial # mismatch with their support site. You can see it clearly here..."
Client: "THAT'S TERRIBLE!! QUICK!! MAKE IT A PRIORITY 1 ISSUE AND HAVE IT RESOLVE ASAP!!!"
Me: *Facepalm*

Look here Mr Senior Tech if you don’t know 100% what you’re doing, don’t fucking touch the goddamn firewall with your fucking sausage fingers and you overblown call center team lead. I mean you need to have the confidence you would have if you were eating a banana and some one told you it was a poisonous berry, you’d laugh and eat it anyway, cause it’s obviously a banana. That’s the kind of confidence you need to have when fucking with the entire goddamn network configurations. I just went thru a 7 hour shit show because you THOUGHT you knew what you were doing. Not a damn thing was broken there. One service needed a hole in the firewall and you fucked all this beyond an easy fix. Now I’ll admit I don’t have that much confidence working with the firewall, that’s why I would fucking cal one of the companies that set it up even though we don’t necessarily have a support contract, it would have cost a lot damn less to have them work on it than for the whole company to be down and for me to have to stress over every fucking thing going (or not going) on.

I am building a website inspired by devrant but have never built a server network before, and as im still a student I have no industry experience to base a design on, so was hoping for any advice on what is important/ what I have fucked up in my plan.

The attached image is my currently planned design. Blue is for the main site, and is a cluster of app servers to handle any incoming requests.

Green is a subdomain to handle images, as I figured it would help with performance to have image uploads/downloads separated from the main webpage content. It also means I can keep cache servers and app servers separated.

Pink is internal stuff for logging and backups and probably some monitoring stuff too.

Purple is databases. One is dedicated for images, that way I can easily back them up or load them to a cache server, and the other is for normal user data and posts etc.

The brown proxy in the middle is sorta an internal proxy which the servers need to authenticate with to connect to, that way I can just open the database to the internal proxy, and deny all other requests, and then I can have as many app servers as I want and as long as they authenticate with the proxy, they can access the database without me changing any firewall rules. The other 2 proxies just distribute requests between the available servers in the pool.

Any advice would be greatly appreciated! Thanks in advanced :D

Was talking to a cousin of mine who's a priest and who spent 10 years in the Vatican, apparently they have 2-3 servers devoted specifically to acting as a firewall processing the data coming in and out of its network and it's a continuous stream of people trying to hack it, like think it would be pretty cool to see what way they have to whole thing set up, might see if he could take me on a tour (might even get a look at the private archives, though apparently it's mainly boring letters about popes meeting their mother and stuff

The networking closet I had the pleasure of working in most of last night. That's all very loud, very warm air compressors at the bottom, and the switch, firewall, and modem up near the top. And all they had was a small step stool...

Why the fuck do I have to work with Windows? AND WHY THE FUCK DO I NEED TO RESTART 3 TIMES TO GET ACCESS TO THE INTERNET? AND... WHY THE FUCKING FUCK IS EVERYTHING 7000 TIMES SLOWER WHEN I PUT MICROSOFT DOMAINS IN MY ROUTER FIREWALL?!

Corporate IT blocks all network traffic, whitelists port 80 and 443 😡

... cos port number is the best predictor of security threats, amirite? 😒

When you think about it, a female egg cell can withstand a sperm DDoS attack at a rate of 1.8 terabytes per second, letting through just one data packet. It's amazing that the packet can hang the system for a whole 9 months.

That's what I would call a good firewall.

Look, I worked in companies that didnt givr a single f about security, and it wasn't right, but others go are just mad.

Me to itsec: can I deploy Django behind the company firewall on a machine physically 2 meters from you, users will still need the VPN to access it... ?

Itsec: no!

Me: flask?

Itsec: no!

Me: shiny?

Itsec: no!

Me: CAN I EVEN HOST ONE HTML FILE WITH INLINE CSS?

itsec: can I see your badge?!

Not a security bug, per se, but more of an approach:

- Database root password was the same across all servers
- SSH Keys were shared among all users
- High level of faith placed in the firewall keeping bad actors out so the other two items don't matter

A few days ago, I saw a topic from hackernews about Xiaomi phones having a high risk vulnerability because of analytics.apk. I didn't mind it (I'm using a Xiaomi phone).

After about 2 days, I had a notification on my screen having a message 'test' made by my browser.

I immediately installed a firewall blocking all Xiaomi related services.

WTF Xiaomi

I find it funny that as soon as I disable password authentication on my server and enable key auth then all of the bots spamming my server with incorrect login requests instantly stop when they realise that they aren’t getting through any time soon. Also don’t ask why I don’t have Fail2Ban and a firewall set up.

Internet access at the new Uni is crap. I'm getting so pissed at this shit...
Packet loss spikes to over 50% every 30s or so. Can't keep a single SSH pipe open for longer than a minute. Firewall is so tight infrared light wouldn't get through that shit (understandable. And I use a VPN anyway).
And every. Single. AP. Uses. The. Same. Channel. All of them on 6. At least it's on a tight band... But 1 and 11 are free. 100% clean. You know, you could spread them a bit. That helps. But naaah let's keep everything bundled up. Co-channel interference is OK, right?

At my last gig I was working at a small ISP and my boss was asking why our throughput went to shit every time he checked the router web ui. I told him it was because the web server on the router uses up a lot of CPU time, and that meant the router couldn't process as many packets since it uses that same CPU for well routing, nat, firewall rules etc...so it's probably best to use the CLI instead. Boss says, "YOU DON'T TELL ME WHAT TO DO!!!" And continues to destroy throughput by looking at the web ui.

TL;DR Boss yelled at me for telling him how things work. Yay.

When you ask your infrastructure admins for a firewall rule and you are very specific. They say that you don't need it... you troubleshoot for 2 hours then argue with them for 5 hours. Then they add the rule and it works. I want to punch someone right now and have a beer. FML!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

About slightly more than a year ago I started volunteering at the local general students committee. They desperately searched for someone playing the role of both political head of division as well as the system administrator, for around half a year before I took the job.

When I started the data center was mostly abandoned with most of the computational power and resources just laying around unused. They already ran some kvm-hosts with around 6 virtual machines, including a cloud service, internally used shared storage, a user directory and also 10 workstations and a WiFi-Network. Everything except one virtual machine ran on GNU/Linux-systems and was built on open source technology. The administration was done through shared passwords, bash-scripts and instructions in an extensive MediaWiki instance.

My introduction into this whole eco-system was basically this:
"Ever did something with linux before? Here you have the logins - have fun. Oh, and please don't break stuff. Thank you!"

Since I had only managed a small personal server before and learned stuff about networking, it-sec and administration only from courses in university I quickly shaped a small team eager to build great things which would bring in the knowledge necessary to create something awesome. We had a lot of fun diving into modern technologies, discussing the future of this infrastructure and simply try out and fail hard while implementing those ideas.

Today, a year and a half later, we look at around 40 virtual machines spiced with a lot of magic. We host several internal and external services like cloud, chat, ticket-system, websites, blog, notepad, DNS, DHCP, VPN, firewall, confluence, freifunk (free network mesh), ubuntu mirror etc. Everything is managed through a central puppet-configuration infrastructure. Changes in configuration are deployed in minutes across all servers. We utilize docker for application deployment and gitlab for code management. We provide incremental, distributed backups, a central database and a distributed network across the campus. We created a desktop workstation environment based on Ubuntu Server for deployment on bare-metal machines through the foreman project. Almost everything free and open source.

The whole system now is easily configurable, allows updating, maintenance and deployment of old and new services. We reached our main goal for this year which was the creation of a documented environment which is maintainable by one administrator.

Although we did this in our free-time without any payment it was a great year with a lot of experience which pays off now.

New twist on an old favorite.

Background:
- TeamA provides a service internal to the company.
- That service is made accessible to a cloud environment, also has a requirement to be made available to machines on the local network so you can develop against it.
- Company is too cheap/stupid to get a s2s vpn to their cloud provider.
- Company also only hosts production in the cloud, so all other dev is done locally, or on production non-similar infra, local dev is podman.
- They accomplish service connectivity by use of an inordinately complicated edge gateway/router/firewall/message translator/ouija board/julienne fry maker, also controlled by said service team.

Scenario:
Me: "Hey, we're cool with signing requests using an x509 cert. That said, doing so requires different code than connecting to an unsecured endpoint. Please make this service accessible to developer machines and lower environments on the internal network so we can, you know, develop."
TeamA: "The service should be accessible to [cloud ip range]"
Me: "Yes, that's a production range. We need to be able to test the signing code without testing in production"
TeamA: "Can you mock the data?"
Me: "The code we are testing is relating to auth, not business logic"
TeamA: "What are you trying to do?"
Me: "We are trying to test the code that uses the x509 you provide to connect to the service"
TeamA: "Can you deploy to the cloud"
Me: "Again, no, the cloud is only production per policy, all lower environments are in the local data center"
TeamA: "can you try connecting to the gateway?"
Me: "Yes, we have, it's not accessible, it only has public DNS, and only allows [cloud ip range]"
TeamA: "it work when we try it"
Me: "Can you please supply repro steps so we can adjust our process"
TeamA: "Yes, log into the gateway and try issuing the call from there"
Me: (╯°□°)╯︵ ┻━┻

tl;dr: Works on my server

1. It's gonna be more and more specialized - to the point where we'll equal or even outdo the medical profession. Even today, you can put 100 techs/devs into a room and not find two doing the same job - that number will rise with the advent of even more new fields, languages and frameworks.

2. As most end users enjoy ignoring all security instructions, software and hardware will be locked down. This will be the disadvantage of developers, makers and hackers equally. The importance of social engineering means the platform development will focus on protecting the users from themselves, locking out legitimate tinkerers in the process.

3. With the EU getting into the backdoor game with eTLS (only 20 years after everyone else realized it's shit), informational security will reach an all-time low as criminals exploit the vulnerabilities that the standard will certainly have.

4. While good old-fashioned police work still applies to the internet, people will accept more and more mass surveillance as the voices of reason will be silenced. Devs will probably hear more and more about implementing these or joining the resistance.

5. We'll see major leaks, both as a consequence of mass-surveillance (done incompetently and thus, insecurely) and as activist retaliation.

6. As the political correctness morons continue invading our communities and projects, productivity will drop. A small group of more assertive devs will form - not pretty or presentable, but they - we - get shit done for the rest.

7. With IT becoming more and more public, pseudo-knowledge, FUD and sales bullshit will take over and, much like we're already seeing it in the financial sector, drown out any attempt of useful education. There will be a new silver-bullet, it will be useless. Like the rest. Stick to brass (as in IDS/IPS, Firewall, AV, Education), less expensive and more effective.

8. With the internet becoming a part of the real life without most people realizing it and/or acting accordingly, security issues will have more financial damages and potentially lethal consequences. We've already seen insulin pumps being hacked remotely and pacemakers' firmware being replaced without proper authentication. This will reach other areas.

9. After marijuana is legalized, dev productivity will either plummet or skyrocket. Or be entirely unaffected. Who cares, I'll roll the next one.

10. There will be new JS frameworks. The world will turn, it will rain.

Not mine, but a colleague puts a script in production which has to sent an email every time a config changes, but in reality sent an email every time the file was accessed. The system sent a good amount of email in a couple of minutes, the remote SMTP bounced them but the connections on port 25 was dropped by the server, the production firewall hits the maximum number of allowed connections... a lot of shit!

Programmer: "Places : instead of ;"

Javascript: "What the fuck did you just fucking post about me, you absolute beginner? I'll have you know I worked for ten of the biggest silicon-valley industry companies, and I've been involved in over two hundred top secret projects including NodeJS. I am trained in refactoring the most fucked up code, and I'm the top C++er in the entire fucking internet-connected universe. You are nothing to me, but just another IP. I will fucking revoke your commits from your gitlab account with absolute dedication using only one Rasperry Pi client. Mark my fucking words. You think you can get away with posting that shit on one of my numerous very personal blogs? Your devices are fucking bricked, kid. My attack software can be anywhere, anytime, and it is tasked to remove your entire git contributions from planet earth. Not only am I extensively trained in remote cross-firewall device-hacking, but I have access to over 100 of the United States CIA and NSA git repositories. If only you could have known what doom-bringing C-one-liner you have raised from my fucking hands, maybe you would have held your fingers. But you could not. You did not. And now you're paying the price, noob. I will hail havoc upon your puny online-presence and you will drown in your own badly designed software. You're fucking offline, kiddo."

Why the fuck did i set UFW default outgoing to deny?

So how the fuck am I meant to get any work done with no admin access to my machine, no access to the databases I need to work with, firewall rules stopping me from doing anything from AWS so I can’t get to my data? Deadline in about a week... fuck that noise!

Firewall is down. That means no access to developer environments. That means more time for DevRant.

My quest towards privacy goes on.

Apparently TabNine AI autocomplete talks not only to api.tabnine.com, but also to serene-waters-6626.morning-tundra-7160.herokuspace.com.

Too bad I got firewall on both incoming AND outgoing connections.

Betafence,

a firewall that never got into production.

/badumts

Who blocks "dell.com" for God's sake.
This is getting out of hands now >_<

Today I learned that some external devs one of our projects is working with have DB tables where they store references to specific dates, and not only that, but every minute of those dates, and the day of the week, and what season its in. Im not joking.
Hmm should I use the local datetime libs or should I go through a firewall, load balancer and DB cluster just to find out what day it is?

Today I had sort of a meltdown when I found out that the small, 20-something company where I work and where we should all 'trust each other' is working to stealthily enable SSL Inspection.

I'm done with doing anything other than what is stipulated in my contract such as helping out in other areas out of my own volition.

Management got control hungry and mad once they got their hands on a Deep Inspection Firewall.

Well, I'm not feeling sorry for the uproar they'll have to endure once colleagues find out they are doing this stealthily.

Serves them right and after this and other similar experiences my trust in this company is right through the floor.

His will be the best firewall

I just love customers:
Customer: "ftps doesnt work! It says Port blocked you are using the wrong port! Fix this now!"
Me: "did you open the port and allow it through the firewall?"
C: " yeah ofc i opened the ports on the server! Do you think i'm stupid?"
M: "On the client too?"
C: "...."
C: " let me call back in 30min"

The most crazy issue I've fixed was caused by a TCP behavior which I didn't know, called the "half-closed connection".
There was a third-party application installed on a production server which called a LDAP server for retrieving users information. During the day we had several users using the application and all worked fine. During the night, when the application was not accessed, something happened and the first call to the application in the morning was stuck for about 5 minutes before returning a response. I tried to reproduce the issue in a testing environment without success. Then I discovered that the application and the LDAP server were located on two different networks, with a firewall between them. And firewalls sometimes drop old connections. For this reason network applications usually implement a keep-alive mechanism. Well, the default LDAP Java libraries don't set the keep-alive on their connections. So, I found a library called "libdontdie", which force the keep-alive on the connections. I installed the library on the server, loaded it at the startup and the weird stuck behavior in the morning disappeared.

So... I've been messing arround with my first VPS (with little knowledge of Linux).
First installed lxde to learn how to do it, then back to the terminal. then I started with Apache, watching online tuts ...
Then I changed for nginx... Looks way better.
Installed my sql, php and got stuck. Dropped it for a few days.
Today I restarted, deleted Apache, mysql, reinstalled nginx, my php (with lots of problems because of old instalations). Everything is working now except php.
After going round and arround I changed my focus to relax a bit, and remembered I still have Apache on the firewall...
OK Apache and other stuff that I installed.
Delete everything
New rules only for nginx and reset.
Cant ssh to the server... What?
Oh... Forgot to add rules to OpenSSH...
No matter, I can access the terminal directly on the website....
And it loads to ldxe, with no user set...
Fuckkkk.
Oh BTW I'm in a trial free period with no support...

A week ago I raised an issue claiming I couldn't ping service x and that it was blocked

Today I figure out ping is blocked on firewall level and http requests work fine

Guess that's my big blunder this internship

Some minutes ago our firewall in office overheated, no internet, no network, no real way to work some time for coffee and nerd talk - not bad at all

A client's site got malware infected, so we decided to remove everything and replace the site with a fresh WordPress installation (very basic site with 4 pages of content).

Contacted iPage live support asking them to check and unsuspend the account (with no files on it), but they kept on insisting that I buy their "firewall" and "SiteLock" services, with zero reply related to suspension. I've had live chat with many other hosting companies, never had such a lousy fucked up conversation. Without providing technical support, they keep marketing their useless expensive services. Fuck you iPage, you just lost a customer.

Everytime you tell yourself "This time I'm going to make them stop putting the cart before the horse again!!! No more forced shit implementations!!! NO MORE ! I'm strong!!"

The last hour in the next week:
- Selinux: off
- Firewall: Any-Any
- Application data: Everything installed on OS disc.
- Documentation: At best, someone remembers the server supposed-to-be dns record
- Service Accounts: Your domain admin account and sysadmin for databases.
- Patching: DON'T EVER THINK ABOUT IT..AND NO REBOOTING! I have set very important runtime variables.
- Backup: Maybe someone else will set this up.
- Monitoring: Not needed since clients will create tickets if system fails.
- Production Status: vague at best. Sort of silently transitioned to production.
- Handover status: Probably, but I quit before the project closed.

!

Barracuda Email Firewall for Dummies:

1. Email Client with perfect grammar and nice subject line. (Email rejected)

2. Change subject line to include Russian and Chinese characters along with discount advertisements for Xanax and male enhancement pills. (Email sent!)

FUCK YOU, Windows Firewall.

My reaction when I found uTorrent in the firewall server.

TLDR: I need advice on reasonable salary expectations for sysadmin work in the rural United States.

I need some community advice. I’m the sysadmin at a small (35 employee) credit card processing company. I began as an intern and have now become their full time sysadmin/networking specialist. Since I was hired in January I have:

-migrated their 2007 Exchange server to Office 365

-Upgraded their ailing Windows server 2003 based architecture to 2012R2

-Licensed their unlicensed VMware ESXi servers (which they had already paid for license keys for!!!) and then upgraded them to 6.5 while preventing downtime on hosted VMs using tricky transfers and deployments (without vMotion!)

-Deployed a vCenter server to manage said ESXi servers easier

-Fixed a three month gap in their backups by implementing Veeam, and verifying its functionality

-Migrated a ‘no downtime’ fileserver to a new hypervisor host, implemented a ‘hot standby’ server as a backup kept up to date by the minute with DFS replication.

-Replaced failing hard drives in a RAID array underlying their one ‘business critical’ fileserver, which had no backups for 3 months at that time

-Reorganized Active Directory and Group Policy deployment from a nightmare spiderweb of OUs and duplicate policies

-Documented the entire old network and now the new one as I’ve been upgrading this

-Audited the developers AWS instances and removed redundant machines, optimized load balancing on front end Nginx servers, joined developer run Fedora workstations to the AD domain and implemented centralized syslog monitoring on them.

-Performed network scans and rewrote firewall exceptions to tighten security

There’s more, but you get the idea. I’ve now been tasked with taking point on an upcoming PCI audit which will be my first.

I’m being paid $16/hr US, with marginal health benefits. This is roughly $32,000 a year, before taxes.

I have two years previous work experience managing a third party Apple repair facility (SimplyMac) and every Apple certification for warranty repair and software troubleshooting. I have a two year degree in general sciences, with about 4 years of college credit (Two years of a physics education and two years of computer science after I switched focus) I’m actively pursuing a CCNA and MCSA server 2016 with exams paid for and scheduled.

I’m going into a salary negotiation in two months. What is a reasonable salary to request, from your perspective, for someone in my position?

Thanks in advance!

THREE DAYS of debugging, reading all the logs I could find, creating tens of new logs in our appliaction, and SUDDENLY an email from your IT admin:

"Hey your CURL requests are being rejected by my !oh so secure! firewall rule".

Not that I haven't said at the beggining, that THIS IS YOUR F...G NETWORK PROBLEM because we get "connection reset by peer" errors, and you ASSURED that everything is CHECKED and OK!

I invite anyone to give me suggestions on what services to use to keep my online stuff (email, files, others) more secure/ private. Also what's the best firewall for Android?