Search - "insecure"
Apple rejected my app, because they thought there was a frickin Windows phone on my loading screen.
How insecure can you be?
It's Friday, you all know what that means! ... It's results day for practiseSafeHex's most incompetent co-worker!!!
We've had a bewildering array of candidates, let's remind ourselves:
- a psychopath that genuinely scared me a little
- a CEO I would take pleasure seeing in pain
- a pothead who mistook me for his drug dealer
- an unbelievable idiot
- an arrogant idiot obsessed with strings
Tough competition, but there can be only one ... *drum roll* ... the winner is ... none of them!
*audience member: what?*
*audience member: no way!*
*audience member: you're fucking kidding me!*
Sir, calm down! This is a daytime show, no need for that ... let me explain, there is a winner ... but we've kept him till last and for a good reason
You see our final contestant and ultimate winner of this series is our good old friend "C", taking the letters of each of our previous contestants, that spells TRAGIC which is the only word to explain C.
Oh I assure you it's no laughing matter. C was with us for 6 whole months ... 6 excruciatingly painful months.
We needed someone with frontend, backend and experience with IoT devices, or Raspberry Pis. We didn't think we'd get it all, but in walked an interviewee with web development experience, a tiny bit of Angular and his master's project was building a robot device that would change LEDs depending on your facial expressions. PERFECT!!!
... oh to have a time machine
Working with C:
- He never actually did the tutorials I first set him on for Node.js and Angular 2+ because they were "too boring". I didn't find this out until some time later.
- The first project I had him work on was a small dashboard and backend, but he decided to use Angular 1 and a different database than what we were using because "for me, these are easier".
- He called that project done without testing / deploying it in the cloud, despite that being part of the ticket, because he didn't know how. Rather than tell or ask anyone ... he just didn't do it and moved on.
- As part of his first tech review I had to explain to him why he should be using if / else, rather than just ifs.
- Despite his past experience building server applications and dashboards (4 years!), he had never heard of a websocket, and it took a considerable amount of time to explain.
- When he used a node module to open a server socket, he sat staring at me like a deer caught in headlights, completely unaware of how to use it or test that it was working. I again had to explain it and ultimately test it for him with a command line client.
- He didn't understand the need to leave logging inside an application to report errors. Because he used to ... I shit you not ... drive to his customers, plug into their server and debug their application using a debugger.
... props for using a debugger, but fuck me.
- Once, after an entire 2 days of tapping me on the shoulder every 15 mins for questions / issues, I had to stop and ask:
Me: "Have you googled it?"
C: "... eh, no"
Me: "can I ask why?"
C: "well, for me, I only google for something I don't know"
Me: "... well do you know what this error message means?"
C: "ah good point, I'll try this time"
... maybe he was A's stoner buddy?
- He burned through our free cloud usage allowance for a month, after 1 day, meaning he couldn't test anything else under his account. He left an application running, broadcasting a lot of data. Turns out the on / off button on the dashboard only worked for "on". He had been killing his terminal locally and didn't know how to "ctrl + c a cloud app" ... so left it running. His intention was to restart the app every time you are done using it ... but forgot.
- His issue with the previous one ... not any of his countless mistakes, not the lack of even trying to make the button work, no, no, not for C. C's issue is the cloud is "shit" for giving us such little allowances. (for the record in a month I had never used more than 5%).
- I had to explain environment variables and why they are necessary for passwords and tokens etc. He didn't know it wasn't ok to commit these into GitHub.
- At his project meetups with partners I had to repeatedly ask him to stop googling gifs and pay attention to the talks.
- He complained that we don't have 3 hour lunch breaks like his last place.
- He once copied and pasted the same function 450 times into a file as a load test ... are loops too mainstream nowadays?
You see C is our winner, because after 6 painful months (company's internal process / requirements) he actually achieved nothing. I really mean that, nothing. Everything was so broken, so insecure / wide open, built without any kind of common sense or standards that I had to delete it all and start again ... it took me 2 weeks.
I hope you've all enjoyed this series and will join me in praying for the return of my sanity ... I do miss it a lot.
"Oh, he is asking that much money for this website? I will create that for only $250 with WordPress. He is just trying to use you"
You fucking wanker. What you don't understand is that you are pushing the companies to a fucking black hole that they won't be able to recover from.
He shows an example of a website which takes 30 sec to load. It's full of hundreds of dreadful plugins. He chose the shittiest stock pictures to make it look "pretty".
When I point out his fucking shite website takes this long to load, he says if the company wants to make the website fast, they will need to buy the premium plan of CloudFlare. WHAT THE FUCK are you even talking about?
Not only that, the example website doesn't even have any SSL. He is saying that the other company didn't want to pay for the SSL. Ever heard of fucking StartSSL or LetsEncrypt?
It's people like you who are responsible for making half of the web an insecure, slow, low-performance space which is prone to hacking.
WordPress was made for blogging. KEEP IT THAT WAY. Stop trying to make your high-performance CMS or eCommerce website with this shite.
Imagine what a coder Gordon Ramsay might be like:
Your algorithm is so FUCKING slow, I'd rather try to brute-force a 20-character alphanumeric password!
This app is more insecure than an average teenager!
If your code were spaghetti it would be a fucking health hazard!
this isn't even a tech thing. it just fucking bamboozled me. I overheard a conversation today.
> "duuuude you gotta make a better password that shit is insecure af"
> "bruh i did, i googled it"
> "googled what?"
> "how to make a good password"
> "so how long's your password?"
> "not long, it's bob2"
> "where's your capital?"
> "I made the '2' capital"
> "so you capitalized a number…"
thank god he walked away. he even told him his fucking password. ignorance.
So, I tried to demonstrate to my roommate how many people push their credentials to GitHub by searching for "password remove" commits.
I decided to show him the file and noticed something interesting. A public IP, and MySQL credentials.
I visit the IP and what do I see there, a directory listing with a Python script, which injects the database into a webpage (???) and a log of all HTTP requests. Lots of failed attacks aiming at the PHP CGI. Still wondering how they failed on a Python server 🤔🤔🤔
Edit phpMyAdmin to connect to the MySQL database. Success.
Inserted a row telling him that his password is on GitHub. Maybe I should also have told him how to actually remove it. 😅
Yes, root can login from %
This is how far I can get with my current abilities.
Scary how insecure this world is.
It was fun to watch my entire high school (~1200 people) freak out when I ran "net send * Big brother is watching you..." on what I found to be an insecure computer in my high school's library. Every single computer in the building displayed the pop up message. The town's IT director even showed up to figure out what happened.
I was caught, but they were happier it wasn't a hacker, and that I discovered that the IT firm the town hired totally botched properly implementing network security, so I was let off the hook.
sudo apt-get random-tool
Traceback (most recent call last):
Aborting because there's a fork in the spoon compartment on line 43 in main
Error this script only works on Python 2.7 and maybe 4.1 on line 59 in main
Missing symbols when trying to decipher Sumerian recipe for steamed vegetables on line 67 in main
Cannot open shared object: Your OS is a bully and is hiding my files on line 98 in main
Are you sure all directories matching ^(/)?([^/\0]+(/)?)+$ are in your $PATH on line 268 in main
Your computer is kind of vibrating in an annoying way on line 332 in main
Failing because I'm feeling insecure please hold me on line 587 in main
I'm feeling confused about my sentience when running TensorFlow models on line 682 in main
HAS ANYONE EVER MANAGED TO JUST FUCKING INSTALL A PYTHON BASED APPLICATION WITHOUT DEBUGGING RANDOM COMPUTER STATE SHIT AND DEPENDENCIES FOR THREE HOURS?
So today (or a day ago or whatever), Pavel Durov attacked Signal by saying that he wouldn't be surprised if a backdoor would be discovered in Signal because it's partially funded by the US government (or, some part of the US govt).
Let's break down why this is utter bullshit.
First, he wouldn't be surprised if a backdoor would be discovered 'within 5 years from now'.
- Teeny tiny little detail: THE FUCKING APP IS OPEN SOURCE. So yeah sure, go look through the code! Good idea! You might actually learn something from it as your own crypto seems to be broken! (for the record, I never said anything about telegram not being open source as it is)
- The server side code is closed (of signal and telegram both). Well, if your app is open source, enrolled with one of the strongest cryptographic protocols in the world and has been audited, then even if the server gets compromised, the hackers are still nowhere.
- Metadata. Signal saves the following and ONLY the following: timestamp of registration, timestamp of the last connection with the server (both rounded to the day so not on the second), your phone number and your contact details (if you authorize it) (only phone numbers) in HASHED (BCrypt I thought?) format.
There have been multiple Telegram metadata leaks and it's pretty well known that it saves way more than necessary.
So, before you start judging an app which is open, uses one of the best crypto protocols in the world while you use your own homegrown horribly insecure protocol AND actually tries its best to save the least possible, maybe try to fix your own shit!
*gets ready for heavy criticism*
I wonder why banks are always so terribly insecure, given how much money there is up for grabs in there for hackers.
Just a while ago I got a new prepaid credit card from bpost, our local postal service that for some reason also does banking. The reason for that being that - thank you 'Murica! - a lot of websites out there don't accept anything but credit cards and PayPal. Because who in their right mind wouldn't use credit cards, right?! As it turns out, it's pretty much every European I've spoken to so far.
That aside, I got that card, all fine and dandy, it's part of the Mastercard network so at least I can get my purchases from those shitty American sites that don't accept anything else now. Looked into the manual of it because bpost's FAQ isn't very clear about what my login data for their online customer area now actually is. Not that their instruction manual was either.
I noticed in that manual that apparently the PIN code can't be changed (for "security reasons", totally not the alternative that probably they didn't want to implement it), and that requesting a forgotten PIN code can be done with as little as calling them up, and they'll then send the password - not a reset form, the password itself! IN THE FUCKING MAIL.
Because that's apparently how financial institutions manage their passwords. The fact that they know your password means that they're storing it in plain text, probably in a database with all the card numbers and CVCs next to it. Wouldn't that be a treasure trove for cybercriminals, I wonder? But YOU the customer can't change your password, because obviously YOU wouldn't be able to maintain a secure password, yet THEY are obviously the ones with all the security and should be the ones to take out of YOUR hands the responsibility to maintain YOUR OWN password.
Banking logic. I fucking love it.
As for their database.. I reckon that that's probably written in COBOL too. Because why wouldn't you.
So I was at work and sent to another location (distribution centers) and in the lunch break my guide for that day and I started a conversation about servers etc (he appeared to do loads of stuff with that). He recommended me all those programs but I didn't recognize anything so I asked him what kinda servers he ran. He runs a lot of Windows servers. No problem for me but I told him that I am into Linux servers myself.
Guy: "Linux guy, eh? That system is considered to be so secure but in reality it's insecure as fuck!".
Me: (If he would come up with real/good arguments I am not going to argue against that by the way!) Uhm howso/why would you think that?
Guy: "Well all those script kiddies being able to execute code on your system doesn't seem that secure.".
*me thinking: okay hold on, let's ask for an explanation as that doesn't make any fucking sense 😐*
Me: "Uhm how do you mean, could you elaborate on that?"
Guy: "Well since it's open source it allows anyone to run any shit on your system that they'd like. That's why windows rocks, it doesn't let outsiders execute bad code on it.".
Seriously I am wondering where the hell he heard that. My face at that moment (internally, I didn't want to start a heated discussion): 😐 😲.
Yeah that was one weird conversation and look on open source operating systems...
I fucking hate Internet of Things, I think that it's a ridiculous idea to connect things, that work perfectly fine, to the internet.
The 'convenience' you get is minimalistic and most of the time non existent.
It is also often insanely insecure and expensive. The burdens it brings with it most of the time just outweigh the positive sides of it.
Now today happened something that made me hate it even more. Today was the First Lego League (Lego competition with EV3 robots, etc.) and one part of the tournament is to find a solution for a given problem. This year the general topic was hydro-dynamics and so the problem was how you can reduce water usage and 'save' water.
Our idea was to make reusable coffee cups and give them to the local coffee shops. (One-time-use paper cups take around 400ml of water to produce.) Basically you buy a cup once for 5 bucks and you get your coffee served in it. After drinking the coffee you return the cup to a local cafe and get a chip as a pawn. When you buy your next coffee, you give them your chip and get it served in another reusable cup. There are at the moment already around 1000 cups going around the city.
Now this was our idea and we got ranked third. I am not too mad about our rank but what really drives me fucking mad is the team who ranked first.
Their idea was to make a pump (using an arduino) and a humidity sensor which you stick into a plant and the pump pumps water when the plant is too dry.
However (you probably guessed it already) they went a step further and connected it to the internet. They also made a web 'interface' for it so you can control the pump with your smartphone / computer / smartwatch / tv / whatever the fuck is connected to the internet nowadays 'thanks' to the iot 'revolution'.
So it is a pump that waters your plant when it is too dry BUT it is also connected to the internet.
WHY THE FUCK DOES THIS HAVE TO BE CONNECTED TO THE INTERNET.
"Oh look it is connected to the internet, wow awesome, oh it is also 'smart'. oh cooool. Nice I don't have to water my plants anymore"
A funny thing is that one of my friends built basically the same thing without connecting it to the internet. He built a small box with a pump and a humidity sensor that measures if the dirt is too dry and then waters the plant. It checks every few hours and there is also a small 16x2 LCD and a knob that you can turn to control how much water it should give the plant each time it waters it. He built it and I programmed it for him. Works perfectly fine and I don't see any reason why there should be any need to connect something like this to the internet.
Anyway we got ranked third, they first. I guess we should connect our coffee cups to the internet in some way ...
Working on the notes service and I'm still at the signup/login/password reset part.
Spending hours on thinking the process through, trying to think of any possible weaknesses in the system and writing patches right away.
I find it funny how thinking through every step (code-wise and user-wise) gives a very broad overview of how secure/insecure this thing is.
I fucking love doing this.
Fingerprint sensor is insecure
-gf can open your phone when you are asleep
-same with chloroform, unconscious, then use fingers
-can cut your fingers if it leads to that.
Fine I agree....but how secure is the face ID ??
-all of the same points can be applied to it.
When I managed to minimize the processing time of the project I'm currently handling. It went down from 30min-1hr to 7min-15mins. The project owner was so happy, said it made his life easier. I was told I did a good job by my manager.
I feel like a real dev then and there. So whenever I'm having a bad day, feeling insecure, I try to remember that day when I was able to do something right. :)
Everyone keeps staring at me on the train 😓 what have I done 😓
I'm just an insecure dev, leave me alone!
Hashedram's compilations #1
List of most annoying website designs.
1) Pages with AUTO PLAYING VIDEOS.
Yes I'm looking at you Netflix. Along with every news website known to man. I'm looking to read a fucking article, so why would you even waste your money and bandwidth trying to shove a video of some shit I don't care about in my face, and make it follow me as I scroll down like a fucking insecure puppy. Also, fuck you Instagram.
2) Pages that redirect once immediately after you visit them, thereby fucking with the browser history and the BACK BUTTON just leads back to the same fucking site.
I mean, just why. Did you think I would just go "Hey the back button doesn't work so let's stay on the site and read their awesome content"?
3) Sites showing things in a SLIDESHOW, when it actually should be in a list.
Slideshows are for progressive stories or for showing lists where you don't care about what's in them. Top 10 foods that reduce weight. Slideshow 1/15. Fuck you.
4) LOOKS LIKE YOU'RE USING AN AD BLOCKER
Yes. Yes I am. No I will not turn it off for you, you narcissistic snowflake fuck. And don't even try to guilt shame me into turning it off, because I know you're just going to bombard me with videos of sexy singles in the area if I do.
5) Pages where I see the first 3 lines of an article and have to SUBSCRIBE to see more.
Yes. Brilliant fucking idea. A user wants to see what your site has to offer, so within the first three seconds, don't show him exactly that.
6) Looking up an article and having to read through the entire motivational life story of the author.
I just want to know how to boil eggs, not read about your journey across Africa learning how to make different recipes using boiled rhino dung.
7) CLICK BAIT.
Title: School boy designs blockchain machine learning game engine
Actual Content: Tic tac toe program made using linked lists
Had a discussion with a developer about security. His software transfers all user data (password and files) unencrypted, so anyone can grab them with Wireshark. I told him that this is a severe issue. He said no, it's no problem, because if you get hacked it's your own fault, because you probably used an insecure network. NO! YOU FUCKING MALADJUSTED SHEEP-MOLESTING OBJECT OF EXECRATION, YOU SHOULD ALWAYS ENCRYPT SENSITIVE USER DATA NO MATTER WHAT NETWORK YOU USE. FUCKING KILL ME ALREADY.
Not implementing encryption is one thing but then acting like it's no problem is a fucking nother one. Why do people not understand that security of user data is important???
SON OF A BITCH!!
I JUST REALIZED ONE WEBSITE I USED HAS HAD HTTPS DISABLED FOR LIKE THREE MONTHS WHAT THE LITERAL FUCK I'VE TYPED A PASSWORD IN THERE AND THERE WAS LITTLE TO NO INDICATION I JUST NOTICED OUT OF THE CORNER OF MY EYE THAT IT'S INSECURE JUST THIS EVENING
SIDE BAR TOTALLY UNRELATED WHY THE FUCK DO WEBSITES THINK IT'S ACCEPTABLE TO ASK FOR COLOR PHOTOGRAPHS OF YOUR DRIVER'S LICENSE WHEN SIGNING UP? WHO THE LIVING HELL WOULD DO THAT?
FUCK THIS WORLD MAN I WANT TO SEND ALL OF THESE ASSHOLES TO GUANTANAMO BAY FOR THE REST OF THEIR MISERABLE FUCKING LIVES
I really don't get it when people cry over "sending passwords in emails".
Had a customer today that wants us to send credentials on WhatsApp instead because it is "secure", instead of email, because email is insecure...
Someone should make a messaging app called the "insecure messenger"
Its main purpose would be to be the opposite of something like Signal or riot.im
The app would let you message your friends. But it would transmit messages in plaintext using HTTP.
Then there would be a second screen that shows a basic Wireshark (or tshark) output so that you can see your plaintext messages being sent and received.
But of course.. someone would download the app without understanding what they are doing and get their shit hacked..
This dev goes "I connect using plain FTP over a VPN to update why can't you!?"
Because it's insecure you fucking idiot.
His FTP server can't even do secure connections. Somehow.
Guess I have a new site to take over 😏
What is this ?
You call this wireless security??
Anyway what is the best way of securing hotspots in airports, hotels, ...?
Since this category is called rant/story, let me tell you a story today.
I went paragliding above the turquoise colored "dead beach" of Fethiye.
And boy was that awesome.
I was very insecure about flying at first. I have such an anxiety. While moving up towards the "Babadağ" Mountain, which is 2000 meters above sea level, my hands began to shake. We reached the clouds. The pilot told me everything would be fine. He has been doing that since 2006 and has 4 medals as Turkey's best long distance flyer and he also was a stunt man.
We ran down the cliff. And as my butt was pushed against the seat, my anxiety began to lower itself.
We even did some stunts, but I do not have them on tape.
Those having such anxiety problems should definitely try this out! Really! :)
TL;DR I'm fucking sick and tired of Devs cutting corners on security! Things can't be simply hidden a bit; security needs to be integral to your entire process and solution. Please learn from my story and be one of the good guys!
As I mentioned before my company used plain text passwords in a legacy app (was not allowed to fix it) and that we finally moved away from it. A big win! However not the end of our issues.
Those idiots still use hardcoded passwords in code. A practice that almost resulted in a leak of the DB admin password when we had to publish a repo for deployment purposes. Luckily I didn't search and there is something like BFG Repo-Cleaner.
I have tried to remedy this by providing a nice library to handle all kinds of config (easy config injection) and a default json file that is always ignored by git. Although this helped a lot they still remain idiots.
The first project in another language and boom hardcoded password. Dev said I'll just remove before going live. First of all I don't believe him. Second of all I asked from history? "No a commit will be good enough..."
Last week we had to fix a leak of copyrighted content.
How did this happen you ask? Well the secure upload field was not used because they thought that the normal one was good enough. "It's fine as long as the URL to the file is not published. Besides, now we can also use it to upload files that need to be published here"
This is so fucking stupid on so many levels. NEVER MIX SECURE AND INSECURE CONTENT, it is confusing and hard to maintain. Hiding behind a URL that thousands of people have access to is also not going to work. We have the proof now...
Will they learn? Maybe for a short while but I remain sceptic. I hope a few devRanters do!
I've found and fixed any kind of "bad bug" I can think of over my career from allowing negative financial transfers to weird platform specific behaviour, here are a few of the more interesting ones that come to mind...
#1 - Most expensive lesson learned
Almost 10 years ago (while learning to code) I wrote a loyalty card system that ended up going national. Fast forward 2 years and by some miracle the system still worked and had services running on 500+ POS servers in large retail stores uploading thousands of transactions each second - due to this increased traffic to stay ahead of any trouble we decided to add a loadbalancer to our backend.
This was simply a matter of re-assigning the IP and would cause 10-15 minutes of downtime (for the first time ever), we made the switch and everything seemed perfect. Too perfect...
After 10 minutes every phone in the office started going berserk - calls were coming in about store servers irreparably crashing all over the country, taking all the tills offline and forcing them to close doors midday. It was bad and we couldn't conceive how it could possibly be us or our software to blame.
Turns out we made the local service write any web service errors to a log file upon failure for debugging purposes before retrying - a perfectly sensible thing to do if I hadn't forgotten to check the size of or clear the log file. In about 15 minutes of downtime each store's error log proceeded to grow and consume every available byte of HD space before crashing Windows.
#2 - Hardest to find
This was a true "Nessie" bug.. We had a single codebase powering a few hundred sites. Every now and then at some point the web server would spontaneously die and vomit a bunch of SQL statements and sensitive data back to the user, causing huge concern, but I could never remotely replicate the behaviour - until 4 years later it happened to one of our support staff and I could pull out their network & session info.
Turns out years back when the server was first setup each domain was added as an individual "Site" on IIS but shared the same root directory and hence the same session path. It would have remained unnoticed if we had not grown but as our traffic increased ever so often 2 users of different sites would end up sharing a session id causing the server to promptly implode on itself.
#3 - Most elegant fix
Same bastard IIS server as #2. Codebase was the most insecure, unstable travesty I've ever worked with - SQL injection vulns in EVERY URL, SQL statements stored in COOKIES... this thing was irreparably fucked up but had to stay online until it could be replaced. Basically every other day it got hit by bots and ended up sending bluepill spam or mining shitcoin, and I would simply delete the instance and recreate it in a semi un-compromised state, which was an acceptable solution for the business for uptime... until we were DDoS'ed for 5 days straight.
My hands were tied and there was no way to mitigate it except for stopping individual sites as they came under attack and starting them after it subsided... (for some reason they seemed to be targeting by domain instead of IP). After 3 days of doing this manually I was given the go ahead to use any resources necessary to make it stop, and especially since it was IIS6 I had no fucking clue where to start.
So I stuck to what I knew and deployed a $5 VM running an Nginx reverse proxy with heavy caching and rate limiting linked to a custom fail2ban plugin in front of the insecure server. The attacks died instantly, the server sped up 10x and was never compromised by bots again (presumably since they got back a Linux user agent). To this day I marvel at this miracle $5 fix.
Don't burn other devs just because you don't like their solution. Discuss, empower and stop being a total prick. People should look up to you because they respect you, not because you put them down!
Here is my list of horrible techs which are common in my current and previous workplace which should be extinct ASAP:
Java Swing desktop apps
C# Windows Forms desktop apps
Shitty insecure php web apps
Microsoft Access DB
Closed Linux-based appliances which lack many basic GNU software and are forbidden to tamper with
Every single Symantec product
Post yours below
My mobile provider doesn't allow me to set a password that contains any other symbol than letters and numbers for the website where you can look at how much data you consumed (and can order new data, change plans, etc.). Are you kidding me. This is making shit insecure, you fucks!
So my ISP decided it was ok for them to log into my router remotely and re-enable the wifi.
I turned it off for a reason and no, your excuse that it will improve my upload speed is bullshit, you stupid patronising fucking shithead.
I'm now seriously looking into cancelling my service with you because you don't respect your customers or their wishes.
Also I'm guessing there's a default backdoor password into the router, as I changed all the passwords I could find. Meaning the whole thing is horribly insecure.
me: the source code is currently stored on GitHub and we use GitHub Actions after each update to compile your code into a binary before deploying to your servers
client: storing source code on GitHub (external server) is insecure and breaks compliance
me: so I guess you will need to have a copy of the source code on all your servers and build them directly there (too cheap to have a separate build server) instead of using GitHub Actions
me: keep in mind that all your certificates and tokens are going to be stored as plain text on all your servers, so if a hacker gains access to any one of your servers, they will have access to everything.
client: yeah, this is in compliance with our security policy
I'm fed up with this shit. I'm a Bachelor's student and I study in a class where no student wants to study. Like literally none. You'd think someone studying for a Bachelor's degree would have some sense. But no. Not a fucking one of them. Our class requires a minimum number of students to attend to smoothly run the class. I am the CR and I can't convince them enough to even meet that level. How am I gonna get through these two years? I try to say something, everybody snaps at me for being a smartass. Which I'm clearly not. These are the same people who come at me when the courses don't finish in time. I am alone. I am getting too weak to stand against them. My self esteem is declining day by day. I am really insecure.
I've just been given a beautiful turd of a PC with only 512MB RAM to get ready for someone in the residence. Way too small for any modern Windows or even Linux with a halfway decent GUI. And the user doesn't have any technical background so I highly doubt that they'll be able to maintain a Linux system. Windows XP is full of security issues but it might just be able to run on that craptop. Due to me knowing that it's a vulnerable system though, I've got an ethical issue with that. Windows XP is insecure but at least the user would be able to use it.. and Linux is secure but it'd never get updated, and I really don't want that guy to come knock on my door every time he wants to install a piece of software.. the guy fucking stinks! What would you do in a situation like that?
I am DONE with this woman.
Background: we're a team of 3 developers and I'm the junior in this team, and I've been in this shit for a year now. 2 months ago the team leader left for another project and I had to stand in for him in every responsibility towards the PM and other teams.
Now I not only had to endure this insecure woman, but I was also supposed to work with her! Fast-forward to today, the team leader is back and I thought I could put my headphones on and work peacefully at last.
I've found out she's sent faulty code to production - no big deal - and said that over chat (although she's sitting right behind me):
Me: We need to fix this.
Me: *giving some details about the issue*
Her: Your attitude is important when you ask me to do something. Whenever you're writing to me you're typing on your keyboard like you're going to break it on my head.
*me not knowing what to say at this point because we had something stupid like this before*
Me: So you're offended by the sound my keyboard makes? (I have mx brown switches by the way and they're not even loud)
Her: No you're typing too fast when you're writing to me. The sound echoes in the office.
Can you fucking believe this shit? I hate people that think they can educate me but have no idea how to rationally respond to situations and take responsibility! I didn't even say anything!
And she's been saying to me she hadn't had a problem with any other people for a gazillion years, who knows how long, and why would she cause a problem now! And thinks I am the problem, fuck YOU!
Since you don't like receiving orders, why didn't you take the place when the fucking guy went for another project, but I had to take all the responsibility? I know why, you fucking entitled bitch.
Because you HAD NO IDEA AND YOU STILL DON'T.
So shut the fuck up and do as I say.
When you ask the IT department of a company that collaborates with Microsoft why you aren't allowed to use Firefox instead of IE.
The answer is: "It's insecure because it's open source"
ARE YOU FUCKING KIDDING ME? INSECURE??? IT IS MORE SECURE THAN IE!!! INSECURE BECAUSE OPEN SOURCE? THEN LET'S USE CHROME OR OPERA INSTEAD, BUT NOT IE
Clicking "forgot my password" and getting a mail with my password in clear text. Sending a mail and asking why they don't care about security. The answer I'm getting is "it's a feature, makes things easier". Yeah...
Qualifications and experience required to start a WordPress consultancy/brand agency:
• Be a marketing/people person.
• No technical requirements required.
Hate seeing others get clients and delivering half-assed solutions and deploying outdated and even insecure versions of everything.
The number of people who responded to this with bile such as “yeah but how well” or “i bet she can only write hello world”.
It's sad that this attitude still exists in our industry. If you haven't seen the story, she responded by clarifying that she is on the iOS tutorial team for Raywenderlich, and has a bachelor's degree with a double major in Computer Science. But she shouldn't have to explain that just because she's a woman. Are people that insecure about their knowledge that they need to resort to demeaning other people's? For shame.
Those managers who think that Microsoft is the only platform and believe that Linux is insecure - fuck off. I don't want to use Azure, you ass.
In July Chrome will mark all http-pages as not secure and Firefox will follow.
Worst of all, those insecure pages won't be allowed to access the microphone and other features any more. What will I do in cafes now?
Started talks on a contract to build out a web payments portal, and ended up with a security contract instead. After initial probing, which I do to all prospective clients, I told them I would not work with a company that is as insecure as them.
They hired me for analysis and now want me to make them a plan.
They also fired their entire security division for not doing their job.
What the fuck is 2020 turning into...
Quote: "It's both insecure and resource intensive"
Then he went on to say that only if the script is free would he see what it is to run it.
He also said that he would never allow any JS file that comes from Google, even jQuery...
I wouldn't live in an isolated world just to be 100% secure, I want my good user experience xD
I am currently working on my Master's thesis in the R&D department of a company that builds & sells mechanical appliances. Obviously a part of the thesis is outlining the various approaches.
Me: *Headphones on, browsing competitor's website for citeable content*
*Le boss approaches, starts looking at my screen*
B: Are you honestly preferring their approach over ours?!
M: *sets down headphones* What do you mean?
B: *Begins rant about unfair competitors, how I dare consider defecting to a competitor*
M: Uhm... I was just looking for sources so that I could write about different approaches...
B: Oh. Carry on then. *leaves*
M: *scratches head, opens devRant, begins typing*
So I have too many posts for wk110. It's sad. Here we go. I got a bad grade on an assignment for a hello world program in college. How do you write a hello world program that successfully prints hello world and not get 100 percent?
The teacher insisted that we write a console "hello world" program in C++, on Windows. If he can't read hello world, you fail. So you must add `system("pause")` at the end so the window stays open. One problem: system() is horribly insecure and I'm stubborn. I refused to write exactly what he wanted, like everyone else did, because I try to not write code I know is unsafe. So I ended my script with cin.get(), which also pauses for input. Unlike pause, however, it can't be any key; it reads a line, so you must hit enter. This was "unfavorable behavior" and ultimately I got something like a high C, low B grade. Only person to not get 100%
I hate being so insecure. I don't start developing an idea because I think I won't be able to do it, I don't code together with someone who is better than me because I think they'll make fun of me or think I'm doing it wrong, I don't speak up in class even though I probably, definitely, know the answer. I feel like I'll never get anywhere if I remain this way. Anyone have some advice? Thanks
Perhaps more of a wishlist than what I think will actually happen, but:
- Everyone realises that blockchain is nothing more than a tiny niche, and therefore everyone but a tiny niche shuts up about it.
- Starting a new JS framework every 2 seconds becomes a crime. Existing JS frameworks have a big war, until only one is left standing.
- Developing for "FaaS" (serverless, if I must use that name) type computing becomes a big thing.
- Relational database engines get to the point where special handling of "big data" isn't required anymore. Joins across billions of rows don't present an issue.
- Everyone wakes up one day and realises that WordPress is a steaming pile of insecure cow dung. It's never used again, and burns in a fire.
Fuck Microsoft and the windows dev team! Fuck the person who thinks it's a bright idea to force users to download updates on their fucking insecure OS.
I live in a shitty substandard country where the cheapest mobile data plan is roughly $7.5 for 7.2 GB for a month.
After several weeks of Windows auto downloading updates I don't need, I disabled the updates on several fronts using tutorials found online, until yesterday the fucking thing still found a way to download updates of over 6 GB. I didn't suspect a thing until I got a notification that my data plan is exhausted, and I immediately checked Windows Update and saw a fucking download meter of 76% downloaded. The data was supposed to last for 4-5 days, all gone within a 3-hour span.
Fuck whoever thought it is a nice idea to force users to download shitty updates, leave me with the fucking old unstable version, if I get a malware I know how to find my way out you fucking goofs at microfuckingsoft!!
After a few weeks of being insanely busy, I decided to log onto Steam and maybe relax with a few people and play some games. I enjoy playing a few sandbox games and do freelance development for those games (anywhere from a simple script to a full on server setup) on the side. It just so happened that I had an 'urgent' request from one of my old staff members from an old community I used to own. This staff member decided to run his own community after I sold mine off, since I didn't have the passion anymore to deal with the community on a daily basis.
O: Owner (Former staff member/friend)
D: Other Dev
O: Hey, I need urgent help man! Got a few things developed for my server, and now the server won't stay stable and crashes randomly. I really need help, my developer can't figure it out.
Me: Uhm, sure. Just remember, if it's small I'll do it for free since you're an old friend, but if it's a bigger issue or needs a full recode or whatever, you're gonna have to pay. Another option is, I tell you what's wrong and you can have your developer fix it.
O: Sounds good, I'll give you owner access to everything so you can check it out.
Me: Sounds good
*An hour passes by*
O: Sorry it took so long, had to deal with some crap. *Insert credentials, etc*
Me: Ok, give me a few minutes to do some basic tests. What was that new feature or whatever you added?
O: *Explains long feature, and where it's located*
Me: *Begins to review the files* *Internal rage wondering what fucking developer could code such trash* *Tests a few methods, and watches CPU/RAM and an internal graph for usage*
Me: Who coded this module?
O: My developer.
Me: *Calm tone, with a mix of some anger* So, you know what, I'm just gonna do some simple math for ya. You're running 33 ticks a second for the server, with an average of about 40ish players. 33x60 = 1980 cycles a minute, now let's times that by the 40 players on average, you have 79,200 cycles per minute or nearly 4.8 million fucking cycles an hour (If you maxed the server at 64 players, it's going to run an amazing fucking 7.6 million cycles an hour, like holy fuck). You're also running a MySQLite query every cycle while transferring useless data to the server, you're clusterfucking the server and overloading it for no fucking reason and that's why you're crashing it. Another question, who the fuck wrote the security of this? I can literally send commands to the server with this insecure method and delete all of your files... If you actually want your fucking server stable and secure, I'm gonna have to recode this entire module to reduce your developer's clusterfuck of 4.8 million cycles to about 400 every hour... it's gonna be $50.
D: *Angered* You're wrong, this is the best way to do it, I did stress testing! *Insert other defensive comments* You're just a shitty developer (This one got me)
Me: *Calm* You're calling me a shitty developer? You're the person that doesn't understand a timer, I get that you're new to this world, but reading the wiki or even using the game's forums would've ripped this code to shreds and you to shreds. You're not even a developer, cause most of this is so disorganized it looks like you copy and pasted it. *Gets angered here and starts some light screaming* You're wasting CPU usage, the game can't use more than 1 physical core, and after a quick test, your stupid 'amazing' module is using about 40% of the CPU. You need to fucking realize the 40ish average players use less than this... THEY SHOULD BE MORE INTENSIVE THAN YOUR CODE, NOT THE OPPOSITE.
O: Hey don't be rude to Venom, he's an amazing coder. You're still new, you don't know as much as him. Ok, I'll pay you the money to get it recoded.
Me: Sounds good. *Angered tone* Also you developer boy, learn to listen to feedback and maybe learn to improve your shitty code. Cause you'll never go anywhere if you don't even understand how bad this garbage is, and that you can't even use the fucking wiki for this game. The only fucking way you're gonna improve is to use some of my suggestions.
D: *Leaves call without saying anything*
TL;DR: Shitty developer ran some shitty XP system code for a game nearly 4.8 million times an hour (average) or just above 7.6 million times an hour (if maxed), plus running MySQLite when it could've been done within about like 400 an hour at max. Tried calling me a shitty developer, and got sorta yelled at while I was trying to keep calm.
Still pissed he tried calling me a shitty developer...
New role in the company, now I finally work in security, and I love it.
Walking by the IoT lab while talking to my new boss, my eyes have hearts in them and my boss notices it.
He asks: "do you fancy electronics?"
Me: "I love electronics"
We agree, talking with the head of IoT, in securing their gateways with our knowledge.
A dream came true. Two of my favorite subjects together, electronics and security.
Temporal jump, few weeks later, still no formal engagement in this work.
We got invited to give a speech at a university by the head of IoT about gateways' security.
During his presentation he talks about universities and their (obviously free) contributions to his products.
Our radar was up, he was trying to give our job to university students.
Obviously we didn't give the whole speech with our suggestions, and we avoided the core parts of the speech.
Well done, sir.
I do not completely disagree with his approach, but I'm not sure the resulting product would be secure enough.
University students where I live only have a theoretical approach to the subject, I'm afraid they will leave holes in the product.
Now I'm split.
From one point of view I hope they leave many bugs, so that I can then work on it and fix it.
From the other point of view I hope they do a great job, so that my company does not make a bad impression in the Internet of Insecure Things...
Furthermore, how do I behave now?
I really wanted to start this new project, we were talking about building a new hardened OS for the IoT, and I already started writing hardened drivers, functions, and implementing hardware security between sensors and gateways.
Kubernetes, or rather a lack of learning material.
I'm one of these deep dive guys and have noticed a pretty nasty pattern in K8s tutorials.
What annoys me? When I'm unable to reach at least intermediate level within 5 hours.
What upsets me about K8s tutorials? They're literally clickbait. They don't address the topic.
I have the feeling that everyone with a basic understanding of K8s calls themselves an expert, yet is unable to answer basic, practice oriented questions.
I'll give you a few questions I couldn't find in several 5 hours sessions.
> Great, you've shown me how to setup an insecure load balancer, how tf should I configure my DNS configuration then, and what about SSL? I ain't use AWS.
> Great, you've shown me how to setup persistent storage, but are using the easy route and just use an AWS bucket?
> Great, you've shown me how to setup a dynamic website. Why did you hardcode that link to the API Server tho?
... and more limitations due to K8s itself:
> Fuck! This tutorial is outdated but exactly what I'd need.
> Fuck! This tutorial uses an external provider (e.g. AWS, GCP) to do the otherwise rather complex task he advertised in the title of the article (related to K8s bc they don't implement features themselves).
> Fuck! This tutorial uses the newest version of K8s, but it still doesn't work bc of weird ass reasons.
Code comments #1: A way to document bad code that wasn't reduced to its essentials and thus unreadable. Bad.
Code comments #2: A way to explain for non-programmers how the code works. Wrong place.
Code comments #3: Company policy. No one really knows why, but others do that, so we better do it too. The management sucks.
Code comments #4: Because some hip methodology/guru describes how to document code. After a few years, when the methodology has been (unofficially) forgotten, everyone still comments the code the same way. The old management sucked.
Code comments #5: For insecure programmers who want to convince themselves they understand the code they've written. Maybe apply at McDo?
Code comments #6: Some programmers are apparently paid by lines of code. Possibly understandable.
// Comments, anyone?
I was asked to fix a critical issue which had high visibility among the higher ups and was blocking QA from testing.
My dev lead (who was more like a dev manager) was having one of his insecure moments of “I need to get credit for helping fix this”, probably because he steals the oxygen from those who actually deserve to be alive and he knows he should be fired, slowly...over a BBQ.
For the next few days, I was bombarded with requests for status updates. Idea after idea of what I could do to fix the issue was hurled at me when all I needed was time to make the fix.
Dev Lead: “Dev X says he knows what the problem is and it’s a simple code fix and should be quick.” (Dev X is in the room as well)
Me: “Tell me, have you actually looked into the issue? Then you know that there are several race conditions causing this issue and the error only manifests itself during a Jenkins build and not locally. In order to know if you’ve fixed it, you have to run the Jenkins job each time which is a lengthy process.”
Dev X: “I don’t know how to access Jenkins.”
And so it continued. Just so you know, I’ve worked at controlling my anger over the years, usually triggered by asinine comments and decisions. I trained for many years with Buddhist monks atop remote mountain ranges, meditated for days under waterfalls, contemplated life in solitude as I crossed the desert, and spent many phone calls talking to Microsoft enterprise support while smiling.
But the next day, I lost my shit.
I had been working out quite a bit too so I could have probably flipped around ten large tables before I got tired. And I’m talking long tables you’d need two people to move.
For context, unresolved comments in our pull request process block the ability to merge. My code was ready and I had two other devs review and approve my code already, but my dev lead, who has never seen the code base, gave up trying to learn how to build the app, and hasn’t coded in years, decided to comment on my pull request that upper management has been waiting on and that he himself has been hounding me about.
Two stood out to me. I read them slowly.
“I think you should name this unit test better” (That unit test existed before my PR)
“This function was deleted and moved to this other file, just so people know”
A devil greeted me when I entered hell. He was quite understanding. It turns out he was also a dev.
After submitting a registration form I noticed the site is served over plain HTTP. Their marketing site is served encrypted, but login and register are not! What the fuck!!!
I contacted them so I might have a continuation to this rant if I'm not satisfied with their answers.
A new update has been made to dr!
For us lazy People:
You can now make a file at ~/ called .dr.conf
In the first line of the file, put your username
In the second line, put your password
Dr will now automatically log in
(Yes I know this is insecure)
Also, for installation:
Anyone else hate those tutorials that go in a direction for pages and pages, then suddenly they tell you that while that works, it's inefficient and insecure. THEN WHY THE FUCK DID YOU NOT TALK ABOUT THE PROPER WAY??? You don't teach people to drive a car blindfolded.
Just went to book something online. About to click the "Pay" button and noticed the page wasn't secure. Who the hell, in 2017, captures credit card details via insecure 'http'??? And 'https' worked on the home page but not the payment page!! Backed out of that, messaged them and we'll see if anything comes of it.
Despite common sense, I think technology is not making our lives easier. It just builds chaos on top of chaos.
Take server-side programming for instance.
First you have to find someone to host your thing, or a PaaS provider. Then you have to figure out how much RAM and storage you need, which OS you're going to use. And then there's Docker (which will run on top of a VM on AWS or GCP anyway, making even less sense). And then there's the server technology: nginx, Apache (and many many more; if, that is, you're using a server at all). And then there are firewalls, proxies, SSL. And then you go back to the start, because you have to check if your hosting provider will support the OS or Docker or your server. (I smell infinite recursion here.)
Each of these moving parts comes with its own can of worms in terms of configuration and security. A whole bible to read if you want to have the slightest clue about what you're doing.
And then there's the programming language to use and its accompanying frameworks. Can they replace the server technology? Should you? Will they conflict with each other and open yet another backdoor into your system? Is it supported by your hosting provider? (Did I mention an infinite recursion somewhere?)
And then there's the database. Does it have a port to the language/framework of your choosing? Why does it expose a web interface? Is it supposed to replace your server? And why are its security features optional again? (Just so I have to test both the insecure and the secure environments?)
And you haven't written a single line of code yet, mind you.
Why is everyone happy about Google Clips? It's the single most scary instance of a big brother appliance that exists today. What are they going to do with the data? They say it's to save memories of your kid or your dog. There's already something like that. It's called a brain and paying attention to your damn life. I don't want to be saved in your shitty memories just bc you are so insecure about remembering your fuck*ng memories.
I'm sorry for the outburst but that sh*t is solving a problem nobody had and it's getting applauded like those heaven's gate motherf*ckrs that say that life is improved by these shitty beliefs.
Just learnt perfectly what the below joke means:
'I wanted to improve the world, but they wouldn't give me the source code'
I really don't understand why the world is full of obsolete processes that people fight against daily when changing things ever so slightly could take the weight of the world off their shoulders. The same thing goes for my work, I work in finance, and we use a remote app built in Windows forms (not xaml or wpf, the original forms) and it's insecure, slow, buggy, and crashes whenever you press ESC (yes, really). Even worse, I've offered to rewrite their whole network for nothing, just the improvement to people's lives. And they say no! WELL FUCK YOU FOR BEING A PLAGUE ON THE FUCKING WORLD! Why do people insist on staying behind the times when the world could be such a beautiful place?!?
FUCK YOUR PASSWORDS
FUCK YOUR PASSWORD REQUIREMENTS.
FUCK YOU thinking you are the most important site in the universe so of course everyone will remember their password mangled beyond the original intention/recognition by your idiotic requirements!
I want to have an insecure password? MY PROBLEM.
I want to have the same password everywhere so I don't have to go through the idiotic "forgot my password" dance each time I try to login into your page? MY PROBLEM!
You're not the most important site in the universe.
I'm getting seriously fed up with this idea in general.
WHAT THE FUCK. Why did nobody come up with nothing better yet?
And the password storages and autocompletions don't count, that's a plaster on top of idiotic paradigm, nothing else.
...how is there nothing more sensible, still, after 18+ years?
So last night a friend randomly found a raw not-yet-installed WordPress instance on a public domain that he found on a Facebook site (it was already linked for I don't know how long, but just not installed).
He told me about it and, being the guy I am, I signed up an account on some free MySQL hosting website, set up a database and used it for that WordPress site.
I then left a kind little note on the front page for the admin telling him that I just saved his ass since others could've done the same but posted racist shit or something and, also, told him not to use WordPress.
Even though I had no bad intentions, I used proxies and VPN connections because you never know how these people might react.
Hopefully they'll learn from it 😇
I don't know what you did yesterday, but I did make my company throw away 2 months of progress.
It all started in the beginning; since then I've made numerous complaints about the workflow or code and how to improve it. I've been told off every time, and every time I either told the boss, who agreed in the end, or wrote code to prove myself. Everything was a hassle and my tasks weren't better.
Team lead: you'll do X now, please do that by making Y.
Me: but Y is insecure, we should do Z.
Team lead: please do Y
Later it turns out Y is impossible and we do Z in the end...
Team lead: please do W now
Me, a few days later: I've tried and their server doesn't give HTTP CORS headers, doing W in the browser is impossible
Team lead, a few days later: have you made progress on W?
Me: * tells again it's impossible and uploads code to prove it *
Team lead: * no response *
After that I had enough. Technically I still was assigned to do W, but I used my time to look over the application and list all the things wrong with it. We had everything: giant commits, commented out code, unnecessary packages, a new commit introduced packages that crashed npm install on non-Macs, AngularJS packages even though we use Angular, weird logic, a security bug, all CSS in one file even though you can use component-specific CSS files...
I sent that to my boss, telling him to let the backend-guys have a look at it too and we had a meeting about this. I couldn't attend but they agreed with me completely. They decided to throw away what we have already and to let one of the backend-guys supervise our team. I guess there will be another talk with the team lead, but time will tell.
It feels so good having hope to finally escape this hellish development cycle of badly defined task, bad communication and headache-inducing merges.
When you spend 6 hours figuring out how to best encrypt/decrypt your unimportant website cookies just because you don't want people to see how bad you are at naming stuff :x
I wish I could read my code on other people's screens. I wouldn't sound like such an idiot whenever I leave my desk. *sigh*
So I just recently had the pleasure to set up a Rails environment for a friend on Windows. I haven't used Windows in about 5 or 6 years, and the person I had to set it up for doesn't know much about programming at all.
It all went fine at first: install database, devkit thingy and git. Then set up the project itself. And there is where the problems started.
First, Windows would refuse to use SSL, because of some weird bug in the Windows version of rubygems. The suggested upgrade did not work, so I had to switch some gem sources to insecure connections, but at least it did install everything correctly.
Alright, I thought, that's not _that_ bad, everything is running now.
Later again he sent me another screenshot.
His Antivirus spyware was messing with the asset pipeline. (╯°□°）╯︵ ┻━┻
This was the point where I just said "FUCK IT, i'll just put everything into a fucking VM and let him use that".
I should have done that in the first place.
Long story short:
Setting up a development environment under Windows is painful.
Do yourself a favor and just use a VM.
Hmm... recently I've seen an increase in the idea of raising security awareness at a user level... but really now, it gets me thinking, why not raise security awareness at a coding level? Just having one guy do encryption and encoding most certainly isn't enough for an app to be considered secure. In this day and age where most apps are web based, and some of them even open source, I think that first of all it should be our duty to protect the customer/consumer rather than make him protect himself. Most everyone knows how to get user input from the UI, but how many out here actually think that the normal dummy user might actually type unintentional malicious code which would break the app or give him access to something he shouldn't be allowed into? I've seen very few developers/software architects/engineers actually take the blame for insecure code. I've seen people build apps starting on an unacceptable idea security-wise and then in the end thinking of patching in filters, encryptions, encodings, tokens, and days before release realise that their app is half broken because they didn't start the whole project in a more secure way for the user.
Just my two cents... we as devs should be more aware of coding in a way that makes apps more secure from and for the user rather than saying that we had some epic mythical hackers pull all the user tables that also contained unhashed unencrypted passwords by using magic. It certainly isn't magic, it's just our bad coding that lets outside code interact with our own code.
Am I the only one who thinks OSX is stupidly insecure unless you encrypt the whole disk? I mean, how dumb is it to boot into safe mode and provide a root shell without prompting for credentials?
Hotel wifi: Weak signal of a slow wifi that works once per 10 minutes
*goes to diff hotel*
New hotel wifi: Weak but stable signal that is fast and works all the time; admin:admin1
A conversation between an offshore developer and his manager at a fortune 500:
I'm a software developer and the company I work for is a vendor for $manager's and $offshore_dev's company. They provide endless hours of entertainment/terror. Recently, we've been trying to convince them that they need to stop sending sensitive information plaintext over HTTP and set up TLS/HTTPS which has led to tons of fun conversations such as this one they had during a conference call:
* $manager: "Did $offshore_dev implement TLS1.2?"
* $offshore_dev: "Yes, we enabled a parameter in the code to enable TLS1.2 in the code but according to $me's email, this requires HTTPS in order to work."
* $manager: "No this works, we're using TLS in $other_application right now."
* $offshore_dev: "Well, $manager, it's implemented but it currently doesn't encrypt anything as such."
* $manager: "Okay, HTTPS is in the roadmap in the next quarter, we can move forward without this for now."
TLDR; Default admin login on WEP encrypted WLAN router for getting free stuff at my hair stylist studio.
Free WLAN in my hair stylist studio: They had their WEP key lying around in the waiting area. Well, I am not very happy with WEP, thought that they had never heard of security. Found the default GW address, typed it into my browser and pressed Enter, logged in with admin/1234 and voila, I was root on their ADSL router 😌 Even more annoyed now by such stupidity, I decided to tell the manager. All I told him was: You use a default login on your router, you give the WiFi password away for free, WEP is very very insecure and can be hacked in seconds, and do you know what criminals will do with your internet access? He really was shocked about that last question, blank horror, got very pale in just one sec. I felt a little bit sorry for my harsh statement, but I think he got the point 😉 Next problem was: he had no clue how to do a proper configuration (he didn't even know the ISP username used or such things). Told me that 'his brother' had installed it, and that he will call him as soon as possible. Told him about everything he should reconfigure now, and saw him writing down the stuff on a little post-it.
Well, he then asked me what he can pay me? Told him that I don't want anything, because I would be happy when he changes the security settings and that is pay enough. He still insisted on giving me something, so I agreed on one of a very good and expensive hair waxes. Didn't use it once 😁
Some weeks later when I was coming back for another hair cut: Free WLAN, logged in with admin/1234, got access and repeated all I did the last time once more 😎
HOW CAN YOU NOT LEARN FROM FAILS??
when you have to use one language inside of another, and you basically have to call functions allowing you to call the other's language function within it, and you get the hell confused, since it gets harder and harder to see what is what and who can call who and how, and the compiler ofc. won't say anything about it since it only cares about the main language you are in and not the nesting of the other...
I just have no idea what I'm doing right now, or if my thought process and understanding of this is even close to where it is supposed to be.
D: I'm just confused and insecure about this right now....
time for experiments to figure this out, and get the hang of it
Look, I get it. Wordpress sucks. It’s bloated. It’s slow. It’s not elegant. It’s a nightmare to debug and code for. The plugin ecosystem is an insecure, confusing mess of outdatedness and issues.
We can all agree that in a perfect world all power to determine everything about a website, from the code to the content, would be in our power as developers. But we don’t live in a perfect world. People want convenience, even at the cost of performance and security, and they will inevitably resent technologists who refuse to give it to them. We do ourselves and our customers a disservice when we only do what we feel is in our own best interests or preferences and not what will help them with their realities.
Yes, it sucks. Yes, it’s a pain. Yes, it’s in demand and there’s nothing any of us can do to change that.
And that’s all I have to say about that.
Fucking mongodb... the name is really fitting "mongol db"..
I get that a NoSQL db can be very useful but holy crap mongodb is shit..
Even better is the security.. holy shit it's insecure..
"Just use the configuration to only allow 127.0.0.1" stfu that shit apparently doesn't work on fucking centos..
And yes my customer did get hacked
And yes they did blame me
And yes I did have a backup
So my brother went back to school today. Now, during the 5 years I was there they had the most shit security on their IT systems, but apparently now they have fucked up their SSL. If you try to load the https page it comes up with the warning saying it's an invalid certificate, but once you click through it, it doesn't even load the school website, it loads this random page. Clicking on the buttons then takes you to a page under their domain provided by another school. Going to this school's website, the https seems to be broken in the exact same way. It wouldn't be so bad, but it can confuse the hell out of people who type https before a URL, and those who don't realise and end up on the insecure site will need to provide passwords over an insecure connection. I am so glad I'm out of that place, they had such crap IT and everything was so easy to break.
A random story that just popped back into my head while reading another rant:
Long ago, we developed our own webmail platform at the request of clients. After it was finished, it was never updated and eventually turned into an outdated, insecure, steaming pile of crap. Up until ~2015, it looked like the first iteration of AOL Mail from the 1990s (and it functioned as such too.) Years later, we decided to sunset the platform, and allotted 6 months or so to transition all the active users off the platform and over to an alternative email provider. We had to call each client multiple times and send multiple emails with a deadline detailing when the service would be shut down, and we'd explain that if they didn't transition over to a new service and transfer all their emails before that date, then the emails would be lost forever. Lo and behold, a handful of clients ignored our repeated contact attempts, and we shut down their email service (as we told them that we would.) Of course, they called screaming and panicking "OUR EMAIL IS DOWN OUR EMAIL IS DOWN WE'RE LOSING MONEY FIX IT NOW!!!!," and we told them "We attempted to contact you multiple times, and you neglected to return our numerous calls or emails. We're happy to help you transition your old email addresses to this new provider, but because you neglected to follow the cushy deadline we provided you, all of your emails are gone."
Of course, they denied having ever received our calls/emails, and we'd have to provide them with our outgoing call recordings to prove that we did in fact contact them multiple times. Then they'd blame the mishap on their secretary, who would blame it on the intern, who would blame it on the IT guy, who would blame it on the janitor, and so on and so forth.
Moral of the story: always keep outgoing call recordings when you're sunsetting a product.
that feel when I am the only one in the team who knows at least one framework.. and coworkers refuse to learn and instead copy and paste code parts from old, insecure apps into new apps... 😐
left work last night at 4am, leaving the laptop at the office, disgusted. now I feel insecure for leaving it there on a Sunday
Refactoring is like dating. You have to remember stuff, maybe you're insecure and you may have to overcome yourself to actually do it.
But when it works out, it's great.
Is there a language that makes it difficult to write insecure web backend stuff? PHP seems to be the opposite of this.
During one of our 'pop-up' meetings last week.
Ralph: "The test code the developers are checking in is a mess. They don't know what they are doing."
var foo = SomeLibrary.GetFoo();
Fred: "Ha ha..someone should talk to HR about our hiring practices. These people are literally driving the company backwards."
Me: "I think unit testing is complete waste of time."
- You could almost see the truck hit the wall and splatter watermelon everywhere..took Ralph and Fred a couple of seconds to respond
Fred: "Uh..unit testing is industry best practice. There is scientific evidence that proves testing reduces bugs and increases code quality"
Ralph: "Over 90% of our deployments are rolled back because of bugs. Unit testing will eliminate that."
Me: "Sorry, I disagree."
- Stepping on kittens wouldn't have gotten a worse look from Fred and Ralph
Fred: 'Pretty sure if you ask any professional developer, they'll tell you unit testing and code coverage reduces bugs.'
Me: "I'm not asking anyone else, I'm asking you. Find one failed deployment, just one, over the past 6 months that unit testing or code coverage would have prevented."
- good 3 seconds of awkward silence.
Ralph: "Well, those rollbacks are all mostly due to server mis-configurations. That's not a fair comparison."
Me: "I'm using your words. Unit tests reduce bugs and lack of good tests is the direct reason why we have so many failed deployments"
Boss: "Yea, Ralph...you and Fred kinda said that."
Fred: "No...we need to write good tests. Not this mess."
Me: "Like I said, show me one test you've written that would have prevented a rollback. Just one."
Ralph: "So, what? We do nothing?"
Me: "No, we have to stop worshiping this made up 80% code coverage idol. If not, developers are going to keep writing useless test code just to meet some percent. If we wrote device drivers or frameworks for other developers maybe, but we write CRUD apps. We execute a stored procedure or call a service. This 80% rule doesn't fit for code we write."
Fred: "If the developers took their head out of their ass.."
Me: "Hey!..uh..no, they are doing exactly what they are being told. Meet the 80% requirement, even if it doesn't make sense."
Ralph: "Nobody told them to write *that* code."
Boss: "My gosh, what have you and Fred been complaining about for the past hour?"
- Ralph looks at his monitor and brilliantly changes the subject
Ralph: "Oh my f-king god...Trump said something stupid again ..."
At that point I put my headphones on and went back to what I was doing. I'm pretty sure Fred and Ralph spent the rest of the day messaging back-n-forth, making fun of me or some random code I wrote 3 years ago (lots of typing and giggling). How can highly educated grown men (one has a masters in CS) get so petty and insecure?
DevRant doesn't let you choose the protocol for your website. Seeing http:// on my profile makes me feel insecure.
Lecturer: SOAP is insecure...
In interview: Any disadvantages you see with SOAP?
Me: The last I read, SOAP is insecure. I'm a bit rusty with this knowledge
Interviewer: ahhh okay, SOAP is actually secure...
DAMN YOU LECTURER!
Once I participated in a vacation kayak tour. Some other kid was sure that it was not possible to dual-boot as each OS installed would take up 100% CPU load for a brief moment when turning the machine on. This turned into a serious argument spanning the entire vacation. The fact that I had a working windows/GNUlinux install on a friend‘s PC did not convince him.
Me being an insecure pre-teen made sure to send him video evidence when I got back home (never received a reply ofc).
Looking back, I‘m not sure whether he was dumb or I just got trolled really well.
Each time I login at GitHub and take
a look at featured repos, also when I realize the huge server-destroying bug is just a misplaced line.
Sometimes I look at some repos and I'm scared to contribute...never contributed once.
I had to create an account on a website. I used LastPass to generate a strong password. I entered it and got the following message:
"Password must be between 8 and 16 characters and must have special characters (? , ! & #) and numbers"
My password was 20 characters, so, annoyed, I generated a 16 character password. Filled it in and got the same error. That was it for me.
Who dafuq limits a password to 16 characters, that's fucking nothing. It did not accept all special characters, only the ones that were shown (like 5 or so).
And here comes the worst part...
It's a bank website! I had to create the most most most insecure password in history for it to work.
Not a rant but I kinda wanted to see if anyone else feels the same way and might have advice on how to overcome this:
So I work as a student in research. Meaning there is not much documentation and things are changing fast, some things are also fairly complicated.
I have a really good supervisor.
However. I am super scared of asking about how things work. Whenever we discuss things and she notices I'm insecure about how something works, she explains it to me patiently. No probs. But instead of asking I just try out random stuff for hours. Having no clue about how things work and what I'm doing. In the end she is able to explain the issue to me within a minute.
The thing is, I think that trying to figure stuff out on my own is the right approach. Not daring to ask questions or express my theories is really bad. I get super anxious. Most of the time my theories and assumptions are correct. I just never dare to voice them.
The irony is that I'm perfectly fine whenever I talk about or hold presentations which are not CS related. But if I have to do that on a CS topic I just die. I freeze, stutter, everything.... T_T
Like come on. They can't do anything to me except correct me... jeez.
Started testing brute-force and dictionary attacks on md5 hashes just to see how really insecure it is. So I moved on to phpass hashes (for wordpress passes and what not), put in a set of rules and wordlists. Went from processing Mhz on the gpu with previous settings to Khz with current settings, either this is some heavy shit or something is very wrong with my gpu 😅 (used hashcat for this fyi)
This is the story of probably the least secure CMS ever, at least for the size of its consumer base. I ran into this many years ago, before I knew anything about how websites work, and the CMS doesn't exist anymore, so I can't really investigate why everything behaved so strangely, but it was strange.
This CMS was a kind of blog platform, except only specially authorised users could view it. It also included hosting. I was helping my friend set it up, and it basically involved sending everybody who was authorized an email with a link to create an account.
The first thing my friend got complaints about was the strange password system. The website had two password boxes, with a limit of (I think) 5 characters each. So when creating an account we recommended people simply insert the first 5 characters in the first box, and the rest in the second. I can not really think of a good explanation for this system, except maybe a shitty way to make sure passwords are at least 5 characters? Anyway, since this website was insecure the password was emailed to you after the account was created. This is not yet the WTF part.
The CMS forced a sidebar with navigation, it also showed the currently logged in users. Except for being unreadable due to a colorful background image, there were many strange behaviors. The sidebar would generally stay even when navigating to external websites. Some internal links would open a second identical sidebar right next to the first. Now, I think that the issue was the main content was in an iframe with the sidebar outside it, but I didn't know about iframes back then.
So far, we had mostly tested on my friend's computer, which was logged in as the blog administrator. At some point, we tried testing with a different account. However, the behavior of sidebars was even stranger now. Now internal links that had previously opened a second, identical sidebar opened a sidebar slightly different from the first: One where the administrator was logged in.
We experimented somewhat, and found that by clicking links in the second sidebar, we could, with only the login of a random user, change and edit all the settings of the site. Further investigation revealed these URLs had an ending like ?user=administrator2J8KZV98YT where administrator was my friend's username. We weren't sure of the exact meaning of the random digits at the end, maybe a hash of the password?
Despite my advice, my friend decided to keep using this CMS. There was also a proper way to do internal links instead of copying the address bar, and he put a warning on the homepage not to copy links. Only when the CMS shut down did he finally switch to a system where formatting a link wrong could give anybody admin access.
Today I noticed how incredibly insecure IBANs are.
You give it to anyone who wants to transfer money to your bank account, and all you need to perform a transaction is an IBAN, the account holder's name and his signature.
So anyone who has your IBAN, your name and your signature (which can all occur in a single mail) can just send himself money from your account, cash out and move away. No one can prove that it wasn't you who did the transaction and you couldn't find the guy.
And this is what all the banks in Europe use? What am I missing here?... how can a system this important be this insecure?
How can I ask my coworkers for feedback without coming off as insecure?
A year and a half ago I got my first job as a remote developer when I was 30. I've done web and IT related jobs before but not full time development. Everything was fine for the first 10 months and then I started getting negative reviews, that my productivity rate is much lower than the rest of the team. I felt really sad and stressed, which led to a minor breakdown, which led to my contract being changed from a full time employee to a contractor that gets paid by the (estimated) hour. After a bit of research, I found out that my productivity rate was low because I was the only developer following our "One test per pull request" policy, which was obviously cancelled at some point, but nobody informed me. I didn't bring this up to my boss because I didn't want to make my manager and coworkers look bad. Working as a contractor isn't so good because a lot of times my features are delayed because of external factors I can't control (code reviews, testers, tests randomly breaking). I want to find out if I'm a bad developer or if the company is trying to cut costs by taking advantage of my insecurity and inexperience.
My new project: a camera sends an image of the electricity meter to a server that does OCR and submits the value to the electricity company on the 5th of every month
Current progress: spent 4 hours trying to get emails to work in Scala when I found on an obscure forum that you have to enable insecure app access in your Gmail to use SMTP
I recently celebrated a rather significant birthday and it got me to thinking what's changed about me over the years.
Young me: Feared that I wasn't a supremely talented software developer and completely insecure about it.
Older me: I know I'm not a supremely talented software developer... and that's ok.
I just fucking need a method that returns the data from a fucking API call in NodeJS.
Why, two fucking hours later, is this shit not done, when in Python, this would be a two-minute job?
And let me fucking add that "console.log" in an example of async code is FUCKING USELESS.
Because of a ridiculously strict server environment (where even PHP was not allowed) he proposed that I could connect over Skype to do my stuff in TYPO3, which then could be exported to plain HTML to run on their server.
SSH or even remote desktop would be too insecure.
So we are migrating between different hosts so I write a nice script to move two pieces of encrypted data between the two, one over ssh, the other over https to two separate end points. One boss says can’t do that as it is insecure because they come from the same script!
Another boss objected that I wrote a script to dump databases in bash rather than like his in PHP even all his PHP does is run the same bash commands, I just took out the middleman and made it faster.
So I feel like I tend to copy and paste literally everything. Does this mean I am a terrible programmer? And I wouldn't be able to complete simple tasks without infringing on others' work.
While trying to fall asleep, I came to the conclusion that a solution to privacy would be an encrypted p2p messenger. You'd need a dns-like system that can tell the peers how to contact their communication partners. Then I searched for one, and there was a good looking one, but it wasn't open source. looks secure otherwise, but perfection looks different.
Can anyone recommend something similar to kripter/tell me why it would be secure/insecure to use their service instead of, say, signal? Not that I truly NEED this, but I at least want to try it :)
Everybody saw this coming! A privacy breaching telegram vulnerability!
So the time has come for me to officially say "Fuck IE".
The potential client, one of the major hospital chains in the country, wants the site to work in Internet Explorer. Can't believe they are still clinging on to stupid IE because Google Chrome is insecure 😂
There is no way all the charts and graphs we made would work in IE.
To top it off, the "bluffon" boss came up with the idea of using Flash to display these features on IE.
It's fucking 2017!!
My worst job interview was also my first. It was a group interview with 5 other candidates and it was also recorded on video. It was a nightmare as I was 18 and very insecure. It was basically a self-praising contest. I don't even know why I applied to that shit job..
It’s hard keeping your girlfriend satisfied when you’re being pressured to code with less to no bugs. I mean, doesn’t she understand that computers are stunningly stupid, and you have to explain to them every last tiny step that you want them to do, and your explanation can't have any mistakes in it. And why this is the fundamental cause of buggy and insecure software😣
I'm one month off finishing college, I have failed to pass an internship in a company I would have loved to join and I'm kind of insecure about what is meant for me to be doing in the future.
So far.. I'm like a bit of front-end but not so much, I'm like now a bit of programming but I have a hard time understanding its logic and I struggle daily to learn to live. Wish to get into workouts as well but I'd like to do so for getting healthier instead of good looking. Yet, I feel pretty healthy even though I smoke a lot of pot..
I recently became manager of the student radio at my university. Our servers are extremely old and insecure, so I am currently working on getting some new servers up hosted by the university’s IT department as a replacement.
Meanwhile, a few days ago someone unauthorized has fucking accessed our server, deleted the /home folder and a bunch of other shit, then cleared the history of the user. Why the fuck would someone do that? What the fuck did they achieve? What is the fucking point? That fucking piece of shit left his IP address though when he signed out from the server...
I just don’t fucking get why the fuck someone would do that? They don’t achieve a fucking thing with it, only fuck with us trying to save the radio from dying.
I don't like Windows since it's proprietary and insecure, but dual boot it for games and never had problems with Windows Update.
I never had a fight. And I mean never at all, not just dev-related.
I'm not sure that this is a good thing.
Sometimes I wonder, does this mean that I'm a good diplomat, or that I'm not relevant enough to argue with?
I'll soon start as a web dev intern, I'm looking forward to it, though I'm also a bit anxious/insecure about it.
Do you guys have any tips for my intern period etc?
A very satisfactory debugging happened to me not long ago, when I discovered that assignment in C++ and Python doesn't work exactly the same.. I never took courses in Python so I had no way of knowing. I'm a self taught programmer, so I also always feel a bit insecure about my skills.
What made it really satisfying was that when I finally googled it, it was only to confirm the "diagnosis" that I had already made. I felt like years of struggles got me somewhere, now I feel a bit less insecure about my knowledge and skills in programming. :)
I currently need to register an account on a website to download their SDK. I was a little startled, when I noticed, that the input type of their password field was 'text' instead of 'password'.
Well, I think I know why they did this. It's probably because Firefox throws A HUGE FUCKING WARNING when the input from a password field is going to be transmitted via http! Just sent them an email to inform them about the issue. I'm definitely not going to use their http-transmitted contact form that requires me for whatever reason to enter my full address. Yes, I could enter a fake one, but I don't really want to transmit anything to this site...
Do employers also feel insecure if their employee is very progressive, hyperactive?
Like if he is a good employee then he can get a good offer and can leave his current job anytime.
My date cancelled today because of not feeling well, we are gonna meet up (maybe) in the next few days. That totally did not make me feel insecure in any way nononono.....
If you have a blog, how do you decide what to write and publish on it? And, how do I motivate myself to write posts?
Context: I created my blog/website on 29 September 2017. I had a few ideas on writing blog posts (Condition variables in Go, Serverless related stuff and a whole bunch of posts related to wireguard) but every time I have tried to write a post, I learn there is someone else who has already written a post on it and probably better than what I could have done, so what is really the point of writing it? And, I feel very insecure about writing posts, I feel like, if I do write a post, everyone will know I don't know anything about **anything**. :( I know about imposter syndrome, but I don't think I have that. I work with a lot of realllly smart people and I don't know as much as them. So, I am actually an imposter.
edit: I am usually active on Telegram, IRC and I try to help out people. It's easier for me to help people in communities like that but doing the same thing with a blog makes me very uncomfortable.
I’m nearing the end of my first year of a 2 year SE program at college. I’m considering leaving at the end of this year and looking for a job, but I don’t have much of a portfolio and feel insecure about my ability to make it in this industry. I know it’s probably just impostor syndrome, but it’s a really hard feeling to shake. It’s a trade college, so the program is designed to have students work ready by the end, but there is a certificate for having completed the first year even though most students do both years.
I spoke with an alum of the program who left after one year to work, and he strongly suggested I stay for the 2nd year, but wasn’t clear on why he thought that.
So what I wanna know is, from folks in the workforce, do you think I should stick it out for the last year and then look for work? Or would I be ok to just... go and start looking for a job now?
Need some advice from all you clever devs out there.
When I finished uni I worked for a year at a good company but ultimately I was bored by the topic.
I got a new job at a place that was run by a Hitler wannabe that didn't want to do anything properly, including writing tests, and any time I improved an area or wrote a test would take me aside to have a go, so I quit after 3 months.
Getting a new job was not that hard but being at companies for short stints was a big issue.
My new job I've been here 3 months again but the code base is a shit hole, no standardisation, no one knows anything about industry standards, no tests again, pull requests that are in name only as clearly broken areas that you comment on get ignored so you might as well not bother, fake agile where all user stories are not user stories and we just lie every sprint about what we finished, no estimates and so forth, and a code base that is such a piece of shit that to add a new feature you have to hack every time. The project only started a few months back.
For instance we were implementing permissions and roles. My team lead does the table design. I spent 4 hours trying to convince him it was not fit for purpose and now we have spent a month on this area and we can't even enforce the permissions on the backend so basically they don't exist. This is the tip of the iceberg as this shit happens constantly and the worst thing is even though I say there is a problem we just ignore it so the app will always be insecure.
None of the team knows angular or wants to learn but all our apps use angular..
These are just examples, there is a lot more problems right from agile being run by people that don't understand agile to sending database entities instead of view models to client apps, but not all as some use view models so we just duplicate all the api controllers.
Our angular apps are a huge mess now because I have to keep hacking them since the backend is wrong.
We have a huge architectural problem that will set us back 1 month as we won't be able to actually access functionality and we need to release in 3 months, their solution even understanding my point fully is to ignore it. Legit.
The worst thing is that although my team is not dumb, if you try to explain this stuff to them they either just don't understand what you are saying or don't care.
With all that said I don't think they are even aware of these issues somehow so I don't think it's on purpose, and I do like the people and company, but I have reached the point that I don't give a shit anymore if something is wrong as it's just so much easier to stay silent and makes no difference anyway.
I get paid very well, it's close to home and I actually learn a lot since their skill level is so low I have to pick up the slack and do all kinds of things I've never done much of like release management or database optimisation and I like that.
Would you leave and get a new job?
I can't recall what platform it was, but upon trying to change my password it would tell me that the new password was too similar to the previous one... :/
I need help understanding secured PayPal Express Checkout via my Webshop.
So I basically try to make a license system. At the web shop you can add a server IP and buy my stuff for it. Now I don't know what to do about checking out. I want to use Express Checkout via PayPal but the JS API provided by PayPal seems pretty insecure.
Now should I use the official PayPal API or should I use a PHP API found on the Internet?
And other things that could help my Webshop are welcome too!
Ie8 is the oldest browser I'll support. Come to me for anything older and I'll refuse. Even then it's a hassle.
Honestly. It's so old and insecure and someone comes to me asking to support ie 6. Really? I mean, a photography site doesn't need to support that old of a browser.