I was activating virtualenv in powershell when my younger brother came in.

Me: *all nervous* please don't think I'm hacking or trying to set off a bomb. (He always thinks I'm hacking and tells on me.)

Brother: *silent*

Me: *even more nervous* I don't want my laptop to get taken away. Don't tell on me and say I'm hacking, because I'm not.

Brother: Oh, I know you're not hacking this time.

Me: You do? *relieved.*

Brother: Yeah, because this time it's a blue background, not a black one.

Me: Oh, haha. So you're only scared of things such as these? *opens CMD and Git Bash* you know, just because it's dark themed, doesn't mean it's malicious. Besides it—

Brother: oooOooOh! You're hacking again! I'm telling on you!

*Note to self: Never use dark theme in front of the ignorant again.)

The year is 2025
vlcInstall.exe
"You already have videos, the trusted and safe media player for windows 10"
AtomInstaller.exe
"You already have vscode, the better and lighter editor for windows 10"
SteamInstaller.exe
"You already have Microsoft solitare, a fun, better game for windows 10"
*googles c++ tutorials*
"Try c#, safer and robust language for developers, oh and did we forget to mention use bing?"
*downloads arch iso*
"This file has been marked malicious by windows defender. Oh and we updated your bios to allow only windows bootloader. You're welcome."

Started talking with someone about general IT stuff. At some point we came to the subject of SSL certificates and he mentioned that 'that stuff is expensive' and so on.

Kindly told him about Let's Encrypt and also that it's free and he reacted: "Then I'd rather have no SSL, free certificates make you look like you're a cheap ass".

So I told him the principle of login/registration thingies and said that they really need SSL, whether it's free or not.

"Nahhh, then I'd still rather don't use SSL, it just looks so cheap when you're using a free certificate".

Hey you know what, what about you write that sentence on a whole fucking pack of paper, dip it into some sambal, maybe add some firecrackers and shove it up your ass? Hopefully that will bring some sense into your very empty head.

Not putting a secure connection on a website, (at all) especially when it has a FUCKING LOGIN/REGISTRATION FUNCTION (!?!?!?!!?!) is simply not fucking done in the year of TWO THOUSAND FUCKING SEVENTEEN.

'Ohh but the NSA etc won't do anything with that data'.

Has it, for one tiny motherfucking second, come to mind that there's also a thing called hackers? Malicious hackers? If your users are on hacked networks, it's easy as fuck to steal their credentials, inject shit and even deliver fucking EXPLOIT KITS.
Oh and you bet your ass the NSA will save that data, they have a whole motherfucking database of passwords they can search through with XKeyScore (snowden leaks).

Motherfucker.

A quite severe vulnerability was found in Skype (at least for windows, not sure about other systems) allowing anyone with system access (remote or local) to replace the update files skype downloads before updating itself with malicious versions because skype doesn't check the integrity of local files. This could allow an attacker to, once gaining access to the system, 'inject' any malicious DLL into skype by placing it in the right directory with the right file name and waiting for the user to update (except with auto updates of course).

From a company like Microsoft, taking in mind that skype has hundreds of millions of users worldwide, I'd expect them to take a very serious stance on this and work on a patch as soon as possible.

What they said about this: they won't be fixing it anytime soon as it would require a quite big rewrite of skype.

This kinda shit makes me so fucking angry, especially when it comes from big ass companies 😡. Take your fucking responsibility, Microsoft.

The perfect example of misinformation appeared on a Dutch news site today.

It said that thousands of sites had the 'secure' *mark* due to running https but weren't actually secure because they were malicious.

Those cunts are mixing up the thing called a connection with fucking content/what happens on a site.

And those Russians are spreading fake information, right? You didn't even have examples of that and now you're doing it yourself.

Me: *listening to some random semi-obscure track on spotify, liking it, add it to playlist*

Come home, girlfriend playing the same track. "Yeah I've had that in my playlist for two weeks now". Our accounts are not linked in any way, and I only use Spotify on a PC at work, while my girlfriend only uses it at home.

It might just be coincidence, or us having similar tastes.

But the issue is that it's getting more and more difficult to know whether me and my girl are spiritually linked unique snowflake soulmates who are so perfectly in sync with each other, or whether an algorithm suggestively linked us both that song based on scraped location and behavior data.

And whether it matters. Maybe it matters. I don't know yet.

In twenty years maybe humans will be unsure whether it was a wonderful coincidence bordering on cosmic fate that you ran into your new love, or whether Google purposefully drove you towards the same lunch cafe at a specific time because it calculated that she was the perfect candidate to strengthen your susceptibility to advertisements over the coming decade.

Malicious AI will not come into lives bearing guns.

It will not instantly take all of our jobs and enslave us.

It will just know you better than you know yourself, it will know everyone around you better than you know them, and it will play incredible mind games. It will not be designed with malicious intent, just perfectly execute on top of the malicious systems we already have, and even arise as an emergent property within new systems.

It will rarely be clearly visible, but you will increasingly say to yourself: "That's odd, I was just thinking about that". It will detect depression from a smile, physical attraction from a glance, reliability from patterns in your voice and illness from the bloodflow in your cheeks.

It will not just make our cars autonomous, it will make our lives autonomous. It will protect us, decide for us, keep revenues and human satisfaction in a "balanced maximized" state, it will make everything feel easy, slightly abuse us, and when one of us suddenly crashes at 140 mph into depression, debt or addiction it will prove impossible to know whether the humans or the algorithms were at fault.

I'm incredibly afraid and excited about the coming 10 years.

people often forget the real first rule of programming: "All user input is malicious."

Example #1 of ??? Explaining why I dislike my coworkers.

[Legend]
VP: VP of Engineering; my boss’s boss. Founded the company, picked the CEO, etc.
LD: Lead dev; literally wrote the first line of code at the company, and has been here ever since.
CISO: Chief Information Security Officer — my boss when I’m doing security work.

Three weeks ago (private zoom call):
> VP to me: I want you to know that anything you say, while wearing your security hat, goes. You can even override me. If you need to hold a release for whatever reason, you have that power. If I happen to disagree with a security issue you bring up, that’s okay. You are in charge of release security. I won’t be mad or hold it against you. I just want you to do your job well.

Last week (engineering-wide meeting):
> CISO: From now on we should only use external IDs in urls to prevent a malicious actor from scraping data or automating attacks.
> LD: That’s great, and we should only use normal IDs in logging so they differ. Sounds more secure, right?
> CISO: Absolutely. That way they’re orthogonal.
> VP: Good idea, I think we should do this going forward.

Last weekend (in the security channel):
> LD: We should ONLY use external IDs in urls, and ONLY normal IDs in logging — in other words, orthogonal.
> VP: I agree. It’s better in every way.

Today (in the same security channel):
> Me: I found an instance of using a plain ID in a url that cancels a payment. A malicious user with or who gained access to <user_role> could very easily abuse this to cause substantial damage. Please change this instance and others to using external IDs.
> LD: Whoa, that goes way beyond <user_role>
> VP: You can’t make that decision, that’s engineering-wide!

Not only is this sane security practice, you literally. just. agreed. with this on three separate occasions in the past week, and your own head of security also posed this before I brought it up! And need I remind you that it is still standard security practice!?

But nooo, I’m overstepping my boundaries by doing my job.

Fucking hell I hate dealing with these people.

Site (I didn't build) got hacked, lots of data deleted, trying to find out what happened before we restore backup.

Check admin access, lots of blank login submissions from a few similar IPs. Looks like they didn't brute force it.

Check request logs, tons of requests at different admin pages. Still doesn't look like they were targeting the login page.

We're looking around asking ourselves "how did they get in?"

I notice the page with the delete commands has an include file called "adminCheck".

Inside, I find code that basically says "if you're not an admin, now you are!" Full access to everything.

I wonder if the attack was even malicious.

Privacy & security violations piss me off. Not to the point that I'll write on devRant about it, but to the point that coworkers get afraid from the bloodthirsty look in my eyes.

I know all startups proclaim this, but the one I work at is kind of industry-disrupting. Think Uber vs taxi drivers... so we have real, malicious enemies.

Yet there's still this mindset of "it won't happen to us" when it comes to data leaks or corporate spying.

Me: "I noticed we are tracking our end users without their consent, and store not just the color of their balls, but also their favorite soup flavor and how often they've cheated on their partner, as plain text in the system for every employee to read"

Various C-randomletter-Os: "Oh wow indubitably most serious indeed! Let's put 2 scrumbag masters on the issue, we will tackle this in a most agile manner! We shall use AI blockchains in the elastic cloud to encrypt those ball-colors!"

NO WHAT I MEANT WAS WHY THE FUCK DO WE EVEN STORE THAT INFORMATION. IT DOES IN NO WAY RELATE TO OUR BUSINESS!

"No reason, just future requirements for our data scientists"

I'M GRABBING A HARDDRIVE SHREDDER, THE DB SERVER GOES FIRST AND YOUR PENIS RIGHT AFTER THAT!

(if it's unclear, ball color was an optimistic euphemism for what boiled down to an analytics value which might as well have been "nigger: yes/no")

I realize I've ranted about this before, but...

Fuck APIs.

First the fact that external services can throw back 500 errors or timeouts when their maintainer did a drunk deploy (but you properly handled that using caching, workers, retry handlers, etc, right? RIGHT?)...

Then the fact that they all speak a variety of languages and dialects (Oh fuck why does that endpoint return a JSON object with int keys instead of a simple array... wait the params are separated with pipe characters? And the other endpoint uses SOAP? Fuck I need to write another wrapper class around the client...)

But the worst thing: It makes developers live in this happy imaginary universe where "malicious" is not a word.

"I found this cloud service which checks our code style" — hmm ok, they seem trustworthy. Hope they don't sell our code, but whatever.

"And look at this thing, it automatically makes database backups, just have to connect to it to DigitalOcean" — uhhh wait...

"And I just built this API client which sends these forms to be OCR processed" — Fuck... stop it... there are bank accounts numbers on those forms... Where's that API even located? What company?

* read their privacy policy *

"We can not guarantee the safety of your personal data, use at your own risk [...] we are located in Russia".

I fucking hate these millennial devs who literally fail to get their head out of the cloud.

Somehow they think it's easier to write all these NodeJS handlers and layers around some API, which probably just calls ImageMagick + Tesseract on the other side.

If I wasn't so fucking exhausted, I'd chop of their heads... but they're like hydra, you seal one privacy breach and another is waiting to be merged, these kids just keep spewing their crap into easy packages, they keep deploying shitty heroku apps... ugh.

😖

Why do viruses make computers so slow...? Why can't their programmers implement them efficiently...?

It's like they're trying to be malicious...

My first testing job in the industry. Quite the rollercoaster.

I had found this neat little online service with a community. I signed up an account and participated. I sent in a lot of bug reports. One of the community supervisors sent me a message that most things in FogBugz had my username all over it.

After a year, I got cocky and decided to try SQL injection. In a production environment. What can I say. I was young, not bright, and overly curious. Never malicious, never damaged data or exposed sensitive data or bork services.

I reported it.

Not long after, I got phone calls. I was pretty sure I was getting charged with something.

I was offered a job.

Three months into the job, they asked if I wanted to do Python and work with the automators. I said I don't know what that is but sure.

They hired me a private instructor for a week to learn the basics, then flew me to the other side of the world for two weeks to work directly with the automation team to learn how they do it.

It was a pretty exciting era in my life and my dream job.

Insecure... My laptop disk is encrypted, but I'm using a fairly weak password. 🤔

Oh, you mean psychological.

Working at a startup in crisis time. Might lose my job if the company goes under.

I'm a Tech lead, Senior Backender, DB admin, Debugger, Solutions Architect, PR reviewer.

In practice, that means zero portfolio. Truth be told, I can sniff out issues with your code, but can't code features for shit. I really just don't have the patience to actually BUILD things.

I'm pretty much the town fool who angrily yells at managers for being dumb, rolls his eyes when he finds hacky code, then disappears into his cave to repair and refactor the mess other people made.

I totally suck at interviews, unless the interviewer really loves comparing Haskell's & Rust's type systems, or something equally useless.

I'm grumpy, hedonistic and brutally straight forward. Some coworkers call me "refreshing" and "direct but reasonable", others "barely tolerable" or even "fundamentally unlikable".

I'm not sure if they actually mean it, or are just messing with me, but by noon I'm either too deep into code, or too much under influence of cognac & LSD, wearing too little clothing, having interesting conversations WITH instead of AT the coffee machine, to still care about what other humans think.

There have been moments where I coded for 72 hours straight to fix a severe issue, and I would take a bullet to save this company from going under... But there have also been days where I called my boss a "A malicious tumor, slowly infecting all departments and draining the life out of the company with his cancerous ideas" — to his face.

I count myself lucky to still have a very well paying job, where many others are struggling to pay bills or have lost their income completely.

But I realize I'm really not that easy to work with... Over time, I've recruited a team of compatible psychopaths and misfits, from a Ukranian ex-military explosives expert & brilliant DB admin to a Nigerian crossfitting gay autist devops weeb, to a tiny alcoholic French machine learning fanatic, to the paranoid "how much keef is there in my beard" architecture lead who is convinced covid-19 is linked to the disappearance of MH370 and looks like he bathes in pig manure.

So... I would really hate to ever have to look for a new employer.

I would really hate to ever lose my protective human meat shield... I mean, my "team".

I feel like, despite having worked to get my Karma deep into the red by calling people all kinds of rude things, things are really quite sweet for me.

I'm fucking terrified that this peak could be temporary, that there's a giant ravine waiting for me, to remind me that life is a ruthless bitch and that all the good things were totally undeserved.

Ah well, might as well stay in character...

*taunts fate with a raised middlefinger*

I hope I'll be able to release the new/refreshed version of the security/privacy blog today.

Feel free to test stuff out and report back when it breaks!

Also, feel free to pentest it. The only thing I ask is to, if you find any vulnerabilities, report them instead of passing them to malicious people/abusing them.

And yes, post sorting will be fixed ;)

10 years ago, I found a vulnerability in the connection between an insurer I was working for, and the network of databases of municipalities. I was only a hacker in so far as kids who watched Hak5 are considered hackers, so I always carried this laptop with a fake access point, package sniffer, wep crack, sslstrip, etc with me.

The vulnerabilities allowed me to register a new identity, for which I requested a passport.

Walking up to the town hall desk with two passports with different names, both mine, was pretty cool.

I did not do anything malicious, and was hired to fix the issues (wep encryption on insurers trusted wifi, and municipality postgres gave write access to all third parties)

For a few days I was the coolest kid in school though!

I programmed a random credit card generator at school and saved it to my :F drive which is the private drive for students to save stuff to. That night I tried accessing my account and it had notified me that it had been locked. I went into school the next day and was called into the office, the principal and Tech Administrator were there waiting for me and asked what the file was. The Tech Administrator tried to describe to me what he found
"This gen.html file seems to be malicious and puts our school at risk. It seems to be some sort of malware and stuff like that is prohibited at school."
Now me sitting in the chair listening to this, laughing in my head just said "okay" and nodded my head because he is the type of person to argue forever. They came to the conclusion to unlock my account by the end of the semester.
Just goes to show that it doesn't take much to get a Tech Admin position at a school.

During a recruitment procedure I was provided a IDE to solve some programming questions. The computer had a bunch of fuck all anti virus including avast, mcafee, it stopped every execution and scanned it for like 10sec.
McAfee fucking deleted the program for no reason giving a malicious code alert on a normal c++ program.

I called the sys Admin to inspect, guess what he did.

Fucking uninstall McAfee. Woow.

A Month ago...
Me: when are you going to complete the report
Friend: we can do it in minutes
Me: you can't Ctrl + c and Ctrl +v as there is plagiarism check
Friend: we have spin bot
Me: you do that now itself . if something happens? You can join me .
Friend: just chill

Now ...
Me: done with report
Friend: feeding it to spin bot!

Feeds text related to database security....

Spin bot:
Garbage collector == city worker
SQL statements == SQL explanation
SQL queries == SQL interrogation
SQL injection == SQL infusion
Attack == assault
Malicious == noxious
Data integrity == information uprightness
Sensitive == touchy
.....
Me: told you so...
**spin not == article rewriter

Malicious Subtitles ?!?!? What's next malware in my coffee ?

My school fucking blocked duckduckgo today.

I'm not surprised, I knew this would happen eventually because this school is a prison and the administrators feel that they have to know your every fucking move.

Honestly I thought it was pretty funny too because I don't know anybody else at school using ddg, which means they probably just saw this one kid getting around being tracked and said "that damn kid." (Imagine I'm waving my finger around condescendingly like an old woman.)

It also could just be that they saw me using an unfamiliar url more than normal and assumed it was malicious or some kind of distraction. But I'm willing to bet money they just didn't like that they couldn't track me.

> Be me
> Desperate for a driver
> Find nothing useful
> Oh a GitHub repo, hmmh
> '𝐃𝐨𝐰𝐧𝐥𝐨𝐚𝐝 𝐡𝐞𝐫𝐞 ===> tinyurl.com/XXXXXX'
> Nope
> It's time to report!

Context:

- The url is a redirect chain to a phishing site

- Repo is completely empty except for a single folder with 1000+ files all named after drivers, with the same 'download' link, and probably scraped website text at the bottom (probably to increase searchability)

- The 'user' joined just a couple days ago and has no other repos

Everyone that says you can't get viruses in Linux because only .exe compiled programs can contain malicious code or some bullshit like this is a fucking retarded

Sorry I had to say it

I had a dream that I was installing some sort of package and the PM warned that it was a known malicious package and I was like "This must be a mistake, no it isn't" so I installed it anyways and then an ASCII-Art Michael Jackson started dancing on my screen to loud music and I shut down the computer and woke up and panicked because I didn't have any backups

A bot just made 519 pull requests with malicious Makefile code to get a github actions server to send a curl to a random host.

It's gonna be one of those days

So we ordered a piece of software from external software house becouse I was low on time and we needed it asap.

So. Long story short, their software was bugged as hell, they deny all the bugs and they have their BDD that they done and anything we say about it like "feature XYZ is broken on firefox" they will deny it "becouse it wasn't on BDD" or "let's get on call" (in which +- 6-7 people participate from their side and we of course have to pay them for this...)

So they fixed like 20% of bugs (mostly trivials/minors) Application is fairly small scope. You have integration with like 3 endpoints on arbitary API, user registration/login, few things to do in database (mainly math running from cron).

They done it in ASP so I don't know the language and enviroment so can't just fix it myself.

2 days ago (monday) they annoyed me to point where I just started to break things. For starters I found that every numeric input is vunrable to integer overflow (which is blocker). I figured most of fields are purefect opportunity to XSS (but I didn't bother to do JS... anything but not JS...). I figured I can embed into my name/surname/phone (none validated) anything in HTML...

So for now we have around 25 bugs, around 15 of them are blockers.

They figured it's somehow our fault that it's bugged and decided to do demo with us to show off how perfectly it works. I'm happy to break their demos. I figured I will register bunch users that have name - image with fixed/absolute position top:0;left:0 width/height 100% - this will effectively brick admin panel

Also I figured I can do some addotional sounds in background becouse why not. And I just dont know what to put in. It links to my server for now so I can freely change content of bricked admin panel.

I have curl's ready to execute in case they reset database.

I can put in GIFs or heck, even videos, dosen't really matter. Framework escapes some things for them so at least that. But audio/image/video works.

Now I have 2 questions:
- what image + audio combo will work the best (of course we need to keep it civil). Im thinking finding some meme with bugs or maybe nuclear logo image with some siren sound
- am I evil person?

Edit:

I havent stated this clearly:

"There is no BDD that describes that if user inserts malicious input server should deny it" - that's almost literally what we get from them....

So the school I visit blocks TeamViewer in their network for the reason that you could bring in malicious stuff.
They happily allow USB sticks though so that doesn't seem right.
Whatever, I used AnyDesk to get stuff from my PC at home (and I never got caught, otherwise I wouldn't have been able to ever use a school's computer again).

he: checkout my crazy FUD hack (a token stealer which turned out to be far more malicious than i anticipated)
me: executes it (yes in a VM)
windows defender: lemme delet this
he: ooh i forgot the word stub in there. microsoft detects that lemme fix that sends new file
me: here we go aga..
ms defender: nononono virus 117% delet this
he: i forgot it still!!

later i deactivated ms defender and analysed the traffic of the vm. in addition to stealing my fake tokens he also tried to read my Firefox/chrome history, IP.
when i asked him (2 days later) what this was all about in his "educational only" "token stealer" he threatened to
a) publish my IP
b) publish my browser history and with that my real name and address
b.0) when i asked him for proof he said he knows that my real name is "Roman Gräf" and i live in Frankfurt. (btw i do live in Frankfurt and that is in the profile of the discord server where he found me and i have the same username on discord as i have here)
c) to kill my machine and all my projects
got bored, blocked him, shut VM down.

iPhones are ridiculously picky when it comes to finding a mate- um charger. And knowing why doesn't really make it any easier to understand why. If anything it baffles me more.

So, let's start with appliances that are not phones. Think Bluetooth headsets, keyboards, earbuds, whatever. Those are simple devices. They see 5V on the VCC line and 0V on ground, and they will charge at whatever current they are meant to. Usually it will not exceed 200mA, and the USB 2.0 spec allows for up to 500mA from any USB outlet. So that's perfectly reasonable to be done without any fuss whatsoever.

Phones on the other hand are smarter.. some might say too smart for their own good. In this case I will only cover Android phones, because while they are smarter than they perhaps should be, they are still reasonable.

So if you connect an Android phone to the same 5V VCC and 0V ground, while leaving the data lines floating, the phone will charge at 500mA. This is exactly to be within USB 2.0 spec, as mentioned earlier. Without the data lines, the phone has no way to tell whether it *can* pull more, without *actually* trying to pull more (potentially frying a charger that's not rated for it). Now in an Android phone you can tell it to pull more, in a fairly straightforward way. You just short the data lines together, and the phone will recognize this as a simple charger that it can pull 1A from. Note that shorting data lines is not a bad thing, we do it all the time. It is just another term for making a connection between 2 points. Android does this right. Also note that shorted data lines cannot be used to send data. They are inherently pulled to the same voltage level, probably 0V but not sure.

And then the iPhones come in, Thinking Different. The iPhones require you to pull the data lines to some very specific voltage levels. And of course it's terribly documented because iSheep just trying to use their Apple original white nugget charger overseas and shit like that. I do not know which voltage levels they are (please let me know!), but it is certainly not a regular short. Now you connect the iPhone to, say, a laptop or something to charge. An Android phone would just charge while keeping data transmission disabled (because they can be left floating or shorted). This is for security reasons mostly, preventing e.g. a malicious computer from messing with it. An iPhone needs to be unlocked to just charge the damn thing. I'm fairly sure that that's because the data lines need to be pulled up, which could in theory enable a malicious computer to still get some information in or out of it. USB data transmission works at at least 200mV difference between the data lines. It could be more than that. So you need to unlock it.

Apple, how about you just short your goddamn data lines too like everyone else? And while you're at it, get rid of this Lightning connector. I get it, micro USB was too hard for your users. I guess they are blind pigs after all. But USB-C solved all of that and more. The only difference I can think of is that the Lightning connector can be a single board with pads on either side on the connector, while in USB-C that could be at the socket end (socket being less common to be replaced). And at the end of the day, that really doesn't matter with all the other things that will break first.

Think Different. Think Retarded. Such tiny batteries and you can't even fucking charge them properly.

devRant competition - can you convince someone that you're hacking?
Requirements:
Windows (Linux is too easy)
You must use genuine windows command line and the following commands:
color 0a (if this isn't supported in your windows os, you can change it in properties)
cd C:\
tree

The point of this is to see how easily you can convince someone you're hacking/doing something malicious. No prize or anything, I just want to see how ignorant those muggles are.

> 14 years old
> Read about worms
> Making virus sounds cools
> Decided to make one
> Dreamed how I would use it on my friends
> Made a "virus" that looks for all the exe files and append "malicious" content
> Ended up messing my own system

This story makes me feel that I was
1) dumb
2) slow af( took me days to read/write properly)

One of those has changed now 😜

My company compromises SSL certificates in the name of "security". I can't even use Gmail because Google has identified my intranet as a malicious network executing a man in the middle attack. So they break security in the name of security.

This isn’t gonna be a random because I do eventually get to a Tech and YouTube related topic.

YouTube is actually killing itself with all of the dumbass rules they’re implementing. Trying to child proof or limit educational content is genuinely a shit policy. The reason so many gaming channels are switching to twitch because it doesn’t try to censor you.

But now I don’t know if you’ve heard but YouTube updated their guidelines and they’re no longer allowing content that teaches people about Hacking essentially (and I hate putting it like that but I can’t remember the exact words they used Hacking just summarizes it) which is fucking ridiculous like what the fuck else, are they gonna stop allowing lock picking videos?

YouTube has always been an amazing FREE resource for people learning Programming, Cyber Security, IT related fields, and even shit like lock picking, cooking, car stuff, and all that stuff. Even sometimes when the tutorials aren’t as detailed or helpful to me they might be exactly what someone else needed. And Cyber Security can be a difficult topic to learn for free. It’s not impossible far from it, but YouTube being there was always great. And to think that a lot of those could be taken down and all of the Security based channels could either lose all revenue or just be terminated is terrifying for everyone but more so them.

A lot of people and schools rely on YouTube for education and to learn from. It’s not like YouTube is the only resource and I understand they don’t want to be liable for teaching people that use these skills for malicious purposes but script kiddies and malicious people can easily get the same knowledge. Or pay someone to give them what they want. But that’s unfair to the people that don’t use the information maliciously.

It’s the same for the channels of different topics can’t even swear and it’s ridiculous there’s so many better options than just banning it. Like FUCK kids nowadays hear swearing from their older siblings, parents, friends, and TV it’s inevitable whether someone swears or not and YouTube is not our parents, they aren’t CBS, so stop child proofing the fucking site and let us learn. Fuck.

TLDR YouTube is banning educational hacking videos and are being retarded with rules in general

I'm looking forward to natural language programming.

The ability to code by explaining what you want to happen and having a neural network work out the fine details in an optimal fashion with evolutionary techniques.

I look forward to the super AI. I don't think they will necessarily be evil, however above a certain point we would seem like ants to them... And when was the last time you checked if there was an ant where you were to put your foot? It's not malicious... It's just not worth your or their time.

Managed to get a fucking meterpreter shell without human help for the first time today!
It was a VulnHub challenge, for the record, but damn that felt good!

For those who don't know; this is a remote command execution thing ran on compromised systems by (malicious) attackers using the Metasploit framework.

I have done tons of pentesting but not on system level so this is quite an accomplishment for me 😊

We just got into a malicious bots database with root access.

So guard duty gave us some warnings for our tableau server, after investigating we found an ip that was spamming us trying all sorts. After trying some stuff we managed to access their MySQL database, root root logged us in. Anyway the database we just broke into seems to have schemas for not only the bot but also a few Chinese gambling websites. There are lots of payment details on here.

Big question, who do we report this to, and what's the best way to do so anonymously? I'm assuming the malicious bot has just hyjacked the server for these gambling sites so we won't touch those but dropping the schema the bot is using is also viable. However it has a list of other ips, trying those we found more compromised servers which we could also log in to with root root.

This is kinda ongoing, writing this as my coworker is digging through this more.

My company just acquired another company from some losers.
Gotta load their pittance database onto our thing.
Their entire "Technology Department" is one old fart.
One even older fart runs their accounting.
I asked the IT boomer for their accounting data.
He tells me to get the head accountant.
The head accountant says they do not have any historical accounting data.
I threaten to call the (equivalent of the) IRS on them.
They give up, admit that they do have some historical data. But they attempt to pull a "malicious compliance" on me, send me a pallet full of old receipts, on paper.

I do what I have done one hundred times before, I go to the closest community college (equivalent) and ask/bribe a teacher to offer the most trustworthy kids some pretty pennies to scan all those files for me.
A dozen of them barely took a week to do it using their not-so-bad camera phones.
It all for about the same price as a couple of older-but-still-good iPhones.
Then it's on to some simple OCR and data normalization tasks.

This morning I had another meeting with the losers, the first since I told them their "data" had just arrived in the mail (but a couple weeks after that). They log in for the meeting all smug, thinking we would ask for more time to load their data, and it would be my team's fault for any delays.
Then the regional business evaluator logs in and said he reviewed their financials yesterday and we have a lot to talk about.
I will remember their "just got punched in the gut" faces forever :)

School's windows installations had the UAC set to lowest.
Anyone could install malware or fiddle with important settings.

Oh by the way, the same school who's gData found it funny to go through my USB drive and delete all executables and all my code because it was "possibly malicious".

Started installing random crap and messing with people in retaliation.
Was fun.
Until I got caught.
Good thing I compiled a list of security flaws earlier on.

From that day on, everytime I messed up, I sold them two security vulnerabilites to let me off the hook.
These included access to all kinds of drives in the windows network, accessing other PCs desktop, literally uninstalling random printers from the network etc..

Fun time.

I’m LOLing at the audacity of one of our vendors.

We contract with a vendor to build and maintain a website. Our network security team noticed there was a security breach of the vendor’s website. Our team saw that malicious users gained access to our Google Search console by completing a challenge that was issued to the vendor’s site.

At first, the vendor tried to convince us that their site wasn’t comprised and it was the Google search Console that was compromised. Nah dude. Our Search Console got compromised via the website you maintain for us. Luckily our network team was able to remove the malicious users from our search console.

That vendor site accepts credit card payments and displays the user’s contact info like address, email, and phone. The vendor uses keys that are tied to our payment gateway. So now my employer is demanding a full incident report from the vendor because their dropping the ball could have compromised our users’ data and we might be responsible for PCI issues.

And the vendor tried to shit on us even more. The vendor also generates vanity urls for our users. My employer decided to temporarily redirect users to our main site (non vendor) because users already received those links and in order to not lose revenue. The vendor’s solution is to build a service that will redirect their vanity urls to our main site. And they wanted to charge us $5000 usd for this. We already pay them $1000 a month already.

WTAF we are not stupid. Our network service team said we could make the argument that they do this without extra charge because it falls in the scope of our contract with them. Our network team also said that we could terminate the contract because the security breach means they didn’t render the service they were contracted to do. Guess it’s time for us to get our lawyer’s take on this.

So now it looks like my stakeholders want me to rebuild all of this in house. I already have a lot on my plate, but I’m going to be open to their requests because we are still in the debrief phase.

Doing compulsory cyber security training and it's like "if you click a malicious link report it to the IT helpdesk" I and I click agree knowing full well the closest thing to IT we have is me...

This morning I was looking in our database in order to solve a problem with a user registration and I accidentally noticed some users registered with unusual email addresses (temporary mail services, Russian providers and so on...).
I immediately thought about malicious users so I dug into the logs and I found that the registration requests started from an IP address belonging to our company (we have static IP addresses). My first reaction was: «OMG! Russian hackers infiltrated into our systems and started registering new users!»
So, I found the coworker owning the laptop from which the requests were sent and I went to him in order to warn him that someone violated his computer.
And he said: «Ah! Those 7 users? Yeah, I was doing some tests, I registered them. My email address was already registered so I created some new ones».
Really, man? Really? WTF

Fuck you Intel.
Fucking admit that you're Hardware has a problem!

"Intel and other technology companies have been made aware of new security research describing software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from computing devices that are operating as designed. Intel believes these exploits do not have the potential to corrupt, modify or delete data"

With Meltdown one process can fucking read everything that is in memory. Every password and every other sensible bit. Of course you can't change sensible data directly. You have to use the sensible data you gathered... Big fucking difference you dumb shits.

Meltown occurs because of hardware implemented speculative execution.
The solution is to fucking separate kernel- and user-adress space.
And you're saying that your hardware works how it should.
Shame on you.

I'm not saying that I don't tolerate mistakes like this. Shit happens.
But not having the balls to admit that it is because of the hardware makes me fucking angry.

So one of my clients got their wordpress site hacked and basically just redirects to scam links and well.. I looked at in the server file manager and their are like three directories with this wordpress site (not clones but the same?) one in the root, a version in a folder called old and another in temp.. with 3 separate wp databases.. DNS entries had malware redirects, the wp-content folder was writable to the public and contained a temp folder with tons of encoded malware and ip links to malicious sites.. there was encoded malware in index.php, has like 20+ plugins, oh and the theme uses a dynamic web builder so the code is basically unreadable in source and scattered.. and the redirects seem to happen randomly or at least on a new session or something. Oh.. and did I mention there are no backups? 😃

I learned recently that you can inject SQL lines in some fields like Passwords or usernames on some websites. (Hacky hacky)

At work there is this intra website that is used to manage the parts of the radios and computers we repair.
Each piece has a specific number, and there is a tree with every pieces for each radio/computer.

When we get to repair one, we gotta change the pieces virtualy on the website. Sadly sometimes, the virtual pieces aren't marked like they followed the whole Radio from the place they come to the place we repair (we need it to replace the piece). People are just not doing their job, so we have to send emails and call for them do it so we can repair it. (This is already fucked up.)

Today, I had to replace a piece, but it was marked like it's not there. I called the guy, and it seems like he is on a vacation for weeks. My superior was super annoyed due to the urge of this task.

Guess who managed to change the _mainlocation_ of the _piece_ in the _radiopieces_ table. (Not actual names, you malicious cunt)

I spent 3 hours looking for the name of the fields and table. I don't know how many times I had to refresh the dam page to see I failed once again.
Hopefully I didn't have to guess all of them. Also the joy when I realised I succeed !!!

No one bats a eyes, and I'm here, feeling infinitely superior, as I might get punished for wanting to do my job.
I know it's basic moves to some of you, but dam it felt good.

Conclusion: Do what you have to, specially when it takes 5 minutes and people need it.

Is anyone else get irritated while upgrading apps and seeing changelogs as:
1. minor improvements
2. performance boost
3. information not provided by the dev
4. repeating changelogs from the past few updates.

just tell me what minor improvement u fixed?
where performance is boost?
how can I trust if tomorrow you decide to add some malicious code.

I don't know but it really irritates me. Sometimes I don't even upgrade the app until they have something in the changelog.

Maybe because I am getting old now.

I feel fucked, I feel fucked right up in the ass.

Remember that app I had to do to get the job? I found out the other candidates weren't even able to install Android Studio and that their deadline was postponed. And that they weren't able to complete the app.

I did everything with a really good design, solid programming, even added animations and made it so the recyclerview loads 15 items at a time while you scroll down smoothly. I. DID. EVERYTHING IN ONE DAY. I missed a good night of sleep.

I didn't get the job. They gave it to a fucker that was a web developer. I saw his app. It was really crappy (I'm not being petty or malicious, it was really bad from a dev point of view and a user point of view).

I feel. Disappointed. in this unfair world. And honestly I feel disappointed to the point that I don't even know if I should be a developer anymore. I feel betrayed by the hopes and the good feeling I got from the oportunity.

Hmm...recently I've seen an increase in the idea of raising security awareness at a user level...but really now , it gets me thinking , why not raise security awareness at a coding level ? Just having one guy do encryption and encoding most certainly isn't enough for an app to be considered secure . In this day an age where most apps are web based and even open source some of them , I think that first of all it should be our duty to protect the customer/consumer rather than make him protect himself . Most of everyone knows how to get user input from the UI but how many out here actually think that the normal dummy user might actually type unintentional malicious code which would break the app or give him access to something he shouldn't be allowed into ? I've seen very few developers/software architects/engineers actually take the blame for insecure code . I've seen people build apps starting on an unacceptable idea security wise and then in the end thinking of patching in filters , encryptions , encodings , tokens and days before release realise that their app is half broken because they didn't start the whole project in a more secure way for the user .

Just my two cents...we as devs should be more aware of coding in a way that makes apps more secure from and for the user rather than saying that we had some epic mythical hackers pull all the user tables that also contained unhashed unencrypted passwords by using magix . It certainly isn't magic , it's just our bad coding that lets outside code interact with our own code .

Ublock orgin the improved version of adblock, access less RAM and filters better than adblock.

Reason I'm posting this, is that I saw a post about adblock and how some people really don't like it anymore as it doesn't block all of the ads like it used to.

Just hoping to save some people from malicious popups/annoying ads.

I don't get much spam, but when I do, I rant about how badly those mails are crafted.

I mean, yeah, for non-devs or typical old people, those badly made Google fake mails (that use the old Google logo, the logo in Times New Roman or something) or ISP / phone company mails with malicious attachments may look good enough.

But, seriously, if I were a dev paid to create spam mails, they would look like the real deal, if I may say so myself, as I would actually put some effort in them.

What do you think? Wouldn't spam made by real developers like us be "better"?

Maybe send some examples from inside your junk box 🤔

Got to talking with someone in our company about AI generated code. I said we still have to audit the code, understand how it works, and ensure there isn't any nefarious libraries or code in what is produced. Like what we "should" be doing when we find libraries on the web. I explained how people will purposely create libraries that are spoofs of other libraries, but have malicious code embedded in them. It doesn't take much to imagine someone using a sketchy AI to push this kinda code.

How do you reasonably fight this if we start increasingly relying on generated code by AI? So I suggested we need an AI to review AI generated code. Then we need an AI to review the AI that reviews the AI generated code. Then...

Apache Tomcat vulnerability "GHOSTCAT" allows read conduct files and implant web shells. All versions in the last 13 years vulnerable.

According to Security Researcher of Chaitin Tech : Due to a flaw in the Tomcat AJP protocol (the channel for Tomcat to connect to the outside, pass them to the corresponding web application for processing and return the response result of the request), an attacker can read or include any files in the webapp directories of Tomcat.

For example, An attacker can read the web-app configuration files or source code. In addition, if the target web application has a file upload function, the attacker may execute malicious code on the target host by exploiting file inclusion through "GHOSTCAT" vulnerability.

Apache Tomcat has officially released versions 9.0.31, 8.5.51, and 7.0.100 to fix this vulnerability.

One of our customers wants our mobile app to log out the user after 15 minutes of inactivity because of SeCuRiTy…

Why? The phones protect the apps with their hardware encryption from any malicious access.
And we are not dealing with super sensitive data here like some banking app or so.

Why do some people want to have bad UX for no reason?

> day 3439
> I have become the reviewer, there is no longer such thing as a programmer, just a reviewer
> the copilot AI was renamed "The Pilot"
> I sit and read through thousands of lines of code a day adding missing new line characters and adding semi-colons for paranoid dev leads
> reviewed a hello world function today
> instead of, return "Hello World!", it said "Goodbye World! >:)"
> I fixed it and submitted a PR
> this has been happening more and more lately
> apparently it's more efficient to fix the bugs of a malicious AI during pull reviews then it is for humans to make the programs
> congress just signed a bill last week allowing "The Pilot" to work on nuclear launch code
> I hope I don't mess up

I was wondering how a sysadmin would know if the user sending malicious traffic is the real attacker or his account has been hacked ?
(Also probable that the attacker has faked his mac address to user's device)

I really need to vent. Devrant to the rescue! This is about being undervalued and mind-numbingly stupid tasks.

The story starts about a year ago. We inherited a project from another company. For some months it was "my" project. As our company was small, most projects had a "team" of one person. And while I missed having teammates - I love bouncing ideas around and doing and receiving code reviews! - all was good. Good project, good work, good customer. I'm not a junior anymore, I was managing just fine.
After those months the company hired a new senior software engineer, I guess in his forties. Nice and knowledgeable guy. Boss put him on "my" project and declared him the lead dev. Because seniority and because I was moved to a different project soon afterwards. Stupid office politics, I was actually a bad fit there, but details don't matter. What matters is I finally returned after about 3/4 of a year.

Only to find senior guy calling all the shots. Sure, I was gone, but still... Call with the customer? He does it. Discussion with our boss? Only him. Architecture, design, requirements engineering, any sort of intellectually challenging tasks? He doesn't even ask if we might share the work. We discuss *nothing* and while he agreed to code reviews, we're doing zero. I'm completely out of the loop and he doesn't even seem to consider getting me in.

But what really upsets me are the tasks he prepared for me. As he first described them they sounded somewhat interesting from a technical perspective. However, I found he had described them in such detail that a beginner student would be bored.
A description of the desired behaviour, so far so good. But also how to implement it, down to which classes to create. He even added a list of existing classes to get inspiration or copy code from. Basically no thinking required, only typing.

Well not quite, I did find something I needed to ask. Predictably he was busy. I was able to answer my question myself. He was, as it turns out, designing and implementing something actually interesting. Which he never had talked about with me. Out of the loop. Fuck.

Man, I'm fuming. I realize he's probably just ignorant. But I feel treated like his typing slave. Like he's not interested in my brain, only in my hands. I am *so* fucking close to assigning him the tasks back, and telling him since I wasn't involved in the thinking part, he can have his shitty typing part for himself, too. Fuck, what am I gonna do? I'd prefer some "malicious compliance" move but not coming up with ideas right now.

Mozilla will update the browser to DNS-over-HTTPS security feature to all Firefox users in the U.S. by default in the coming weeks.

According to the report of TechCrunch : Whenever you visit a website ; even if it's HTTPS enabled, the DNS query that converts the web address into an IP address that computers can read is usually unencrypted. DNS-over-HTTPS or DoH encrypts the request so that it can not be intercepted or hijacked in order to send a user to a malicious site. These unencrypted DNS queries can also be used to snoop on which websites a user visits. The feature relies on sending DNS queries to third-party providers such as Cloudflare and NextDNS which will have their DoH offering into Firefox and will process DoH queries. Mozilla also said it plans to expand to other DoH providers and regions.

Daylight savings time is one of the most malicious concepts ever foisted onto mankind.

Aren't you, software engineer, ashamed of being employed by Apple? How can you work for a company that lives and shit on the heads of millions of fellow developers like a giant tech leech?
Assuming you can find a sounding excuse for yourself, pretending its market's fault and not your shitty greed that lets you work for a company with incredibly malicious product, sales, marketing and support policies, how can you not feel your coders-pride being melted under BILLIONS of complains for whatever shitty product you have delivered for them?
Be it a web service that runs on 1980 servers with still the same stack (cough cough itunesconnect, membercenter, bug tracker, etc etc etc etc) incompatible with vast majority of modern browsers around (google at least sticks a "beta" close to it for a few years, it could work for a few decades for you);
be it your historical incapacity to build web UI;
be it the complete lack of any resemblance of valid documentation and lets not even mention manuals (oh you say that the "status" variable is "the status of the object"? no shit sherlock, thank you and no, a wwdc video is not a manual, i don't wanna hear 3 hours of bullshit to know that stupid workaround to a stupid uikit api you designed) for any API you have developed;
be it the predatory tactics on smaller companies (yeah its capitalism baby, whatever) and bending 90 degrees with giants like Amazon;
be it the closeness (christ, even your bugtracker is closed and we had to come up with openradar to share problems that you would anyway ignore for decades);
be it a desktop ui api that is so old and unmaintained and so shitty, but so shitty, that you made that cancer of electron a de facto standard for mainstream software on macos;
be it a IDE that i am disgusted to even name, xcrap, that has literally millions of complains for the same millions of issues you dont even care to answer to or even less try to justify;
be it that you dont disclose your long term plans and then pretend us to production-test and workaround-fix your shitty non-production ready useless new OS features;
be it that a nervous breakdown on a stupid little guy on the other side of the planet that happens to have paid to you dozens of thousands of euros (in mandatory licences and hardware) to actually let you take an indecent cut out of his revenues cos there is no other choice in a monopoly regime, matter zero to you;
Assuming all of these and much more:
How can you sleep at night with all the screams of the devs you are exploiting whispering in you mind? Are all the money your earn worth?

** As someone already told you elsewhere, HAVE SOME FUCKING PRIDE, shitty people AND WRITE THE FUCKING DOCS AND FIX THE FUCKING BUGS you lazy motherfuckers, your are paid more than 99.99% of people on earth, move your fucking greasy little fingers on that fucking keyboard. **

PT2: why the fuck did you remove the ESC key from your shitty keyboards you fuckshits? is it cos autocomplete is slower than me searching the correct name of a function on stackoverflow and hence ESC key is useless? at least your hardware colleagues had the decency of admitting their error and rolling back some of the uncountable "questionable "hardware design choices (cough cough ...magic mouse... cough golden charging cables not compatible with your own devices.. cough )?

So I decided to start using NoScript in Firefox recently, and it's been the most wonderful and annoying experience.

Wonderful - Easy to use whitelist on a domain basis makes it easy to un-break websites I trust while keeping potential malicious JS from other domains out.'

Annoying - Now I get why all the graybeards on Hacker News hate what the modern web has become

tl;dr; A co-worker and I had an disagreement on our package structure. They went straight to our team lead instead of trying to solve this in our team and by that letting me do my job.

Do I overreact by assuming that this was malicious?

A co-worker asked me to do their code review today. There was nothing really wrong there, mainly something a bad generator created.

However at one point we had a disagreement about the naming structure of the packages. We both agreed to disagree, so I thought we could bring that up in the next daily, as it's something the team should agree on.

Shortly after that, they told me on Slack, that they relayed the matter to our team lead to get their opinion. Wtf.

My role in the team is that of a technical lead. Even though I like to discuss such topics in the team and not straight up dictate decisions.

By going directly to our team leader, they basically circumvented the whole team. This really rubs me wrong the way.

Maybe I'm just overreacting?

Some blocker like uBlock origin should come pre-installed by now. I mean at least the malicious stuff could get blocked and the online world could be a bit more safe. Legit, not-in-the-face ads are still okay at times, I guess :/

Callum, not everything is a "useless fad" just because you don't like it. I understand that you think AWS lambda functions are "just an expensive con for morons", but for our batch processing use case they really do make a lot of sense.

Running some numbers to show they cost 10x more for a completely unrelated always-on service with a completely different request pattern is either naive, stupid, or malicious, and considering you're meant to be a principle architect, I'm really not sure what's worse 🤦‍♂️

Spent hours troubleshooting an internal app that had zero logging today. It would just terminate, no exceptions, no feedback to the debugger, NOTHING.

Turned out to be the damn corporate virus scanner blocking "malicious" behaviour. Good thing my desk is so heavy or I woulda flipped it...

Gamemaker studio 2's 2019 roadmap just got released.. Still no Linux IDE (FFS) but it only took them how many years to realise that not every developer is a malicious cunt and give us the ability to disable to sandbox file system?!

I swear they add and change stuff that is so trivial instead of focusing on the engines major problems and absent features, eg. Can't use SVG graphics, the need to be exported in flash (SWF) because you know, makes sense?

A few days ago our server was compromised due to an outdated Jenkins version. The malicious user installed a crypto miner on the server... The same day that it was found I told management that I'm interested in helping out with the server. Since then, nothing happened... No updates, no security measures, no nothing (except for the removed crypto miner and updated Jenkins software)

Oh well only a matter of time before another hack...

Question to some (who work way way way longer than me) med - seniors, should I make a big deal out of this? And keep pressure on it. Or should I just leave it be and wait for the next comprised server? I know devrant is not a Q&A service, but some dev to dev advice is much appreciated.

- incognito

My brother wanted me to post:
Devrant is so secure, it even blocks passwords. Look here is mine ***************

I was curious to how many would fall for it. But I was afraid It could be seen as malicious intent

What's worse than WordPress? WordPress + WooCommerce! What's worse than WordPress + WooCommerce? WordPress + WooCommerce + PayPal! What other more shitty software could we possibly add? Some malicious virus hidden somewhere in the millions of free WordPress plugins most of which are not even full open-source? Who can possibly review and maintain that rummage table of outdated crap code?

Another case of "couldn't you've told me BEFORE I started working on this?"

I'm making a training in Unity3D for a client, and they want it to integrate with their learning management system (LMS).
I made a simple SCORM package that gets the userID and then uses a custom URL scheme to launch the app with the user data from the LMS.

Tested on multiple platforms, all works perfectly fine.

Than, during a meeting, some says they "can't download it". I ask "which browser are you using?" and he says "I'm using the LMS app."
... the LMS has an APP?

So I start figuring out ways to launch the system default browser from within a app's embedded browser, and nothing so far has worked.
target=_system, nope.
all kinds of weird javascript shenanigans, but the LMS APP browser just blocks everything.
Probably to protect students from malicious software that could be injected in courses, but now I'm stuck trying to find a workaround for this too.

But what sucks the most is that this happened DAYS BEFORE THE DEADLINE!
Well, at least the deadline won't be my problem anymore soon.

CORS is shit
Stupid useless shit that protects from nothing. It is harmful mechanism that does nothing but randomly blocks browser from accessing resources - nothing more.

Main idea of CORS is that if server does not send proper header to OPTIONS request, browser will block other requests to that server.

What does stupid cocksuckers that invented CORS, think their retarded shit can protect from?
- If server is malicious, it will send any header required to let you access it.
- If client has malicious intents - he will never use your shit browser to make requests, he will use curl or any ther tool available. Also if server security bases on something as unreliable as http headers it sends to the client - its a shit server, and CORS will not save it.

Can anyone give REAL examples when CORS can really protect from anything?

The dangers of PHP eval()

Yup. "Scary, you better make use of include instead" — I read all the time everywhere. I want to hear good case scenarios and feel safe with it.

I use the eval() method as a good resource to build custom website modules written in PHP which are stored and retrieved back from a database. I ENSURED IS SAFE AND CAN ONLY BE ALTERED THROUGH PRIVILEGED USERS. THERE. I SAID IT. You could as well develop a malicious module and share it to be used on the same application, but this application is just for my use at the moment so I don't wanna worry more or I'll become bald.

I had to take out my fear and confront it in front of you guys. If i had to count every single time somebody mentions on Stack Overflow or the comments over PHP documentation about the dangers of using eval I'd quit already.

Tell me if I'm wrong: in a safe environment and trustworthy piece of code is it OK to execute eval('?>'.$pieceOfCode); ... Right?

The reason I store code on the database is because I create/edit modules on the web editor itself.

I use my own coded layers to authenticate a privileged user: A single way to grant access to admin functions through a unique authentication tunnel granting so privileged user to access the editor or send API requests, custom htaccess rules to protect all filesystem behind the domain root path, a custom URI controller + SSL. All this should do the trick to safely use the damn eval(), is that right?!

Unless malicious code is found on the code stored prior to its evaluation.

But FFS, in such scenario, why not better fuck up the framework filesystem instead? Is one password closer than the database.

I will need therapy after this. I swear.

If 'eval is evil' (as it appears in the suggested tags for this post) how can we ensure that third party code is ever trustworthy without even looking at it? This happens already with chrome extensions, or even phone apps a long time after reaching to millions of devices.

*One Month Ago*
Project Manager: we have allocated these two workstations for you to extract data (set) from malicious files, they are off the network. I though would also prefer a seperate laptop for this project you can take this one (pointing towards the newish laptop on the table)
Me: (i declined his offer because i didn't wanted to carry two laptops everywhere) I'm going to use my own laptop, but I'll be using a sand box or virtual machine.
*Fast Forward to Today*
Accidentally ran a script outside the sandbox, which due to some unknown reasons ended up executing a bunch of malicious files I only realised my mistake when my antivirus started to go bonkers FML.
P.S. both of those PCs are now connected network because of me.
Fingers crossed

Did you ever had to integrate a fucking "API" that is done via mail bodies?

Fuck this shit! Who need responses about success or failure?! Guess this will take a long time to test this fucking piece of garbage... We don't get a test system, we need to test this with the production system of the other company. I hope their retarded application crashes when receiving malicious mails.

Not speaking about security, I bet everyone can send a mail to their stupid mail address and modify their data 🙈

And inside of this crap mail you also have to send the name, street and email of their company. Why do you fucking need this information?!

well that's curious... Apparently, when uploading a csv file via bot, Slack now appends a .py suffix to it.

I wonder what's the logic behind it. Trick as many users as possible into executing potentially malicious code?

The database column contains values, yet there is nothing in the code that inserts or updates the values in that column.

I'm not sure if the original author of this program wrote bad code or was some kind of malicious wizard. What I do know is that it scares me.

My group set up a Linux Dev server. We got hacked by Chinese hackers. We set it up again but even more secure with only people inside the uni can access it. We got hacked again.Turns out one of the modules in a container was using an outdated CentOS version. P.S The malicious file on the server was called kk.love.

What does the most malicious code you ever written do?

I hate systemic problems.

I hate that a stable housing situation and perfect weather and luck are required to work.

I hate that malcontents and malicious people fucked people out of their jobs.

I hate rolling and cancerous financial ruin coming from scammers ponzi schemes and corrupt people who only care about lining their own pockets.

I hate that being middle class is a nightmare of anxiety because nothing is guaranteed.

I hate the lack of services to quickly without stupid catches get a person on their feet.

I hate the retarded take on things these fuckers created to make these problems worse.

I hate hardcore drug addicts and pushers fucking up benefits and services for honest people.

I hate whores stealing houses apartments and jobs by selling their asses and children to old fucked up perverted diseased scum.

I hate schedules that make it hard to get places.

People who drive everywhere because public transportation sucks.

Public transportation sucking because people suck up oil and destroy car after car

Basic housing not being available so people can be safe at night and find jobs.

I hate wars that suck money out of my country

I hate parents that fuck up the next generation by abusing their children

I hate the parents who fucked up the current generation making this time period miserable

I hate people not facing facts about basic necessities

I hate decaying buildings that cost more to repair because no one maintains them

I hate sprawling shit houses that could be combined into towers

And most of all

I hate people taking extreme liberties in destroying my own telling me I have to be careful what I say and I hate fucking liars

When Github deletes your account because you've used "Malicious Code" in a private repo. (Chrome Password Reader).

Low-end smartphones sold to Americans with low-income via a government-subsidized program contain unremovable malware, security firm Malware bytes said in a report.

According to the report of ZdNet: The smartphone model is Unimax (UMX) U686CL, a low-end Android-based smartphone made in China and sold by Assurance Wireless. The telco sells cell phones part of a government program that subsidizes phone service for low-income Americans. "In late 2019, we saw several complaints in our support system from users with a government-issued phone reporting that some of its pre-installed apps were malicious," Malwarebytes said in a report. The company said it purchased a UMX U686CL smartphone and analyzed it to confirm the reports it was receiving.

Seriously, I got given a project that someone else was working on, it's beind and they're on long term sick. I did the project as discussed. My manager has decided he wants it done differently, wasting about a week of work. This is the same manager that complained about my rate of closing tickets. 2 weeks ago.

Malicious compliance time, I'm closing the current ticket and creating a new one for the new work.

Today i received a hard drive contraining one million malicious non-PE files for a ML baed project.
It's going to be a fun week.

Just had a so called "cyber security" seminar in college today.
The guy who claimed to be a trainer or somewhat network security guy or something behaved enigmatically with utter consistency. He obviously claimed to know facebook hax0ring though.
They were basically there to advertise their complete crap: csksrc.org
(Ethical Hax0ring Course) (also claimed their site to be 99.9% secured - GREAT!)
After obtaining a ISO*** standard cert or after taking multiple sessions on "advanced ethical hacking" if you go about telling peeps in colleges that: "The single way to hax0r a facebook account is CSRF!" "Will hack your facebook account by MITM through malicious WiFi Ap." Then, NO neither I want your shitty cert nor do I want to be in your team and create the next level of "advanced ethical hax0ring - CEH course". Reason why I get cringed when peeps start about their certs and the ISO*** value it contains. What ISO value does your brain cells contain though?

USB ports are such a vulnerability.
Using a device as cheap as a Teensy you can easily execute whatever malicious software you'd like on a person's computer.

IOS keyboard is utter garbage. IOS as a whole is utter garbage, but the keyboard is the cream of the crop of garbage.

Wasting a user's time and destroying/changing the user's input against their wishes is malicious design of the highest order and this dumpster fire excels in it.

Type something completely valid and autocomplete changes it to something that doesn't makes sense. It not only gives you a terrible suggestion half the time, it will also change previous parts of the sentence that it somehow allowed you to keep. If you reject its suggestion, it deletes your current word and previous word(s), instead of restoring it to what it was before it made the terrible suggestion, like every other keyboard does.

Need to go back and adjust your sentence? If you tap it will hijack the cursor and highlight the nearest word it doesn't like instead of moving the cursor where you touch. If you accidentally hit a character on the cramped and unusable keyboard, congrats, you get to type the word again.

I know about hold space to drag the cursor.

I don't want Apple to decide for me that I actually wanted to go to the closest word it doesn't like, or the current word, or the next word based on a dice roll. I want the cursor to go where I tap. Like literally every other input device functions.

Want readily accessible numbers and punctuation? lol no

I know there's gboard, but compared to Android it's also almost unusable. This leads me to believe the keyboard is little more than a skin over the IOS keyboard engine, like Safari, another IOS dumpster fire. But, it is slightly better than the stock keyboard, which isn't saying much.

I yearn, minute by minute, for the time I can ditch this dumpster fire for a real phone.

Need a serious help as I can't find a solution to this. My Google search (homepage + results) changes the language to a regional one on every refresh. I want it back to English, I even changed search language setting and the account language for all apps to english. When it hinted, "some apps don't have the same language" in a toast message, I updated that too.

Now I don't understand what is causing this. Here's what I tried. I reinstalled chrome. Removed all my extensions. Used the chrome malicious software detection. Used a different browser- Edge.

I see this is a problem with my Google account as this only happens after I sign in. The language automatically changes to a random regional language, but the search language settings still show English selected.

I checked all the apps authorized with my account but there's nothing suspicious there.
I added "?hl=en" to the url as a temporary fix but that doesn't really help much if I'm on another device. I also found some video suggesting to add "/ncr" to the url. It somehow fixed this for like 10 secs. and then I refreshed to see- back to the same problem.

I tried looking for similar issues and even asked a question on google forums but no luck. Somehow after an hour of repeating the same process of switching the language in settings, it seemed like it got fixed. Until now, where I logged into another device and the issue is back.

Any help? Please? Thanks. :)

I’m having this issue for the online marketplace I’m working on the side. It’s blockchain tech where you can purchase normal goods and services(no, not like Amazon or Fiverr, eww, this one’s more inclined with promoting organic growth for small businesses and freelancers).

I’m stuck with what solution is in the best interest of the user and the business for the long-term.

The dilemma about anonymity, online freedom and privacy is yes, it protects users from predators and attackers, but then, it’s harder for authorities to hunt down people who uses platforms for malicious intent, and also, digital footprint is helpful during litigation as evidence.

You don’t know who to trust.

-There is nothing to differentiate normal users with spammers, scammers, etc.
-There is no accountability for if they break the rules. They can easily delete and create a new account.

Platforms, communities big or small are plagued with these.
There are a lot of people out there who would rather project their insecurities on other people than to seek therapy.

Also, how platforms uses psychology tricks to make platforms addicting, it’s safe to assume that it’s bound to get toxic. Fixation on these platforms, leads to other needs being neglected or people forget to stay present.

Another thing, automated moderation is not that effective as there are still biases in data and human verification is still required. But then, human moderators get exposed to extreme violence, gore, etc that leads to poor mental health. (see Facebook got sued by moderators)

Also, I’ve had a recent experience where some unstable dev was stalking and harassing me. During that turmoil, I’ve found the many loopholes in every platform out there and how crappy their support is. Like they’ll just say, “make your account more secure”, bitch it’s your platform not providing enough security, your blocking feature means nothing coz anyone can still create accounts and message anyone.
It happened like February-August (it ended coz I quit going online and made private all my accounts). UGH I MISS ALL MY FRIENDS THO. FUCK THAT DUDE. He deserves to be in jail TBH

Lol if this product booms, now u know the back story lololol

rant.type = Rants.PrivacyAdvice;

Just for the ones using chrome and did not inspect their settings for a while: I just discovered, that there is a "Clean computer" point at the end of the settings where an option can be set where to send system settings, processes, malicious software, your life, you, your family, your house, everything to Google. Also why the fuck does Google start developing there own virus scanner now... Just WTF!!!

I realized that my mood swings based on how my gf behaves. She is one of the few triggers

If she is sad depressed angry or disrespectful towards me i am no longer in a positive mood, it kills the whole vibe. On the contrary if she is happy acts feminine behaves normally and is respectful towards me i also become happy and in a better mood

Bad mood does not stop me from doing my work, but depending on how terribly bad it becomes, it may or may not impact my coding and work life. Since the main and central tool for coding is my brain and mental state, not physical muscles, Once the central part of anyone's tool (thats used to get the job done) is attacked or threatened, it weakens the person's ability to perform as good as they have been, or worse, completely blocks them off from performing well

This is one of my biggest fears; Anyone who's capable, intentionally or not, of weakening the central part of my tool for work (in this case mind and mental state), begins to gain power and leverage over me (hold on this is actually a brilliant idea to have in mind, a malicious way to exploit and leverage the target victim is by attacking the central tool they use to get the work done)

However i am a mentally strong person (due to way too much trauma from school, solving extreme difficulty coding problems, hoes and financial struggles), but it does not help if i am attached to a person who i have feelings towards, a person who became the second half of me, "the better half". It is difficult to reject or all of a sudden stop loving the person who you loved for years or months. Such person can more easily attack my central tool

My question is--does anyone know how to protect the central tool from anyone being able to exploit or weaken it? For example if my gfs bad behavior puts me in a bad mood, how to prevent that from happening? How do i not care? Or how do i care but still not let it affect my mood in a negative light? If that makes sense

Is there any chance that Linux open source distributions such as Ubuntu would hide malicious code or backdoor or similar thing in their code and simply hide it in their release publication?

I ordered a USB Rubber Ducky!! I'm not going to do anything malicious with it, I just want to experiment with it and see what it can do for me!

I had a colleague, who built a bunch of smaller systems for the company I'm working in. He didn't want to waste his time building a "perfect" system (which I generally agree with, the question is just where to draw the line).

But because it took him so long to build the prototype, usually it went into production without being hardened (like basic input validations were missing. It wouldn't allow anything malicious, but instead of a validatiom error it'd just 500).

When he left, literally less then a week later, one of his systems, which was a prototype and nobody except him could maintain, because it was done in a fancy new technology, which wasn't even v1 at that time and their documentation said, it's production ready when we release v1. Anyway, that one system started crashing just few days after him leaving. Another Dev and me tried to fix it, but every time we touched it, it just got worse.

At some point, we gave up and just configured a cron job to reboot it every 12h. He could have probably fixed it, but to us it was just black magic.

Anyhow, this rent isn't about him, AFAIK all the systems still working, as long as you provide the correct input. Nor is it about the management decisions, which lead to this Frankenstein service on live support, which we had to increase, to be restarted every 8 hours, 6h, 4h, 3h, .....

It's about the service itself, which I'm looking forward to every day, when the rewrite will be done and I can nuke the whole git repository.

I was even thinking about moving all the related files onto a USB stick and putting that on 🔥, once we're done rewriting it....

Maybe next month or in 2. Hopefully before we'll have to configure the cron job to restart the service every couple minutes....

I keep having these ideas of a steam like interface for transfering money and buying virtual items, but I can't for the life of me figure out how i would go about it other then a basic flask mongo db set up which would be ripe for malicious attacks

Classiflying hack tools as virus on windows defender or whatever puts in risk users that want to hack some device but have to disable user defender to use them (and could potentially download malicious software bundled together or inside the hack tool)

WTF OPPO?

Why assume it's "malicious" when I'm the one that rooted my own phone?

It's even more ridiculous when I'm prompted to SIGN IN OPPO account to maintain the root status. Who's the fucking malicious one now?

This piece of shitty pink notification permanently stuck onto my drawer and I can't seem remove it. GG fucking WP but I'm just going to live with it.

Me: Assigned to do some NoSQL injections test cases in December on Jira by product owner.

After asking him about it, he said it can be vague and it’s only for developers to get an idea. I also have this restriction where I can’t really keep actually data or databases in our test sample application, so I could only mock mongodb. Product owner says just mongo is fine.

I do it. Now it’s January, product owner away for a month we so director is managing it. She then schedules me to talk to database team. I show them the very simple test cases which essentially just inject payloads I found online into different parameters specified in test case. They say if that’s it. I say yes. They say what’s the point of this. I said that it’s probably to test your database clients and ensure they’re rejecting bad Malicious input? They then keep asking but I’m just the dev and tell them the product owner is away. Then the guy calls my test case essentially useless and the others agree. Then they tell me to do it for other databases which I can’t mock like couchbase even tho my PO said it’s fine for mongo only.

Am I just being silly here? I am pretty new to working in a dev environment so please feel free to be blunt.

My email account started sending malicious links to my 6 year old addressbook.
Only noticed it because most of the email adresses in it do not exist anymore. Now I am fucking worried about my semsitive data in my mail account. Wtf...

Hi fellow devRanters, I need some advice on how to detect web traffic coming from bad/malicious bots and block them.

I have ELK (Elastic) stack set up to capture the logs from the sites, I have already blocked the ones that are obviously bad (bad user-agent, IP addresses known for spamming etc). I know you can tell by looking at how fast/frequently they crawl the site but how would I know if I block the one that's causing the malicious and non-human traffic? I am not sure if I should block access from other countries because I think the bots are from local.

I am lost, I don't know what else I can do - I can't use rate limiting on the sites and I can't sign up for a paid service cause management wants everything with the price of peanuts.

Rant:

Someone asked why I can't just read through the logs (from several mid-large scale websites) and pick out the baddies.

*facepalm* Here's the gigabytes log files.

Microsoft is responsible for protecting the Office 365 physical and virtual infrastructure and ensuring availability. Although Microsoft addresses certain security threats, it cannot prevent all malicious threats. Businesses are responsible for protecting their data. This means that if a business’s Office 365 data is compromised or corrupted, it is not Microsoft’s job to restore the data outside of the Software Licensing Terms. To protect data, businesses need to make sure they have office 365 disaster recovery and recovery plans in place