Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
Search - "much security"
-
!rant
After over 20 years as a Software Engineer, Architect, and Manager, I want to pass along some unsolicited advice to junior developers either because I grew through it, or I've had to deal with developers who behaved poorly:
1) Your ego will hurt you FAR more than your junior coding skills. Nobody expects you to be the best early in your career, so don't act like you are.
2) Working independently is a must. It's okay to ask questions, but ask sparingly. Remember, mid and senior level guys need to focus just as much as you do, so before interrupting them, exhaust your resources (Google, Stack Overflow, books, etc..)
3) Working code != good code. You are an author. Write your code so that it can be read. Accept criticism that may seem trivial such as renaming a variable or method. If someone is suggesting it, it's because they didn't know what it did without further investigation.
4) Ask for peer reviews and LISTEN to the critique. Even after 20+ years, I send my code to more junior developers and often get good corrections sent back. (remember the ego thing from tip #1?) Even if they have no critiques for me, sometimes they will see a technique I used and learn from that. Peer reviews are win-win-win.
5) When in doubt, do NOT BS your way out. Refer to someone who knows, or offer to get back to them. Often times, persons other than engineers will take what you said as gospel. If that later turns out to be wrong, a bunch of people will have to get involved to clean up the expectations.
6) Slow down in order to speed up. Always start a task by thinking about the very high level use cases, then slowly work through your logic to achieve that. Rushing to complete, even for senior engineers, usually means less-than-ideal code that somebody will have to maintain.
7) Write documentation, always! Even if your company doesn't take documentation seriously, other engineers will remember how well documented your code is, and they will appreciate you for it/think of you next time that sweet job opens up.
8) Good code is important, but good impressions are better. I have code that is the most embarrassing crap ever still in production to this day. People don't think of me as "that shitty developer who wrote that ugly ass code that one time a decade ago," They think of me as "that developer who was fun to work with and busted his ass." Because of that, I've never been unemployed for more than a day. It's critical to have a good network and good references.
9) Don't shy away from the unknown. It's easy to hope somebody else picks up that task that you don't understand, but you wont learn it if they do. The daunting, unknown tasks are the most rewarding to complete (and trust me, other devs will notice.)
10) Learning is up to you. I can't tell you the number of engineers I passed on hiring because their answer to what they know about PHP7 was: "Nothing. I haven't learned it yet because my current company is still using PHP5." This is YOUR craft. It's not up to your employer to keep you relevant in the job market, it's up to YOU. You don't always need to be a pro at the latest and greatest, but at least read the changelog. Stay abreast of current technology, security threats, etc...
These are just a few quick tips from my experience. Others may chime in with theirs, and some may dispute mine. I wish you all fruitful careers!221 -
Hey everyone,
First off, a Merry Christmas to everyone who celebrates, happy holidays to everyone, and happy almost-new-year!
Tim and I are very happy with the year devRant has had, and thinking back, there are a lot of 2017 highlights to recap. Here are just a few of the ones that come to mind (this list is not exhaustive and I'm definitley forgetting stuff!):
- We introduced the devRant supporter program (devRant++)! (https://devrant.com/rants/638594/...). Thank you so much to everyone who has embraced devRant++! This program has helped us significantly and it's made it possible for us to mantain our current infrustructure and not have to cut down on servers/sacrifice app performance and stability.
- We added avatar pets (https://devrant.com/rants/455860/...)
- We finally got the domain devrant.com thanks to @wiardvanrij (https://devrant.com/rants/938509/...)
- The first international devRant meetup (Dutch) with organized by @linuxxx and was a huge success (https://devrant.com/rants/937319/... + https://devrant.com/rants/935713/...)
- We reached 50,000 downloads on Android (https://devrant.com/rants/728421/...)
- We introduced notif tabs (https://devrant.com/rants/1037456/...), which make it easy to filter your in-app notifications by type
- @AlexDeLarge became the first devRant user to hit 50,000++ (https://devrant.com/rants/885432/...), and @linuxxx became the first to hit 75,000++
- We made an April Fools joke that got a lot of people mad at us and hopefully got some laughs too (https://devrant.com/rants/506740/...)
- We launched devDucks!! (https://devducks.com)
- We got rid of the drawer menu in our mobile apps and switched to a tab layout
- We added the ability to subscribe to any user's rants (https://devrant.com/rants/538170/...)
- Introduced the post type selector (https://devrant.com/rants/850978/...) (which will be used for filtering - more details below)
- Started a bug/feature tracker GitHub repo (https://github.com/devRant/devRant)
- We did our first ever live stream (https://youtube.com/watch/...)
- Added an awesome all-black theme (devRant++) (https://devrant.com/rants/850978/...)
- We created an "active discussions" screen within the app so you can easily find rants with booming discussions!
- Thanks to the suggestion of many community members, we added "scroll to bottom" functionality to rants with long comment threads to make those rants more usable
- We improved our app stability and set our personal record for uptime, and we also cut request times in half with some database cluster upgrades
- Awesome new community projects: https://devrant.com/projects (more will be added to the list soon, sorry for the delay!)
- A new landing page for web (https://devrant.com), that was the first phase of our web overhaul coming soon (see below)
Even after all of this stuff, Tim and I both know there is a ton of work to do going forward and we want to continue to make devRant as good as it can be. We rely on your feedback to make that happen and we encourage everyone to keep submitting and discussing ideas in the bug/feature tracker (https://github.com/devRant/devRant).
We only have a little bit of the roadmap right now, but here's some things 2018 will bring:
- A brand new devRant web app: we've heard the feedback loud and clear. This is our top priority right now, and we're happy to say the completely redesigned/overhauled devRant web experience is almost done and will be released in early 2018. We think everyone will really like it.
- Functionality to filter rants by type: this feature was always planned since we introduced notif types, and it will soon be implemented. The notif type filter will allow you to select the types of rants you want to see for any of the sorting methods.
- App stability and usability: we want to dedicate a little time to making sure we don't forget to fix some long-standing bugs with our iOS/Android apps. This includes UI issues, push notification problems on Android, any many other small but annoying problems. We know the stability and usability of devRant is very important to the community, so it's important for us to give it the attention it deserves.
- Improved profiles/avatars: we can't reveal a ton here yet, but we've got some pretty cool ideas that we think everyone will enjoy.
- Private messaging: we think a PM system can add a lot to the app and make it much more intuitive to reach out to people privately. However, Tim and I believe in only launching carefully developed features, so rest assured that a lot of thought will be going into the system to maximize privacy, provide settings that make it easy to turn off, and provide security features that make it very difficult for abuse to take place. We're also open to any ideas here, so just let us know what you might be thinking.
There will be many more additions, but those are just a few we have in mind right now.
We've had a great year, and we really can't thank every member of the devRant community enough. We've always gotten amazingly positive feedback from the community, and we really do appreciate it. One of the most awesome things is when some compliments the kindness of the devRant community itself, which we hear a lot. It really is such a welcoming community and we love seeing devs of all kind and geographic locations welcomed with open arms.
2018 will be an important year for devRant as we continue to grow and we will need to continue the momentum. We think the ideas we have right now and the ones that will come from community feedback going forward will allow us to make this a big year and continue to improve the devRant community.
Thanks everyone, and thanks for your amazing contributions to the devRant community!
Looking forward to 2018,
- David and Tim48 -
Long but worth it...
So I was cleaning out my Google Drive last night, and deleted some old (2 years and up) files. I also deleted my old work folder, it was for an ISP I worked for over 2 years ago. After deleting the files I had a little twinge of "Man I hope they're not still using those". But seriously, it'd be a pretty big security risk if I was still the owner of those files... right? Surely they copied them and deleted all the info from the originals. IP addresses, Cisco configs, username and passwords for various devices, pretty much everything but customer info.
Guess who I get a call from this morning... "Hi this is Debbie from 'ISP'. I was trying to access the IP Master List and I can't anymore. I was just told to call you and see if there's any way to get access to it again" (Not her real name...)
I had to put her on hold so I could almost die of laughter...
Me: "Sorry about that Debbie, I haven't worked for that company for over 2 years. Your telling me in all that time no one thought to save them locally? No one made a copy? I still had the original documents?!"
Long pause
D: "Uh... Apparently not..."
Another long pause
D: "So is there any way you can give me access to them again?"
Me: "They're gone Debbie. I deleted them all last night."
D: Very worried voice "Can... Can you check?"
This kids is why you never assume you'll always have access to a cloud stored file, make local copies!!
A little bit of background on this company, the owner's wife fired me on trumped up "time card discrepancy" issues so she could hire her freshly graduated business major son. The environment over there was pretty toxic anyway...
I feel bad for "Debbie" and the other staff there, it's going to be a very bad week for them. I also hope it doesn't impact any customers. But... It is funny as hell, especially since I warned the owner as I was clearing out my desk to save copies, and plan on them being gone soon. Apparently he never listened.
This is why you should have a plan in place... And not just wing it...
PS. First Post!25 -
My last internship (it was awesome). A programmer developed a vacation/free day request application for internal use.
Asked if I could test it for security.
The dev working on it thought that was a very good idea as he wasn't much into security and explained how the authentication process worked.
I immediately noticed a flaw just from his explanation. He said it was secure anyways (with an explanation but his way of thinking was wrong in this case). Asked if I was allowed to show him. He said he was intrigued by this so gave me a yes right away.
For the record, user levels were normal user, general admin and super admin (he was the only super admin).
Wrote a quick thingy server side (one of my own servers/domains) for testing purposes.
Then I started.
Went from normal user to super admin (his account) through a combination of XSS and Session Hijacking within 15 seconds.
Explained him where he went wrong and he wrote a patch under my guidance 😃.
That felt so fucking awesome.5 -
New Dutch (or european?) law requiring https for any website with a contact form or higher is going into effect very soon. Were contacting customers so they can still be on time with this, this is how most convo's go:
Collegue: *explains*
Client: Im sure my security is good enough...
Collegue: i'd really recommend it, we've got free options as well!
Client: its just a secure connection, whats the big deal...
Collegue: *more arguments*
Client: I just don't see the point, security.... well.... does it really matter that much...
Collegue: Google might place you lower in the search results if you don't get a secure connection.
Client: 😶😥😵 uhm so what were the https options again? 😅
I hope they all die a painful death 😠26 -
Dear self proclaimed wordpress 'developers/programmers', kindly go fuck yourself.
I'm not talking about wordpress devs/designers who don't claim to have a better skillset than they have and are actually willing to learn, those are very much fine.
I'm talking about those wordpress people who claim that they're developers, programmers or whatever kind of bullshit which they're obviously not.
"A client's site crashed, you have to fix it!!!!!" sorry, come again? It's YOUR client's site. It's hosted on our hosting platform meaning that WE are responsible for KEEPING THE SERVERS UP AND FUNCTIONING.
You call yourself a wordpress 'developer' with 'programming experience' for 10 years but the second one of your shitty sites crashes, you come to us because 'it's your responsibility!!!'.
No, it's not. Next to that fact, the fact that you have to ask US why the site is crashing while you could easily login to your control panel, go to the fucking error logs and see that one of your facebook plugins crashes with a quite English error message, shows me that you definitely don't have 10 years of programming experience. And if you can't find that fucking article which tells you exactly where the motherfucking error logs are, don't come crying to us asking to fix your own fucking bullshit.
"My clients site got hacked, you have to clean it up and get it online again ASAP!!!!" - Nah, sorry, not my responsibility. The fact that you explicitly put your wordpress installation on 'no automatic updates' also doesn't help with my urge to fucking end you right now.
Add to that that we have some quite clear articles on wordpress security which you appearantly found too difficult (really? basic shit like 'set a strong fucking password' is too difficult for you?), you're on your own.
"I'm getting an error, please explain what's going wrong as soon as you can! this is a prio 1!!!!" - Nope. You were a wordpress dev/programmer right? Please act like one.
I'm not your personal wordpress agent.
I'm not your personal hacked wordpress site cleanup guy.
I'm not even a fucking wordpress professional. No, I'd rather jump off a bridge than develop wordpress bullshit for a living.
That you chose to do this, not a problem. Just don't rely on me for fixing your shit.
I'm sick of cleaning up your bullshit.
I'm done with answering your high prio tickets about bullshit which any dev could find out with just a few minutes of searching.
Oh your wordpress site isn't showing up so high in google? Yeah sure, shoot a ticket at us blaming us for your own SEO mess. I'm a fucking sysadmin, not a SEO expert.
I'm fucking done with you.
Go die in a fucking corner.18 -
Consultant: "you should deploy a website. Use wordpress and have a draft ready in a few days. It's easy."
Me: "It's a static website, a one-pager even. I think we would be better served with something light-weight without a database."
Consultant: "99% of the websites in the entire internet are powered by wordpress. It's state of the art, you should use it"
Me: 😢 "Nooo, it needs mainentance and stuff. Look, XY is much simpler. You can even version the static site with git"
Consultant: 😤
We ended up with wordpress for our static website now. I am so proud. I absolutely love wordpress. It is amazing. Now my static one-pager can have plugins, multiple users, security issues and all that. The future is now!17 -
So there was an inspection from government for our bank's IT security. I gave a tour to our server and security systems. I threw all possible acronyms as much as I could remember. Inspector nodded and noted down never uttered a word.
Finally, he breaks his silence, looking at a device he points out and says "What's that ?"
I look at the device then stare at his face back again at the device and to his face I reply "That's AC, Air Conditioner".19 -
So I got the job. Here's a story, never let anyone stop you from accomplishing your dreams!
It all started in 2010. Windows just crashed unrecoverably for the 3rd time in two years. Back then I wasn't good with computers yet so we got our tech guy to look at it and he said: "either pay for a windows license again (we nearly spend 1K on licenses already) or try another operating system which is free: Ubuntu. If you don't like it anyways, we can always switch back to Windows!"
Oh well, fair enough, not much to lose, right! So we went with Ubuntu. Within about 2 hours I could find everything. From the software installer to OpenOffice, browsers, email things and so on. Also I already got the basics of the Linux terminal (bash in this case) like ls, cd, mkdir and a few more.
My parents found it very easy to work with as well so we decided to stick with it.
I already started to experiment with some html/css code because the thought of being able to write my own websites was awesome! Within about a week or so I figured out a simple html site.
Then I started to experiment more and more.
After about a year of trial and error (repeat about 1000+ times) I finally got my first Apache server setup on a VirtualBox running Ubuntu server. Damn, it felt awesome to see my own shit working!
From that moment on I continued to try everything I could with Linux because I found the principle that I basically could do everything I wanted (possible with software solutions) without any limitations (like with Windows/Mac) very fucking awesome. I owned the fucking system.
Then, after some years, I got my first shared hosting plan! It was awesome to see my own (with subdomain) website online, functioning very well!
I started to learn stuff like FTP, SSH and so on.
Went on with trial and error for a while and then the thought occured to me: what if I'd have a little server ONLINE which I could use myself to experiment around?
First rented VPS was there! Couldn't get enough of it and kept experimenting with server thingies, linux in general aaand so on.
Started learning about rsa key based login, firewalls (iptables), brute force prevention (fail2ban), vhosts (apache2 still), SSL (damn this was an interesting one, how the fuck do you do this yourself?!), PHP and many other things.
Then, after a while, the thought came to mind: what if I'd have a dedicated server!?!?!?!
I ordered my first fucking dedicated server. Damn, this was awesome! Already knew some stuff about defending myself from brute force bots and so on so it went pretty well.
Finally made the jump to NginX and CentOS!
Made multiple VPS's for shitloads of purposes and just to learn. Started working with reverse proxies (nginx), proxy servers, SSL for everything (because fuck basic http WITHOUT SSL), vhosts and so on.
Started with simple, one screen linux setup with ubuntu 10.04.
Running a five monitor setup now with many distro's, running about 20 servers with proxies/nginx/apache2/multiple db engines, as much security as I can integrate and this fucking passion just got me my first Linux job!
It's not just an operating system for me, it's a way of life. And with that I don't just mean the operating system, but also the idea behind it :).20 -
Happened a few weeks ago but still awesome.
Me and a good friend have a website together but we don't monitor it too much.
He studied with me in the same class but went towards frontend/apps where I chose backend/servers/security. He knows how to do basic Linux stuff but that's about it.
We were at a party when he noticed that our site was offline. Walked over to me (because I manage the server) to notify me so I could look into it said I'd look into it (phone):
*visits site: nothing*
*online dig tool: got the server ip*
*remembered this one didn't have pubkey authentication - after three passwords attempts I'm in*
"service apache2 status"
*service doesn't exist*
*right, migrated this one from Apache to nginx....*
"history"
*ah, an nginx restart probably suffices...*
"service nginx restart"
BAM, site is reachable again.
*god damnit, lets encrypt cert expired...*
"history"
*sees command with certbot and our domain both in one*
"!892"
*20 seconds later: success message*
*service nginx reload*
BAM, site works securely again.
"Yo mate, check the site again"
Mate: 😶 w-w-what? *checks site and his watch* you started less than two minutes ago...?
Me: yeah..?
Mate: 😶 now this is why YOU manage our server and I don't 😐
His face was fucking gold. It wasn't that difficult for me (I do this daily) but to him, I was a God at that moment.
Awesome moment 😊24 -
My mentor/guider at my last internship.
He was great at guiding, only 1-2 years older than me, brought criticism in a constructive way (only had a very tiny thing once in half a year though) and although they were forced to use windows in a few production environments, when it came to handling very sensitive data and they asked me for an opinion before him and I answered that closed source software wasn't a good idea and they'd all go against me, this guy quit his nice-guy mode and went straight to dead-serious backing me up.
I remember a specific occurrence:
Programmers in room (under him technically): so linuxxx, why not just use windows servers for this data storage?
Me: because it's closed source, you know why I'd say that that's bad for handling sensitive data
Programmers: oh come on not that again...
Me: no but really look at it from my si.....
Programmers: no stop it. You're only an intern, don't act like you know a lot about thi....
Mentor: no you shut the fuck up. We. Are. Not. Using. Proprietary. Bullshit. For. Storing. Sensitive. Data.
Linuxxx seems to know a lot more about security and privacy than you guys so you fucking listen to what he has to say.
Windows is out of the fucking question here, am I clear?
Yeah that felt awesome.
Also that time when a mysql db in prod went bad and they didn't really know what to do. Didn't have much experience but knew how to run a repair.
He called me in and asked me to have a look.
Me: *fixed it in a few minutes* so how many visitors does this thing get, few hundred a day?
Him: few million.
Me: 😵 I'm only an intern! Why did you let me access this?!
Him: because you're the one with the most Linux knowledge here and I trust you to fix it or give a shout when you simply can't.
Lastly he asked me to help out with iptables rules. I wasn't of much help but it was fun to sit there debugging iptables shit with two seniors 😊
He always gave good feedback, knew my qualities and put them to good use and kept my motivation high.
Awesome guy!4 -
Hacking/attack experiences...
I'm, for obvious reasons, only going to talk about the attacks I went through and the *legal* ones I did 😅 😜
Let's first get some things clear/funny facts:
I've been doing offensive security since I was 14-15. Defensive since the age of 16-17. I'm getting close to 23 now, for the record.
First system ever hacked (metasploit exploit): Windows XP.
(To be clear, at home through a pentesting environment, all legal)
Easiest system ever hacked: Windows XP yet again.
Time it took me to crack/hack into today's OS's (remote + local exploits, don't remember which ones I used by the way):
Windows: XP - five seconds (damn, those metasploit exploits are powerful)
Windows Vista: Few minutes.
Windows 7: Few minutes.
Windows 10: Few minutes.
OSX (in general): 1 Hour (finding a good exploit took some time, got to root level easily aftewards. No, I do not remember how/what exactly, it's years and years ago)
Linux (Ubuntu): A month approx. Ended up using a Java applet through Firefox when that was still a thing. Literally had to click it manually xD
Linux: (RHEL based systems): Still not exploited, SELinux is powerful, motherfucker.
Keep in mind that I had a great pentesting setup back then 😊. I don't have nor do that anymore since I love defensive security more nowadays and simply don't have the time anymore.
Dealing with attacks and getting hacked.
Keep in mind that I manage around 20 servers (including vps's and dedi's) so I get the usual amount of ssh brute force attacks (thanks for keeping me safe, CSF!) which is about 40-50K every hour. Those ip's automatically get blocked after three failed attempts within 5 minutes. No root login allowed + rsa key login with freaking strong passwords/passphrases.
linu.xxx/much-security.nl - All kinds of attacks, application attacks, brute force, DDoS sometimes but that is also mostly mitigated at provider level, to name a few. So, except for my own tests and a few ddos's on both those domains, nothing really threatening. (as in, nothing seems to have fucked anything up yet)
How did I discover that two of my servers were hacked through brute forcers while no brute force protection was in place yet? installed a barebones ubuntu server onto both. They only come with system-default applications. Tried installing Nginx next day, port 80 was already in use. I always run 'pidof apache2' to make sure it isn't running and thought I'd run that for fun while I knew I didn't install it and it didn't come with the distro. It was actually running. Checked the auth logs and saw succesful root logins - fuck me - reinstalled the servers and installed Fail2Ban. It bans any ip address which had three failed ssh logins within 5 minutes:
Enabled Fail2Ban -> checked iptables (iptables -L) literally two seconds later: 100+ banned ip addresses - holy fuck, no wonder I got hacked!
One other kind/type of attack I get regularly but if it doesn't get much worse, I'll deal with that :)
Dealing with different kinds of attacks:
Web app attacks: extensively testing everything for security vulns before releasing it into the open.
Network attacks: Nginx rate limiting/CSF rate limiting against SYN DDoS attacks for example.
System attacks: Anti brute force software (Fail2Ban or CSF), anti rootkit software, AppArmor or (which I prefer) SELinux which actually catches quite some web app attacks as well and REGULARLY UPDATING THE SERVERS/SOFTWARE.
So yah, hereby :P39 -
Wholesome anti-rant.
There’s this Indian chick at work that I really, really do not get along with. Fortunately she’s on a different team so we have practically zero interactions. Her code was always decent, maybe upper junior level? but I went away fuming almost every time we talked.
However, I did a release security review today (I’m down from five/six per month to one) and read through quite a bit of her code. It was clean and easy to read with good separation, clear naming and intentions, nothing was confusing, etc. It was almost beautiful. Had I any emotions I might have shed a tear. I sent her a message and let her know :) I actually learned a better way of doing a couple of things from it.
She has grown so much as a dev.32 -
Alright, since Facebook released a VPN service a little while ago but they're actively advertising it as a secure and privacy friendly service, I felt like - although I'm very busy right now - I should do a security/privacy blog post about this.
If you even slightly care about your own privacy or the privacy of anyone you're communicating with, for the love of God, don't use this service.
Hereby a blog post explaining stuffs: https://much-security.nl//...44 -
Wow, just wow.
The Dutch national security spy agency and also their military one are complaining that the organisation that was brought to life to check if they don't spy on innocent people (and execute illegal hacks and overstep their surveillance powers etc) is investigating too much and asking too many technical questions relating to ongoing operations.
Well, this shows that this is necessary apparently! I'm glad this organisation is doing their job.
Oh, the irony.13 -
Customer: why 1 router cost so much? I can buy 3 normal routers with that.
Me: this has security features and functions that 3 of those routers put together combined could not do. Then you will still need to buy firewall for security. Why have more devices and have more possible points of failure when u can have 1?
Customer *keeps quiet*
Me: numbers is not important. Having 5 normal parachutes during skydiving doesnt guarantee u better safety than 1 good reliable parachute.
My company earned $700 profit for that sale today. 😂5 -
Lads, I will be real with you: some of you show absolute contempt to the actual academic study of the field.
In a previous rant from another ranter it was thrown up and about the question for finding a binary search implementation.
Asking a senior in the field of software engineering and computer science such question should be a simple answer, specifically depending on the type of job application in question. Specially if you are applying as a SENIOR.
I am tired of this strange self-learner mentality that those that have a degree or a deep grasp of these fundamental concepts are somewhat beneath you because you learned to push out a website using the New Boston tutorials on youtube. FOR every field THAT MATTERS a license or degree is hold in high regards.
"Oh I didn't go to school, shit is for suckers, but I learned how to chop people up and kinda fix it from some tutorials on youtube" <---- try that for a medical position.
"Nah it's cool, I can fix your breaks, learned how to do it by reading blogs on the internet" <--- maintenance shop
"Sure can write the controller processing code for that boing plane! Just got done with a low level tutorial on some websites! what can go wrong!"
(The same goes for military devices which in the past have actually killed mfkers in the U.S)
Just recently a series of people were sent to jail because of a bug in software. Industries NEED to make sure a mfker has aaaall of the bells and whistles needed for running and creating software.
During my masters degree, it fucking FASCINATED me how many mfkers were absolutely completely NEW to the concept of testing code, some of them with years in the field.
And I know what you are thinking "fuck you, I am fucking awesome" <--- I AM SURE YOU BLOODY WELL ARE but we live in a planet with billions of people and millions of them have fallen through the cracks into software related positions as well as complete degrees, the degree at LEAST has a SPECTACULAR barrier of entry during that intro to Algos and DS that a lot of bitches fail.
NOTE: NOT knowing the ABSTRACTIONS over the tools that we use WILL eventually bite you in the ASS because you do not fucking KNOW how these are implemented internally.
Why do you think compiler designers, kernel designers and embedded developers make the BANK they made? Because they don't know memory efficient ways of deploying a product with minimal overhead without proper data structures and algorithmic thinking? NOT EVERYTHING IS SHITTY WEB DEVELOPMENT
SO, if a mfker talks shit about a so called SENIOR for not knowing that the first mamase mamasa bloody simple as shit algorithm THROWN at you in the first 10 pages of an algo and ds book, then y'all should be offended at the mkfer saying that he is a SENIOR, because these SENIORS are the same mfkers that try to at one point in time teach other people.
These SENIORS are the same mfkers that left me a FUCKING HORRIBLE AND USELESS MESS OF SPAGHETTI CODE
Specially to most PHP developers (my main area) y'all would have been well motherfucking served in learning how not to forLoop the fuck out of tables consisting of over 50k interconnected records, WHAT THE FUCK
"LeaRniNG tHiS iS noT neeDed!!" yes IT fucking IS
being able to code a binary search (in that example) from scratch lets me know fucking EXACTLY how well your thought process is when facing a hard challenge, knowing the basemotherfucking case of a LinkedList will damn well make you understand WHAT is going on with your abstractions as to not fucking violate memory constraints, this-shit-is-important.
So, will your royal majesties at least for the sake of completeness look into a couple of very well made youtube or book tutorials concerning the topic?
You can code an entire website, fine as shit, you will get tested by my ass in terms of security and best practices, run these questions now, and it very motherfucking well be as efficient as I think it should be(I HIRE, NOT YOU, or your fucking blog posts concerning how much MY degree was not needed, oh and btw, MY degree is what made sure I was able to make SUCH decissions)
This will make a loooooooot of mfkers salty, don't worry, I will still accept you as an interview candidate, but if you think you are good enough without a degree, or better than me (has happened, told that to my face by a candidate) then get fucking ready to receive a question concerning: BASIC FUCKING COMPUTER SCIENCE TOPICS
* gays away into the night53 -
So a fucking friend of mine makes me meet this fella who is a big shot according to his LinkedIn and please note has too much experience with Web Apps and Python
Me being naive actually trusted that and I meet him.
Fella: So what do you do?
Me: I am into Cyber Security nothing much I just do bug hunting for now
Fella: You know python will help you right?
Me: Sorry?
Fella: You see you have to be a python programmer for anything you want to do in CS
Me: Me yeah I kinda know python actually I am more into Ruby from start so ( Around this time I kinda sensed that he is a fake tech guy he is a corporate asshole)
Fella: show me any of your work
Me: (So to show him one of the thing I was working on I open GitHub desktop app) Me explaining blah blah blah
*Fella is in shock*
So at this point I was thinking probably he is impressed and that's why the shock right?
No a big fucking no
Apparently he never heard about GitHub or git and got blown away by the interface.
And the friend who made me meet that guy is not my fucking friend anymore that prick can die for ruining my day18 -
Navy story time again. Grab that coffee and fire up Kali, the theme is security.
So, when I got promoted to Lieutenant Jr. I had to attend a 1-year school inside my nostalgic Naval Academy... BUT! I was wiser, I was older... and I was bored. Like, really bored. What could go wrong? Well, all my fellow officers were bored too, so they started downloading/streaming/torrenting like crazy, and I had to wait for hours for the Kali updates to download, so...
mdk3 wlan0mon -d
I had this external wifi atheros card with two antennae and kicked all of them off the wifi. Some slightly smarter ones plugged cables on the net, and kept going, enjoying much faster speeds. I had to go to the bathroom, and once I returned they had unplugged the card. That kind of pissed me off, since they also thought it would be funny to hide it, along with the mouse.
But, oh boy, they had no idea what supreme asshole I can be when I am irked.
So, arpspoof it is. Turns out, there were no subnetworks, and the broadcast domain was ALL of the academy. That means I shut EVERYONE off, except me. Hardware was returned in 1 minute with the requested apologies, but fuck it, I kept the whole academy off the net for 6 hours. The sysadmin ran around like crazy, because nothing was working. Not even the servers.
I finally took pity on the guy (he had gotten the duties of sysadmin when the previous sysad died, so think about that) and he almost assaulted me when I told him. As it turned out, the guy never had any training or knowledge on security, so I had to show him a few things, and point him to where he could study about the rest. But still, some selective arp poison on select douchebags was in order...
Needless to say, people were VERY polite to me after that. And the net speed was up again, so I got bored. Again. So I started scanning the net.
To be continued...3 -
So I had my exams recently and I thought I'd post some of the most hacky shit I've done there over here. One thing to keep in mind, I'm a backender so I always have to hack my way around frontend!
- Had a user level authentication library which fucked up for some reason so I literally made an array with all pages and user levels allowed so I pretty much had a hardcoded user level authentication feature/function. Hey, it worked!
- CSS. Gave every page a hight of 110 percent because that made sure that you couldn't see part of the white background under the 'background' picture. Used !important about everywhere but it worked :P.
- Completey forgot (stress, time pressure etc) to make the user ID's auto incremented. 'Fixed' that by randomly generating a user id and really hoping during every registration that that user ID did not exist in the database already. Was dirty as fuck but hey it worked!
- My 'client' insisted on using Windows server.Although I wouldn't even mind using it for once, I'd never worked with it before so that would have been fucked for me. Next to that fact, you could hear swearing from about everyone who had to use Windows server in that room, even the die hard windows users rather had linux servers. So, I just told a lot of stuff about security, stability etc and actually making half of all that shit up and my client was like 'good idea, let's go for linux server then!'. Saved myself there big time.
- CHMOD'd everything 777. It just worked that way and I was in too much time pressure to spend time on that!
- Had to use VMWare instead of VirtulBox which always fucks up for me and this time it did again. Windows 10 enjoyed corrupting the virtual network adapters after every reboot of my host so I had to re-create the whole adapter about 20 times again (and removing it again) in order to get it to work. Even the administrator had no fucking clue why that was happening.
- Used project_1.0.zip etc for version control :P.
Yup, fun times!6 -
I work at a small retail store and we have quite a few regular customers who know I'm studying computer science because I'm always coding at work on my laptop.
One lady who comes in quite often and is very sweet asked me if I would take a look at her phone. She said she bought it and paid the owner of a phone repair store to set it up for her, but was felt like he did something weird to it. I told her I wasn't an expert but would look at it.
Oh my god. This guy set up her phone connected to his own personal icloud account. All of his music was on there. All of his contacts were on there. All of his pictures were on there. Even nude pictures of multiple people that this lady said she definitely does not know. I tell her this is very very wrong and no one in their right mind should've set her phone up this way.
I automatically think to factory reset. I'm unfamiliar with iPhone, as the last time I used one was an iPhone4 many years ago. I was unaware that apple applies an authentication lock when the phone is reset.
The authentication is set up underneath yet ANOTHER email address that belongs to this guy, as this lady promised me she has no knowledge of any email address similar to the one listed, nor does she have access to it.
I tell her to call the guy and ask for her money back and to unlock her phone so that she can reset it herself.
He claims that he cannot accept refunds if a factory reset has been performed.
Uhm, I am calling SOOOOO much bullshit. There should be absolutely no reason why the owner of the phone cannot factory reset it. The owner should be able to do ANYTHING she wants with it, without being locked out of it because some creep at a repair store did NOT DO HIS JOB CORRECTLY AND HE KNOWS IT. Why else would he claim he can't refund if it's been reset, because he KNOWS she got locked out.
So long story short I talked on the phone with him and cussed him out telling him he was wrong for taking advantage of someone who doesn't know much about technology and that he was invading privacy and violating her security and that i would report him if he didn't fully refund her and unlock her phone.
He gave her all of her money back, unlocked the phone (which she is deciding to sell because she got so scared by this), and I'm still filing a complaint against this man and his store. Who knows how many more clueless people he did this too. Fucking scumbag.10 -
DO NOT let employers demoralize you into staying with the company.
I've been with this one company for about 2 years. Everything was great, despite being underpaid, and having a lot of responsibility (I was the only front-end developer maintaining 4 big eCommerce sites).
One day about 2 months ago, I got a better offer. Better pay, more freedom, and way less stress (Customers screaming in your ear vs. no customers at all).
I talked to my team lead since I wanted my company to have a fair chance to counteroffer - I was fairly comfortable after all, and I felt like it would be a nice gesture.
If my team lead had just said "No, sorry, we can't counter that offer", there's a big chance that I would have stayed with them anyway. Instead, I got a fairly uncomfortable and personal rant thrown back at me.
He basically said that I should be happy with my salary, that he didn't feel like I had much responsibility, and that "I wasn't the type of person companies would hire for that salary".
He ended by saying I might as well stay, as there was no going back if the new place didn't work out - basically trying to tempt me with job security.
I told him that I would think about it. The worst part is that I actually did, since his rant really made me feel somewhat worthless as a developer. Luckily I came to my senses, and sent my resignation the next day.
I talked to an old coworker today, and they are still unable to find a developer who wants to take the job. I see that as justice :)
tl;dr: If a company tries to make you stay by demoralizing you - Run.17 -
Imagine if a structural engineer whose bridge has collapsed and killed several people calls it a feature.
Imagine if that structural engineer made a mistake in the tensile strength of this or that type of bolt and shoved it under the rug as "won't fix".
Imagine that it's you who's relying on that bridge to commute every day. Would you use it, knowing that its QA might not have been very rigorous and could fail at any point in time?
Seriously, you developers have all kinds of fancy stuff like Continuous Integration, Agile development, pipelines, unit testing and some more buzzwords. So why is it that the bridges don't collapse, yet new critical security vulnerabilities caused by bad design, unfixed bugs etc appear every day?
Your actions have consequences. Maybe not for yourself but likely it will have on someone else who's relying on your software. And good QA instead of that whole stupid "move fast and break things" is imperative.
Software developers call themselves the same engineers as the structural engineer and the electrical engineer whose mistakes can kill people. I can't help but be utterly disappointed with the status quo in software development. Don't you carry the title of the engineer with pride? The pride that comes from the responsibility that your application creates?
I wish I'd taken the blue pill. I didn't want to know that software "engineering" was this bad, this insanity-inducing.
But more than anything, it surprises me that the world that relies so much on software hasn't collapsed in some incredible way yet, despite the quality of what's driving it.44 -
Security decided to update our PCs with endpoint protection. It's blocking all connections to and from localhost.
It's been a productive day.
Such enterprise. Much security.3 -
The amount of thinking and programming that goes into writing a secure backend is fucking high but I love it!
It helps to think like someone who'd want to hack a user or the application so you know most security measures you have to take :)9 -
"Hey nephew, why doesn't the FB app work. It shows blank white boxes?"
- It can't connect or something? (I stopped using the FB app since 2013.)
"What is this safe mode that appeared on my phone?!"
- I don't know. I don't hack my smartphone that much. Well, I actually do have a customised ROM. But stop! I'm pecking my keyboard most of the time.
"Which of my files should I delete?"
- Am I supposed to know?
"Where did my Microsoft Word Doc1.docx go?"
- It lets you choose the location before you hit save.
"What is 1MB?"
- Search these concepts on Google. (some of us did not have access to the Internet when we learned to do basic computer operations as curious kids.)
"What should I search?"
- ...
"My computer doesn't work.. My phone has a virus. Do you think this PC they are selling me has a good spec? Is this Video Card and RAM good?"
- I'm a programmer. I write code. I think algorithmically and solve programming problems efficiently. I analyse concepts such as abstraction, algorithms, data structures, encapsulation, resource management, security, software engineering, and web development. No, I will not fix your PC.7 -
I have been a mobile developer working with Android for about 6 years now. In that time, I have endured countless annoyances in the Android development space. I will endure them no more.
My complaints are:
1. Ridiculous build times. In what universe is it acceptable for us to wait 30 seconds for a build to complete. Yes, I've done all the optimisations mentioned on this page and then some. Don't even mention hot reload as it doesn't work fast enough or just does not work at all. Also, buying better hardware should not be a requirement to build a simple Android app, Xcode builds in 2 seconds with a 8GB Macbook Air. A Macbook Air!
2. IDE. Android Studio is a memory hog even if you throw 32GB of RAM at it. The visual editors are janky as hell. If you use Eclipse, you may as well just chop off your fingers right now because you will have no use for them after you try and build an app from afresh. I mean, just look at some of the posts in this subreddit where the common response is to invalidate caches and restart. That should only be used as a last resort, but it's thrown about like as if it solves everything. Truth be told, it's Gradle's fault. Gradle is so annoying I've dedicated the next point to it.
3. Gradle. I am convinced that Gradle causes 50% of an Android developer's pain. From the build times to the integration into various IDEs to its insane package management system. Why do I need to manually exclude dependencies from other dependencies, the build tool should just handle it for me. C'mon it's 2019. Gradle is so bad that it requires approx 54GB of RAM to work out that I have removed a dependency from the list of dependencies. Also I cannot work out what properties I need to put in what block.
4. API. Android API is over-bloated and hellish. How do I schedule a recurring notification? Oh use an AlarmManager. Yes you heard right, an AlarmManager... Not a NotificationManager because that would be too easy. Also has anyone ever tried running a long running task? Or done an asynchronous task? Or dealt with closing/opening a keyboard? Or handling clicks from a RecyclerView? Yes, I know Android Jetpack aims to solve these issues but over the years I have become so jaded by things that have meant to solve other broken things, that there isn't much hope for Jetpack in my mind 😤
5. API 2. A non-insignificant number of Android users are still on Jelly Bean or KitKat! That means we, as developers, have to support some of your shitty API decisions (Fragments, Activities, ListView) from all the way back then!
6. Not reactive enough. Android has support for Databinding recently but this kind of stuff should have been introduced from the very start. Look at React or Flutter as to how easy it is to make shit happen without any effort.
7. Layouts. What the actual hell is going on here. MDPI, XHDPI, XXHDPI, mipmap, drawable. Fuck it, just chuck it all in the drawable folder. Seriously, Android should handle this for me. If I am designing for a larger screen then it should be responsive. I don't want to deal with 50 different layouts spread over 6 different folders.
8. Permission system. Why was this not included from the very start? Rogue apps have abused this and abused your user's privacy and security. Yet you ban us and not them from the Play Store. What's going on? We need answers.
9. In Android, building an app took me 3 months and I had a lot of work left to do but I got so sick of Android dev I dropped it in favour of Flutter. I built the same app in Flutter and it took me around a month and I completed it all.
10. XML.
If you're a new dev, for the love of all that is good in this world, do NOT get into Android development. Start with Flutter or even iOS. On Flutter and build times are insanely fast and the hot reload is under 500ms constantly. It's a breath of fresh air and will save you a lot of headaches AND it builds for iOS flawlessly.
To the people who build Android, advocate it and work on it, sorry to swear, but fuck you! You have created a mess that we have to work with on a day-to-day basis only for us to get banned from the app store! You have sold us a lie that Android development is amazing with all the sweet treat names and conferences that look bubbly and fun. You have allowed to get it so bad that we can't target an API higher than 18 because some Android users are still using devices that support that!
End this misery. End our pain. End our suffering. Throw this abomination away like you do with some of your other projects and migrate your efforts over to Flutter. Please!
#NoToGoogleIO #AndroidSummitBoycott #FlutterDev #ReactNative16 -
So today my middle company put a meeting with the new HR.
Meeting subject: you can't poach inside the company.
Context: I resigned, and I'll be taking with me 3 profiles.
HR: If you do take them, we'll take you to court.
Me: Why?
HR: It's poaching and by contract, you can't.
Me: You can show which clause?
HR: That's not the problem.
Me: Also in France, you need to notify the employee as you are denying his right to get a job. And pay him for that.
HR: What? That's none sense! Stop talking and listen.
Me: Ok
HR: We'll sue you and crush you. You'll have so much legal problem that you...
Me: I'll just start recording on my phone, so you say that you accept it and continue your intimidation rant.
HR: What? No!! Stop that.
Me: *stop it* Would you rather have my lawyer with us? Because we'll need to reschedule the meeting.
HR: If you continue that way, we'll tarnish your name and no company will hire you.
Me: You really aren't familiar with IT, right? Because I could delete ALL production. No system work. The BCP will kick in. You will lose one or two days. Then make an article of it, showing what kind of process or security should have been implemented. And I will still get a high pay job!!
HR: You know what? Get out! If you want to go to war, your problem.
Me: Ok, so you'll be getting news from my lawyer by mail.
HR: what?
Me: Yeah, that harassment. And my lawyer will get in touch. And I might also post on LinkedIn. And talk about it in the next events I'm invited.
HR: that's, that's...
Me: freedom of speech. Don't worry I'll write it so it's only viewed as my opinion. Have a nice day.
Two hours later my friend, lawyer, send them a mail and email.
Three hours later the COO calls me. Saying that HR was out of line and that it'll no occur again. It was an error and I should be forgiving.
So now all discussion with HR must be held with my attorney :). And middle company pay for it.6 -
Watching the Dutch government trying to get through the public procurement process for a "corona app" is equal parts hilarious and terrifying.
7 large IT firms screaming that they're going to make the perfect app.
Presentations with happy guitar strumming advertisement videos about how everyone will feel healthy, picnicking on green sunny meadows with laughing families, if only their app is installed on every citizen's phone.
Luckily, also plenty of security and privacy experts completely body-bagging these firms.
"It will connect people to fight this disease together" -- "BUT HOW" -- "The magic of Bluetooth. And maybe... machine learning. Oh! And blockchain!" -- "BUT HOW" -- "Shut up give us money, we promise, our app is going to cure the planet"
You got salesmen, promising their app will be ready in 2 weeks, although they can't even show any screenshots yet.
You got politicians mispronouncing technical terminology, trying hard to look as informed as possible.
You got TV presenters polling population support for "The App" by interviewing the most digitally oblivious people.
One of the app development firms (using some blockchain-based crap) promised transparency about their source code for auditing.... so they committed their source, including a backup file from one of their other apps, containing 200 emails/passwords to Github.
It's kind of entertaining... in the same way as a surgery documentary about the removal of glass shards from a sexually adventurous guy's butthole.
Imma keep watching out of morbid fascination.... from a very safe distance, far away from the blood and shit that's splattering against the walls.
And my phone -- keep your filthy infected bytes away from my sweet baby.
I'll stick with social distancing, regular hand washing, working from home and limited supermarket trips, thank you very much.26 -
So I've been looking for a Linux sysadmin job for a while now. I get a lot of rejections daily and I don't mind that because they can give me feedback as for what I am doing wrong. But do you know what really FUCKING grinds my FUCKING gears?
BEING REJECTED BASED ON LEVEL OF EDUCATION/NOT HAVING CERTIFICATIONS FOR CERTAIN STUFF. Yes, I get that you can't blindly hire anyone and that you have to filter people out but at least LOOK AT THEIR FUCKING SKILLSET.
I did MBO level (the highest sub level though) as study which is considered to be the lowest education level in my country. lowest education level meaning that it's mostly focused on learning through doing things rather than just learning theory.
Why the actual FUCK is that, for some fucking reason, supposed to be a 'lower level' than HBO or Uni? (low to high in my country: MBO, HBO, Uni). Just because I learn better by doing shit instead of solely focusing on the theory and not doing much else does NOT FUCKING MEAN THAT I AM DUMBER OR LESS EDUCATED ON A SUBJECT.
So in the last couple of months, I've literally had rejections with reasons like
- 'Sorry but we require HBO level as people with this level can analyze stuff better in general which is required for this job.'. - Well then go fuck yourself. Just because I have a lower level of education doesn't FUCKING mean that I can't analyze shit at a 'lower level' than people who've done HBO.
- 'You don't seem to have a certificate for linux server management so it's a no go, sorry!' - Kindly go FUCK yourself. Give me a couple of barebones Debian servers and let me install a whole setup including load balancers, proxies if fucking neccesary, firewalls, web servers, FUCKING Samba servers, YOU FUCKING NAME IT. YES, I CAN DO THAT BUT SOLELY BECAUSE I DON'T HAVE THAT FUCKING CERTIFICATE APPEARANTLY MEANS THAT I AM TOO INCOMPETENT TO DO THAT?! Yes. I get that you have to filter shit but GUESS WHAT. IT'S RIGHT THERE IN MY FUCKING RESUME.
- 'Sorry but due to this role being related to cyber security, we can't hire anyone lower than HBO.' - OH SO YOUR LEVEL OF EDUCATION DEFINES HOW GOOD YOU ARE/CAN BE AT CYBER SECURITY RELATED STUFF? ARE YOU MOTHERFUCKING RETARDED? I HAVE BEEN DOING SHIT RELATED TO CYBER SECURITY SINCE I WAS 14-15 FUCKiNG YEARS OLD. I AM FAMILIAR WITH LOADS OF TOOLS/HACKING TECHNIQUES/PENTESTING/DEFENSIVE/OFFENSIVE SECURITY AND SO ON AND YOU ARE TELLING ME THAT I NEED A HIGHER LEVEL OF FUCKING EDUCATION?!?!? GO FUCKING FUCK YOURSELF.
And I can go on like this for a while. I wish some companies I come across would actually look at skills instead of (only) study levels and certifications. Those other companies can go FUCK THEMSELVES.39 -
Alright, it's not perfect yet, only one post exists and the anonymous analytics are hardly working. Next to that I'm tired as fuck and need to go to bed so fuck it, here we go:
https://much-security.nl
There's not much yet, just one tiny post :)
I have no clue if it will work or crash but I think it'll handle well enough 😅
If you'd find any security issues, please don't exploit them, just report them and I'll take a look asap!
Thanks!44 -
*knock knock*
SIR do you have a moment to talk about our lord and savior the WINDOWS UPDATE?
"uhm no sorry I'm busy"
*sees a bulldozer in the background*
"what the .."
SIR just let him in your heart and feel his security patches drive your vulnerabilities away!!
"but the rendering hasn't finished ye.."
TOO LATE SIR, green light fellas let's do this
*bulldozer destroys my house and i wake up, sweating*
*hugs laptop*
"Oooh Ubuntu my baby I've missed you soo much!"
*wayland crashes*2 -
*signs up for Skillshare*
> Sorry, your password is longer than our database's glory hole can handle.
> Please shorten your password cumload to only 64 characters at most, otherwise our database will be unhappy.
Motherf-...
Well, I've got a separate email address from my domain and a unique password for them. So shortening it and risking getting that account stolen by plaintext shit won't really matter, especially since I'm not adding payment details or anything.
*continues through the sign-up process for premium courses, with "no attachments, cancel anytime"*
> You need to provide a credit card to continue with our "free" premium trial.
Yeah fuck you too. I don't even have a credit card. It's quite uncommon in Europe, you know? We don't have magstripe shit that can go below 0 on ya.. well the former we still do but only for compatibility reasons. We mainly use chip technology (which leverages asymmetric cryptography, awesome!) that usually can't go much below 0 here nowadays. Debit cards, not credit cards.
Well, guess it's time to delete that account as well. So much for acquiring fucking knowledge from "experts". Guess I'll have to stick to reading wikis and doing my ducking-fu to select reliable sources, test them and acquire skills of my own. That's how I've done it for years, and that's how it's been working pretty fucking well for me. Unlike this deceptive security clusterfuck!14 -
It's quite awesome how some people can make you realize how much you actually know about some stuff and how skilled you are on a certain subject.
Shoutout to @404response for making me realize that i actually know quite some stuff about security/privacy and also a shoutout to @devisionbyzero for making me realize that I'm actually quite good with linux/linux servers :).
Thanks guys!13 -
!(short rant)
Look I understand online privacy is a concern and we should really be very much aware about what data we are giving to whom. But when does it turn from being aware to just being paranoid and a maniac about it.? I mean okay, I know facebook has access to your data including your whatsapp chat (presumably), google listens to your conversations and snoops on your mail and shit, amazon advertises that you must have their spy system (read alexa) install in your homes and numerous other cases. But in the end it really boils down to "everyone wants your data but who do you trust your data with?"
For me, facebook and the so-called social media sites are a strict no-no but I use whatsapp as my primary chating application. I like to use google for my searches because yaa it gives me more accurate search results as compared to ddg because it has my search history. I use gmail as my primary as well as work email because it is convinient and an adv here and there doesnt bother me. Their spam filters, the easy accessibility options, the storage they offer everything is much more convinient for me. I use linux for my work related stuff (obviously) but I play my games on windows. Alexa and such type of products are again a big no-no for me but I regularly shop from amazon and unless I am searching for some weird ass shit (which if you want to, do it in some incognito mode) I am fine with coming across some advs about things I searched for. Sometimes it reminds me of things I need to buy which I might have put off and later on forgot. I have an amazon prime account because prime video has some good shows in there. My primary web browser is chrome because I simply love its developer tools and I now have gotten used to it. So unless chrome is very much hogging on my ram, in which case I switch over to firefox for some of my tabs, I am okay with using chrome. I have a motorola phone with stock android which means all google apps pre-installed. I use hangouts, google keep, google map(cannot live without it now), heck even google photos, but I also deny certain accesses to apps which I find fishy like if you are a game, you should not have access to my gps. I live in India where we have aadhar cards(like the social securtiy number in the USA) where the government has our fingerprints and all our data because every damn thing now needs to be linked with your aadhar otherwise your service will be terminated. Like your mobile number, your investment policies, your income tax, heck even your marraige certificates need to be linked with your aadhar card. Here, I dont have any option but to give in because somehow "its in the interest of the nation". Not surprisingly, this thing recently came to light where you can get your hands on anyone's aadhar details including their fingerprints for just ₹50($1). Fuck that shit.
tl;dr
There are and should be always exceptions when it comes to privacy because when you give the other person your data, it sometimes makes your life much easier. On the other hand, people/services asking for your data with the sole purpose of infilterating into your private life and not providing any usefulness should just be boycotted. It all boils down to till what extent you wish to share your data(ranging from literally installing a spying device in your house to them knowing that I want to understand how spring security works) and how much do you trust the service with your data. Example being, I just shared most of my private data in this rant with a group of unknown people and I am okay with it, because I know I can trust dev rant with my posts(unlike facebook).29 -
I wonder why banks are always so terribly insecure, given how much money there's for grabs in there for hackers.
Just a while ago I got a new prepaid credit card from bpost, our local postal service that for some reason also does banking. The reason for that being that - thank you 'Murica! - a lot of websites out there don't accept anything but credit cards and PayPal. Because who in their right mind wouldn't use credit cards, right?! As it turns out, it's pretty much every European I've spoken to so far.
That aside, I got that card, all fine and dandy, it's part of the Mastercard network so at least I can get my purchases from those shitty American sites that don't accept anything else now. Looked into the manual of it because bpost's FAQ isn't very clear about what my login data for their online customer area now actually is. Not that their instruction manual was either.
I noticed in that manual that apparently the PIN code can't be changed (for "security reasons", totally not the alternative that probably they didn't want to implement it), and that requesting a forgotten PIN code can be done with as little as calling them up, and they'll then send the password - not a reset form, the password itself! IN THE FUCKING MAIL.
Because that's apparently how financial institutions manage their passwords. The fact that they know your password means that they're storing it in plain text, probably in a database with all the card numbers and CVC's next to it. Wouldn't that be a treasure trove for cybercriminals, I wonder? But YOU the customer can't change your password, because obviously YOU wouldn't be able to maintain a secure password, yet THEY are obviously the ones with all the security and should be the ones to take out of YOUR hands the responsibility to maintain YOUR OWN password.
Banking logic. I fucking love it.
As for their database.. I reckon that that's probably written in COBOL too. Because why wouldn't you.23 -
Sooooo me and the lead dev got placed in the wrong job classification at work.
Without sounding too mean, we are placed under the same descriptor and pay scale reserved for secretaries, janitors and the people that do maintenance at work(we work for a college as developers) whilst our cowormer who manages the cms got the correct classification.
The manager went apeshit because the guidelines state that:
Making software products
Administration of dbs
Server maintenance and troubleshooting
Security (network)
And a lot of shit is covered on the exemption list and it is things that we do by a wide fucking margin. The classification would technically prohibit us from developing software and the whole it dptmnt went apeshit over it since he(lead developer) refuses (rightfully so) to touch anything and do basically nothing other than generate reports.
Its a fun situation. While we both got a substantial raise in salary(go figure) we also got demoted at the same time.
There is a department in IT which deals with the databases for other major applications, their title is "programmers" yet for some reason me and the lead end up writing all the sql code that they ever need. They make waaaaay more money than me and the lead do, even in the correct classification.
Resolution: manager is working with the head of the department to correct this blasphemy WHILE asking for a higher pay than even the "programmers"
I love this woman. She has balls man. When the president of the school paraded around the office asking for an update on a high priority app she said that I am being gracious enough to work on it even though i am not supposed to. The fucking prick asked if i could speed it up to where she said that most of my work I do it on my off time, which by law is now something that I cannot do for the school and that she does not expect any of her devs to do jack shit unless shit gets fixed quick. With the correct pay.
Naturally, the president did not like such predicament and thus urged the HR department(which is globally hated now since they fucked up everyone's classification) to fix it.
Dunno if I will get above the pay that she requested. But seeing that royal ammount of LADY BALLS really means something to me. Which is why i would not trade that woman for a job at any of my dream workplaces.
Meanwhile, the level of stress placed my 12 years of service diabetic lead dev at the hospital. Fuck the hr department for real, fuck the vps of the school that fucked this up royally and fuck people in this city in general. I really care for my team, and the lead dev is one of my best friends and a good developer, this shit will not fucking go unnoticed and the HR department is now in low priority level for the software that we build for them
Still. I am amazed to have a manager that actually looks out for us instead of putting a nice face for the pricks that screwed us over.
I have been working since I was 16, went through the Army, am 27 now and it is the first time that I have seen such manager.
She can't read this, but she knows how much I appreciate her.3 -
Designer: Need to file a bug, I'm not getting an option to login with FaceID
Me: Oh weird bug. Is it setup on the phone you are testing with?
Designer: yes, use it in all other apps
Me: Did you get an error during onboarding on the FaceID screen?
Designer: nope no error
Me: ..... hhhmm, can you show me your settings?
Me: ... eh, says you have FaceID disabled for this app ... did you click "No" to FaceID during onboarding?
Designer: Yes, to test edge cases
Me: ................ ok ........ if you setup the app and told it to not allow FaceID to login ......... you won't get the ability to use FaceID to login .......... like .... by design .... on purpose ...... cause .... you told it to do that
Designer: No no, it needs to have a setting on the login screen to allow me to turn that back on incase I forget my passcode
Me: the fuck it does. Yeah we can't have anything on the login page that says, without authorization, change my settings
*Deep breath*
Me: Remember we had this conversation previously, where you didn't want the user to create a passcode during onboarding as it was too much friction, and wanted to do FaceID only. With your backup plan being to allow the user to create a NEW passcode on the login screen if FaceID failed .... remember that discussion we had about security? ... and how its important? ... and that we like having any? Ok so its the same reason as that, just with a different setting this time
Designer: ... hhmm i'm not sure I like this
Me: ... tough luck then, not happening
Me: oh and btw, remember we had that other talk about reproduction steps for bugs? Like when the app crashed and you told me it was because its in light mode, and nothing else at all? So disabling FaceID, is very relevant info to the problem of "I can't login with FaceID", please tell me these things first11 -
My boss is still forcing us to support IE11. Recently, we started having even more bugs with one of our vendors on IE. We filed bug reports with the vendor to fix it, and they came back with "no. Why would we fix anything for IE11? Not even Microsoft is fixing anything for IE11." Boss's answer: well, let's make a separate component for IE11. Probably using flash and/or silverlight. We asked about redirecting IE traffic to Edge, he said that's "the nuclear option." So, doing the thing that Microsoft suggests, that involves not much work at all is "the nuclear option"; ignoring industry standards and recommendations, introducing well known security vulnerabilities, losing money, and trying to circumvent the vendor that serves out our major product, however, is totally reasonable. Our IE traffic is less than 3% of our users at this point.24
-
So this chick has been super nice to me for the past few months, and has been trying to push me towards a role in security. She said nothing but wonderful things about it. It’s easy, it’s not much work, it’s relaxing, etc.
I eventually decided I’m burned out enough that something, anything different would be good, and went for it. I’m now officially doing both dev and security. The day I started, she announced that she was leaving the security team and wouldn’t join any other calls. Just flat-out left.
She trained me on doing a security review of this release, which basically amounted to a zoom call where I did all of the work and she directed me on what to do next, ignored everything I said, and treated me like an idiot. It’s apparently an easy release. The work itself? Not difficult, but it’s very involved, very time consuming, and requires a lot of paper trail — copying the same crap to three different places, tagging lots of people, copying their responses and pasting them elsewhere, filing tickets, linking tickets, copying info back and forth to slack, signing off on things, tagging tickets in a specific way, writing up security notes in a very specific format etc. etc. etc. It’s apparently usually very hectic with lots of last-minute changes, devs who simply ignore security requests, etc.
I asked her at the end for a quick writeup because I’m not going to remember everything and we didn’t cover everything that might happen.
Her response: Just remember what you did here, and do it again!
I asked again for her to write up some notes. She said “I would recommend.. you watch the new release’s channel starting Thursday, and then review what we did here, and just do all that again. Oh, and if you have any questions, talk to <security boss> so you get in the habit of asking him instead of me. Okay, bye!”
Fucking what.
No handoff doc?
Not willing to answer questions after a day and a half of training?
A recap
• She was friendly.
• She pushed me towards security.
• She said the security role was easy and laid-back.
• I eventually accepted.
• She quit the same day.
• The “easy release” took a day and a half of work with her watching, and it has a two-day deadline.
• She treated (and still treats) me like a burden and ignores everything I said or asked.
• The work is anything but laid-back.
• She refuses to spend any extra time on this or write up any notes.
• She refuses to answer any further questions because (quote) “I should get in the habit of asking <security boss> instead of her”
So she smiled, lied, and stabbed me in the back. Now she’s treating me like an annoyance she just wants to go away.
I get that she’s burned out from this, but still, what a fucking bitch. I almost can’t believe she’s acting this way, but I’ve grown to expect it from everyone.
But hey, at least I’m doing something different now, which is what I wanted. The speed at which she showed her true colors, though, holy shit.
“I’m more of a personal motivator than anything,” she says, “and I’m first and foremost a supporter of women developers!” Exactly wrong, every single word of it.
God I hate people like this.20 -
Just looked at the anonymous analytics I collect on the security/privacy blog.
No SQL Injection attacks yet (would be useless anyways as I don't use MySQL/MariaDB for the databasing.
Directory Traversal attacks. Really? 🤣
Nice try, guys.39 -
!security
(Less a rant; more just annoyance)
The codebase at work has a public-facing admin login page. It isn't linked anywhere, so you must know the url to log in. It doesn't rate-limit you, or prevent attempts after `n` failures.
The passwords aren't stored in cleartext, thankfully. But reality isn't too much better: they're salted with an arbitrary string and MD5'd. The salt is pretty easy to guess. It's literally the company name + "Admin" 🙄
Admin passwords are also stored (hashed) in the seeds.rb file; fortunately on a private repo. (Depressingly, the database creds are stored in plain text in their own config file, but that's another project for another day.)
I'm going to rip out all of the authentication cruft and replace it with a proper bcrypt approach, temporary lockouts, rate limiting, and maybe with some clientside hashing, too, for added transport security.
But it's friday, so I must unfortunately wait. :<13 -
Although it might not get much follow up stuffs (probably a few fines but that will be about it), I still find this awesome.
The part of the Dutch government which keeps an eye on data leaks, how companies handle personal data, if companies comply with data protection/privacy laws etc (referring to it as AP from now on) finished their investigation into Windows 10. They started it because of privacy concerns from a few people about the data collection Microsoft does through Windows 10.
It's funny that whenever operating systems are brought up (or privacy/security) and we get to why I don't 'just' use windows 10 (that's actually something I'm asked sometimes), when I tell that it's for a big part due to privacy reasons, people always go into 'it's not that bad', 'oh well as long as it's lawful', 'but it isn't illegal, right!'.
Well, that changed today (for the netherlands).
AP has concluded that Windows 10 is not complying with the dutch privacy and personal data protection law.
I'm going to quote this one (trying my best to translate):
"It appears that Microsofts operating system follows every step you take on your computer. That gives a very invasive image of you", "What does that mean? do people know that, do they want that? Microsoft should give people a fair chance for deciding this by themselves".
They also say that unless explicit lawful consent is given (with enough information on what is collected, for what reasons and what it can be used for), Microsoft is, according to law, not allowed to collect their telemetrics through windows 10.
"But you can turn it off yourself!" - True, but as the paragraph above said, the dutch law requires that people are given more than enough information to decide what happens to their data, and, collection is now allowed until explicitly/lawfully ok'd where the person consenting has had enough information in order to make a well educated decision.
I'm really happy about this!
Source (dutch, sorry, only found it on a dutch (well respected) security site): https://security.nl/posting/534981/...8 -
Mother of god, choosing a topic for today's security/privacy blog post is hard!
I have too much choice 😅23 -
Someone asked for an RSS feed for the security/privacy blog, I thought?
Well, hereby! There are three feeds:
https://much-security.nl/main.xml - a feed which is updated with both blog posts and external links relating to privacy/security I find interesting/useful.
https://much-security.nl/own.xml - a feed only containing the blogs posts themselves. For people who are only interested in that part.
https://much-security.nl/external.x... - a feed only containing external links. For people who'd like to stay updated on recent cyber security/privacy thingies.
Tracking: every time a feed is visited, a redis value for that feed get's incremented. No time, ip addresses, user agent or whatsoever is saved. Just one variable getting increased once.
New domain name will also be revealed soon (probs tomorrow, going to bed soon as I've just been sick) :D.
Oh and just a warning, the main/external feed are the only ones populated with exactly one item right now :P30 -
Working on a funny/new api/service (will be a public one) and I'm only now realizing how important good security is but especially:
The amount of time that goes into securing an api/application is too goddamn high, I'm spending about 90 percent of my time on writing security checks 😅
Very much fun but the damn.31 -
Long story short, I'm unofficially the hacker at our office... Story time!
So I was hired three months ago to work for my current company, and after the three weeks of training I got assigned a project with an architect (who only works on the project very occasionally). I was tasked with revamping and implementing new features for an existing API, some of the code dated back to 2013. (important, keep this in mind)
So at one point I was testing the existing endpoints, because part of the project was automating tests using postman, and I saw something sketchy. So very sketchy. The method I was looking at took a POJO as an argument, extracted the ID of the user from it, looked the user up, and then updated the info of the looked up user with the POJO. So I tried sending a JSON with the info of my user, but the ID of another user. And voila, I overwrote his data.
Once I reported this (which took a while to be taken seriously because I was so new) I found out that this might be useful for sysadmins to have, so it wasn't completely horrible. However, the endpoint required no Auth to use. An anonymous curl request could overwrite any users data.
As this mess unfolded and we notified the higher ups, another architect jumped in to fix the mess and we found that you could also fetch the data of any user by knowing his ID, and overwrite his credit/debit cards. And well, the ID of the users were alphanumerical strings, which I thought would make it harder to abuse, but then realized all the IDs were sequentially generated... Again, these endpoints required no authentication.
So anyways. Panic ensued, systems people at HQ had to work that weekend, two hot fixes had to be delivered, and now they think I'm a hacker... I did go on to discover some other vulnerabilities, but nothing major.
It still amsues me they think I'm a hacker 😂😂 when I know about as much about hacking as the next guy at the office, but anyways, makes for a good story and I laugh every time I hear them call me a hacker. The whole thing was pretty amusing, they supposedly have security audits and QA, but for five years, these massive security holes went undetected... And our client is a massive company in my country... So, let's hope no one found it before I did.6 -
It's enough. I have to quit my job.
December last year I've started working for a company doing finance. Since it was a serious-sounding field, I tought I'd be better off than with my previous employer. Which was kinda the family-agency where you can do pretty much anything you want without any real concequences, nor structures. I liked it, but the professionalism was missing.
Turns out, they do operate more professionally, but the intern mood and commitment is awful. They all pretty much bash on eachother. And the root cause of this and why it will stay like this is simply the Project Lead.
The plan was that I was positioned as glue between Design/UX and Backend to then make the best Frontend for the situation. Since that is somewhat new and has the most potential to get better. Beside, this is what the customer sees everyday.
After just two months, an retrospective and a hell lot of communication with co-workers, I've decided that there is no other way other than to leave.
I had a weekly productivity of 60h+ (work and private, sometimes up to 80h). I had no problems with that, I was happy to work, but since working in this company, my weekly productivity dropped to 25~30h. Not only can I not work for a whole proper work-week, this time still includes private projects. So in hindsight, I efficiently work less than 20h for my actual job.
The Product lead just wants feature on top of feature, our customers don't want to pay concepts, but also won't give us exact specifications on what they want.
Refactoring is forbidden since we get to many issues/bugs on a daily basis so we won't get time.
An re-design is forbidden because that would mean that all Screens have to be re-designed.
The product should be responsive, but none of the components feel finished on Desktop - don't talk about mobile, it doesn't exist.
The Designer next to me has to make 200+ Screens for Desktop and Mobile JUST so we can change the primary colors for an potential new customer, nothing more. Remember that we don't have responsiveness? Guess what, that should be purposely included on the Designs (and it looks awful).
I may hate PHP, but I can still work with it. But not here, this is worse then any ecommerce. I have to fix legacy backend code that has no test coverage. But I haven't touched php for 4 years, letalone wrote sql (I hate it). There should be no reason whatsoever to let me do this kind of work, as FRONTEND ARCHITECT.
After an (short) analysis of the Frontend, I conclude that it is required to be rewritten to 90%. There have been no performance checks for the Client/UI, therefor not only the components behave badly, but the whole system is slow as FUCK! Back in my days I wrote jQuery, but even that shit was faster than the architecuture of this React Multi-instance app. Nothing is shared, most of the AppState correlate to other instances.
The Backend. Oh boy. Not only do we use an shitty outated open-source project with tons of XSS possibillities as base, no we clone that shit and COPY OUR SOURCES ON TOP. But since these people also don't want to write SQL, they tought using Symfony as base on top of the base would be an good idea.
Generally speaking (and done right), this is true. but not then there will be no time and not properly checked. As I said I'm working on Legacy code. And the more I look into it, the more Bugs I find. Nothing too bad, but it's still a bad sign why the webservices are buggy in general. And therefor, the buggyness has to travel into the frontend.
And now the last goodies:
- Composer itself is commited to the repo (the fucking .phar!)
- Deployments never work and every release is done manually
- We commit an "_TRASH" folder
- There is an secret ongoing refactoring in the root of the Project called "_REFACTORING" (right, no branches)
- I cannot test locally, nor have just the Frontend locally connected to the Staging webservices
- I am required to upload my sources I write to an in-house server that get's shared with the other coworkers
- This is the only Linux server here and all of the permissions are fucked up
- We don't have versions, nor builds, we use the current Date as build number, but nothing simple to read, nonono. It's has to be an german Date, with only numbers and has always to end with "00"
- They take security "super serious" but disable the abillity to unlock your device with your fingerprint sensor ON PURPOSE
My brain hurts, maybe I'll post more on this shit fucking cuntfuck company. Sorry to be rude, but this triggers me sooo much!2 -
ARGH. I wrote a long rant containing a bunch of gems from the codebase at @work, and lost it.
I'll summarize the few I remember.
First, the cliche:
if (x == true) { return true; } else { return false; };
Seriously written (more than once) by the "legendary" devs themselves.
Then, lots of typos in constants (and methods, and comments, and ...) like:
SMD_AGENT_SHCEDULE_XYZ = '5-year-old-typo'
and gems like:
def hot_garbage
magic = [nil, '']
magic = [0, nil] if something_something
success = other_method_that_returns_nothing(magic)
if success == true
return true # signal success
end
end
^ That one is from our glorious self-proclaimed leader / "engineering director" / the junior dev thundercunt on a power trip. Good stuff.
Next up are a few of my personal favorites:
Report.run_every 4.hours # Every 6 hours
Daemon.run_at_hour 6 # Daily at 8am
LANG_ENGLISH = :en
LANG_SPANISH = :sp # because fuck standards, right?
And for design decisions...
The code was supposed to support multiple currencies, but just disregards them and sets a hardcoded 'usd' instead -- and the system stores that string on literally hundreds of millions of records, often multiple times too (e.g. for payment, display fees, etc). and! AND! IT'S ALWAYS A FUCKING VARCHAR(255)! So a single payment record uses 768 bytes to store 'usd' 'usd' 'usd'
I'd mention the design decisions that led to the 35 second minimum pay API response time (often 55 sec), but i don't remember the details well enough.
Also:
The senior devs can get pretty much anything through code review. So can the dev accountants. and ... well, pretty much everyone else. Seriously, i have absolutely no idea how all of this shit managed to get published.
But speaking of code reviews: Some security holes are allowed through because (and i quote) "they already exist elsewhere in the codebase." You can't make this up.
Oh, and another!
In a feature that merges two user objects and all their data, there's a method to generate a unique ID. It concatenates 12 random numbers (one at a time, ofc) then checks the database to see if that id already exists. It tries this 20 times, and uses the first unique one... or falls through and uses its last attempt. This ofc leads to collisions, and those collisions are messy and require a db rollback to fix. gg. This was written by the "legendary" dev himself, replete with his signature single-letter variable names. I brought it up and he laughed it off, saying the collisions have been rare enough it doesn't really matter so he won't fix it.
Yep, it's garbage all the way down.16 -
Came across: https://krypt.co sounds interesting, because its like an additional 2fa for your ssh key, is locally encrypted, open source, well documented and transparent:
https://krypt.co/docs/security/...
Why is it not much talked about? sounds great so far, but maybe somebody can find the tick? or is using it himself?30 -
I've got a confession to make.
A while ago I refurbished this old laptop for someone, and ended up installing Bodhi on it. While I was installing it however, I did have some wicked thoughts..
What if I could ensure that the system remains up-to-date by running an updater script in a daily cron job? That may cause the system to go unstable, but at least it'd be up-to-date. Windows Update for Linux.
What if I could ensure that the system remains protected from malware by periodically logging into it and checking up, and siphoning out potential malware code? The network proximity that's required for direct communication could be achieved by offering them free access to one of my VPN servers, in the name of security or something like that. Permanent remote access, in the name of security. I'm not sure if Windows has this.
What if I could ensure that the system remains in good integrity by disabling the user from accessing root privileges, and having them ask me when they want to install a piece of software? That'd make the system quite secure, with the only penetration surface now being kernel exploits. But it'd significantly limit what my target user could do with their own machine.
At the end I ended up discarding all of these thoughts, because it'd be too much work to implement and maintain, and it'd be really non-ethical. I felt filthy from even thinking about these things. But the advantages of something like this - especially automated updates, which are a real issue on my servers where I tend to forget to apply them within a couple of weeks - can't just be disregarded. Perhaps Microsoft is on to something?11 -
Thank you Arch Linux community for saying that caring about security (i.e. expressing concerns about NSA's Speck being included as a module in Arch's distribution kernel) means that you're a tinfoil hat. Much trust, very wow! Nothing to hide, nothing to fear.. right?16
-
Merry Christmas devRanters! Because it's Christmas and I'm pretty much home alone all day I want to do two blog posts today/tomorrow.
Going to do a security one which will be about CSF.
Any ideas on what I could do for a privacy one? (the Firefox add-on thing will come along but not yet)
I'd love to hear ideas!9 -
I really have this fucking love/hate relationship with application security.
For a lot of stuff that I write, user input has to be validated, authentication is required and so on and I do love looking into that, pentesting my own applications to death and thinking about the security architecture of the application itself.
But, sometimes, I just want to focus on the fucking features and then it annoys the living hell out of me that securing an application can take so much time and brain power.
Yay and grrrr, I guess.8 -
Some 'wk306' highlights from different people:
Walk around the office in his underwear, because he forgot he left his trousers in the bathroom
Run a red light outside the office due to not wearing his required glasses. When questioned by co-workers, replied "I don't follow those facist rules"
Asking if we work less will we get paid more, because the project will take longer to do (while in a startup with no funding trying to secure some)
Tell a senior dev to stop testing in his spare time, as we won't be able to release on time if he keeps finding critical security bugs
Telling me "your timezone is not my concern", when asking for help with new tooling so we don't have to be online at the same time
Blaming my team for requesting too much help, leading to his team missing deadlines, in a meeting with very senior managers. When the reason we were requesting help was the handover doc we were given was filled with lies about features being finished and "ready to ship" and lacking any unit tests
Being accused of bullying and harassment to the CEO, because someone asked "did you follow up with X about the partnership they emailed us about". The person who was responsible, forgot 4 times, and saw it as an "attack" to mention it in team meetings
Telling an entire office/building mid November they've secured funding for at least the next year, then announcing in January after the Christmas break that its cheaper to move to India, so they are closing the office in 30 days2 -
Finally finished the blog post and (nearly) the last bugs (few remaining, still gotta think about how to solve them) are fixed.
The new blog post is online! I've taken a look at the Telegram messaging app and basically burned it into the ground. (Provided sources as well)
Next to that, a new domain name! As this blog is about online security AND privacy, I decided to change the domain name. The new one:
https://much-security-such-privacy.info/...
Dark theme can be enabled but will only work on one domain, you have to enable it on the other one as well to get a dark theme there. It stores the value in a cookie so it will remain when you reload the page and don't remove the cookies.
The RSS feed generator has a bug right now which makes that the page doesn't get updated, will work on that one tomorrow.
Thanks!
Last but not least, you can email me suggestions and so on at linuxxx@much-security.nl :)34 -
Translation: “The Password is to long. Please choose a Password that is not longer than 12 Characters.”
Oh, and the Password can only contain Letters and numbers 🙃14 -
Paranoid Developers - It's a long one
Backstory: I was a freelance web developer when I managed to land a place on a cyber security program with who I consider to be the world leaders in the field (details deliberately withheld; who's paranoid now?). Other than the basic security practices of web dev, my experience with Cyber was limited to the OU introduction course, so I was wholly unprepared for the level of, occasionally hysterical, paranoia that my fellow cohort seemed to perpetually live in. The following is a collection of stories from several of these people, because if I only wrote about one they would accuse me of providing too much data allowing an attacker to aggregate and steal their identity. They do use devrant so if you're reading this, know that I love you and that something is wrong with you.
That time when...
He wrote a social media network with end-to-end encryption before it was cool.
He wrote custom 64kb encryption for his academic HDD.
He removed the 3 HDD from his desktop and stored them in a safe, whenever he left the house.
He set up a pfsense virtualbox with a firewall policy to block the port the student monitoring software used (effectively rendering it useless and definitely in breach of the IT policy).
He used only hashes of passwords as passwords (which isn't actually good).
He kept a drill on the desk ready to destroy his HDD at a moments notice.
He started developing a device to drill through his HDD when he pushed a button. May or may not have finished it.
He set up a new email account for each individual online service.
He hosted a website from his own home server so he didn't have to host the files elsewhere (which is just awful for home network security).
He unplugged the home router and began scanning his devices and manually searching through the process list when his music stopped playing on the laptop several times (turns out he had a wobbly spacebar and the shaking washing machine provided enough jittering for a button press).
He brought his own privacy screen to work (remember, this is a security place, with like background checks and all sorts).
He gave his C programming coursework (a simple messaging program) 2048 bit encryption, which was not required.
He wrote a custom encryption for his other C programming coursework as well as writing out the enigma encryption because there was no library, again not required.
He bought a burner phone to visit the capital city.
He bought a burner phone whenever he left his hometown come to think of it.
He bought a smartphone online, wiped it and installed new firmware (it was Chinese; I'm not saying anything about the Chinese, you're the one thinking it).
He bought a smartphone and installed Kali Linux NetHunter so he could test WiFi networks he connected to before using them on his personal device.
(You might be noticing it's all he's. Maybe it is, maybe it isn't).
He ate a sim card.
He brought a balaclava to pentesting training (it was pretty meme).
He printed out his source code as a manual read-only method.
He made a rule on his academic email to block incoming mail from the academic body (to be fair this is a good spam policy).
He withdraws money from a different cashpoint everytime to avoid patterns in his behaviour (the irony).
He reported someone for hacking the centre's network when they built their own website for practice using XAMMP.
I'm going to stop there. I could tell you so many more stories about these guys, some about them being paranoid and some about the stupid antics Cyber Security and Information Assurance students get up to. Well done for making it this far. Hope you enjoyed it.26 -
--- iOS-Jailbreak-AppStore "Cydia" shuts down ---
This Friday, Jay Freeman, the maintainer of the iOS-Jailbreak-AppStore "Cydia", announced that he will shut-down his services.
"Cydia" is a app store for people that jailbreaked their iPhones and allows them to buy and download apps. Apple's AppStore doesn't allow jailbreaked apps, that's the reason it was created in 2009.
Jay Freeman, also known as "Saurik", explained that he wanted to shut down the service at the end of 2018 anyways.
Now, a recent security issue, threatening the data of all users, caused that the store no longer existed with immediate effect.
In addition to the security issue, "Cydia" was said to be no more profitable.
To calm you breakers down: Previous purchases can still be downloaded!
The software itself will continue to exist, but without a back-end for payments and stuff like that. Users are still able to do payments through third-party repositories, which already happened anyway, so that lowers the impact of the shut-down.
Just like "Cydia", other services are shutting down too.
One of the three big Cydia-repositories, ModMyi, said they wont allow any new apps and archived all existing ones.
ZodTTD and MacCiti will also be discontinued.
"Bigboss" is the only repository remaining.
Jailbreaks just lost their popularity over the last years. There's still no jailbreak for iOS 11! This shows that Apple is getting better and better at preventing jailbreaks.
On the other hand, it shows that the need for jailbreaks is not quite as high anymore and therefore the developers don't spend too much energy for breaking up iOS anymore.
Did you use Cydia, or any of the other services? Write us in the comments!
Thanks for reading!12 -
The day I discovered Schrödinger's lesser known paradox of simultaneously being fired and not fired.
This isn't really much of a dev story, but I figured I'd share it anyway.
About two minutes into signing into all my stuff, I suddenly was kicked out of everything. I tried logging in a few more times, and then suddenly started getting the error, "Your account has been disabled for security reasons." I couldn't sign into chat, and co-workers confirmed that I was missing from the company directory. My manager didn't come in for another two hours, and we couldn't get anyone else to answer what the hell was going on. So I was kinda panicking.
Eventually, we found out from one of our coordinators that someone else with the same name as me was leaving the company, and they had deactivated the wrong person.
It ended up getting a lot better. They told me that it could take up to 48 hours to restore my access (it took longer), so I found stuff to do so I could maintain my paycheck. One of those things was assisting someone with data collection and processing, where I eventually said, "Dude, I could totally automate this," and now that's what I'm getting paid to do.1 -
I just had to print out some bills for a colleague.
Nothing too bad you say?
Well.. She doesn't seem to care about security or privacy at all.
I opened the website of her email provider at my computer and moved away from the keyboard, so she could log in.
But instead she told me her email and password... In an office with some other colleagues... Multiple times and wrote it onto a piece of paper that the later left on my table.
After that I should look through her inbox to find the bills.
(Yup, I know a lot more about her now)
After finding and printing out her bills, she just thanked me and walked out of the office, because hey, why should I log out of her account?
It's nice that she trusts me... But that was a bit too much...4 -
I've been away, lurking at the shadows (aka too lazy to actually log in) but a post from a new member intrigued me; this is dedicated to @devAstated . It is erratic, and VERY boring.
When I resigned from the Navy, I got a flood of questions from EVERY direction, from the lower rank personnel and the higher ups (for some reason, the higher-ups were very interested on what the resignation procedure was...). A very common question was, of course, why I resigned. This requires a bit of explaining (I'll be quick, I promise):
In my country, being in the Navy (or any public sector) means you have a VERY stable job position; you can't be fired unless you do a colossal fuck-up. Reduced to non-existent productivity? No problem. This was one of the reasons for my resignation, actually.
However, this is also used as a deterrent to keep you in, this fear of lack of stability and certainty. And this is the reason why so many asked me why I left, and what was I going to do, how was I going to be sure about my job security.
I have a simple system. It can be abused, but if you are careful, it may do you and your sanity good.
It all begins with your worth, as an employee (I assume you want to go this way, for now). Your worth is determined by the supply of your produced work, versus the demand for it. I work as a network and security engineer. While network engineers are somewhat more common, security engineers are kind of a rarity, and the "network AND security engineer" thing combined those two paths. This makes the supply of my work (network and security work from the same employee) quite limited, but the demand, to my surprise, is actually high.
Of course, this is not something easy to achieve, to be in the superior bargaining position - usually it requires great effort and many, many sleepless nights. Anyway....
Finding a field that has more demand than there is supply is just one part of the equation. You must also keep up with everything (especially with the tech industry, that changes with every second). The same rules apply when deciding on how to develop your skills: develop skills that are in short supply, but high demand. Usually, such skills tend to be very difficult to learn and master, hence the short supply.
You probably got asleep by now.... WAKE UP THIS IS IMPORTANT!
Now, to job security: if you produce, say, 1000$ of work, then know this:
YOU WILL BE PAID LESS THAN THAT. That is how the company makes profit. However, to maximize YOUR profit, and to have a measure of job security, you have to make sure that the value of your produced work is high. This is done by:
- Producing more work by working harder (hard method)
- Producing more work by working smarter (smart method)
- Making your work more valuable by acquiring high demand - low supply skills (economics method)
The hard method is the simplest, but also the most precarious - I'd advise the other two. Now, if you manage to produce, say, 3000$ worth of work, you can demand for 2000$ (numbers are random).
And here is the thing: any serious company wants employees that produce much more than they cost. The company will strive to pay them with as low a salary as it can get away with - after all, a company seeks to maximize its profit. However, if you have high demand - low supply skills, which means that you are more expensive to be replaced than you are to be paid, then guess what? You have unlocked god mode: the company needs you more than you need the company. Don't get me wrong: this is not an excuse to be unprofessional or unreasonable. However, you can look your boss in the eye. Believe me, most people out there can't.
Even if your company fails, an employee with valuable skills that brings profit tends to be snatched very quickly. If a company fires profitable employees, unless it hires more profitable employees to replace them, it has entered the spiral of death and will go bankrupt with mathematical certainty. Also, said fired employees tend to be absorbed quickly; after all, they bring profit, and companies are all about making the most profit.
It was a long post, and somewhat incoherent - the coffee buzz is almost gone, and the coffee crash is almost upon me. I'd like to hear the insight of the veterans; I estimate that it will be beneficial for the people that start out in this industry.2 -
I had a coworker that was an Air Force pilot (99% certain he was telling the truth as I was working for a government contractor and he had security clearance so I'd be a little surprised if he fooled HR and our whole team). Thing is... He genuinely believed the earth is flat. Whenever anybody would ask "haven't you seen the curvature of the earth? Like... More than once?" He'd respond with "yes I have, what's your point?". Uh.... Okay.
Didn't help that he also was convinced cpp is the only language you ever need for any project. Like, "what if instead of building a web API and two separate native mobile app frontends (Swift/Java)... We instead build our own proprietary C++ framework that somehow runs on IOS and Android and we can also use it for our Backend instead of .Net?"
I'm not saying I love Java or Swift or that at some point I haven't thought about why we can't just use cpp in both, but you're supposed to grow out of that kind of thinking. I think every noobie or college students thinks "oh there's got to be a way". But at some point in your career you realize even if you could, it wouldn't be any easier to use and the performance gain would crazy small compared to amount of effort and you'd be playing catch up with both IOS/Android forever.
But no matter how many times we'd shoot it down, he'd keep bringing it up. And he wasn't straight out of school or something. He had like 20 years of programming experience.
I don't have a lot of memorable co-workers that were positive but honestly I think that's because usually if they're good at what they do I don't have to interact with them a bunch or spend time thinking "Jesus what am I going to have to fix next from this guy". I definitely have worked with good/great programmers, they just don't stand out as much as the shitty ones.1 -
My school just tried to hinder my revision for finals now. They've denied me access just today of SSHing into my home computer. Vim & a filesystem is soo much better than pen and paper.
So I went up to the sysadmin about this. His response: "We're not allowing it any more". That's it - no reason. Now let's just hope that the sysadmin was dumb enough to only block port 22, not my IP address, so I can just pick another port to expose at home. To be honest, I was surprised that he even knew what SSH was. I mean, sure, they're hired as sysadmins, so they should probably know that stuff, but the sysadmins in my school are fucking brain dead.
For one, they used to block Google, and every other HTTPS site on their WiFi network because of an invalid certificate. Now it's even more difficult to access google as you need to know the proxy settings.
They switched over to forcing me to remote desktop to access my files at home, instead of the old, faster, better shared web folder (Windows server 2012 please help).
But the worst of it includes apparently having no password on their SQL server, STORING FUCKING PASSWORDS IN PLAIN TEXT allowing someone to hijack my session, and just leaving a file unprotected with a shit load of people's names, parents, and home addresses. That's some super sketchy illegal shit.
So if you sysadmins happen to be reading this on devRant, INSTEAD OF WASTING YOUR FUCKING TIME BLOCKING MORE WEBSITES THAN THEIR ARE LIVING HUMANS, HOW ABOUT TRY UPPING YOUR SECURITY, PASSWORDS LIKE "", "", and "gryph0n" ARE SHIT - MAKE IT BETTER SO US STUDENTS CAN ACTUALLY BROWSE MORE FREELY - I THINK I WANT TO PASS, NOT HAVE EVERY OTHER THING BLOCKED.
Thankfully I'm leaving this school in 3 weeks after my last exam. Sure, I could stay on with this "highly reputable" school, but I don't want to be fucking lied to about computer studies, I don't want to have to workaround your shitty methods of blocking. As far as I can tell, half of the reputation is from cheating. The students and sysadmins shouldn't have to have an arms race between circumventing restrictions and blocking those circumventions. Just make your shit work for once.
**On second thought, actually keep it like that. Most of the people I see in the school are c***s anyway - they deserve to have half of everything they try to do censored. I won't be around to care soon.**undefined arms race fuck sysadmin ssh why can't you just have any fucking sanity school windows server security2 -
Taking IT classes in college. The school bought us all lynda and office365 accounts but we can't use them because the classroom's network has been severed from the Active Directory server that holds our credentials. Because "hackers." (The non-IT classrooms don't have this problem, but they also don't need lynda accounts. What gives?)
So, I got bored, and irritated, so I decided to see just how secure the classroom really was.
It wasn't.
So I created a text file with the following rant and put it on the desktop of the "locked" admin account. Cheers. :)
1. don't make a show of "beefing up security" because that only makes people curious.
I'm referring of course to isolating the network. This wouldn't be a problem except:
2. don't restrict the good guys. only the bad guys.
I can't access resources for THIS CLASS that I use in THIS CLASS. That's a hassle.
It also gives me legitimate motivation to try to break your security.
3. don't secure it if you don't care. that is ALSO a hassle.
I know you don't care because you left secure boot off, no BIOS password, and nothing
stopping someone from using a different OS with fewer restrictions, or USB tethering,
or some sort malware, probably, in addition to security practices that are
wildly inconsistent, which leads me to the final and largest grievance:
4. don't give admin priveledges to an account without a password.
seriously. why would you do this? I don't understand.
you at least bothered to secure the accounts that don't even matter,
albeit with weak and publicly known passwords (that are the same on all machines),
but then you went and left the LEAST secure account with the MOST priveledges?
I could understand if it were just a single-user machine. Auto login as admin.
Lots of people do that and have a reason for it. But... no. I just... why?
anyway, don't worry, all I did was install python so I could play with scripting
during class. if that bothers you, trust me, you have much bigger problems.
I mean you no malice. just trying to help.
For real. Don't kick me out of school for being helpful. That would be unproductive.
Plus, maybe I'd be a good candidate for your cybersec track. haven't decided yet.
-- a guy who isn't very good at this and didn't have to be
have a nice day <3
oh, and I fixed the clock. you're welcome.2 -
Devs: Hey, what should we do?
A:
provide our SDKs for download as easily as possible so that any potential customer can try it out and see how much better we are compared to our competitors?
Or…
B:
Should we lock our SDKs behind a login where the customer needs to create an account and enter the most amount of private information possible, just in case, then also require to create some security access tokens that he needs to configure in his app to have access to our service via the sdk and also hide all of the documentation behind a login which requires some permission based roles to access and also make the sdks closed source so that it’s a pain in the ass to debug and understand?
Marketing people:
B! Definitely B! Make sure to piss off and annoy our customers as much as humanly possible! -
I love it when a fellow "dev" asks about some interesting security topic (full disk encryption) and I'm like "yeah I use LUKS pretty much everywhere".. and then takes an entire arm when given a hand.
Performance in LUKS? Yeah sure you can benchmark it within cryptsetup. Here's how to do it and choose a good cipher for your CPU.
D: Oh also how do I check my battery life?
M (thinking): you lazy fucking piece of shit.
M: FUCKING GOOGLE IT
D: Obviously that means that you don't know it.
M (thinking): so not only lazy but also disgustingly ungrateful, fucking twat.
M: acpi. Next time fucking Google it.
D: You know what? Never mind.
As if I'm the one that's fucking wrong now!! But you know what, never mind indeed. Because you've successfully wasted my fucking time instead of fucking googling "check battery life Linux" like a sensible dev would.
Fellow "dev", if you're on devRant I hope you read this. You can seriously go fuck yourself.4 -
My first job was actually nontechnical - I was 18 years old and sold premium office furniture for a small store in Munich.
I did code in my free time though (PHP/JS mostly, had a litte browsergame back then - those were the days), so when my boss approached me and asked me whether I liked to take over a coding project, I agreed to the idea.
Little did I know at the time: I was supposed to work with a web agency the boss had contracted to build their online shop. Only that he had no plan or anything, he basically told them "build me an online shop like abc(a major competitor of ours at the time)"
He employed another sales lady who was supposed to manage the shop (that didn't exist yet). In the end, I think 80% of her job was to keep me from killing my boss.
As you can imagine, with this huuuuge amout of planning and these exact visions of what was supposed to be, things went south fast and far. So far that I could visit my fellow flightless birds down in the Penguin's republic of Antarctica and still need to go further.
Well... When my boss started suing the web agency, I was... ahem, asked to take over. Dumb as I was, I did - I was a PHP kid and thought that Magento, being written in PHP, would be easy to master. If you know Magento, you know that was maybe the wrongest thing I ever said.
Fast forward 3 very exhausting months, the thing was online. Not all of it worked yet, but it was online and fairly secure.
I did next to everything myself, administrating the CentOS box the shop was running on, its (own) e-mail server, the web server, all the coding required for the shop (can you spell 12 hour day for 8 hour pay?)
3 further months later, my life basically was a wreck, I dragged myself to work, the only thing I looked forward being the motorcycle ride home. The system worked though.
Mind you, I was still, at the time, working with three major customers, doing deskside support and some admin (Win Server 2008R2 at the time) - because, to quote my boss, "We could not afford a full time developer and we don't need one".
I think i stopped coding in my free time, the one hobby I used to love more than anything on the world, somewhere Decemerish 2012. I dropped out of the open source projects I was in, quit working on my browser game and let everything slide.
I didn't even care to renew the domains and servers for it, I just let it die without notice.
The little free time I had, I spent playing video games and getting drunk/high.
December 2013, 1.5 years on the job, I reached my breaking point and just left, called in sick at least a week per month because I just could not see this fucking place anymore.
I looked for another job outside of ALL of what I did before. No more Magento, no more sales, no more PHP. I didn't have to look for long, despite what I thought of my skills.
In February 2014, I told my boss that I quit. It was still seven months until my new job started, but I wanted him to know early so we could migrate and find a replacement.
The search for said replacement started in June 2014. I had considerably less work in the months before, looks like he got the hint.
In August 2014, my replacement arrived and I got him started.
I found a job, which I am still in, and still happy about after almost half a decade, at a local, medium sized ISP as a software dev and IT security guy. Got a proper training with a certificate and everything now.
My replacement lasted two months, he was external and never really did his job - the site, which until I had quit, had a total of 3 days downtime for 3 YEARS (they were the hoster's fault, not mine), was down for an entire month and he could not even tell why.
HIS followup was kicked after taking two weeks to familiarize himself with the project. Well, I think that two weeks is not even barely enough to familiarize yourself with nearly three years of work, but my boss gave him two days.
In 2016, the shop was replaced with another one. Different shop system, different OS, different CI. I don't know why and I can't say I give a damn.
Almost all the people that worked at the company back with me have left for greener pastures, taking their customers (and revenue) with them.
As for my boss' comments, instructions and lines: THAT might not be safe for work. Or kids. Or humans in general. And there wouldn't be much left if you put it through a language filter...
Moral of the story: No, it's not a bad thing to leave a place if you're mistreated there. Don't mistake loyalty with stupidity!
And, to quote one of my favourite Bands: "Nothing matters when the pain is all but gone" (Tragedy + Time by Rise Against).8 -
Watch out for these fucking bug bounty idiots.
Some time back I got an email from one shortly after making a website live. Didn't find anything major and just ran a simple tool that can suggest security improvements simply loading the landing page for the site.
Might be useful for some people but not so much for me.
It's the same kind of security tool you can search for, run it and it mostly just checks things like HTTP headers. A harmless surface test. Was nice, polite and didn't demand anything but linked to their profile where you can give them some rep on a system that gamifies security bug hunting.
It's rendering services without being asked like when someone washes your windscreen while stopped at traffic but no demands and no real harm done. Spammed.
I had another one recently though that was a total disgrace.
"I'm a web security Analyst. My Job is to do penetration testing in websites to make them secure."
"While testing your site I found some critical vulnerabilities (bugs) in your site which need to be mitigated."
"If you have a bug bounty program, kindly let me know where I should report those issues."
"Waiting for response."
It immediately stands out that this person is asking for pay before disclosing vulnerabilities but this ends up being stupid on so many other levels.
The second thing that stands out is that he says he's doing a penetration test. This is illegal in most major countries. Even attempting to penetrate a system without consent is illegal.
In many cases if it's trivial or safe no harm no foul but in this case I take a look at what he's sending and he's really trying to hack the site. Sending all kinds of junk data and sending things to try to inject that if they did get through could cause damage or provide sensitive data such as trying SQL injects to get user data.
It doesn't matter the intent it's breaking criminal law and when there's the potential for damages that's serious.
It cannot be understated how unprofessional this is. Irrespective of intent, being a self proclaimed "whitehat" or "ethical hacker" if they test this on a site and some of the commands they sent my way had worked then that would have been a data breach.
These weren't commands to see if something was possible, they were commands to extract data. If some random person from Pakistan extracts sensitive data then that's a breach that has to be reported and disclosed to users with the potential for fines and other consequences.
The sad thing is looking at the logs he's doing it all manually. Copying and pasting extremely specific snippets into all the input boxes of hacked with nothing to do with the stack in use. He can't get that many hits that way.4 -
My company just migrated our mail servers over to office365. My boss has been excited and could barely contain himself when the migration was done he was having the best day ever after he got a good deal on some new toys...Then I ruined it.
Me (setting up) > WTF!? um...well I guess I don't have email on my phone anymore. These permissions are fucked.
Him > Oh why?
Me > They are ridiculous, I won't give away this much control just to read email.
Him (panicking) > and if buy you a company phone?
Me > Not a fuck it's still a personal device. I'll just sandbox the web version.
Him > Your over reacting, they obviously need them for security blah blah...
Me (sends him the pic) > The minimum system requirement is internet.
(...silence...)
I feel kinda bad for killing his vibe - he's a nice guy and he's only trying to do right by us but now he seems down like his toy isn't shiny anymore because he respects me. I wasn't beating on the stack or his choice (mines running on thunderbird). I just can't support this trend of GOD mode permissions for email / calculator and other single feature apps. I'll use the web app instead. You have to draw the line somewhere...
On the other hand I can't deny that I'm loving the irony that Microsoft just made my life easier and have a deep sense of satisfaction that for the first time ever I got fuck up his Friday :/18 -
If you discount all the usual sql injections the most blatant was not our but a system one customer switched to after complaining over cost.
The new system was a bit more bare bones featurewize but the real gem was the profile page for their customers.
The only security was an id param pointing to the users primary key, which was an auto incrementing integer :)
And not only could you access all customer data but you could change it to.
But since the new system was built by their it chief’s son we realized it was not much we could do.2 -
Red flags in your first week of your software engineering job 🚩
You do the first few days not speaking to anyone.
You can't get into the building and no one turns up until mid day.
The receptionist thinks you're too well dressed to work in this building, thinks you're a spy and calls security on you.
You are eating alone during lunch time in the cafeteria
You have bring your own material for making coffee for yourself
When you try to read the onboarding docs and there aren't any.
You have to write the onboarding docs.
You don't have team mates.
When you ask another team how things are going and they just laugh and cry.😂😭
There's no computer for you, and not even an "it's delayed" excuse. They weren't expecting you.
Your are given a TI PC, because "that's all we have", even though there's no software for it, and it's not quite IBM compatible.
You don't have local admin rights on your computer.💀
You have to buy a laptop yourself to be able to do your job.
It's the end of the week and you still don't have your environment set up and running.
You look at the codebase and there are no automated tests.
You have to request access every time you need to install something through a company tool that looks like it was made in 2001.
Various tasks can only be performed by one single person and they are either out sick or on vacation.
You have to keep track of your time in 6 minute increments, assigned to projects you don't know, by project numbers everyone has memorised (and therefore aren't written down).
You have to fill in timesheets and it takes you 30 minutes each day to fill them in because the system is so clunky.🤮
Your first email is a phishing test from the IT department in another country and timezone, but it has useful information in it, like how to login to the VPN.
Your second email is not a phishing test, but has similar information as the first one. (You ignore it.)
Your name is spelled wrong in every system, in a different way. 2 departments decide that it's too much trouble, and they never fix the spelling as long as you work there. One of them fixes it after you leave, and annoys you for a month because you haven't filled out the customer survey.6 -
I live in zurich switzerland one of the most expensive places to live. And i work as a jack of all trades graphic ux/ui designer/copy writer/marketeer in IT security.
I earn about $3800 a month, but every salery calculator says I should earn above $7000. With a median salery of $9300. But this seems so much money and I suffer from low self esteem. So what should I do? (Quitting is not an option because I like it there)11 -
Had a talk with my mentor and the CTO today.
They made very clear that they'd want to keep me employed after I finished my bachelor and briefly asked about my plans.
I am happy and this kind of gave me some more peace of mind concerning job security.
Thing is though, I don't know yet what I want to do in two years from now. There are some possibilities and of course I don't know how my private life will develop.
If I stay there, I could finish my bachelor and then do a master halftime, like I do now with my bachelor - or I could stop at my bachelor and start working full-time again.
I rather want to stay there - though I strongly dislike the 9 to 5 job model, the work would be in a field I'm interested in. My colleagues are a nice bunch of people and I respect them a lot, especially the team I work with.
On the other hand, I always thought about freelancing and was researching possibilities during the last year. My skills are not so easy to translate into a freelancing job, though, if I don't want to do at least 50% software development.
Or I could get a job somewhere else which would have the charms of starting from scratch. Many new experience, much new things, wow.
Maybe also a better salary though if I'd be doing the job for the money only, I'd probably have worked elsewhere.
...
I'm usually quite relaxed about my future plans but some of these things were on my mind for some time now, also, I'm not sure whether I can "define" my future just yet.
Also, I'm overthinking it, yes.
I will have another talk in about a month.
No pressure, right?7 -
Well, for starters there was a cron to restart the webserver every morning.
The product was 10+ years old and written in PHP 5.3 at the time.
Another cron was running every 15 minutes, to "correct" data in the DB. Just regular data, not from an import or something.
Gotta have one of those self-healing systems I guess.
Yet another cron (there where lots) did run everyday from 02:00 to 4ish to generate the newest xlsx report. Almost took out the entire thing every time. MySQL 100%. CPU? Yes. RAM? You bet.
Lucky I wasn't too much involved at the time. But man, that thing was the definition of legacy.
Fun fact: every request was performed twice! First request gave the already logged-in client an unique access-token. Second request then processed the request with the (just issued) access-token; which was then discarded. Security I guess.
I don't know why it was build this way. It just was. I didn't ask. I didn't wanted to know. Some things are better left undisturbed. Just don't anger the machine. I became superstitious for a while. I think, in the end, it help a bit: It feels like communicating with an alien monster but all you have is a trumpet and chewing gum. Gentle does it.
Oh and "Sencha Extjs 3" almost gave me PTSD lol (it's an ancient JS framework). Followed by SOAPs WSDL cache. And a million other things.5 -
SeniorDev: “OMFG..MalwareBytes is taking up almost 50% of my CPU!”
Me: “Didn’t you have a virus on your machine couple of days ago?”
SeniorDev: “Uh..yea..but it was cleaned up.”
Me: “Your OS might have been compromised. If your antivirus is still busy doing something, then it may be time to start over with a fresh re-install.”
SeniorDev: “No, that’s not it. This is just BS our Network admins don’t want to fix because I’m not a VP”
Me: “I’m pretty sure they don’t care.”
-in as much of a ‘I’m kidding’ tone as I could -
Me: “They would care more if you stopped going to inappropriate web sites on the company computer.”
SeniorDev: “I never go to those sites. It was a link to a charity web site my wife sent me. You know how those sites are. They are built by college kids, so they have no security and was hijacked. That’s how I got the virus.”
Me: “You actually said that to Jim and he believed it?”
SeniorDev: “Well ...yea because….oh …–bleep- you.”
"Jim" sits about 50 feet away, popped his head over the cube wall and smiled. It was awesome. -
Long rant ahead.. 5k characters pretty much completely used. So feel free to have another cup of coffee and have a seat 🙂
So.. a while back this flash drive was stolen from me, right. Well it turns out that other than me, the other guy in that incident also got to the police 😃
Now, let me explain the smiley face. At the time of the incident I was completely at fault. I had no real reason to throw a punch at this guy and my only "excuse" would be that I was drunk as fuck - I've never drank so much as I did that day. Needless to say, not a very good excuse and I don't treat it as such.
But that guy and whoever else it was that he was with, that was the guy (or at least part of the group that did) that stole that flash drive from me.
Context: https://devrant.com/rants/2049733 and https://devrant.com/rants/2088970
So that's great! I thought that I'd lost this flash drive and most importantly the data on it forever. But just this Friday evening as I was meeting with my friend to buy some illicit electronics (high voltage, low frequency arc generators if you catch my drift), a policeman came along and told me about that other guy filing a report as well, with apparently much of the blame now lying on his side due to him having punched me right into the hospital.
So I told the cop, well most of the blame is on me really, I shouldn't have started that fight to begin with, and for that matter not have drunk that much, yada yada yada.. anyway he walked away (good grief, as I was having that friend on visit to purchase those electronics at that exact time!) and he said that this case could just be classified then. Maybe just come along next week to the police office to file a proper explanation but maybe even that won't be needed.
So yeah, great. But for me there's more in it of course - that other guy knows more about that flash drive and the data on it that I care about. So I figured, let's go to the police office and arrange an appointment with this guy. And I got thinking about the technicalities for if I see that drive back and want to recover its data.
So I've got 2 phones, 1 rooted but reliant on the other one that's unrooted for a data connection to my home (because Android Q, and no bootable TWRP available for it yet). And theoretically a laptop that I can put Arch on it no problem but its display backlight is cooked. So if I want to bring that one I'd have to rely on a display from them. Good luck getting that done. No option. And then there's a flash drive that I can bake up with a portable Arch install that I can sideload from one of their machines but on that.. even more so - good luck getting that done. So my phones are my only option.
Just to be clear, the technical challenge is to read that flash drive and get as much data off of it as possible. The drive is 32GB large and has about 16GB used. So I'll need at least that much on whatever I decide to store a copy on, assuming unchanged contents (unlikely). My Nexus 6P with a VPN profile to connect to my home network has 32GB of storage. So theoretically I could use dd and pipe it to gzip to compress the zeroes. That'd give me a resulting file that's close to the actual usage on the flash drive in size. But just in case.. my OnePlus 6T has 256GB of storage but it's got no root access.. so I don't have block access to an attached flash drive from it. Worst case I'd have to open a WiFi hotspot to it and get an sshd going for the Nexus to connect to.
And there we have it! A large storage device, no root access, that nonetheless can make use of something else that doesn't have the storage but satisfies the other requirements.
And then we have things like parted to read out the partition table (and if unchanged, cryptsetup to read out LUKS). Now, I don't know if Termux has these and frankly I don't care. What I need for that is a chroot. But I can't just install Arch x86_64 on a flash drive and plug it into my phone. Linux Deploy to the rescue! 😁
It can make chrooted installations of common distributions on arm64, and it comes extremely close to actual Linux. With some Linux magic I could make that able to read the block device from Android and do all the required sorcery with it. Just a USB-C to 3x USB-A hub required (which I have), with the target flash drive and one to store my chroot on, connected to my Nexus. And fixed!
Let's see if I can get that flash drive back!
P.S.: if you're into electronics and worried about getting stuff like this stolen, customize it. I happen to know one particular property of that flash drive that I can use for verification, although it wasn't explicitly customized. But for instance in that flash drive there was a decorative LED. Those are current limited by a resistor. Factory default can be say 200 ohm - replace it with one with a higher value. That way you can without any doubt verify it to be yours. Along with other extra security additions, this is one of the things I'll be adding to my "keychain v2".11 -
I live in a developing country where not a lot of people know much about security, programming and such. The moment I make a post about coding or something on social media, relatives/friends/strangers come and ask me to hack a Facebook profile or request a free download link to PUBG. And when I say that I can't, or that it's not really possible, they fuss and blame me for it. God damn people.4
-
TL; DR: Bringing up quantum computing is going to be the next catchall for everything and I'm already fucking sick of it.
Actual convo i had:
"You should really secure your AWS instance."
"Isnt my SSH key alone a good enough barrier?"
"There are hundreds of thousands of incidents where people either get hacked or commit it to github."
"Well i wont"
"Just start using IP/CIDR based filtering, or i will take your instance down."
"But SSH keys are going to be useless in a couple years due to QUANTUM FUCKING COMPUTING, so why wouldnt IP spoofing get even better?"
"Listen motherfucker, i may actually kill you, because today i dont have time for this. The whole point of IP-based security is that you cant look on Shodan for machines with open SSH ports. You want to talk about quantum computing??!! Lets fucking roll motherfucker. I dont think it will be in the next thousand years that we will even come close to fault-tolerant quantum computing.
And even if it did, there have been vulnerabilities in SSH before. How often do you update your instance? I can see the uptime is 395 days, so probably not fucking often! I bet you "dont have anything important anyways" on there! No stored passwords, no stored keys, no nothing, right (she absolutely did)? If you actually think I'm going to back down on this when i sit in the same room as the dude with the root keys to our account, you can kindly take your keyboard and shove it up your ass.
Christ, I bet that the reason you like quantum computing so much is because then you'll be able to get your deepfakes of miley cyrus easier you perv."9 -
So I can see everything thinks CS should be taught differently this week.
Based on all of the ways we could change it, something no one seems to be mentioning much is security.
Everyone has many ways of learning logical processors and understanding how they work with programming, but for every line of code taught, read or otherwise learnt you should also learn, be taught how to make it less vulnerable (as nothing is invulnerable on the internet)
Every language has its exploits and pitfalls and ways of overflowing but how you handle these issues or prevent them occurring should be more important than syntaxually correct code. The tools today are 100000x better then when I started with notepad.exe, CMD and Netscape.
Also CS shouldn’t be focused on tools and languages as such, seeing as new versions and ideals come out quicker then CS courses change, but should be more focused on the means of coming to logical decisions and always questioning why or how something is the way it is, and how to improve it.
Tl;dr
Just my two cents. -
> Worst work culture you've experienced?
It's a tie between my first to employers.
First: A career's dead end.
Bosses hardly ever said the truth, suger-coated everything and told you just about anything to get what they wanted. E.g. a coworker of mine was sent on a business trip to another company. They had told him this is his big chance! He'd attend a project kick-off meeting, maybe become its lead permanently. When he got there, the other company was like "So you're the temporary first-level supporter? Great! Here's your headset".
And well, devs were worth nothing anyway. For every dev there were 2-3 "consultants" that wrote detailed specifications, including SQL statements and pseudocode. The dev's job was just to translate that to working code. Except for the two highest senior devs, who had perfect job security. They had cooked up a custom Ant-based build system, had forked several high-profile Java projects (e.g. Hibernate) and their code was purposely cryptic and convoluted.
You had no chance to make changes to their projects without involuntarily breaking half of it. And then you'd have to beg for a bit of their time. And doing something they didn't like? Forget it. After I suggested to introduce automated testing I was treated like a heretic. Well of course, that would have threatened their job security. Even managers had no power against them. If these two would quit half a dozen projects would simply be dead.
And finally, the pecking order. Juniors, like me back then, didn't get taught shit. We were just there for the work the seniors didn't want to do. When one of the senior devs had implemented a patch on the master branch, it was the junior's job to apply it to the other branches.
Second: A massive sweatshop, almost like a real-life caricature.
It was a big corporation. Managers acted like kings, always taking the best for themselves while leaving crumbs for the plebs (=devs, operators, etc). They had the spacious single offices, we had the open plan (so awesome for communication and teamwork! synergy effects!). When they got bored, they left meetings just like that. We... well don't even think about being late.
And of course most managers followed the "kiss up, kick down" principle. Boy, was I getting kicked because I dared to question a decision of my boss. He made my life so hard I got sick for a month, being close to burnout. The best part? I gave notice a month later, and _he_still_was_surprised_!
Plebs weren't allowed anything below perfection, bosses on the other hand... so, I got yelled at by some manager. Twice. For essentially nothing, things just bruised his fragile ego. My bosses response? "Oh he's just human". No, the plebs was expected to obey the powers that be. Something you didn't like? That just means your attitude needs adjustment. Like with the open plan offices: I criticized the noise and distraction. Well that's just my _opinion_, right? Anyone else is happily enjoying it! Why can't I just be like the others? And most people really had given up, working like on a production line.
The company itself, while big, was a big ball of small, isolated groups, sticking together by office politics. In your software you'd need to call a service made by a different team, sooner or later. Not documented, noone was ever willing to help. To actually get help, you needed to get your boss to talk to their boss. Then you'd have a chance at all.
Oh, and the red tape. Say you needed a simple cable. You know, like those for $2 on Amazon. You'd open a support ticket and a week later everyone involved had signed it off. Probably. Like your boss, the support's boss, the internal IT services' boss, and maybe some other poor sap who felt important. Or maybe not, because the justification for needing that cable wasn't specific enough. I mean, just imagine the potential damage if our employees owned a cable they shouldn't!
You know, after these two employers I actually needed therapy. Looking back now, hooooly shit... that's why I can't repeat often enough that we devs put up with way too much bullshit.3 -
Electric cars are not better for the environment. All petrol cars combined are only responsible for 7.9% of CO2 emissions. If your electric car is charged from a grid that is powered by a coal-burning power station, it contributes nothing to dealing with climate change. It only provides you with the false sense of security, and you can look cool telling your friends that “you know, I drive a Tesla, I’m environmentally conscious, your gas car is bad”.
Electric cars are lame. When I’m out of fuel, I can refuel fully in minutes. With electric car, I’ll have to wait at least five hours. Let’s be realistic, superchargers aren’t common, and will never be.
Gasoline is 46.4 MJ/kg, or 34.2 MJ/l. Li-Ion is 0.36–0.875. Let’s be generous and say it’s 0.9. To match 1 kg of petrol, I would need 51 kilos of batteries.
Average gas tank is 18 gallons, or 68 litres. To match that, my battery must have a weight of 2.5 metric tonnes. Bear in mind, empty battery and full battery has the same weight. Also, bear in mind, batteries perform worse in the winter.
As per energy density and practicality, things don’t get much better than petrol. Liquid hydrogen has higher energy density, but to store it, gas tank has to have very, very thick walls, to withstand the pressure. And, hydrogen is a bitch. It’s extremely dangerous. You can’t smell it until it’s too late. Hydrogen-air mixture will explode if you look at it the wrong way.
All that “electric cars good for climate” hype is merely Elon maintaining his stock bubble.23 -
Two prisoners built two computer from recycled parts, hacked into the security system and also gained access to the Internet. They got caught because they probably downloaded too much porn.
http://gizmodo.co.uk/2017/04/...2 -
Boss: We need to disable CSRF and any other form of security, because that shitty, insignificant client has a website that is abomination anyone's eyes, can't pay because of the iframe thingy.
Me: I'd advice against it. This is a significant security issue that just screams to be exploited and there has to be a solution, but idk much about this situation.
Boss: Idk we need to kiss every clients ass till they come. Remove all the security
Me: *Just wants to get home, last one in the office besides the boss* fine
*removes it, deploys and gets the fuck home*
...2 weeks later
Payment gateway: Yeah, we blocked your account, because someone was trying to purchase 30k product in a span of 1h
I'm not even mad about that, but rather about the fact I fucking called it.
* Achievement unlocked: Targeted by scammers
P.s. no major damages, cause the guys from the payment gate understand shit about security.3 -
Reported an important security vulnerability inside our organization, right before getting off work. A security team member contacts me over chat asking for some details on my investigation. At the end, he tells me: "thanks, I will copy and paste this conversation on the ticket so that everyone can see".
What I imagined: he would copy and paste the conversation as is, so that every line written by me is prefixed with my name.
What he does: he writes a summary of our conversation, barely mentioning my name, making it look like that part of the investigation was done by him.
Now I have so much anger inside of me that my internal organs are boiling.6 -
//Random Mr. Robot thought//
So this picture and this quote in general has been in my mind quite recently. The first time I saw this scene it just passed through my mind as just a wierd quirk of elliot. But upon further thinking, I question that given Elliot is someone who specializes in network security in a sense. A part of which focuses on finding exploits in networks or even software in general( basically finding the worst in them). And the more I think about that,the more I come to realisation that just like most programmers mix together logic in their life in dealing with people, this scene stands out as an example of just that happening with Elliot and what perhaps, makes him such a good hacker. Perhaps we could all learn from this, or perhaps I'm just looking too much into this. Eh.4 -
Does anyone else get that surreal feeling where you actually realise you're paid to sit and write a language which most of the world doesnt understand, no one can speak it, and the those who may have the capability to write it don't really want to understand?
I mean, I'm pretty sure that a book written in Latin wouldn't sell well enough to pay the author year-on-year.
Pretty much job security through obscurity.
Surreal.3 -
I'm working at this company where I have to update their app both for Android and iOS and it was originally coded by what seems to be one guy, that has written some of the worse code I've seen (I've seen pretty bad code when I was at uni), there is so much uncommented code, commented code with no real reason on why it's commented, variables that are one or two letters, Lots and Lots of magical numbers for things like images! And for the first few weeks working on the iOS app I was also still learning objective-c and had to look at his code for reference, I cringed so much.
I take pride in my commented code, I take pride in writing description for methods and having my variables at the top of a class and explain exactly why it's a constant. I'm also only just a recent graduate.
This guy that worked out this app is a senior developer, now working on security software for a bank, how is he even allowed to code?3 -
!dev
There’s this person at $work who never uses punctuation of any kind. She has mental issues and insists on neutral pronouns (and strongly advertises these) so I’ll use the indefinite to pretend to be respectful. It has multiple thoughts while typing a message and just keeps typing through all of them without stopping. It pauses not to collect its thoughts, to edit for clarity or to fix mistakes, to separate anything (including disjoint topics), to summarize, etc. (Though calling these “thoughts” is a huge stretch, given its lack of propensity for that particular subject.) It’s as if it has zero distinction between writing and speaking, and simply lets the mental diarrhea flow while their fingers do their best to keep pace. Reading these trainwrecks of thought — and gleaning any useful information from them — is always difficult and a little bit painful.
It is also in charge of IT security, which is more than a bit worrying. (But I hate the company with a passion, so it doesn’t bother me nearly as much as it otherwise would.)40 -
I really enjoy my old Kindle Touch rather than reading long pdf's on a tablet or desktop. The Kindle is much easier on my eyes plus some of my pdf's are critical documents needed to recover business processes and systems. During a power outage a tablet might only last a couple of days even with backup power supplies, whereas my Kindle is good for at least 2 weeks of strong use.
Ok, to get a pdf on a Kindle is simple - just email the document to your Kindle email address listed in your Amazon –Settings – Digital Content – Devices - Email. It will be <<something>>@kindle.com.
But there is a major usability problem reading pdf's on a Kindle. The font size is super tiny and you do not have font control as you do with a .MOBI (Kindle) file. You can enlarge the document but the formatting will be off the small Kindle screen. Many people just advise to not read pdf's on a Kindle. devRanters never give up and fortunately there are some really cool solutions to make pdf's verrrrry readable and enjoyable on a Kindle
There are a few cloud pdf- to-.MOBI conversion solutions but I had no intention of using a third party site my security sensitive business content. Also, in my testing of sample pdf's the formatting of the .MOBI file was good but certainly not great.
So here are a couple option I discovered that I find useful:
Solution 1) Very easy. Simply email the pdf file to your Kindle and put 'convert' in the subject line. Amazon will convert the pdf to .MOBI and queue it up to synch the next time you are on wireless. The final e-book .MOBI version of the pdf is readable and has all of the .MOBI options available to you including the ability for you to resize fonts and maintain document flow to properly fit the Kindle screen. Unfortunately, for my requirements it did not measure-up to Solution 2 below which I found much more powerful.
Solution 2) Very Powerful. This solution takes under a minute to convert a pdf to .MOBI and the small effort provides incredible benefits to fine tune the final .MOBI book. You can even brand it with your company information and add custom search tags. In addition, it can be used for many additional input and output files including ePub which is used by many other e-reader devices including The Nook.
The free product I use is Calibre. Lots of options and fine control over documents. I download it from calibre-ebook.com. Nice UI. Very easy to import various types of documents and output to many other types of formats such as .MOBI, ePub, DocX, RTF, Zip and many more. It is a very powerful program. I played with various Calibre options and emailed the formatted .MOBI files to my Kindle. The new files automatically synched to the Kindle when I was wireless in seconds. Calibre did a great job!!
The formatting was 99.5% perfect for the great majority of pdf’s I converted and now happily read on my Kindle. Calibre even has a built-in heuristic option you can try that enables it to figure out how to improve the formatting of the raw pdf. By default it is not enabled. A few of the wider tables in my business continuity plans I have to scroll on the limited Kindle screen but I was able to minimize that by sizing the fonts and controlling the source document parameters.
Now any pdf or other types of documents can be enjoyed on a light, cheap, super power efficient e-reader. Let me know if this info helped you in any way.4 -
While building a Java net sniffer app, I finally write the code to run a Linux binary in a separate process after three days. It works perfectly!
Then I export my app to a runnable jar file.
About nine exceptions are thrown, including a security exception. So much for being done. 😐5 -
After a few weeks of being insanely busy, I decided to log onto Steam and maybe relax with a few people and play some games. I enjoy playing a few sandbox games and do freelance development for those games (Anywhere from a simple script to a full on server setup) on the side. It just so happened that I had an 'urgent' request from one of my old staff member from an old community I use to own. This staff member decided to run his own community after I sold mine off since I didn't have the passion anymore to deal with the community on a daily basis.
O: Owner (Former staff member/friend)
D: Other Dev
O: Hey, I need urgent help man! Got a few things developed for my server, and now the server won't stay stable and crashes randomly. I really need help, my developer can't figure it out.
Me: Uhm, sure. Just remember, if it's small I'll do it for free since you're an old friend, but if it's a bigger issue or needs a full recode or whatever, you're gonna have to pay. Another option is, I tell you what's wrong and you can have your developer fix it.
O: Sounds good, I'll give you owner access to everything so you can check it out.
Me: Sounds good
*An hour passes by*
O: Sorry it took so long, had to deal with some crap. *Insert credentials, etc*
Me: Ok, give me a few minutes to do some basic tests. What was that new feature or whatever you added?
O: *Explains long feature, and where it's located*
Me: *Begins to review the files* *Internal rage wondering what fucking developer could code such trash* *Tests a few methods, and watches CPU/RAM and an internal graph for usage*
Me: Who coded this module?
O: My developer.
Me: *Calm tone, with a mix of some anger* So, you know what, I'm just gonna do some simple math for ya. You're running 33 ticks a second for the server, with an average of about 40ish players. 33x60 = 1980 cycles a minute, now lets times that by the 40 players on average, you have 79,200 cycles per minute or nearly 4.8 fucking cycles an hour (If you maxed the server at 64 players, it's going to run an amazing fucking 7.6 million cycles an hour, like holy fuck). You're also running a MySQLite query every cycle while transferring useless data to the server, you're clusterfucking the server and overloading it for no fucking reason and that's why you're crashing it. Another question, who the fuck wrote the security of this? I can literally send commands to the server with this insecure method and delete all of your files... If you actually want your fucking server stable and secure, I'm gonna have to recode this entire module to reduce your developer's clusterfuck of 4.8 million cycles to about 400 every hour... it's gonna be $50.
D: *Angered* You're wrong, this is the best way to do it, I did stress testing! *Insert other defensive comments* You're just a shitty developer (This one got me)
Me: *Calm* You're calling me a shitty developer? You're the person that doesn't understand a timer, I get that you're new to this world, but reading the wiki or even using the game's forums would've ripped this code to shreds and you to shreds. You're not even a developer, cause most of this is so disorganized it looks like you copy and pasted it. *Get's angered here and starts some light screaming* You're wasting CPU usage, the game can't use more than 1 physical core, and after a quick test, you're stupid 'amazing' module is using about 40% of the CPU. You need to fucking realize the 40ish average players, use less than this... THEY SHOULD BE MORE INTENSIVE THAN YOUR CODE, NOT THE OPPOSITE.
O: Hey don't be rude to Venom, he's an amazing coder. You're still new, you don't know as much as him. Ok, I'll pay you the money to get it recoded.
Me: Sounds good. *Angered tone* Also you developer boy, learn to listen to feedback and maybe learn to improve your shitty code. Cause you'll never go anywhere if you don't even understand who bad this garbage is, and that you can't even use the fucking wiki for this game. The only fucking way you're gonna improve is to use some of my suggestions.
D: *Leaves call without saying anything*
TL;DR: Shitty developer ran some shitty XP system code for a game nearly 4.8 million times an hour (average) or just above 7.6 million times an hour (if maxed), plus running MySQLite when it could've been done within about like 400 an hour at max. Tried calling me a shitty developer, and got sorta yelled at while I was trying to keep calm.
Still pissed he tried calling me a shitty developer... -
I don't know if I'm being pranked or not, but I work with my boss and he has the strangest way of doing things.
- Only use PHP
- Keep error_reporting off (for development), Site cannot function if they are on.
- 20,000 lines of functions in a single file, 50% of which was unused, mostly repeated code that could have been reduced massively.
- Zero Code Comments
- Inconsistent variable names, function names, file names -- I was literally project searching for months to find things.
- There is nothing close to a normalized SQL Database, column ID names can't even stay consistent.
- Every query is done with a mysqli wrapper to use legacy mysql functions.
- Most used function is to escape stirngs
- Type-hinting is too strict for the code.
- Most files packed with Inline CSS, JavaScript and PHP - we don't want to use an external file otherwise we'd have to open two of them.
- Do not use a package manger composer because he doesn't have it installed.. Though I told him it's easy on any platform and I'll explain it.
- He downloads a few composer packages he likes and drag/drop them into random folder.
- Uses $_GET to set values and pass them around like a message contianer.
- One file is 6000 lines which is a giant if statement with somewhere close to 7 levels deep of recursion.
- Never removes his old code that bloats things.
- Has functions from a decade ago he would like to save to use some day. Just regular, plain old, PHP functions.
- Always wants to build things from scratch, and re-using a lot of his code that is honestly a weird way of doing almost everything.
- Using CodeIntel, Mess Detectors, Error Detectors is not good or useful.
- Would not deploy to production through any tool I setup, though I was told to. Instead he wrote bash scripts that still make me nervous.
- Often tells me to make something modern/great (reinventing a wheel) and then ends up saying, "I think I'd do it this way... Referes to his code 5 years ago".
- Using isset() breaks things.
- Tens of thousands of undefined variables exist because arrays are creates like $this[][][] = 5;
- Understanding the naming of functions required me to write several documents.
- I had to use #region tags to find places in the code quicker since a router was about 2000 lines of if else statements.
- I used Todo Bookmark extensions in VSCode to mark and flag everything that's a bug.
- Gets upset if I add anything to .gitignore; I tried to tell him it ignores files we don't want, he is though it deleted them for a while.
- He would rather explain every line of code in a mammoth project that follows no human known patterns, includes files that overwrite global scope variables and wants has me do the documentation.
- Open to ideas but when I bring them up such as - This is what most standards suggest, here's a literal example of exactly what you want but easier - He will passively decide against it and end up working on tedious things not very necessary for project release dates.
- On another project I try to write code but he wants to go over every single nook and cranny and stay on the phone the entire day as I watch his screen and Im trying to code.
I would like us all to do well but I do not consider him a programmer but a script-whippersnapper. I find myself trying to to debate the most basic of things (you shouldnt 777 every file), and I need all kinds of evidence before he will do something about it. We need "security" and all kinds of buzz words but I'm scared to death of this code. After several months its a nice place to work but I am convinced I'm being pranked or my boss has very little idea what he's doing. I've worked in a lot of disasters but nothing like this.
We are building an API, I could use something open source to help with anything from validations, routing, ACL but he ends up reinventing the wheel. I have never worked so slow, hindered and baffled at how I am supposed to build anything - nothing is stable, tested, and rarely logical. I suggested many things but he would rather have small talk and reason his way into using things he made.
I could fhave this project 50% done i a Node API i two weeks, pretty fast in a PHP or Python one, but we for reasons I have no idea would rather go slow and literally "build a framework". Two knuckleheads are going to build a PHP REST framework and compete with tested, tried and true open source tools by tens of millions?
I just wanted to rant because this drives me crazy. I have so much stress my neck and shoulder seems like a nerve is pinched. I don't understand what any of this means. I've never met someone who was wrong about so many things but believed they were right. I just don't know what to say so often on call I just say, 'uhh..'. It's like nothing anyone or any authority says matters, I don't know why he asks anything he's going to do things one way, a hard way, only that he can decipher. He's an owner, he's not worried about job security.13 -
A coworker told me this a little while ago and I cringed.
"Coworker installs windows partition o n a Mac, not sure what utility he used but he's handled every IT issue, people in our company for years but googling and researching ways to do things.
Steve comes along to do a service on the Macs (apparently) and sees what my coworker did and says "get rid of that it's a security risk", coworker had a legitimate reason to use Windows, plugin for Excel only works in Windows, so Steve could have totally done checks to ensure security wasn't a risk, but he's a Mac elitist, what can you do :/, lucky coworker though gets to use a windows PC and never looked back xD."
Honestly scared of Steve doing that so called service seeing I have tons of things I need to use (source tree, Android studio, some tools to test push notifications) and just down right deleting them because of his reasons, that and the whole he does services after hours without much warning (last time it was a leave password on desk for the next "week" and Steve will come in and fix the Macs) I can't defend my argument of why I use something like Android studio (to develop the app for the company LOL) -
Follow-up to my previous story: https://devrant.com/rants/1969484/...
If this seems to long to read, skip to the parts that interest you.
~ Background ~
Maybe you know TeamSpeak, it's basically a program to talk with other people on servers. In TeamSpeak you can generate identities, every identity has a security level. On your server you can set a minimum security level you need to connect. Upgrading the security level takes longer as the level goes up.
~ Technical background ~
The security level is computed by doing this:
SHA1(public_key + offset)
Where public_key is your public key in Base64 and offset is an 8 Byte unsigned long. Offset is incremented and the whole thing is hashed again. The security level comes from the amount of Zero-Bits at the beginning of the resulting hash.
My plan was to use my GPU to do this, because I heared GPUs are good at hashing. And now, I got it to work.
~ How I did it ~
I am using a start offset of 0, create 255 Threads on my GPU (apparently more are not possible) and let them compute those hashes. Then I increment the offset in every thread by 255. The GPU also does the job of counting the Zero-Bits, when there are more than 30 Zero-Bits I print the amount plus the offset to the console.
~ The speed ~
Well, speed was the reason I started this. It's faster than my CPU for sure. It takes about 2 minutes and 40 seconds to compute 2.55 Billion hashes which comes down to ~16 Million hashes per second.
Is this speed an expected result, is it slow or fast? I don't know, but for my needs, it is fucking fast!
~ What I learned from this ~
I come from a Java background and just recently started C/C++/C#. Which means this was a pretty hard challenge, since OpenCL uses C99 (I think?). CUDA sadly didn't work on my machine because I have an unsupported GPU (NVIDIA GeForce GTX 1050 Ti). I learned not to execute an endless loop on my GPU, and so much more about C in general. Though it was small, it was an amazing project.1 -
A few days ago Aruba Cloud terminated my VPS's without notice (shortly after my previous rant about email spam). The reason behind it is rather mundane - while slightly tipsy I wanted to send some traffic back to those Chinese smtp-shop assholes.
Around half an hour later I found that e1.nixmagic.com had lost its network link. I logged into the admin panel at Aruba and connected to the recovery console. In the kernel log there was a mention of the main network link being unresponsive. Apparently Aruba Cloud's automated systems had cut it off.
Shortly afterwards I got an email about the suspension, requested that I get back to them within 72 hours.. despite the email being from a noreply address. Big brain right there.
Now one server wasn't yet a reason to consider this a major outage. I did have 3 edge nodes, all of which had equal duties and importance in the network. However an hour later I found that Aruba had also shut down the other 2 instances, despite those doing nothing wrong. Another hour later I found my account limited, unable to login to the admin panel. Oh and did I mention that for anything in that admin panel, you have to login to the customer area first? And that the account ID used to login there is more secure than the password? Yeah their password security is that good. Normally my passwords would be 64 random characters.. not there.
So with all my servers now gone, I immediately considered it an emergency. Aruba's employees had already left the office, and wouldn't get back to me until the next day (on-call be damned I guess?). So I had to immediately pull an all-nighter and deploy new servers elsewhere and move my DNS records to those ASAP. For that I chose Hetzner.
Now at Hetzner I was actually very pleasantly surprised at just how clean the interface was, how it puts the project front and center in everything, and just tells you "this is what this is and what it does", nothing else. Despite being a sysadmin myself, I find the hosting part of it insignificant. The project - the application that is to be hosted - that's what's important. Administration of a datacenter on the other hand is background stuff. Aruba's interface is very cluttered, on Hetzner it's super clean. Night and day difference.
Oh and the specs are better for the same price, the password security is actually decent, and the servers are already up despite me not having paid for anything yet. That's incredible if you ask me.. they actually trust a new customer to pay the bills afterwards. How about you Aruba Cloud? Oh yeah.. too much to ask for right. Even the network isn't something you can trust a long-time customer of yours with.
So everything has been set up again now, and there are some things I would like to stress about hosting providers.
You don't own the hardware. While you do have root access, you don't have hardware access at all. Remember that therefore you can't store anything on it that you can't afford to lose, have stolen, or otherwise compromised. This is something I kept in mind when I made my servers. The edge nodes do nothing but reverse proxying the services from my LXC containers at home. Therefore the edge nodes could go down, while the worker nodes still kept running. All that was necessary was a new set of reverse proxies. On the other hand, if e.g. my Gitea server were to be hosted directly on those VPS's, losing that would've been devastating. All my configs, projects, mirrors and shit are hosted there.
Also remember that your hosting provider can terminate you at any time, for any reason. Server redundancy is not enough. If you can afford multiple redundant servers, get them at different hosting providers. I've looked at Aruba Cloud's Terms of Use and this is indeed something they were legally allowed to do. Any reason, any time, no notice. They covered all their bases. Make sure you do too, and hope that you'll never need it.
Oh, right - this is a rant - Aruba Cloud you are a bunch of assholes. Kindly take a 1Gbps DDoS attack up your ass in exchange for that termination without notice, will you?5 -
Ya'll know what... If humans weren't such annoying vulnerability-searching little shits then we wouldn't have had to implement any protection against them and think of all the performance that would be saved on that. Take branch prediction vulnerability mitigation in the Linux kernel for example, that's got to make a performance hit of least 10% on basically everything.
Alas, I do get why security is important and why we keep such vulnerability mitigation running despite the performance hit. I get why safe code is necessary but still... if these people weren't such annoying little bastards.
Yeah, I was just kind of set off by the above. So much would be faster and easier if only the programmers wouldn't have to plan for people exploiting their software. Software would be written much faster and humans would progress to stuff that actually matters like innovation.8 -
My boss wants to be asynchronous with php. Then to render the backend async he wants to use beanstalk using python to be scalable.
I said : we can use node.js it's already asynchronous. And we don't care about the langage php python...
Boss : node.js isn't scalable, there is no security it's not good enough, it's not enough safe. I code with php since 15 years and it's better than node. To much problem in the node.js version 0.12.
OK BUT NOW WE HAVE NODEJS VERSION 6 LTS. WAKE UP. OMG I GIVE IT UP LET'S GO.5 -
Despite common sense, I think technology is not making our lives easier. It's just build chaos on top of chaos.
Take server-side programming for instance.
First you have to find someone to host your thing, or a PaaS provider. Then you have to figure out how much RAM and storage you need, which OS you're going to use. And then there's Docker (which will run on top of a VM on AWS or GCP anyway, making even less sense). And then there's the server technology: nginx, Apache (and many many more; if, that is, you're using a server at all). And then there are firewalls, proxies, SSL. And then you go back to the start, because you have to check if your hosting provider will support the OS or Docker or your server. (I smell infinite recursion here.)
Each of these moving parts come with their own can of worms in terms of configuration and security. A whole bible to read if you want to have the slightest clue about what you're doing.
And then there's the programming language to use and its accompanying frameworks. Can they replace the server technology? Should you? Will they conflict with each other and open yet another backdoor into your system? Is it supported by your hosting provider? (Did I mention an infinite recursion somewhere?)
And then there's the database. Does it have a port to the language/framework of your choosing? Why does it expose an web interface? Is it supposed to replace your server? And why are its security features optional again? (Just so I have to test both the insecure and the secure environments?)
And you haven't written a single line of code yet, mind you.4 -
Hey guys it's not a rant, but i feel this place might help...
I am a 20 yr old, second year guy ...have got some experience in core Java and after that, i have been doing android for 8months... Yeah , i coded some basic apps got my hands dirty on firebase, sql libraries and some connectivity...
Even got landed in an internship.
Today i feel myself to be an intermediate android dev , nd i know their are many things that can be learnt in android that i don't know..
But what after that?development as a carrier interests me, but i fear for a job security ... I could learn more of Android,maybe learn ios after that but their are always articles coming out that react is future, webapps will replace android and stuff like that...
I Have also heard stuff like companies today want to squeeze more out of their techs, so they want less and complete developers having experience in both web and mobile app designing and other stuff like that
Are you freakin kidding me? Android and ios alone are like drinking Pacific and indian ocean and to add web developing, its like drinking out every drop of ocean in the world.
I guess their are guys which exist with knowledge of all three, maybe I can cover them all too(someday) but that would take my whole clg life of 4 years..(I guess)
And no ,I don't have problems with that too.. I actually like developing but again i hear big words like cloud computing, AR,VR AI, data sciences, automation, graphics designing, game dev, and many more...
Basically i hear too much and i fear too much 😅 and i don't think closing my ears would be a good choice...
So, which ocean of carrier should i aim to go for?nd are my fears real? Do companies really prefer some web guy designing Amazon like apps over android-only guys like me?is automation nd templates really gonna take all we, developers jobs?should i look into ai/data sciences?
Well , i am a simple guy, who got his first pc at 17 so naturally, i am fascinated even by the working of a calculator app and anything relates to tech so am open to pursue my interests in any fields23 -
Why so much hate for Windows? I can do all the scripting that I do on Linux on Windows as well. AutoHotKey for the win! In fact, the hacks that I can do on Windows directly cannot be done on Linux unless I have the terminal open. I'm still learning, yeah, so I'll learn how to do that in due time, but I've never had any issues with drivers, software issues, or security threats while using Windows.
And Windows Defender is so good now! I don't need an antivirus. Well, good browsing habits and common sense is enough of an antivirus so it's a moot point anyway.
Either way, I like embracing the power of AND. Why choose? I love both Windows and Linux!26 -
TL;DR: Google asked me to PROVIDE a phone number to verify connection from a new device, on the said device.
Yesterdayto log into my work Google account from my personal laptop to check emails, calendars update and so on. I opened up a private navigation window, went to Google sign-in page, entered my credentials, all is well.
Google then decided to "verify it's me" and prompted me to PROVIDE a phone number (work account without work phone means no phone number set up) so that they can send a verification code to the number I just provided to make sure the connection is legit.
Didn't want to do that, clicked "use another method" and got asked to fill the last password I remember, which would be my current password thanks to my trusty password manager. After submitting, I'm prompted with an error saying I have to contact my admin to reset my password because they can't log me in with my CURRENT password.
I ain't gonna do that, so went back to login page, provided my phone number, got the code, filled in the code, next thing I know I'm browsing through my emails.
What the duck? Could have been anybody giving any phone number. So much for extra security.
Also don't care that they have my phone number, the issue is more about the way used to obtain it: locking me out of my account and having no other way of logging in.6 -
I find it hilarious the total misconception of hacking that the general public has. I tell people I know cyber security (Not as much as a lot of people around here) but it is a hobby of mine and I find it very useful/interesting.
But I can't stop but laugh when someone is like, can you get all the text messages my bf receives?
Can you hack this for me can you back that?
C'mon even if I knew how to do that without being caught you think I would even admit that to you. Do hackers just walk around with an index card pasted to their forehead of their skill? It's not even slightly reasonable to think this lol even for someone who doesn't know about the field -
Sorry to keep whining about my stupid fucking job, but y'all, I think I'm nearing my limit.
There's some good...I am pretty much free to resolve issues any way I want to, as the only other person in the company who "codes" only knows one old ass language that doesn't apply to 90% of the rest of the tech stack at all, and some SQL - all of that to say, we may disagree, but ultimately, these matters are always deferred to me at the end of the day, insofar as the actual implementation goes (which is to say I am not micromanaged). At least as far as non-visuals are concerned, because those of course, are the most important things. Button colors and shit, woo hoo**. That's what we should focus on as we're bringing in potentially millions of dollars per month - the god damn button color and collapsible accordions based on data type over the shit ass DB performance bottleneck, the lack of redundancy or backups (aside from the one I made soon after I started -- literally saved everyone today because of that. My thanks? None, and more bullshit tasks) or the 300GB+ spaghetti code nightmare that is the literal circulatory system of the FUCKING COMPANY. Hundreds of people depend on it for their livelihoods, and those of their families, but fuck me in the face, right? I'm just a god damn nerd who has worked for the federal government, a handful of fortune 500's, a couple of fortune 100's, some startups, etc. But the fuck do I know about the lifecycle of companies?
I could continue ranting, but what's the point? I've got a nice little adage that I've started to live by, and y'all might appreciate it: "If everything is a priority/is important, nothing is". These folks just don't fucking get it. I'm torn because, on the one hand, they waste my time and kinda underpay me, in addition to forcing me to be onsite for 50 hours a week. They don't listen to me, couldn't give a flying shit about my experientially based opinions. I'm just a fucking chimp with a typewriter, there to take commands like a fucking waiter. But there's a lot of job security, assuming I don't fucking snap one day, and the job market for devs (I'm sure I don't need to tell you) is hostile atm. I'm also drinking far more than usual, and I really need to do something about that. It's only wednesday - I think...not 100% on that truth be told, and I logged my fourth trip to the liquor store this week already.
**Dear backenders - don't ever learn front end, or if you do, just lie about it to avoid being designated full stack. It's not worth it.5 -
*follow-up to https://devrant.com/rants/1887422*
The burnt remnants of my ID card's authentication information, waiting for the wind to come pick it up. It's stored in my password database now and committed to my git server, as it should be. Storing PIN and PUK codes on paper, whatever government cunt thought thought that that was a good idea...
If you've got identification papers containing authentication information like PIN and PUK codes, by all means add them to your password manager (if you're using Linux, I'd like to recommend GNU Pass) at once and burn the physical version. There's no reason why you'd want those on paper, unless you store your passwords on a post-it too.
At least that's as much as me and possibly you as citizens can do. Our governments are doomed anyway, given the shitty security policy they have, and likely the many COBOL mainframes still in use today. Honestly, the meddlings of Russia with the US elections doesn't seem too far-fetched, given this status quo. It actually surprises me that this kind of stuff doesn't happen more often, given that certain governments hire private pentesters yet can't secure their own infrastructure. -
Wow so much hate for WordPress. Le me to the rescue 💀
Yes WP is bloated and crappy and full of security issues etc etc. Agreed. That doesn't mean it is useless though.
It is alright to use for someone who is not really good with web, someone who just needs a blog, someone who just needs a home page, about page and contact form with a possibility of updating photo and text once or two times a month.
It is not suitable for e-commerce nor lots of transactions/forms involving websites.
As long as you know what kind of horse/vehicle you are on, you won't end up in the dirt.4 -
I don't understand privacy advocators.
Am I the only one who wouldn't give up practicality in exchange for "potentially more secure"?
I don't understand so much what the deal is with people who avoid Facebook, or don't trust Google or Microsoft, just in the basis of "privacy" or "security".
Websites tracking you to serve ads? Well, it's pointless because I very rarely buy something from the internet or let myself be influenced, ads are waste of time, just use an adblocker.
I can pretty much upload my whole life or documents on Google drive, even if I made it public no one would really care or read it all. It's like that GitHub project you uploaded but never documented, so no one cares. I usually use alternative software not because of "privacy" but because it has features other software doesn't have.
In reality you realize people aren't that interested in your life more than their own life.24 -
Every single stakeholder in my company tells me that I should be working on something different, every time I talk to them. For example - we've got some issues, that I've ranted on previously. I go to my manager, and tell him that it's going to take longer than I'd hoped, because the author of this part of the codebase wasn't familiar with functional programming or OOP, didn't document anything, and just generally produced an unmaintainable, borderline indescribable mess. The next guy after him made it all so much worse, because they're both a couple of tryhard douchebags, and I hope they fucking die. For real. I hope fire ants are involved.
Anyway, getting carried away there, whew. So I tell my manager that we'd be further ahead just replacing the code, because it's only doing a couple of things, and should not be so complex. He says "cool, but what you really need to be doing is rebuilding this other thing." So I switch gears and work on that other thing until I hit a point that requires the input of another stakeholder. I go to talk to this guy, and all hell breaks loose "why are you working on that, this is higher priority", and I explain the sequence of events. Manager denies having said what he said, I look like an asshole, yet again. Then the old "this should be simple, just change this" from the dudes who don't know code, and don't want to know. I try to explain, offer to show them precisely why their "simple ask" is anything but, but they just start screaming about how they hate technology. Yeah, well me fucking too. I keep hearing about how much "job security" I have, but man I'm going to lose my mind at this rate. I have seventeen motherfucking things that are "emergencies", and as many fucking dumb ass unintuitive workflows to go through to get them changed. All on production, because this place is fucking stupid. Just let me discard this shitty legacy code and be done with it already. FUCK.
Thank fucking fuck it's friday. In about six, seven hours, my goal is to be so fucking wasted that I can't feel my face. Get drunk, play with the dog, install a new distro on the desktop, maybe play a little guitar (the guitar is normal sized. It's not a ukulele or anything). Perfect friday night.9 -
Rant considering the latest Cyber attack and the news around it.
(A recap: a lot of Windows computers were infected with ransomware (due to security hole on Windows), which demanded 300$ in bitcoins to unlock data. After 3 days the price would double, and after 7 days the data was to be deleted)
1) In our country, one of the biggest companies was attacked (car factory). The production stopped and they got for around 1 000 000€ damage in less than 24h (1300 people without work). The news said that they were attacked because they are such a big company and were charged more, as the hackers "knew who they were dealing with" - another reason being the fact that the text was in croatian (which is our neighbor country), but noone realized that it is just a simple google translate of english text - which is obviously not true. The hackers neither know nor care who is hacked, and will charge everyone the same. They only care about the payment.
2) In UK whole (or large part) of medical infrastructure went down. The main thing everyone was saying was: "Nobody's data is stolen". Which, again, is obvious. But noone said anything about data being deleted after a week, which includes pretty much whole electronic medical record of everyone and is pretty serious.
And by the way, the base of the ransomware is code which was stolen from NSA.
All that millions and millions of dollars of damage could be avoided by simply paying the small fee.
The only thing that is good is that (hopefully) the people will learn the importance of backups. And opening weird emails.
P.S. I fucking hate all that 'hacky thingys' they have all over the news.5 -
My internship is about to end in two months. I was under the impression that I'll start looking for a job towards mid August and then decide what to do. I didn't expect my company to offer me a position so early before my internship ended.
Initially I had liked the place. The work was pretty relaxed and I had quite a bit of freedom. Soon enough, I proved my worth and my team started respecting my opinions and suggestions. They even consulted me on multiple occasions.
The first thing I noticed on the downside was the company, despite being resourceful enough and having a decent turnover and important clients, was quite stingy in terms of employee welfare. There was no coffee. There was machine but you had to buy the capsule for yourself. And that sucks. I know I don't need to say more but the other problems were there was no enterprise subscription (or any subscription) to PhpStorm even though our team handled so many PHP projects. I know IDEs are personal preferences but not having any professional IDEs is not something to let slide. The lead dev uses NetBeans (and not because he loved it or anything). Even though I worked on WebDev and front end, I had no option to ask for a second screen. I had one display apart from my laptop. Usually most companies in Paris provides food tickets for internships and this company did not even give me that. And worst of all, there wasn't really anyone I looked up to. As much as I enjoy responsibilities and all, I don't think I should be in an environment where I have nothing much to learn from my seniors. For some fucked sense of security and certainty, I was willing to overlook all this when they offered me a position. But I recently had my interview and the regional manager, a fuck face who still makes me wonder how he reached his position, made a proposal for some quite a small amount of salary. What infuriated more than his justifications was his attitude itself. There was absolutely no respect whatsoever. It was more like "We'll give you this, I think this is more than enough for you. Take it or do whatever you want". I asked for more and he didn't even bother negotiating. I declined the offer.
Now this would have solved all the issues. But my manager and my lead dev like me a lot. Both of them are pretty nice people. They both were bothered with the fact that I had turned down the offer. My manager even agreed that the offer was too low and had already given me tips to help me negotiate. But after I turned down the offer, she went and discussed the issue with the regional manager and he offered me a new proposal. This time it was decent but still under my expectations. I'm pretty sure I can do better elsewhere. I said I need time to think about it. I get multiple advises from people to take it atleast so that I get my visa converted to a work permit. For some reason, I want to take the risk and say no. And find something else. But today my lead dev called me aside and asked me if was going to say no. He really tried to influence me by telling me a lot of good things about me and telling me about the number of different projects we're going to start next month and all that. Even though I'm fully convinced that I don't want to work here, just the sheer act of saying no to these two people I respect is sooo fucking difficult for me that I can already imagine me working here for the next one year. The worst part is I can clearly classify their words and sentences into stuff they say to canvass me, stuff they're bullshitting about and flattery just to make me stay. Despite knowing I'm being taken advantage of, some fucked up module in my head wouldn't stop guilt tripping me. I don't know what to do. If I only I could find a really better job.
Pardon the grammatical errors if any. I'm just venting out and my thoughts branch in 500 different ways simultaneously.5 -
Oh boy I got a few. I could tell you stories about very stupid xss vectors like tracking IDs that get properly sanitized when they come through the url but as soon as you go to the next page and the backend returns them they are trusted and put into the Dom unsanitized or an error page for a wrong token / transaction id combo that accidentally set the same auth cookie as the valid combination but I guess the title "dumbest" would go to another one, if only for the management response to it.
Without being to precise let's just say our website contained a service to send a formally correct email or fax to your provider to cancel your mobile contract, nice thing really. You put in all your personal information and then you could hit a button to send your cancelation and get redirected to a page that also allows you to download a pdf with the sent cancelation (including all your personal data). That page was secured by a cancelation id and a (totally save) 16 characters long security token.
Now, a few months ago I tested a small change on the cancelation service and noticed a rather interesting detail : The same email always results in the same (totally save) security token...
So I tried again and sure, the token seemed to be generated from the email, well so much about "totally save". Of course this was a minor problem since our cancelation ids were strong uuids that would be incredibly hard to brute force, right? Well of course they weren't, they counted up. So at that point you could take an email, send a cancelation, get the token and just count down from your id until you hit a 200 and download the pdf with all that juicy user data, nice.
Well, of course now I raised a critical ticket and the issue was fixed as soon as possible, right?
Of course not. Well I raised the ticket, I made it critical and personally went to the ceo to make sure its prioritized. The next day I get an email from jira that the issue now was minor because "its in the code since 2017 and wasn't exploited".
Well, long story short, I argued a lot and in the end it came to the point where I, as QA, wrote a fix to create a proper token because management just "didn't see the need" to secure such a "hard to find problem". Well, before that I sent them a zip file containing 84 pdfs I scrapped in a night and the message that they can be happy I signed an NDA.2 -
Every week in my intro to information security class we are asked about what security stuff has gone down in the past week. Equifax is making it incredibly easy to not have to do much research.1
-
When i was younger, lesser experienced and more naive than now; i got away with a lot of things. By lot of things i mean security flaws in my applications and overall architecture. I realise now i could've so easily been pawned.
Not that i claim to be totally secure even now, or would ever. It is a process, slow and painful one - Learning.
What i wish to point out is the role of favorable probability (non believers would call it luck). Security is so much about it. You get away with so many things for so long. And bang one day the roll of dice is unfavorable. On such rare occasions, just look back and wonder - damn i should've been breached long ago.rant hindsight security fail looking back security luck vulnerabilities food for thought musings naive probability2 -
Don't think I could love IT anymore then I do now! Currently and intern and was stressing a small bit about what I wanted to do after college (i.e. web development, mobile development, security) then came to the realisation that I can do whatever i want. I don't think any other profession has such a freedom within industry and that is why love IT so much. Looking forward to many more years of learning and developing my skills2
-
Who thought Lua was a good idea for extending gameplay functionality??
It's weakly typed, has no OOP functionality and no namespace rules. It has no interesting data structures and tables are a goddamn mystery. Somebody made the simplest language they could and now everybody who touches it is given the broadest possible tools to shoot themselves in the foot.
Lua's ease of embedding into C++ code is a fool's paradise. Warcraft 3's JASS scripting language had way more structure and produced much better games, whilst being much simpler to work with than Lua.
All the academics describing metatables as 'powerful extensionality' and a fill-in for OOP are digging the hole deeper. Using tables to implement classes doesn't work easily outside school. Hiding a self:reference to a function inside of syntactic sugar is just insanity.
Nobody expects to write a triple-A game in lua, but they are happy to fob it off to kids learning to program. WoW made the right choice limiting it to UI extensions.
Fighting the language so you can try and understand a poorly documented game engine and implement gameplay features as the dev's intend for 'modders', is just beyond the pale. It's very difficult to figure out what the standard for extending functionality is, when everybody is making it up as they go along and you don't have a strongly-typed and structured language to make it obvious what the devs intended.
If you want to give your players a coding sandbox, make the scripting language yourself like JASS. It will be way better fit for purpose, way easier to limit for security and to guarantee reasonable performance. Your players get a sane environment to work in and you just might get the next DOTA.
Repeatedly shooting yourself in the foot on invisible syntax errors and an incredibly broad language is wasted suffering for kids that could be learning the programming concepts that cross all languages way quicker and with way more satisfying results.
Lua is hot garbage for it's most popular application, I really don't get it. Just stop!24 -
When I was in 11th class, my school got a new setup for the school PCs. Instead of just resetting them every time they are shut down (to a state in which it contained a virus, great) and having shared files on a network drive (where everyone could delete anything), they used iServ. Apparently many schools started using that around that time, I heard many bad things about it, not only from my school.
Since school is sh*t and I had nothing better to do in computer class (they never taught us anything new anyway), I experimented with it. My main target was the storage limit. Logins on the school PCs were made with domain accounts, which also logged you in with the iServ account, then the user folder was synchronised with the iServ server. The storage limit there was given as 200MB or something of that order. To have some dummy files, I downloaded every program from portableapps.com, that was an easy way to get a lot of data without much manual effort. Then I copied that folder, which was located on the desktop, and pasted it onto the desktop. Then I took all of that and duplicated it again. And again and again and again... I watched the amount increate, 170MB, 180, 190, 200, I got a mail saying that my storage is full, 210, 220, 230, ... It just kept filling up with absolutely zero consequences.
At some point I started using the web interface to copy the files, which had even more interesting side effects: Apparently, while the server was copying huge amounts of files to itself, nobody in the entire iServ system could log in, neither on the web interface, nor on the PCs. But I didn't notice that at first, I thought just my account was busy and of course I didn't expect it to be this badly programmed that a single copy operation could lock the entire system. I was told later, but at that point the headmaster had already called in someone from the actual police, because they thought I had hacked into whatever. He basically said "don't do again pls" and left again. In the meantime, a teacher had told me to delete the files until a certain date, but he locked my account way earlier so that I couldn't even do it.
Btw, I now own a Minecraft account of which I can never change the security questions or reset the password, because the mail address doesn't exist anymore and I have no more contact to the person who gave it to me. I got that account as a price because I made the best program in a project week about Java, which greatly showed how much the computer classes helped the students learn programming: Of the ~20 students, only one other person actually had a program at the end of the challenge and it was something like hello world. I had translated a TI Basic program for approximating fractions from decimal numbers to Java.
The big irony about sending the police to me as the 1337_h4x0r: A classmate actually tried to hack into the server. He even managed to make it send a mail from someone else's account, as far as I know. And he found a way to put a file into any account, which he shortly considered to use to put a shutdown command into autostart. But of course, I must be the great hacker.3 -
!Rant #motivation #hugeProject
Yesterday i started a new app and i designed some of it but classes i coded will speed up the whole coding of other parts .
Anyways today i needed to work on the server side of the project and when i was working on setting up the databases structures i realized how big is this project (it uses like 3 APIs) so i was unmotivated because its a side project and it takes alot of time and overall it dont worth it and even app may fail or may be successful.
So i said i dont care about how it will turn out
Im gonna do it , and im gonna do it right now
So i did now its 6 am and the server part is almost finished ! 75% done .
It was a secure login system and signup with verifications and more security stuff and the codes that provide the server status and most of the user parts . And some of the features of the app .
The most hard thing remaining is to setup the in app purchases and the APIs .
So if you see a project that is huge .
Dont give up . Just do it as long as you can
And you will see how much you progress !
And the huge project will be a big project ;)
Then a normal project , then a tiny project :P
Good night1 -
Seems like my connection to much-security isn't so... secure 😂
Didn't you forget something, @linuxxx?6 -
Why does email suck so much oh my god, I don't want a fucking lesson in the kinds of domain records, I can set a TXT to prove that I control the DNS record, I have a TLS certificate, what the fuck else would I possibly need to prove!? None of this is contributing anything to security! Just fucking figure it out, it's the internet, not an international border, jesus.6
-
1. It's gonna be more and more specialized - to the point where we'll equal or even outdo the medical profession. Even today, you can put 100 techs/devs into a room and not find two doing the same job - that number will rise with the advent of even more new fields, languages and frameworks.
2. As most end users enjoy ignoring all security instructions, software and hardware will be locked down. This will be the disadvantage of developers, makers and hackers equally. The importance of social engineering means the platform development will focus on protecting the users from themselves, locking out legitimate tinkerers in the process.
3. With the EU getting into the backdoor game with eTLS (only 20 years after everyone else realized it's shit), informational security will reach an all-time low as criminals exploit the vulnerabilities that the standard will certainly have.
4. While good old-fashioned police work still applies to the internet, people will accept more and more mass surveillance as the voices of reason will be silenced. Devs will probably hear more and more about implementing these or joining the resistance.
5. We'll see major leaks, both as a consequence of mass-surveillance (done incompetently and thus, insecurely) and as activist retaliation.
6. As the political correctness morons continue invading our communities and projects, productivity will drop. A small group of more assertive devs will form - not pretty or presentable, but they - we - get shit done for the rest.
7. With IT becoming more and more public, pseudo-knowledge, FUD and sales bullshit will take over and, much like we're already seeing it in the financial sector, drown out any attempt of useful education. There will be a new silver-bullet, it will be useless. Like the rest. Stick to brass (as in IDS/IPS, Firewall, AV, Education), less expensive and more effective.
8. With the internet becoming a part of the real life without most people realizing it and/or acting accordingly, security issues will have more financial damages and potentially lethal consequences. We've already seen insulin pumps being hacked remotely and pacemakers' firmware being replaced without proper authentication. This will reach other areas.
9. After marijuana is legalized, dev productivity will either plummet or skyrocket. Or be entirely unaffected. Who cares, I'll roll the next one.
10. There will be new JS frameworks. The world will turn, it will rain.1 -
Not a dev!rant,/but certainly a rant. Long post ahead.
First of all I MISSED YOU ALL
Had my fair issues of shit these months. And for that, FUCK EVERYTHING. End of rant for now. I am still managing somehow to do - slowly as fuck, but who cares at this point - like finally going to uni, finding a psychologist and not a psycho, unraveling a fuckton of previous trauma (hi abuse) and ~drums~ buying my new desktop! Not exactly a nasa server but a middish level workstation/gaming place. I am shopping right now. The previous days have been shaky with all the flashback business and emotional rollercoaster of death, but I feel like going the right way somehow. Is it true? Who knows! But after enduring several issues of suicide planning and luckily only one serious-bugged attempt epically hilariously failed, the slightest hope is a victory. I like p2p, so feel free to torrent and seed this little joy. If it is mine it can be yours. Take it!
Also, you know how much autistic I am, but I'd really like to make some friends. I make attempts but honestly I am awkward errrr.... I don't know how many dude/ttes I can count on. For friend I mean simply someone that honestly likes me somehow, is loyal, and has interest in sharing they like to do or think! (And if they want to give me tips on security/sysadmin/dev stuff, even better, but not required obviously).
Also, I may have some projects in mind. Will publish in the projects section when the roughest idea is finished.
Maybe I deserve an updoot. In real life.
(Which is also here....)
🎶🎶🎶🎶2 -
My university provides advanced education courses and you'll get certified if you pass them. I'm really interested but I don't have so much time, so which one should I pick?
List of courses I'm interested in:
SQL
IT-Security
Project Management
PHP
I'm curious about your suggestions ;)9 -
No experience with paid work yet, but for sysadmin work I'd mostly look at the environment and how the previous admin left the premises, and why they left. I wouldn't want to work with a bird's nest for a server room, that's got everything jammed into one clusterfuck of a god-function sort of server or something crazy like that. Separation of services, security, wire management, all those things matter because that's the state that you'll be working in, and cleaning up someone else's mess.. it makes my blood boil.
Payment is important, and if the job doesn't pay well, don't take it. Or if they place a wee bit too much value in those expensive pieces of toilet paper called certificates, it denotes incompetence from the employer by being unable to gauge your skills on their own (and I get that there's time management involved, but come on.. how long can it take to have a conversation with someone to gauge what their skillset is). But the working environment in particular is of vital importance. If it's all going to be yours to build, great (and don't you dare to half-ass it -_-). But if it's already been partially done by someone else, they'd better done it well. -
So after my hosting my first project and announcing it on devrant, the users pointed out the many security faults and places where the code can be exploited ( thank you so much ). So I started my research on security ( im 99% self-taught ). The first thing I landed across is the code vulnerabilities which the I can fix then the vulnerabilities of the language itself and then binary code to overrun whatever the language it is. Well, the topic gets broader and broader. If I click on a link named xxx vulnerabilities oh god that is a whole new collection of hundeds of wiki like pages. I feel like I'm lost and here I need some real help2
-
Because I am very interested in cyber security and plan on doing my masters in it security I always try to stay up to date with the latest news and tools. However sometimes its a good idea to ask similar-minded people on how they approach these things, - and maybe I can learn a couple of things. So maybe people like @linuxxx have some advice :D Let's discuss :D
1) What's your goto OS? I currently use Antergos x64 and a Win10 Dualboot. Most likely you guys will recommend Linux, but if so what ditro, and why? I know that people like Snowden use QubesOS. What makes it much better then other distro? Would you use it for everyday tasks or is it overkill? What about Kali or Parrot-OS?
2) Your go-to privacy/security tools? Personally, I am always conencted to a VPN with openvpn (Killswitch on). In my browser (Firefox) I use UBlock and HttpsEverywhere. Used NoScript for a while but had more trouble then actual use with it (blocked too much). Search engine is DDG. All of my data is stored in VeraCrypt containers, so even if the system is compromised nobody is able to access any private data. Passwords are stored in KeePass. What other tools would you recommend?
3) What websites are you browsing for competent news reports in the it security scene? What websites can you recommend to find academic writeups/white papers about certain topics?
4) Google. Yeah a hate-love relationship, but its hard to completely avoid it. I do actually have a Google-Home device (dont kill me), which I use for calender entries, timers, alarms, reminders, and weather updates as well as IOT stuff such as turning my LED lights on and off. I wouldn"t mind switching to an open source solution which is equally good, however so far I couldnt find anything that would a good option. Suggestions?
5) What actions do you take to secure your phone and prevent things such as being tracked/spyed? Personally so far I havent really done much except for installing AdAway on my rooted device aswell as the same Firefox plugins I use on my desktop PC.
6) Are there ways to create mirror images of my entire linux system? Every now and then stuff breaks, that is tedious to fix and reinstalling the system takes a couple of hours. I remember from Windows that software such as Acronis or Paragon can create a full image of your system that you can backup and restore at any point to get a stable, healthy system back (without the need to install everything by hand).
7) Would you encrypt the boot partition of your system, even tho all data is already stored in encrypted containers?
8) Any other advice you can give :P ?12 -
Windows rant incoming!
For fucks sake! I think Windows have asked me 117 times if I want to update now. The answer is still fucking no!
And I don't care how much of a security improvement it might be, when your shitty update causes a Memory Management error.
So fuck off, stop minimising my game while I play and go fix your shitty update first!
Fuck you Microsoft, fuck your QA team and while I'm at it, I want to say fuck you to all versions of Windows Server as well!5 -
A Rant that took my attention on MacRhumors forum.
.
I pre-calculated projected actual overall cost of owning my i5/5/256 Haswell Air, which I got for $1500.
After calculations, this machine would cost me about $3000 for 3 years of use.
(Apple Care, MS Office Business, Parallels, Thunderbolt adapter to HDMI, Case... and so on).
Yea... A lot of people think it's all about the laptop with Apple. nah... not at all. There's a reason Apple is gradually dropping the price of their laptops.
They are slowly moving to a razor and blade business model... which basically is exactly what it sounds like - you buy the razor which isn't too expensive, but you've got no choice but to buy expensive additional blades.
I doubt Apple is making much money from laptop sales alone... well definitely not as much as they were making 5 years or so ago (remember the original air was about $1800 for base model, and if i remember correctly - $1000 additional dollars to upgrade to 64GB SSD from the base HDD.
Yes, ONE THOUSAND DOLLARS FOR 64GB SSD!
Well, anyways, the point is that Apple no longer makes them BIG bucks from the laptop alone, but they still make good profits from upgrades. $300 to go to 512GB SSD from 256, $100 for 4GB extra ram, and $150 for a small bump in processor. They make good profits from these as well.
But that's not where they make mo money. It's once you buy the Macbook, they've got you trapped in their walled garden for life. Every single apple accessory is ridiculously overpriced (compared to market standards of similar-same products).
And Apple makes their own cables and ports. So you have to buy exclusively for Apple products. Every now and then they will change even their own ports and cables, so you have to buy more.
Software is exclusive. You have no choice but to buy what apple offers... or run windows/linux on your Mac.
This is a douche level move comparable to say Mircrosoft kept changing the usb port every 2-3 years, and have exclusive rights to sell the devices that plug in.
No, instead, Intel-Microsoft and them guys make ports and cables as universal as possible.
Can you imagine if USB3.0 was thinner and not backwards compatible with usb2.0 devices?
Well, if it belonged to Apple that's how it would be.
This is why I held out so long before buying an apple laptop. Sure, I had the ipod classic, ipod touch, and more recently iPad Retina... but never a laptop.
I was always against apple.
But I factored in the pros and cons, and I realized I needed to go OS X. I've been fudged by one virus or another during my years of Windows usage. Trojans, spywares. meh.
I needed a top-notch device that I can carry with me around the world and use for any task which is work related. I figured $3000 was a fair price to pay for it.
No, not $1500... but $3000. Also I 'm dead happy I don't have to worry about heat issues anymore. This is a masterpiece. $3000 for 3 years equals $1000 a year, fair price to pay for security, comfort, and most importantly - reliability. (of course awesome battery is superawesome).
Okay I'm going to stop ranting. I just wish people factored in additional costs from owning an a mac. Expenses don't end when you bring the machine home.
I'm not even going to mention how they utilize technology-push to get you to buy a Thunderbolt display, or now with the new Air - to get a time capsule (AC compatible).
It's all about the blades, with Apple. And once you go Mac, you likely won't go back... hence all the student discounts and benefits. They're baiting you to be a Mac user for life!
Apple Marketing is the ultimate.
source: https://forums.macrumors.com/thread...3 -
Well, throughout my life I've never really thought about programming. Then one day during some downtime on a backpacking trip with a friend, while I had nothing to do my friend sat there with his computer with the screen all dark, filled with funny colourful text in lines of different length, with some lines even starting more towards the middle of the page than to the left, almost following a vertical wave pattern. He said he was writing a program to control his home remotly as well as working as a security feature that could unlock his home automatically when he got home. I was amazed by the colorful text as well as the fact that he could just create this crazy program out of nothing.
Half a year later I attended my first lecture at the computer science programme. My first program was a command line tool used for baking bread. It asked you how much flour you'd use and how many eggs, then it'd tell you wether or not you'd got the correct ratio. I was blown away by the intuitive nature of programming. I could imagine the control flow as a tree or flow chart in my head. I mean the whole program was only a couple of user inputs followed by an if-statement and a print-statement, but for me it was awe inspiring. I knew then that I'd probably chosen the right path in education. -
If I could I just wouldn't support email in any way shape anymore.
It's just too much hassle with all the spam filters and people just don't understand how email works.
Nobody fucking reads it anyway.... but everyone wants like a bazillion variations on stupid emails that go out that nobody will read.
They don't get that email is often instant ... but is actually async.
They don't understand that just because they got an email sent to their own distribution list ... and someone took them off the list... that doesn't mean that WE an outside group emailing that list stopped sending them messages.
Nobody actually looks at their spam filters until I tell them to do it for the 3rd time. And as if by magic folks at the same company don't 'have spam filter problems all the time'.
I had a company 'security' filter that straight up followed all the links in an email (that's fine ... we're good, I get that).... and then their stupid bot or whatever would actually click options on a form and fucking submit the fucking form!!!!!
I mean I get that maybe some sites have folks submit some shit and then deliver malware but that's gonna have consequences submitting shit none the less because I don't know it's just your fucking bot...
So they'd get various offers from our customers and bitch when they went to find it was already gone.5 -
So for those of you keeping track, I've become a bit of a data munger of late, something that is both interesting and somewhat frustrating.
I work with a variety of enterprise data sources. Those of you who have done enterprise work will know what I mean. Forget lovely Web APIs with proper authentication and JSON fed by well-known open source libraries. No, I've got the output from an AS/400 to deal with (For the youngsters amongst you, AS/400 is a 1980s IBM mainframe-ish operating system that oriiganlly ran on 48-bit computers). I've got EDIFACT to deal with (for the youngsters amongst you: EDIFACT is the 1980s precursor to XML. It's all cryptic codes, + delimited fields and ' delimited lines) and I've got legacy databases to massage into newer formats, all for what is laughably called my "data warehouse".
But of course, the one system that actually gives me serious problems is the most modern one. It's web-based, on internal servers. It's got all the late-naughties buzzowrds in web development, such as AJAX and JQuery. And it now has a "Web Service" interface at the request of the bosses, that I have to use.
The programmers of this system have based it on that very well-known database: Intersystems Caché. This is an Object Database, and doesn't have an SQL driver by default, so I'm basically required to use this "Web Service".
Let's put aside the poor security. I basically pass a hard-coded human readable string as password in a password field in the GET parameters. This is a step up from no security, to be fair, though not much.
It's the fact that the thing lies. All the files it spits out start with that fateful string: '<?xml version="1.0" encoding="ISO-8859-1"?>' and it lies.
It's all UTF-8, which has made some of my parsers choke, when they're expecting latin-1.
But no, the real lie is the fact that IT IS NOT WELL-FORMED XML. Let alone Valid.
THERE IS NO ROOT ELEMENT!
So now, I have to waste my time writing a proxy for this "web service" that rewrites the XML encoding string on these files, and adds a root element, just so I can spit it at an XML parser. This means added infrastructure for my data munging, and more potential bugs introduced or points of failure.
Let's just say that the developers of this system don't really cope with people wanting to integrate with them. It's amazing that they manage to integrate with third parties at all...2 -
I f&#king hate it here. I am just eyeing to exit as soon as 1 year of my contractual obligation is over. My employer is a good employer. Provides good benefits but I just can't take the bureaucrazy in here. Just yesterday, had to ask another team to deploy objects on our behalf as they are the schema owner. They did it and asked us to review it today. But how? We don't even have manual access to the schema, because we are not the content owner and security! But that's fine, I can always query the catalog views and check the metadata and should be able to conclude the deployment. Right? NOOOO. Because security! Of what? Column names?
Prev rant: https://devrant.com/rants/5145722/...2 -
As a junior dev from a sysadmin and security background, this is a list of software development concepts I never seemed to truly understand but hope to(rated from most intimidating to least):
1) Frontend web development and all the huge world of javascript frameworks and tools. - It's more overwhelming than the political geography of the Holy Roman Empire in the Middle Ages.
2) Machine Learning, Deep Learning and A.I- too much math that fucks with my brain.
3) low-level programming(kernel,drivers) - sounds extremely interesting but the code in assembly/C/C++ looks like Linear A Minoan hieroglyphics.
4) Rx(insert language here) - I never get why it is useful or why someone invented this. Seems interesting though.
5) Code Reflection - sounds like Thelemic magick.
6) Packaging, automation, build tools, devops, CI, Testing -seems too complicated. I just want to run an executable at the client or make a web app that does something. Why all this process?6 -
Apple’s Vision Pro Hacked On Launch Day
Just within hours of Apple releasing its much-hyped mixed reality headset, Apple Vision Pro, a security researcher was able to discover a critical kernel vulnerability in the device’s software – visionOS, which, if exploited, could potentially enable jailbreaks and malware attacks. More detail:
https://aprogrammerlife.com/top-rat...10 -
just found out a vulnerability in the website of the 3rd best high school in my country.
TL;DR: they had burried in some folders a c99 shell.
i am a begginer html/sql/php guy and really was looking into learning a bit here and there about them because i really like problem solving and found out ctfs mainly focus on this part of programming. i am a c++ programmer which does school contest like programming problems and i really enjoy them.
now back on topic.
with this urge to learn more web programming i said to myself what other method to learn better than real life sites! so i did just that. i first checked my school site. right click. inspect element. it seemed the site was made with wordpress. after looking more into the html code for the site i concluded all the images and files i could see on the site were from a folder on the server named 'wp-content/uploads'. i checked the folder. and here it got interesting. i did a get request on the site. saw the details. then i checked the site. bingo! there are 3 folders named '2017', '2018', '2019'. i said to myself: 'i am god.'
i could literally see all the announcements they have made from 2017-2019. and they were organised by month!!! my curiosity to see everything got me to the final destination.
with this adrenaline i thought about another site. in my city i have the 3rd most acclaimed high school in the country. what about checking their security?
so i typed the web address. looked around. again, right click, inspect element and looked around the source code. this time i was more lucky. this site is handmade!!! i was soooo happy because with my school's site i was restricted with what they have made with wordpress and i don't have much experience with it.
amd so i began looking what request the site made for the logos and other links. it seemed all the other links on the site were with this format: www.site.com/index.php?home. and i was very confused and still am. is this referencing some part of the site in the index.php file? is the whole site written inside the index.php file and with the question mark you just get to a part of the site? i don't really get it.
so nothing interesting inside the networking tab, just some stylesheets for the site's design i guess. i switched to the debugger tab and holy moly!! yes, it had that tree structure. very familiar. just like a project inside codeblocks or something familiar with it. and then it clicked me. there was the index.php file! and there was another folder from which i've seen nothing from the network tab. i finally got a lead!! i returned in the network tab, did a request to see the spgm folder and boooom a site appeared and i saw some files and folders from 2016. there was a spgm.js file and a spgm.php file. there was a contrib, flavors, gal and lang folders. then it once again clicked me! the lang folder was las updated this year in february. so i checked the folder and there were some files named lang with the extension named after their language and these files were last updated in 2016 so i left them alone. but there was this little snitch, this little 650K file named after the name of the school's site with the extension '.php' aaaaand it was last modified this year!!!! i was so excited! i thought i found a secret and different design of the site or something completely else! i clicked it and at first i was scared there was this black/red theme going on my screen and something was a little odd. there were no school announcements or event, nononoooo. this was still a tree structured view. at the top of the site it's written '!c99Shell v. 1.0...'
this was a big nono. i saw i could acces all kinds of folders. then i switched to the normal school website and tried to access a folder i have seen named userfiles and got a 403 forbidden error. wopsie. i then switched to the c99 shell website and tried to access the userfiles folder and my boy showed all of its contents. it was nakeeed naked. like very naked. and in the userfiles folder there were all, but i mean ALL files and folders they have on the server. there were a file with the salary of each job available in the school. some announcements. there was a list with all the students which failed classes. there were folders for contests they held. it was an absolute mess and i couldn't believe it.
i stopped and looked at the monitor. what have i done? just to learn some web programming i just leaked the server of the 3rd most famous high school in my country. image a black hat which would have seriously caused more damage. currently i am writing an email to the school to updrage their security because it is reaaaaly bad.
and the journy didn't end here. i 'hacked' the site 2 days ago and just now i thought about writing an email to the school. after i found i could access the WHOLE server i searched for the real attacker so if you want to knkw how this one went let me know in the comments.
sorry for the long post, but couldn't held it anymore13 -
A few days ago our server was compromised due to an outdated Jenkins version. The malicious user installed a crypto miner on the server... The same day that it was found I told management that I'm interested in helping out with the server. Since then, nothing happened... No updates, no security measures, no nothing (except for the removed crypto miner and updated Jenkins software)
Oh well only a matter of time before another hack...
Question to some (who work way way way longer than me) med - seniors, should I make a big deal out of this? And keep pressure on it. Or should I just leave it be and wait for the next comprised server? I know devrant is not a Q&A service, but some dev to dev advice is much appreciated.
- incognito1 -
I just noticed that my hotel room card is a simple, unprotected NFC card that has a whopping 8x8x16=1024 bit allocated. If I had another NFC tag with my I'd be tempted to copy it and play around with it a bit...12
-
Weeks ago, a change went into production. For some reason, we can't implement our own changes or create new databases in production, we have to have a whole different department do it. This would be great except for one thing:
THEY CAN'T THINK FOR THEMSELVES. I've had to tell them how to run scripts I wrote. I've had to tell them how to fix problems that arise.
Back to that script ran three weeks ago or so. It didn't add permissions to allow me, the system and application developer to see the stored procedure, much less run it. Application can't run it. Thankfully the application works without it.
Fast forward to tonight. My change that I'm attempting to implement is the creation of the stored procedure, because nothing could see it, I assumed it didn't exist... reasonable, right? Database folks tells me it exists. They then tell me they can't give me nor the application permissions because it doesn't ask for it in the change plan.
Excuse me.... WHAT FUCKING WORLD DOES IT MAKE SENSE TO CREATE SOMETHING AND HIDE IT FROM THE CREATOR LET ALONE THE APPLICATION SO IT CAN'T USE IT?! FUCKING THINK. WHY WOULD I WASTE MY FUCKING TIME TO TALK TO YOU OFFSHORE PIECES OF SHIT AT 10PM WHEN I'D RATHER PLAY VIDEO GAMES.
I'm so fucking done with enterprises. Someone with reasonable job security at a startup, please hire me. You will probably pay me more fucking money than this company does anyway.
Now on to my second change of the night. Thankfully I don't have to rely on anyone outside of me... so I won't be wasting my fucking time. -
About two weeks ago I had a cyber security competition. I spent a week or so working on a bash script so I didn't have two spend hours and hours on end doing tedious tasks to get points.
So here comes competition day and I have about 12 or so scripts that I predicted to get 60 or so of the 100 points. I open the competition image, grab my scripts, and run my call script (script that calls all the other scripts). Maybe 15 minutes later, the script is done...
ZERO FUCKING POINTS. I double checked all the files that the scripts configured and all of them worked. But NONE the vulnerabilities that my script fixed were vulnerabilities that the scoring report counted. Instead of me taking 20 to 30 minutes on the image it took my and 1:07... doesn't sound like much but the highly competitive people finished in around 1 hour and the people who just didn't give a shit about Linux took 3 hours...
Luckily... I was put onto the highly competitive team after that and it all worked out... I'll hopefully add more to this script before next competition. -
Open source is poison, hoax and source of much troubles.
Even as I love OSS, and I use it a lot, when things go south, they go south terribly.
There was "security" updates in one OSS program I have been using, that accidentally prevented use cases which specifically affected me. I raised bug report, made issue and gave small repro for it.
One of the core developers acknowledges that yes, this is problem, and could be handled with few added options, which users of similar use case could use to keep things working. He then tags issue "needs help" and disappears.
After I have waited some time, I ask help how I could fix it myself, like how to setup proper dev environment for that tool. Asked it in their forums few days later, as issue didn't get any response. Then asked help in their slack, as forums didn't get any help.
Figured out how to get dev environment up, fix done (~4 lines changed, adding simple check for option enabled or not) and figured out how to test that this works.
I create pull request to project, checking their CONTRIBUTING and following instructions there. Then I wait. I wait two weeks, and then one of the core develors goes to add label "needs response from maintainer". That is now almost two weeks ago...
So, bug that appeared in October, and issue that was created October 8th, is still not fixed, even as there is fix in PR for 28 days this far.
And what really ticks me off? People who make statements like: "it is OSS, have you thought of contributing and fixing things yourself?" when we run into problems with open source software.
Making fix yourself ain't biggest problem... but getting it actually applied seems to be biggest roadblock. This kind of experiences doesn't really encourage me to spend time fixing bugs in OSS, time is often better spend changing to different tool, or making changes in my own workflow or going around problem some kludge way.
I try to get business starting, and based on OSS tools. But my decision is staggering, as I had also made decision to contribute back to OSS... but first experiences ain't that encouraging.
Currently, OSS feels like cancer.17 -
Multi User, One Account, and other shit
I'm gonna rant about something as a user, and someone who makes stupid web stuff.
My bank has been updating their web banking over time and they decided that every individual on an account, should have their own login. They really want to push this on their users, I suspect specifically folks like me and my wife who share one login for the joint accounts we have at the bank together.
Why share one login, because it's the only sure fire way I know that I and my wife can see all the same shit no doubt about it.
The banks never tell you what you can see or can't with joint accounts, I doubt it is even documented on their end, but in every damn case something is hidden or different in some weird way.
Messages to the bank people? If I send it, my wife often can't. I get that for security reasons that's a thing, but it makes no sense for a joint account.
ANY difference to me breaks online banking ENTIRELY. Joint accounts are supposed to be... well one account that is the same.
Other banks we used where we had different logins for the joint account, each login actually had separate bill pay accounts per user. So if I went to bill pay and scheduled something to be paid, my wife had no idea, same if she did.
Right fucking there, banking is just broken entirely!
So no Mr. Bank, fuck you we're both logging in via the same login.
Fast forward to N00bPancakes making a thing.
So my employer has a customer (Direct Customer). Direct Customer wants a thing that makes communication with their customer (Indirect Customer) easier.
The worst thing about making something for your customer's customer is that Direct Customer always imagines that Indirect Customer is gonna be super ninja power users....
But no, that's not the case... in fact almost nobody is a power user, and absolutely nobody WANTS to be a power users.
Worse yet in my case the only reason this tool exists is because Direct Customer and Indirect Customer can't communicate well enough anyway... that should tell you something about the amount of effort Indirect Customer is willing to expend.
So with that tool, this situation constantly comes up:
Direct Customer thinks it would be great if every user from Indirect Company had some sort of custom messaging, views, and etc in of Cool Communication Tool. The reason is because that's what Direct Customer loves about Ultra Complex Primary Tool that they use ....
Then I have to fight the constant fight of:
NOBODY WANTS TO BE A POWER USER, NOBODY EVEN WANTS TO DO MUCH OF ANYTHING ON THE INTERNET THAT ISN'T SCREAMING AT OTHER PEOPLE OR POST MEMES OR WATCH SHITTY VIDEOS. THE MOMENT ANYONE AT INDIRECT COMPANY LOGS IN AND SEES ANY INFO THAT IS DIFFERENT FROM THEIR COWORKER THEY'LL SHIT THEMSELVES, FLOOD EVERYONE WITH 'OH GAWD SOME NON SPECIFIED THING IS WRONG' AND RESPOND TO EMAILS LIKE A JELLYFISH DROPPED OFF IN NEW MEXICO... AND NOTHING WILL GET DONE!!!
God damn it people.
Also side rant while I'm busy fighting the good fight to keep shit simple and etc:
People bitch about how horrible the modern web is and then bitch at web devs like we're rulers of the internet or something.... What really pisses me off about that is other devs who do that.... like bro, do you make policy at your company? You decide not to sell some info or whatever shit your company sells? Like fuck off with your 'man I miss html' because you got scared by some shitty JS error and ran back to your language of choice and just poked your head out of the the basement and got scared... and you shit on another developer about that? Fuck you.1 -
tl;dr. web hosting && a panic attack && security threat
i wasn't sure whether my brother's domain was hosted or not (because it wasnt showing a website and he didnt know any better).
so i decided to host a react-app for it on netlify and pointed the domain's nameservers towards it (a separate security threat at bottom).
all went well and now when you punch in the domain it ..all-behold.. shows a website.
NOW, i remember my brother was using the domain's email which probably means it was hosted, right?. so im panicking because im not sure whether i just deleted all his emails or not because it's 1:15 am and he's asleep.
there is a rant in there somewhere but im in too much of a shock as to how much data i might have just accidentally deleted
.
.
another tl;dr: my domain registrar let me change someone else's settings..
the reason i didnt know his domain settings is that he didnt know his password.
i had bought a couple of domains and was gonna host them on netlify. while i was doing this a bright idea hit me.. "you should finally build a website for your brother for the domain he bought 7 years ago"..
this is where the fun begins.
i sent an email to my registrar to point all nameservers of all domains to my nameservers and just to try out i included my brother's domain into it (i dont own this domain it's not registered by my email), and the next day i get an email telling me they've successfully made all changes.
.
Now tomorrow is monday and i'm going to their office to tell them i found a security flaw and see how long i can stall before actually telling them what it was and how their live's could've been made hell.3 -
I have been a professional Dev for about a year for a cyber security startup. Unfortunately, startup died do to finance mismanagement. My lead Dev said that he wanted to start a co-op contract business and since we all work great together than we should stick around. So we tried to obtain contracts and it is going much slower than imagine. I am going on my second month of no work or contract work. I'm working on my own site to do some freelance work on the side for myself offering ever, marketing and ERP software services. That is the goal for side hustle. However, for the main hustle well I'm stressed now of being home and we'll meetings not turning into money. I actually want to call it quits and do my own thing and look for normal gig. It just feels rough as he has been my mentor and offered me my first software gig. I don't feel like I own anyone anything I'm regards money or time. However, I do feel bad of I take off it will hurt them from being able to handle larger contract if they do get one.
Note: I'm pulling from my savings
Thoughts??3 -
I need guidance about my current situation.
I am perfectionist believing in OOP, preventing memory leak in advance, following clean code, best practices, constantly learning about new libraries to reduce custom implementation & improve efficiency.
So even a single bad variable name can trigger my nerves.
I am currently working in a half billion $ IT service company on a maintenance project of 8 year old Android app of security domain product of 1 of the top enterprise company of the world, which sold it to the many leading companies in the world in Govt service, banking, insurance sectors.
It's code quality is such a bad that I get panic attacks & nightmares daily.
Issues are like
- No apk obfuscation, source's everything is openbook, anybody can just unzip apk & open it in Android Studio to see the source.
- logs everywhere about method name invoked,
- static IV & salt for encryption.
- thousands of line code in God classes.
- Irrelevant method names compared to it's functionality.
- Even single item having list takes 2-3 seconds to load
- Lag in navigation between different features' screens.
- For even single thing like different dimension values for different density whole 100+ lines separate layout files for 6 types of densities are written.
- No modularized packages, every class is in single package & there are around 100+ classes.
Owner of the code, my team lead, is too terrified to change even single thing as he don't have coding maturity & no understanding of memory leak, clean code, OOP, in short typical IT 'service' company mentality.
Client is ill-informed or cost-cutting centric so no code review done by them in 8 years.
Feeling much frustrated as I can see it's like a bomb is waiting to blast anytime when some blackhat cracker will take advantage of this.
Need suggestions about this to tackle the situation.10 -
!rant
I'm a computer engineering student.
I'm very much interested in Systems and networking.
That's why I was thinking of persuing cyber-security as a career option.
But I'm not quite sure if that is a good choice.
Also I don't know how to proceed in order to achieve excellence in cyber-security.
It would be a great help if you guys could help me.
Thanks :)20 -
Just as an extension of last rant to explain how much fun it is to keep up with Apple's security through obscurity bullshit.
AFAIK this full disk access (FDA) feature was touted to protect a user's data on macOS. Programs that want to access those files need to request the user's permissions to do so. Now to the fun part: Apple is not providing any API. A staff member suggested, that you should only try to access the files your app needs and if you can't as for the user's allowance. One should not use some fixed files and try to access them, because their locations might change, as well as their (UNIX file) access rights (ACL), or if they fall under FDA. Not to speak about the other security features that might hinder you accessing files (you might be sandboxed, or the files might be subject to SIP/rootless).
Honestly, you should be starting to take drugs, if you want to stay sane. I mean UNIX ACL are weird enough: e.g. you can make a directory only readable for root such that a user cannot list the files inside, but you can place files inside that the user can read (if she knows about their existence). On macOS you'll never know. You may have all the rights to access a file,.. but Apple will only give you the finger.
As they always do to us developers.2 -
This was initially a reply to a rant about politics ruining the industry. Most of it is subjective, but this is how I see the situation.
It's not gonna ruin the industry. It's gonna corrupt it completely and fatally, and it will continue developing as a toxic sticky goo of selfishness and a mandatory lack of security until it chokes itself.
Because if something can get corrupted, it will get corrupted. The only way for us as a species to make IT into a worthy industry is to screw it up countless times over the course of a hundred years until it's as stable and reliable as it can possibly be and there are as many paradigms and individually reasonable standards as there can possibly be.
Look around, see the ridiculus amount of stupid javascript frameworks, most of which is just shitcode upon vulnerabilities upon untested dependencies. Does this look to you like an uncorrupted industry?
The entire tech is rotting from the hundreds of thousands of lines of proprietary firmware and drivers through the overgrown startup scene to fucking Node.js, and how technologies created just a few decades ago are unacceptable from a security standpoint. Check your drivers and firmware if you can, I bet you can't even see the build dates of most firmware you run. You can't even know if it was built after any vulnerability regarding that specific microcontroller or whatever.
Would something like this work in chemical engineering? Hell no! This is how fucking garage meth labs work, not factories or research labs. You don't fucking sell people things without mandatory independent testing. That's how a proper industry works. Not today's IT.
Of course it's gonna go down in flames. Greed had corrupted the industry, and there's nothing to be done about it now but working as much as we can, because the faster we move the sooner we'll get stuck and the sooner we can start over on a more reasonable foundation.
Or rely on layers of abstraction and expect our code to be compilable on anything the future holds for us.2 -
At my institution there is a sys admin that belongs to an entirely different department. They have their own systems on their own network, separated from ours. I do not care, nor do I mind at all, but this is the second time I've had to put their admin in his place.
The first instance was when we had a security firm gauge our systems for vulnerabilities etc. The one that they have was fine, but required some additional configurations on their Tomcat servers. The "sys-admin" contacted I.T (my department) in order to request assistance, the net manager was the one he contacted, and he told the dude that he is not familiar with the Tomcat environment that they have, but that I, the dev manager, would possibly give him some pointers. The net manager is my friend, and he knows how much of a dickhead I am, so he was careful in what he told him. So the dude calls me:
"Hey, I need some items fixed on my Tomcat servers, they told me you have to do it"
Me: "Who? those are your servers"
Him: "The net manager said that you would do it"
Me: "I am certain he didn't tell you that bud, no one here will take care of your servers, they are yours, I am not doing any configurations on your stuff, that is your job"
Him: "Can't you just do them?"
Me: "No, bye"
The little bitch escalated it to my department director, who told him exactly the same thing, the director did ask if I would be willing to assist, I told him no since even though his configurations were minimal, I was not going to put myself in the position to which that fucker's ineptitude would cause him to point fingers at me, director backed me up and told the fucker to deal with his own shit.
This year it came to my attention that not only do they have their owns servers, but their own SSO system. This moron contacted me, tagging VPS and such in the email to tell me that I had to configure his SSO because "they told me you had to do it". The same shit happened, but this time I put him on blast during a meeting and told him that as "sys admin" for his stuff it was his responsibility to deal with the SSO that they have, and to contact the vendor to ask for the specifications. In front of EVERYONE he asked me if I could do it for him, I fucking looooooooled and told him that he just admitted to not being able to do his job (for which he is paid handsomely) in front of the entire room of VPS. One VP asked me why I was not willing to help him, and I told the VP that it would be the equivalent of me taking his vehicle for services, it is not my vehicle, thus not my responsibility. The VP agreed and told the fucker to get on with it and do what I said: contact his vendor channels to figure it out himself since it was indeed his position.
Yet again he said that he didn't know about SSO configs and that he was "told that I would do it", everyone asked who the fuck told him that and he said that the vendor, they asked again how it was and he showed the message from the vendor telling him: "Have your SSO admin perform the following <bla bla bla bla>" they asked him who was the manager for the SSO that they had. He said that it was him. Then they asked him what logic made him believe that it should be me, he stated again "they told me it was him".
I could hear everyone's brains shortcircuiting as no one could believe someone would be this fucking dense.
I don't think he will continue to have his job for much longer. I understand not knowing something, and I would have been happy to give pointers since I do administer systems of that level, but I can't with the whole made up "they said he would do it"
Bitch who said that? just say that you want me to do it because you can't, I mean, I am still not fucking doing it, but damn. Fucking morons man.5 -
@linuxxx
Can you do a security / privacy check for ProtonVPN? All I know is that it is Switzerland based and pretty much secure.9 -
The ability to find a cushy job with comfortable pay, benefits, and security. I don't want much, I just want to not have to need much ever again.
-
Any professional pentesters or someone working in cybersecurity as a profession? I need some advice. The company I intern with right now wants me to test their web applications for security (they really don't care so much about security). I just wanted to know is there a standard set of procedures or a checklist that is usually followed? I know automated testing is not all that effective against web applications but what are the steps you usually take?
As of now, I have run tests and am now performing a code review but it's in PHP and I'm not really good with it. I'd like to know what more is done as a standard please.2 -
I chose Network/Cyber Security because it was my internship experience and they were willing to pay me good money to stay on... No but seriously I am much better at understanding how complex systems work than coding them. This job, as stressful as it is, is a different kind of stressful that the deadline-fraught jobs of software developers worldwide.
And i can do it fully remote.2 -
Went into the office today to turn in my badge and gun (security badge/parking pass and yubikeys really) since I'm pretty much being given my last week before changing jobs to do brain dumps for knowledge transfer, and fuck all else.
Found a jar of moonshine in a closet when I went to take my things. IT said I could keep it. Not a bad parting gift. -
We have hand sanitizers that are usually empty and spray way too much leaving your hands drenched in liquid
Also, one side has gates which means you have to touch your security card to get in and on the other side there are the elevators so you have to touch the buttons outside and inside to get away, or do it with your elbow
Point is, could be better :p -
I used to be a big security guy, not allowing stuff like most of the social media, not bringing my phone anywhere, carrying a RPi tablet for privacy reasons. Very Stallman stuff.
Recently I noticed that I don't care so much.. I see these things as opportunities, for instance Microsoft products could be benefitial for job opportunities, I have some workout sessions on my phone.
I could restrict myself... but is it worth it just to decline some capitalist/politician's row in a dataset for analysis?
But then again I feel as a society I think we should either do this or request this data to be distributed to us as well.
Should you be playing a game of cards, when the enemy can see your hand? What do u think?4 -
!!rant life toptags bottags
My tags seem to be okay. Let's go.
I'm 14. I live in a place where nobody smart lives, and the school I go to has no coders.
Last year, all my friends moved. The only friend I had left now hates me, simply because they yelled at me everyday and I yelled at them once.
I am in the middle of my exams. I also have the flu, but thankfully it's not the e-flu, otherwise you guys should prepare for 24/7 headaches.
Due to the medications I am taking, I'm half-asleep all the time, and I probably am messing up all of my grades.
My entire extended family is in India, and I go there 2 times a year. I miss them so much right now :(.
At the same as doing exams, I am trying to keep my laptop (primary) and PC (secondary, desk) configuration and setup approximately synchronized. In order to do that, I am setting up my dotfiles repository.
Except that all my laptop config (which works) is written horribly, and I need to rewrite it all.
At the same time, I have 3 other projects going on: An OS written in D, a source-based package management system written in D, a small website (not online), and a whatever's cooking in my mind at this moment.
Right now, I'm supposed to be studying for my French exam.
Instead, I'm here, typing this out on my phone.
I have a classmate in school who can type QWERTY at 80WPM. I'm learning Dvorak (Programmer's!) and my current speed is 33WPM, after about 2 months of half-hearted practise during work time and at school.
Sometimes, I look at the world we have here, and what we're doing to it, and I wish that sometimes we could simply be content with life. Let's just live, for once.
I find ~60 random songs in one go, simply by finding a song I know on YouTube and going to the 'Mix - <song>' playlist. I download them all (youtube-dl), and I listen to them. Sometimes, I find this little part in a song (Mackelmore & Ryan Lewis - Can't Hold Us beginning instrumentals, or Safe and Sound chorus instrumentals) that make me feel so happy I feel like all's good in the world. Then the song moves on and with it, my happiness.
I look at Wayland, and X, and I think - Why can't we have one way of doing things - a fixed interface to express anything, so that one common API exists for everything of that type? And I realise it's because they feel that they're missing something from the others. Perhaps it's a bug nobody's solved or functionality that's missing, and they think that they can do better than that. And I think - Well, that's stupid. Submit a fucking bug report or pull request instead of reinventing the wheel. And then I realise that all the programming I've ever done in my life IS simply reinventing the wheel. And some might say, "Well, that guy designed it with spokes and wood. I designed it with rubber and steel," but that doesn't work, because no matter what how you make it, it's just a wheel. They both do the same thing. Both have advantages and disadvantages, because nothing's perfect. We're not perfect because we all have agendas and wants and likes and dislikes and hates and disgusts and all kinds of other crap, and our DNA's not perfect because it manages to corrupt copy operations (which is basically why we die of old age, I think).
And now I've lost my train of thought and this is too large to scroll over so I'm just going to move on to the next topic. At this point (.), I have 1633 letters left.
I hate the fact that the world's become so used to QWERTY because of stuff that happened 100 years ago that Dvorak is enough of a security to stop most people from being able to physically use my laptop.
I don't understand why huge companies like Google want to know about me. What would you do with this information? Know how to take over my stuff when the corporation-opocalypse comes around? Why can't they leave me alone? Why do I have to flash a ROM onto my phone so that Google cannot track me? What do you want, Google?
I don't give a shit any more, so there's my megarant.
Before anybody else (aside from myself) tells me that this is too big, all these topics are related simply because my train of thought went this way. There's a connection between each of these things, but I just don't know what it is.
Goodnight, world. 666 is the number of characters I have left. So is 42, for that matter (thanks, Douglas Adams!). Goodbye.rant life story current project ugh megarant why are you doing this to me life schrodinger's tags 🐈 life3 -
So much talk about wannacry and security, but everyone will forget in a few weeks and go back to using old unpatched OS with vulnerabilities.. Why don't people understand that security is a necessity, not a luxury!6
-
Is there a way to sign code for free (or atleast not need to pay over £200 for it)? Im a student and cant really afford much but I have been working on a website and made an electron build for it, however downloading the installer prompts the user to discard it in chrome, then running the installer prompts the user to select do not run in the windows security thingy as its from another computer.
What would be the best way around this if I cant get a certificate for it?2 -
When I say I'm in "DevOps" what I really mean is that I'm a full-stack engineer, DBA, system administrator, security engineer, auditor, cloud custodian, cost optimization expert, and everything else that doesn't get its own dedicated staff member here. Pretty much the catch all between developers and customer.
-
I’d been working event based and freelance jobs in the security and entertainment fields for years, with odd stints as a bartender sprinkled in. My pay was mostly decent, but I had no job security, and I was more on the road than at home. A few years before this job search experience I had already realised I can’t continue on this path for ever, especially if I ever want a serious relationship (e.g. 16 weeks straight touring Europe with on avg. 16h work days pretty much every day isn’t ideal in that regard, and also really though on both body and mind). So I decided to study. As I applied in autumn, not every line of study accepted students. The closest to my interest I found was BBA in Business IT.
Fast forward 1,5 years. After moving away from my previous base due to then-gfs studies, I had also been able to accept less work. Well, there were really two reasons: I didn’t want to go on weeks long big tours anymore, and I’d had to price up on my freelance job due to reasons. I still managed to keep our household going, but not knowing when the next paycheck would be available was becoming a little too stressful. I wanted job security. So a few weeks after my wedding I scoured the internetz for positions I could apply to, and applied to a dozen or so places. They were a variety of positions I had a vague understanding of from what I’d learned at UAS: from sales to data analytics to dev… I was aware pretty much all of the applications were a long shot by best, so I expected to be ghosted…
Two of the organizations I applied to wanted to go forward with me. Both dev jobs. I can’t even remember the specifics of the other one anymore, but I do remember the interview: I got in to their office (which was ridiculously open), and got marched into a tiny conference room. The interviewer was passive-aggressive and really bombarded me with questions, not really leaving a socially awkward introvert with any time to answer. I started to get really anxious and twitchy, sweating like a pig. Just wanted out. But nooo, they wanted me to do a coding test live. So they sat me on a computer with Eclipse open, gave me an assignment and told me not to use the internet. What’s even worse is that I could literally feel the interviewer breathing down my neck when I tried to do the test. Well, didn’t happen cause I was under so much pressure that I couldn’t think at all… yeah, that was horrible.
Anyhow, the other position I really applied to because it was in my hometown and I recognised the company name from legendary commercials from the 90s - everyone in this country who watched TV in mid-to-late 90s remembers those. Anyway, to my surprise, my present day manager contacted me and wanted me to do a coding test. At the time he asked I was having a bout of fevers after fevers, not really able to get healthy. I told him that I’d do it as soon as I’m healthy. A month went by, maybe more. He asked again. Again I replied that as soon as I get healthy, but promised to do it next week the latest. I didn’t deliver on that, but the next week after that, even if I was the most feverish I had been, I did the tests. I could only finish half of them, cause I couldn’t look at a screen for long at a time and had to visit the loo every 10min or so, but apparently that was enough. Next week I was already going to the interview… oh I also googled what is PHP on the way there, since it was mentioned as a requirement and I had no idea what it was. Imagine that…
The interview itself couldn’t have been more different from the other one. We were sitting in a nice conference room with my manager and the product’s lead dev, drinking coffee, our feet on the table and talking smack. Oh, and we did play a game of NHL<insertNumber> on PS4 during the interview… it was relaxed. Of course the more serious chat was there, too, but I can only really remember how relaxed it was. When I left the interview, I had been promised the position and that I would be sent the contract to be signed as soon as the CEO had reviewed and approved it. Next day, I had signed it and some time later I started at my current job (I gave a date when I was available to start, since there was a tour still agreed upon between the interview and the start).
Oh, and the job’s pretty much like the interview. Relaxed. It’s a good place to be in, even though the pay could be better (I regularly get offers for junior positions with more pay, and mid level positions with double the pay). I do value a pleasant working environment and the absence of stress more than big munny, what can I say?1 -
Much like traditional engineering I can see software engineering suddenly becoming very very regulated around the world. Different systems safety bodies will open up for things like embedded systems development where their is a risk of harm, mandatory security standards will be put in place etc.
Enjoy the cowboy days ladies/gents/others regulatory bodies are on their way!4 -
I recently went to an office to open up a demat account
Manager: so your login and password will be sent to you and then once you login you'll be prompted to change the password
Me: *that's a good idea except that you're sending me the password which could be intercepted* ok
Manager: you'll also be asked to set a security question...
Me: *good step*
Manager: ...which you'll need to answer every time you want to login
Me: *lol what? Maybe that's good but kinda seems unnecessary. Instead you guys could have added two factor authentication* cool
Manager: after every month you'll have to change your password
Me : *nice* that's good
Manager: so what you can do change the password to something and then change it back to what it was. Also to remember it keep it something on your number or some date
Me: what? But why? If you suggest users to change it back to what it was then what is the point of making them change the password in the first place?
Manager: it's so that you don't have to remember so many different passwords
Me: but you don't even need to remember passwords, you can just use softwares like Kaspersky key manager where you can generate a password and use it. Also it's a bad practice if you suggest people who come here to open an account with such methods.
Manager: nothing happens, I'm myself doing that since past several years.
Me: *what a fucking buffoon* no, sir. Trust me that way it gets much easier to get access to your system/account. Also you shouldn't keep your passwords written down like that (there were some password written down on their whiteboard)
Manager: ....ok...so yeah you need sign on these papers and you'll be done
Me:(looking at his face...) Umm..ok4 -
TLDR; WINE+me=system binaries gone. (HOWTHEFUCKDIDIDOTHAT) Kernel panic. Core program files gone. I'll never have it fixed right. Will backup, then install fedora tomorrow.
I really like games and I'm sure there are many of you who can relate. Imagine my perpetual pain, being on the job hunt, no money, and only my Linux laptop for games. (It's only Linux because of a stupid accident and a missing windows installation disk, partly explained in a previous rant). My stack of games my dad and I have played over the years, going back to populous and before, looked light enough for my laptop to run them smoothly. I wanted to see if I could get one to work. My eyes settled on simcity 4 and Sid Meier's railroad tycoon, 13 and 10 years old, respectively. Simcity didn't work as many times as I tried following online instructions. Disk 1 went fine. Disk 2 showed up as Disk 1. Didn't think much of it, so long as the computer could read the contents. I downloaded playonlinux as that could apparently do the complex stuff for me. Didn't work. I gave up with it after an hour and a half.
Next was railroads. Put the disk in aaaand it says SimCity disk 1 is in the tray. Fuck right off, thank you very much. Eject, put back, reject, eject, fiddle in wineconfig, eject, more of this, and voilà it read as railroads :) Ran autoplay.exe with wine, followed instructions, installed it, and it worked! Chose single player, then the map and setting, pressed play, and all the models of the buildings and track were floating in the air over a green plane, the UI is weird and the map doesn't represent anything but trains. All the fkin land is gone, laying track is gonna be a ballache.
I quit it and decided bedtime.
Ctrl+alt+t
sudo shutdown -h now
shutdown not found.
sudo reboot
reboot not found
Que?
Nope, I don't like this.
Force choked my laptop by the power button. Turned it on again.
Lines of text appear.
Saw a phrase I've only ever seen on Mr Robot.
Kernel panic.
Nooooo thanks, not today, this is fiction.
I turned it off and on. Same thing. I read the logs and some init files couldn't be found. I got the memory stick I used to install mint in the first place and booted from that. I checked the difference between my stick's bin and sbin and the laptop's, and it was indeed missing binaries. Fuck knows what else has happened, I only wanted to play games but now I don't know what is or isn't in my computer. How can I trust what's on it now?
I go downstairs and tell my dad. He says something about rpm, but this is Linux so it won't work. I learn that binaries can be copied over, so maybe I can fix it.
Go upstairs again, decide not to fix it. Fedora is light, has a good rep for security, and is even more difficult to get games on, which is my vice. There are more reasons, but the overriding one is that I'm spooked by the fact that something I did went into and removed system binaries, maybe even altered others, so I want something I'm less likely to do that with. Also my fellow cs students used to hate on it but my dad uses and recommended it so I want to try it.
Also, seriously, fuck wine/PlayOnLinux/my inability to follow instructions(?)/whatever demons haunt me. Take your pick, at least one if not more is to blame and I can't tell which, but it's prooooobably the third one.
It's going to be 16 hours before I touch my laptop again, comments before I backup then install fedora are welcome, especially if they persuade me to do differently.
P.S thanks for reading this mind dump of a post, I'm writing while it's fresh but I'm tired AF.6 -
I came across this blog (I guess) that's mostly critique about the security of major open source projects. The author claims to be a security researcher.
At least some of the claims seem to have merit, but how much? Opinions?
https://madaidans-insecurities.github.io/...3 -
This kind of BS makes me mad
" - The password must have 6 digits
- It must have at most 2 repeated digits and 3 sequentials"
RIGHT, because 293417 is SO much safer than 999123
Btw, this is a phone company, so with this password you could probably have access to someone's phone number, phone records, address, and much more. WTF1 -
So a while back I had found a hole in a website's security, one that I has used pretty frequently. I was able to change my cookies and become any user I wanted. The only caveat was that I had to log in as a user in order to get things started. But once I was in I could basically be anyone I wanted to be just by changing a few numbers in the user ID of the cookie. They also did all of their user processing on the client side. Even password checks.
A couple weeks back I decided to go back in to see if anything had changed since then. It did! But not in the way I had thought.
So these guys decided that instead of fixing their security hole, they would have users just contact their people directly in order to get a new account.
Wow that's so much fucking overhead for basically being a lazy shit and not fixing the security holes. I mean how bad is your architecture if you can't go in and fix this?
Not only that I found that they actually stripped all of the users of their original subscriptions. So now if you want to get back on your subscription you'll have to fork over another $399. So that means going to their shitty form filling out your name, your number, email, and just hope that someone contacts you via phone call.
I'm glad I dropped this service. They clearly can't get their shit together.rant hackerman what the fuck are you doing bold and brash it's all shit more like belongs in the trash front end is shit back end is shit -
Anyone have much success with Kali/WiFi penetration testing?
I've been tasked with trying to break WPA security within a couple of hours without a dictionary attack - is that even possible?
I have an Alfa AWUS036NHA capable of monitoring mode if that makes any difference. It's my first time trying anything like this.10 -
So, there was this time I was a security intern for google, It was my first day as an intern tho :p and I got a little excited about exploring stuff and all at the workplace. Me having a large appetite was mesmerized by the food supplied over there.
I might have sat approximately 2 hours over there fantasizing about how much could I save over food by eating a lot over here and taking some to home.
Then came the SE/SDE guys over my place and we started discussing how there was a loophole here and how one could exploit it. All were heads over heels how was I making calculations for "my" property. All seemed to be pretty interested except for one guy. This guy was over excited how I was managing this and slacking off over the first day. He happened to be a senior lead architect, turns out he shows too much interest in anything he finds suspicious. This wasn't supposed to be rant, but yeah. My story. -
Fuck I feel fucked up just for completing user account management, authentication, email verification, password reset. Securing all of this with ssl and checking for any security loopholes.
I can't believe this took me more than a couple months.
Well I was lazy and unmotivated.
I fucking hate crafting stupid ass routes in nginx.
I fucking hate making a nice responsive gui.
I have to design even the stupid html for the emails. Fuuuuck.
So much boilerplate on top of that with username and email validation.
I learnt regex 5 times over the past couple months, still not enough.
And now I actually have to build the functional part.
On the plus side I can reuse this stupid boilerplate if I can make it more modular and readable.
There's shit ton of comments to the point where I feel like an idiot for including so much info. It's like I've written it for a toddler to take over.
Gawd. Anyways it's over now. 50% I guess.
I can finish the rest of the server more quickly and then spend another year designing the Android application.
I'm really lazy in places where I have to design UI/UX. Although at this point it's kinda what could put my application at the top. (I'm lazy, I ain't bad.. I just hate implementing my ideas I wish I could just visualize and have it appear on my screen)
I do like parts of gui that involve little math problems that would make motion smooth and efficient. -
So... being backend and DevOps was not enough. I am supposed alone to walk through PCI DSS compliance now.
https://pcisecuritystandards.org/do...
Undoubtedly fun, but a bit too much for one dev to do everything. But, no choice is left, so let's have the new hat of security on!6 -
Jesus christ I need my VP and CIO to get their hands out of Azure and GCP and just let me work.
Yes, governance and security and IAM are big deals. That's why you have infraops people like me to deal with that.
I'm literally working with one hand tied behind my back because just about every button press or CLI command I need to do my damn job as a professional cloud fluffer requires me to go bother an executive and ask permission to pretty please can I deploy a new container, can you go press the shiny button? No not that one, move your mouse up...up..now UP..ok over lef-no..can I have mouse control? Sigh fine, do you see where it says "Approvers", no that says "Release Pipeline"
Look I actually kinda like this job, I do, in as much as when I have something to do I get left the fuck alone to do it. Meetings are minimal, aside from the odd days when one of our app services decides to yeet itself into the river Styx, there's little distractions.
Yeah, developers do dumb shit but that's probably best left to the notion of job security and never talked about again less they go to HR and complain that the ops guy was very stern and direct and made the developer take some accountability for their work product.
AND YET
It's so intergalactically stupid that I have to go ask permission just to do ops tasks by the same people barging down my goddamn door asking why the ops task isn't done yet.
"Because you won't give me permissions in GCP to actually DO anything".
Okay. Rant over. Time for lunch. Good meeting, see you all at the holiday party.2 -
Given how much talk there's around security, I think it'd be grand idea to dedicate a weekly rant to cybersecurity. Could spark an interesting discussion, especially in today's heated climate. Thoughts?
E.g. Best way to increase security/privacy?9 -
So I decided to install a third OS on my laptop and oh boy, I never thought I'd have to deal with so many issues!
First, I had to make space for the new OS, so I did the only feasible thing - Shrunk a windows partition (Used for gaming only), then installed the third OS into it. (For clarification, one OS was Windows, the second Debian for work and the new one was Kali for a course at school about security and ethical hacking)
Well... After I installed and tried out that the Kali worked... My Debian began to make problems. It would hang for almost a minute during start as it tried to mount a (for some reason) no longer existing Swap partition.
After it gave up and I found out... I, fortunately, fixed it after just a bit of googling. At least I learned to repack the ramfs.
It worked all fine and dandy... Only... My Debian now shared the swap with Kali.
Few weeks forward, last friday, I tried to boot up Kali at class... Only for it to... Stop at a black screen, weird.
Some minor detective work later, I found out nothing was... Wrong really.
But... For some mysterious reason, my complete GDM just.... No longer worked.
One LightDM and XFCE instal later (Thanks god that at least TTY still worked fine), it finally worked again, and this time, I booted back into Debian, shrunk the Kali partition a little more and dedicated it's own swap there. Setting and resetting everything, and finally had a working triple-boot laptop...
My only question is... Why?
Does sharing Swap really affect the system so much, besides hibernation ofc.3 -
Client be like:
Pls, could you give the new Postgres user the same perms as this one other user?
Me:
Uh... Sure.
Then I find out that, for whatever reason, all of their user accounts have disabled inheritance... So, wtf.
Postgres doesn't really allow you to *copy* perms of a role A to role B. You can only grant role A to role B, but for the perms of A to carry over, B has to have inheritance allowed... Which... It doesn't.
So... After a bit of manual GRANT bla ON DATABASE foo TO user, I ping back that it is done and breath a sigh of relief.
Oooooonly... They ping back like -- Could you also copy the perms of A on all the existing objects in the schema to B???
Ugh. More work. Lets see... List all permissions in a schema and... Holy shit! That's thousands of tables and sequences, how tf am I ever gonna copy over all that???
Maybe I could... Disable the pager of psql, and pipe the list into a file, parse it by the magic of regex... And somehow generate a fuckload of GRANT statements? Uuuugh, but that'd kill so much time. Not to mention I'd need to find out what the individual permission letters in the output mean... And... Ugh, ye, no, too much work. Lets see if SO knows a solution!
And, surprise surprise, it did! The easiest, simplest to understand way, was to make a schema-only dump of the database, grep it for user A, substitute their name with B, and then input it back.
What I didn't expect is for the resulting filtered and altered grant list to be over 6800 LINES LONG. WHAT THE FUCK.
...And, shortly after I apply the insane number of grants... I get another ping. Turns out the customer's already figured out a way to grant all the necessary perms themselves, and I... No longer have to do anything :|
Joy. Utter, indescribable joy.
Is there any actual security reason for disabling inheritance in Postgres? (14.x) I'd think that if an account got compromised, it doesn't matter if it has the perms inherited or not, cuz you can just SET ROLE yourself to the granted role with the actual perms and go ham...3 -
Disclaimer: This is all theoretical. Neither me nor my friend (with whom I discussed this) are stupid enough to even try to pursue this, but as an idea, i believe it might generate cool/new ideas/ways for handling secure communications across social groups.
Let's do some role play. Let's design a delivery app for drug dealers, think Seamless or Uber Eats, but for drugs. Not for big deliveries, like kilograms of coke, but smaller stuff. Maybe a few grams of it or something. The clients could rate dealers, and vide-versa. This would build a level of trust within the system. There would be no names, just anonymous reviews, ratings, and prices. Only the info you'd need to know.
The biggest (only?) problem we found (besides legality) was that, how would you prove that you're a client and not a snitch (or cop). This would have to somehow be handled both on signup, as well as when ordering (let's imagine that all who are clients are pure and won't ever snitch).
One of the ways we found to combat this was to have the app invite-only. This would, in theory, do away with the problem of having snitches signing up. However, what if the phone got stolen/breached by a snitch, and they also got full access to the account. One way we thought we could combat this would be with a "dispose number" or something similar. Basically, you call a number, or send a text, or message a Signal bot etc, which would lead to the account's instant termination, no traces of that user left. Hence, a dispose number.
The flow of the app would be as follows:
A client wants some amount of heroin. He opens the app, searches for a dealer, sends the him the desired amount, and in return gets back a price from the dealer. If both parties agree on the amount and price, the deal would start.
The app would then select a random time (taken from the client's selected timeframe and the dealer's "open" time) and a location (within a certain radius of both them, somewhere in between them both for convenience). If both of them accept the time and place, they'll have to meet up at said time and place.
The actual delivery could also be done using two dead drops - the client drops the money at one of them, the dealer drops the goods at the other one. Yes, this might be subject to abuse, but it wouldn't be that bad. I doubt that clients would make huge orders to unknown/badly rated dealers, as well as dealers accepting offers from badly rated clients. My idea is that they would start small, just so if they do lose their money/goods, the actual loss wouldn't be as big for them, but for the other party, having bad ratings would mean less clients willing to buy or dealers willing to sell.
A third way would be to use crypto, but the reason I left this as the last one is because it's not that wide-spread yet, at least not in local drug dealing. With this method, the client would initiate the order, the crypto would be sent to either the dealer or an escrow account, the dealer would then drop the goods at a random place and let the client know where to go to get them. After the client has gotten the goods, they could both review/rate the quality as well as the overall experience with that dealer, which would either make or break the dealer's upcoming deals. This would be pretty much like other DNM's, but on a local scale, making deliveries faster.
So far, this would seem like something that would work. Are there any ideas that might improve this? Anything that might make things more secure/anonymous?
My reason for this post is to spark a conversation about security and anonymity, not to endorse drugs or other illegal stuff.
Cheers!
PS. Really loving the new PC design of devRant14 -
!rant
Many out there say you should use 2 factor authentication with everything, but personally i feel lile that would just turn your phone into a sigle point of failure.
Phisical security is my primary worry, because loosing your phone or having it stolen yould pretty much lock you out of all your accounts.
Another thing is i don't know as much about android security, and i wouldn't be confortable managing it.
I have 2FA active for some key services, but imho a strong password is usually enough. I think its far more more importat for your overall security to avoid passwords re-use.
What do you think? Do you have 2FA on all the time?9 -
Question - my field is information security (or cyber security if you want to think of me as a time lord), but I wanted to know;
Front end and back Devs, how much time do you spend on security issues and/or implementing security measures?10 -
Boss just repositioned the security camera we use to watch the front door right behind me, with perfect view of me and my monitor.....micro manage much....1
-
"I think the OpenBSD crowd is a bunch of masturbating monkeys, in that they make such a big deal about concentrating on security to the point where they pretty much admit that nothing else matters to them." - Linus Torvalds
-
Magento Debugging Horror!
Changing lots of things in magento with no problem. Continuing development for quite sometime. Suddenly decide to clear cache to see affect of a change on a template in frontent. Suddenly magento crashes! There's no error message. No exception log. No log in any file anywhere on the disk. All that happens is that magento suddenly returns you to the home page!
Reverting all the changes to the template. Clear the cache. Nope! Still the same! Why? Because the problem has happened somewhere in your code. Magento just didn't face it, because it was using an older version of your code. How? Because magento 2 even caches code! Not the php opcache. Don't get me wrong. It has it's own cache for code, in a folder called generated. Now that you cleared all the caches including this folder, you just realized that, somewhere something is wrong. But there is no way for you to know where as there is absolutely no exception logged anywhere!
So you debug the code, from index.php, down to the deepest levels of hell. In a normal php code, once the exception happens, you should see the control jumps to an exception handler, there, you can see the exception object and its call stack in your debugger. But that's not the case with magento.
Your debugger suddenly jumps to a function named:
write_close();
That's all. No exception object. No call stack. No way to figure out why it failed. So you decide to debug into each and every step to figure out where it crashes. The way magento renders response to each request is that, it calls a plugin, which calls a plugin loop, which calls another plugin, which calls a list of plugins, which calls a plugin loop, which calls another plugin.....
And if in each step, just by accident, instead of step through, you use the step over command of your debugger, the crash happens suddenly and you end up with the same freaking write_close() function with no idea what went wrong and where the error happened! You spend a whole day, to figure out, that this is actually a bug in core of magento, they simply introduced after your recent update of magento core to the latest STABLE version!!! It was not your mistake. They ruined their own code for the thousandth of time. You just didn't notice it, because as I said, you didn't clear the `generated` folder, therefore using an older version of everything!
Now that after spending 7 hours figuring out what has failed with absolutely no standard way of debugging and within a spaghetti of GOTO commands (Magento calls them plugin), why not report it to github? So you report it with a pull request. This also takes 1 hour of your time. Just to next day get informed that your pull request is rejected because another person already fixed the bug and made the same pull request. It was just not on the latest stable version yet!
So you decide to avoid updating magento as much as possible. Because you know that the next Stable version will make your life and career unstable. But then the customer complains that the Admin Panel is warning him of using old Magento version which might pose SECURITY THREATS! -
If only NPM' security team (so pretty much NSP's) would inform the package owners as soon as they discover vulnerabilities and give them the standard 30-90 days to fix them and release a new version before going public, instead of straight out publishing the security audits which generates noise on the terminal (obviously when using npm) and on Github
-
Been thinking about taking up server-side programming (I'm mobile).
Any tips?
Should I go with something like node.js, which I'm a bit familiar with and is quite popular or should I try another language/platform? Maybe Rust (given it's similar to Swift) or even Swift itself.
Any good resources (tutorials, guides, etc.) would be much appreciated, especially if they focus on security.
Cheers!17 -
My work product: Or why I learned to get twitchy around Java...
I maintain a Java based test system, that tests a raster image processor. The client is a Java swing project that contains CORBA bindings to the internal API of the raster image processor. It also has custom written UI elements and duplicated functionality that became available in later versions of Java, but because some of the third party tools we use don't work with later versions of Java for some reason, it's not possible to upgrade Java to gain things as simple as recursive directory deletion, yes the version of Java we have to use does not support something as simple as that and custom code had to be written to support it.
Because of the requirement to build the API bindings along with the client the whole application must be built with the raster image processor build chain, which is a heavily customised jam build system. So an ant task calls out to execute a jam task and jam does about 90% of the heavy lifting.
In addition to the Java code there's code for interpreting PostScript files, as these can be used to alter the behaviour of the raster image processor during testing.
As if that weren't enough, there's a beanshell interface to allow users to script the test system, but none of the users know Java well enough to feel confident writing interpreted Java scripts (and that's too close to JavaScript for my comfort). I once tried swapping this out for the Rhino JavaScript interpreter and got all the verbal support in the world but no developer time to design an API that'd work for all the departments.
The server isn't much better though. It's a tomcat based application that was written by someone who had never built a tomcat application before, or any web application for that matter and uses raw SQL strings instead of an orm, it doesn't use MVC in any way, and insane amount of functionality is dumped into the jsp files.
It too interacts with a raster image processor to create difference masks of the output, running PostScript as needed. It spawns off multiple threads and can spend days processing hundreds of gigabytes of image output (depending on the size of the tests).
We're stuck on Tomcat seven because we can't upgrade beyond Java 6, which brings a whole manner of security issues, but that eager little Java updated will break the tool chain if it gets its way.
Between these two components we have the Java RMI server (sometimes) working to help generate image data on the client side before all images are pulled across a UNC network path onto the server that processes test jobs (in PDF format), by reading into the xref table of said PDF, finding the embedded image data (for our server consumed test files are just flate encoded TIFF files wrapped around just enough PDF to make them valid) and uses a tool to create a difference mask of two images.
This tool is very error prone, it can't difference images of different sizes, colour spaces, orientations or pixel depths, but it's the best we have.
The tool is installed in both the client and server if the client can generate images it'll query from the server which ones it needs to and if it can't the server will use the tool itself.
Our shells have custom profiles for linking to a whole manner of third party tools and libraries, including a link to visual studio 2005 (more indirectly related build dependencies), the whole profile has to ensure that absolutely no operating system pollution gets into the shell, most of our apps are installed in our home directories and we have to ensure our paths are correct for every single application we add.
And... Fucking and!
Most of the tools are stored as source bundles in a version control system... Not got or mercurial, not perforce or svn, not even CVS... They use a custom built version control system that is built on top of RCS, it keeps a central database of locked files (using soft and hard locks along with write protecting the files in the file system) to ensure users can't get merge conflicts by preventing other users from writing to the files at all.
Branching is heavy weight and can take the best part of a day to create a new branch and populate the history.
Gathering the tools alone to build the Dev environment to build my project takes the best part of a week.
What should be a joy come hardware refresh year becomes a curse ("Well fuck, now I loose a week spending it setting up the Dev environment on ANOTHER machine").
Needless to say, I enjoy NOT working with Java. A lot of this isn't Javas fault, but there's a lot of things that Java (specifically the Java 6 version we're stuck on) does not make easy.
This is why I prefer to build my web apps in python or node, hell, I'd even take Lua... Just... Compiling web pages into executable Java classes, why? I mean I understand the implementation of how this happens, but why did my predecessor have to choose this? Why?2 -
I am a web-dev wannabe marketing person. I was locked up in mental ward twice because I often get paranoid way too much about security issues that might never happened to me. Last time I even refused to use hexcode because I believed that my computer is being used for someone's crypto mining. I am still scared of node.js,CDN and googlefont or TIFF, pdf files, and many other things that I don't understand perfectly.
It's always breathtaking, cliffhanging, and thrilling session when I'm working on something with my computer. My heartbeat gets faster, my palms gets sweaty when I start to type <script>. It's like when you watch horror movie, or wearing seatbelt on roller coaster before the session begins. You are frightened but excited at the same time. 🤤7 -
Just dropping some current experience here.
Content security policies are big mess in both chrome and firefox.
Chrome has some 4 years old "bug" where you can't add hash of JS file to 'style-src' policy to permit inline-styles THAT would be set by this script (jQuery actually).
Firefox is beautifully unhelpful, it just pops of error "blocked ..something..", not even saying what it was.
EDIT:
And I am missing a pair of some steel balls to ask about this on SO because there is this much of very similar questions, nonetheless -if I did read them right- every one of them is talking about enabling style attribute, and that's something different.
EDIT2: Chrome currently generates 138 errors "jquery-3.4.0.min.js:2 Refused to apply inline style..." , this ain't hitting production.10 -
Maslow's Hierarchy breaks down five human needs. You need to meet the lower numbers in order to feel fulfilled in higher levels (i.e. You likely don't feel like you belong to a community when you're struggling to find food & water.) :
1. Physiological (Foods, Water, Clothes, Sleep)
2. Safety & Security
3. Love & Belonging
4. Esteem
5. Self Actualization
The company I'm at is struggling financially so nobody received raises. There were no promotions to celebrate this year. There was diminishing pride in working here. Multiple re-organizations shatter my view that I belong to a team. Multiple rounds of layoffs shattered my feeling of job security. Multiple meetings start with my co-workers buying time to brush their teeth, scarfing down what food they can eat quickly, brewing another cup of coffee.
I firmly believe it's a manager's job to watch out for the culture and build up their employees through this process, but the managers are watching out for their own backs, and probably struggling with the same things we are as individual contributors.
Hey corporate management, while you were off at your executive off-site, your employees are failing to meet some basic needs. You wonder why we bitch about 4-day work weeks and needing less meetings. You think we're entitled when we ask for food and snacks delivered to our door.
We're not entitled. We're broken.
We're not lazy. We're burnt out.
You say we get unlimited time off, but you frequently comment about how much time we're taking off in public forums.
You say you pay us competitively, but that was last year, and shit costs 60% more now.
You say we're responsible for the success of the company, but you're responsible for the morale of the company.1 -
I have last few months left out of graduation and i don't know what should i learn. There's so much things (web dev , ai/ml, blockchain, android , cloud, ,hybrid apps, gaming, ar/vr, data analysis, security,etc) and as a cs student, i feel i should be knowing them all.
In last 6 years ,
Techs that i liked or got success in :
java, Android,python, data analysis, hybrid apps(flutter)
Techs that i didn't liked or failed in : ai/ml, cloud computing , webdev(css/js) ,hybrid apps(react/angular/ionic/...)
Techs that i didn't tried : security, cryptography, blockchain, open cv , ar/vr, gaming
I am not bound by my likeness or success.
My failures was mainly because i didn't liked those techs and continued further in them. And my success comprises of just launching a few apps, passing in some certification or grabbing an internship opp because of those skills.
But if you think a particular skill is necessary to have as a cs professional then let me know. I just want to earn a lot of money and get out of this mess asap1 -
So I get to work on building a client at work for industrial automation. I am building a mini hmi to show customers how our server works. The code uses opcua. The reason I am making a client is because all the opcua hmis on the market are really expensive. There is nothing less than $600. There are hmis for free out there, but none of them say they support opcua. opcua has become a major protocol in the industrial automation industry.
It took me about 2 days to gin together a client that is pretty much abstracted and will be easy to maintain. A lot of that was just learning the opcua library client code.
Now I want to create servers and clients geared toward home automation for fun and profit. I want to take sensor data from arduinos using a simple serial protocol like modbus or other protocols that are supported. Then have an opcua server that collects this data. Then finally have an opcua hmi that I develop talk to these servers. The security model is much better and would be compatible with other vendors clients/servers. I already have a game engine I want to use for the hmi portion. It has tons of widgets for displaying data, graphs, lists, text, etc. It does both 2d and 3d.
This sounds like a project that could really fun, meshes with my work learning, and provides value to people that want to automate their lives.
The other side effect is that the next time I go looking for a simple and cheap hmi that supports opcua, there will be one. -
On the topic of having to make decisions as a dev that shouldn’t be made (solely, at least) by devs…
There’s a lot to like in my current work environment: I enjoy being around my colleagues, I get to do a variety of tasks, and many of them interesting to me and/or great learning opportunities, the pay doesn’t suck and so on… there’s also not much pressure put on the dev team from other parts of the organisation. The flipside of the coin is that nobody who should express some kind of vision as to how we should develop the product further does so.
Me and my fellow devs in the team are so frustrated about it. It feels like we’re just floating around, doing absolutely nothing meaningful. It’s as if the business people just don’t care. And we are the ones ending up deciding what features to develop and what the specs are for those etc. and I really don’t think we should be the ones doing that.
One would think that’s a great opportunity to work on refactoring, infrastructure, security and process improvements and so on - but somehow we get bothered just enough by mundane issues we can’t get to work on those effectively. Also, many of the things we’d want to do would need sign-off from the management, but they are not responsive really. Just not there. Except for our TM, but they don’t have the power neccessary… at least they are trying tho… -
Was working on a high priority security feature. We had an unreasonable timeline to get all of the work done. If we didn’t get the changes onto production before our deadline we faced the possibility of our entire suit being taken offline. Other parts of the company had already been shut down until the remediations could be made -so we knew the company execs weren’t bluffing.
I was the sole developer on the project. I designed it, implemented it, and organized the efforts to get it through the rest of the dev cycle. After about 3 month of work it was all up and bug free (after a few bugs had been found and squashed). I was exhausted, and ended up taking about a week and a half off to recharge.
The project consisted of restructuring our customized frontend control binding (asp.net -custom content controls), integrations with several services to replace portions of our data consumption and storage logic, and an enormous lift and shift that touched over 6k files.
When you touch this much code in such a short period of time it’s difficult to code review, to not introduce bugs, and _to not stop thinking about what potential problems your changes may be causing in the background_.3 -
My college senior project has become a monster. I look at it and all the work put into between my friend and I and all I can think of is
"This shits fucked I'm glad it's not for sale"
Seriously it works for the most part, but we're up to ~2500 lines of code and about as many headaches and it's still missing so much functionality and has so many security flaws. It's a great proof of concept, but good lord I couldn't imagine building it into a feasible application. It'd take months of work full time!6 -
I recently joined DevRants, and with me joining any new site or media where you can share I am usually the guy who is shy and likes to sit back and watch/read. However I wanted to post a question as I am trying to get a job within the Cyber Security field. I have a computer science degree and honestly I feel like I can't even code at a level I should be able to. I am also currently working/studying for my CompTIA Security+. It has been going good but, I always second guess myself and doubt my abilities. I guess this a a slight rant and question so far.
My question is how can I better improve both my skills (coding, linux, and security) and also my mental. I would say its imposter syndrome but I don't have a job so I don't think it would be fair to say it is. I just want to break into the job field and show people that if given the help and resources I can excel at the task given. I do learn fast and pick things up pretty good. Any help/recommendations is much appreciated, and I look forward to more talks.3 -
finally found what was messing up with virtualbox. the problem? bank security module. also my computer is much faster now 😑
-
I'm on vacation.
A friend asked me if I could work on a freelance web project. I was getting bored of summer vacations so I said yes.
It was a website for online lottery and it was already developed by some freelancers.
Owner wanted more freelancers to revamp design and administration panel.
I looked at the site and knew that I had seen the worst design and code of my life.
Frontend was made of two colors only, black and yellow. Out of both, black was more prominent. Moreover it had nothing related to Js as if it was developed as a challenge to be accomplished without java script.
Admin panel and backend was much worse than that. No security practices and deprecated essential libraries.
The nightmare is about to end as I have inducted a much better design from themeforest for frontend.
Backend is in my homebrew php framework.
(Good luck future freelancers 😆)
I'm positive that next edits will be features additions only and no one will blame my code.6 -
I have a small NUC-like machine in my home with an old external hdd connected to it. I use it to run my local gitlab, nextcloud and to test a few websites I build for the lolz.
If you too have a homelab, whether it's a single raspberry or an entire room full or racks, you know damn well that everything you have running locally as a web service keeps going until it doesn't, for whatever fucking reason. This time, it was the turn of my nextcloud.
The machine has arch linux running, I chose it since I already use it on my coding laptop and being a rolling release means I don't have to manually upgrade to a newer version, risking various fuck-ups and consequent screaming of profanity.
The downside is that arch is a bleeding-edge distro, so, despite being pretty good for what concerns security, as updates are pushed out some packages may still require legacy software to work as intended, since obviously not all developers for all packages can release simultaneously.
The problem was that php reached 8.2.x but nextcloud couldn't use anything beyond 8.1, so the highlighted solution was to download php-legacy, a package with a set of utilities which the cloud could use instead of mainline php.
Pretty easy, right? fuck my life, here we go.
I edited apache-httpd's configurations to link the new libraries, updated every reference in every virtual host that could possibly screw up the web server.
Done.
Then I went on and disabled the php-fpm mainline, creating a new systemd unit that would instead run the legacy executable and afterwards I edited nextcloud's additional configs so they use that instead.
Done, getting a bit dizzy, but I reboot everything and breathe.
At this point the migration should be complete, but wait, the server returns an error saying that the application is still trying to use php 8.2+...wait, what in the sysadmin Christ?
Back to nextcloud config, everything is set, everything else in every other fucking php-legacy and web server is fine, the old fpm service is disabled, I am confused, and why in the FUCKING FUCK is the new php-fpm unit failing to start at boot with "error 78/config - directory not found"? Hello? Am I being trolled by a shitty dual-core amazon fake NUC?
Maybe yes, cause it turns out that the unit was referencing a directory in the external hdd, which gets mounted at boot time after the unit itself starts, so nothing much, just a matter of tinkering with cron jobs, a reboot and at least this one is off my balls.
But why still isn't the server responding correctly? why? WHY?
After slamming my cock on the keyboard here and there scrolling back through all the config files I think to myself, hmmm, my gitlab is working flawlessly, well yeah, I didn't need to install the whole web stack, everything was nice and easy wrapped in a docker container...so why am I even here, why the fuck am I bothering with all this layered web-app bullshit, why don't I just run the up-to-date docker image that someone else has already set up for me, back up all the data and reupload them on the application?
Oh joy, you can't imagine, after 3...almost 4 hours of pure computer-touching the relief I had from seeing the blue web page with the "welcome to nextcloud" title.
Right now it's copying back all the files, and the external hdd is now linked to include the data folder.
Like really, everything was solved in two lines of bash.
I am still fuming, but at least I learned a valuable lesson, if you want a service up for yourself, implement it and deploy it as fucking easy straight-forward as you can, giving MAXIMUM priority to already fully-working options that are out there just waiting to be downloaded and used. I swing my scrotal sack on web-apps elegance as long as it's MY homelab in MY place.
Eat a fat dick php.
sudo pacman -Rns nextcloud
sudo systemctl disable --now php-fpm-legacy
sudo pacman -Rns php-legacy
sudo pacman -Rns $(sudo pacman -Qdtq)2 -
How much of an asshole you have to be to say the poster doesn't know PHP and bitch about "security problems" in an answer to a clearly newbie question about forms and redirection on Quora?2
-
I like the people I work with although they are very shit, I get paid a lot and I mostly enjoy the company but..
Our scrum implementation is incredibly fucked so much so that it is not even close to scrum but our scrum master doesn't know scrum and no one else cares so we do everything fucked.
Our prs are roughly 60 file hangers at a time, we only complete 50% of our work each sprint because the stories are so fucked up, we have no testers at all, team lead insists on creating sql table designs but doesn't understand normalisation so our tables often hold 3 or 4 sets of data types just jammed in.
Our software sits broken for months on end until someone notices (pre release), our architecture is garbage or practically non existent. Our front end apps that only I know the technology have approaches dictated by team lead that has no clue of the language or framework.
Our front end app is now about 50% tech debt because project management is so ineffectual and approaches are constantly changing. For instance we used to use view models for domain transfer objects... Now we use database entities, so there is no commonality between models but the system used to have shared features relying on that..sour roles and permissions are fucked since a role is a page regardless of the pages functionality so there is no ability to toggle features, but even though I know the design is fucked I still had to implement after hours of trying to convince team lead of it. Fast forward a few months and it's a huge cluster fuck to enforce.
We have no automated testing of any sort or manual testing in place.
I know of a few security vulnerabilities I can nuke our databases with but it got ignored.
Pr reviews are obviously a nightmare since they're so big.
I just tried to talk to scrum master again about story creation since any story involving front end ui as an aspect of it is crammed in under one pointed story as sub tasks, essentially throwing away any ability to calculate velocity. Been here a year now and the scrum master doesn't know what I mean by velocity... Her entire job is scrum master.
So anyway I am thinking about leaving because I like being a developer and it is slowly making me give up on doing things to a high standard and I have no chance of improving things, but at the same time the pay is great and I like the people. -
So many people on devRant rave about iPhones because of the better security and privacy, but the new iPhone X starts at a whopping $1000! Sure, you don't have to get the X, but that's what everybody wants.
You'll say "well, I'm willing to pay more if it means better security because that's just the way it is." It doesn't have to be. It would be much more beneficial to actually fight and take a stand for better security and more privacy than just put up with outrageous prices.1 -
Currently having very funny project lead, who gives on the spot estimates for 9 years old very pathetic quality code having Android app in security domain. Memory leaks, bad practices, typos, CVEs etc. you name it we have it in our source of the app.
Since 5-6 sprints of our project, almost 50% of user stories were incomplete due to under estimations.
Basically everyone in management were almost sleeping since last 7-8 years about code quality & now suddenly when new Dev & QA team is here they wanted us to fix everything ASAP.
Most humourous thing is product owner is aware about importance of unit test cases, but don't want to allocate user stories for that at the time of sprint planning as code is almost freezed according to him for current release.
Actually, since last release he had done the same thing for each sprint, around 18 months were passed still he hadn't spared single day for unit testing.
Recently app crash issue was found in version upgrade scenario as QAs were much tired by testing hundreds of basic trivial test cases manually & server side testing too, so they can't do actual needful testing & which is tougher to automate for Dev.
Recently when team's old Macbook Pros got expired higher management has allocated Intel Mac minis by saying that few people of organization are misusing Macbooks. So for just few people everyone has to suffer now as there is no flexibility in frequent changing between WFH & WFO. 1 out of those Mac minis faced overheating & in repair since 6 months.
Out of 4 Devs & 3 QAs, all 3 QAs & 2 Devs had left gradually.
I think it's time to say goodbye 😔3 -
AWS Contractor
I've been putting a web application together that I'm looking to have published on AWS. Not having too much experience with AWS, I am looking to hire a contractor. I've had a number of quotes from different AWS admin's ranging from $40 an hour to $200 an hour, from 1-days worth of work to 2-months worth of work!
I'm not really sure what to make of it or to whom to trust. I believe they’re using my ignorance to overcharge me. I've listed my requirements below, could you guys use your professional experiences to let me know what you think is reasonable charge and where best I could find someone to help me.
My application is a US shopping website where people can set up an online shop and upload their products and maintain an inventory of the items.
This is what I’m looking for setup and configuration with the following two areas:
1) AWS SYSTEMS…
* AIM - Set up my server admin users.
* EC2 - Web Hosting.
* RDS - Fast DB.
* SES - To send emails.
* S3 Buckets - Uploaded image hosting.
Route 53 - I don’t know but someone said I should have this.
* Elastic Load Balancing - For, well, load balancing.
2) SCRIPTS…
* A script that would back up the database once a day and save it to a private S3 Bucket.
* A script that will run once a day that calls an internal API, and POST a query to it.
* A script that runs once every 90 days, to refresh the SSL using ZeroSSL.com
Is there anything that I've missed such as security systems, firewalls, auto scaling and CDNs?
The quotes that I've received arranged from $320 to $64,000. I know I am being abused because of my ignorance. I would never overcharge someone because the customer doesn't know the efforts of the work. I hope someone here can help to understand the efforts needed and can tell me the true cost.
Thank you6 -
What is your opinion about courses?
I got into the world of development from the world of Sysadmining and security with 10 month long Java course and now doing web courses in my free time.
I feel this really helped me, as before I tried to learn completely by myself but failed. Now I feel much more confident learning by myself(albeit I still feel Noobish as fuck)
How did you learn? Did you take courses? Completely by yourself? Through work?4 -
let rant: (Bool, Bool, String) -> Void = { (isRant, isDev, contents) in
print(contents)
}
rant(false, true, "
So, a year ago more or less, I set out to teach myself some server-side programming on the side.
Many (MANY) tutorials, Digital Ocean droplets created and destroyed, coffee mugs and FMLs later, I can say 'Hello World' from Node.js - built from source and not running as a sudoer - using express and forever on Ubuntu, behind another Ubuntu server running nginx - also built from source so to add headers-more and naxsi - using all sorts of goodies to enhance security and talking to each other via SSH. Oh, and taking to the world over HTTPS with a grade A on SSL Labs (I know this doesn't mean much to you. Yeah you, rolling your eyes over there. So why don't you just bugger off before even commenting? Haha)
Feels good man.
")2 -
- I love blowing my mind. Even if it is the most confusing thing. Things like security mechanisms, neurons' behaviors, mathematics (even tho I hate it when I fail lol), electronics, medical terminology and chemistry.
- I love collecting rare coins, personally never-seen stones and put them into my collection. I love to be a designer. Not only on my laptop. I have a book shelf and within that book shelf I put stones that create the yin yang sign while pushing the books to two sides. That makes them look like they are levitating. I have stones (including obsidian) that create a triangle and a knife hanging down the wall of my room.
- I love visiting touristic, historic, naturally-beautiful but also non-touristic (non-touristic? yes. by that I mean visiting e.g. the areas of touristic cities which are dangerous, because you can easily fall down off of a slippery ground and take serious injuries) places around the globe, talk to complete strangers in public (I am trying to be an extrovert), take pictures with my camera and collecting antiquities.
- I love taking risks (no. I don't play any poker games etc on the internet) without trying to put other people in risk. Driving insanely with whatever I have. Car, bike, you name it.
- I love reading books. Books that are about human psychology, fantasy novels and books about programming languages.
- I love to cook (I am at the beginning).
- I love to use the konMari method of tidying up my room.
- I love plants.
- I love having everything in my room tidied up (even if I am too busy with other stuff and skip this cleaning process for a week upto a month sometimes. Sorry, room.).
- I love doing sports. But mostly sport that I have never tried before. This can be, because of my greedy wish for an adrenaline kick. That led me into taking a balloon flight at 4 am (sunrise) and to paragliding at sunset above Mediterranean sea btw. (I am normally afraid of flying, but paragliding was awesome).
- I love swimming. Like, you cannot pull me out of the sea for a minimum of 2 hours, if it is not important.
- I love laying above the sea water and let the sea carry me to somewhere else.
- I love being alone. I love the silence. I love to be free in my thoughts.
- I love watching the sunset, the light that shines through the forest, the moonlight and the stars at night.
- I love dreaming. No, like, lucid dreaming for example.
- I love being open to any opinions.
- I love to learn about other people's views about the world and their religion.
- I love pets and would do anything to keep them alive when they are ill. It hurts my heart seeing them like this.
- I love watching demonic "A: Holy shit! Did you see this thing, too?! B: Yes!" YouTube videos just for the fun of it, but I hate horror movies and games.
- I love trying out new things. The creation of music and video for example.
- I love to give my hair and beard a shape, if I am too lazy to go to the barbershop lol. By that I don't mean just going to the barbershop, but taking an electric razor and cutting my hair myself even if I get bad results from time to time that can be corrected by letting any family member tell me in which area of of my head the hair problem is.
- I don't like disco clubs.
- I don't like toxic people even though I can be a quite toxic person myself without realizing it. If I appear toxic to you, inform me about it. Having so much testosterone in that moment, can make me do things that I don't want to do.
- I don't like drugs even tho I have to admit that I am trying a few from time to time (maybe 6 months in-between) to have a dopamine kick. I am not an addict.
- I hate myself for things that I did in the past.
- I used to watch MMA videos etc.
- I used to use a telescope, but I can't find it anymore.
- I used to have a microscope, but I can't find it anywhere and besides of that the seller did literally piss in it before selling it to me many years ago. Don't want to touch it tbh.
- I used to play games, but I don't enjoy games anymore. That makes me feel sad.
- I miss the old moments of my life.
In conclusion:
I like how things went and go so far. It changed me so much. It made me a good and a bad person. I became more open and confident, but it also particularly made me a leader who can say "fuck off" in a bad way to his family. I would like to undo this particular part of me.5 -
Update:
I've been trying to leave DoD for a couple of months now. Translating my 10 year's experience with complex Intelligence enterprise level systems to something relatable to the civilian IT world. Grabbed a few certs to help out A+, network+ and security+ with Linux+ as my next target. Photos of me working on unclassified systems, radios, cell towers and servers. I'm a teacher for military UAS so this shouldn't be to hard to get even a basic job in IT right.
No one will hire...
Linux admin: Nope
Network admin: Nope
Assistant Network admin: Nope
IT call service: Nope
Pool cleaner fucking nope
Many interviews and nothing
I'm broke and sold all of my personal valuables. I can't hold out much longer and really looking at becoming homeless. But I'm kinda ok with it, one last payment on my apartment and car is all I can do now. My parents think I'm in Afghanistan working a six figure job lol
DoD: we see you're trying to leave we'll pay you alot to teach A+, Network+ and Security+ traveling all across the country and staying at hotels with all expenses paid.
FU FU FU I want out please tell me someone has a job, I'll be a janitor of a server room Idc I just want out. Fuck the pay
I start Tuesday...4 -
Fellow ranters, I need some advice.
Work at an early stage startup to build their initial product(let's call it X) or work at slightly established startup with funding(let's call it Y)?
Both have their own benefits.
Working at X:
- I have equity (and a co founder position) thus chances of high rewards if the startup is successful.
- I get to build the whole product from scratch (great learning experience).
Working at Y:
- Don't know much about the company but I get a decent stable income.
- Work with a team (although a small one).
- Job security.
I'm currently in my final year and have given up on campus placements. Moreover, I'm not interested in wasting my time in pointless interview preparations. So I figured that startup is the way to go.7 -
I hate having too much security, on the user side. I have 2 step verification on anything that allows and also most of my passwords are up to a limit, seriously. This is why I have LastPass but obviously no work I ever been in allowed it. Except Freelancing and my own software / apps.
-
I wonder if crypto exchanges are so damn vulnerable or just so transparent.
I mean, it is impossible to scroll tech articles for more than a few seconds before stumbling on a report of yet another crypto exchange being nicked a couple hundred mil USD.
- It could be that their security severely sucks (wouldn't blame them for it, most businesses do suck at securing shit).
- It could be that the entire black hat community is putting it's might on stealing money that is so fucking easy to launder.
- It could be that is damn nigh impossible to cover up a crypto hack since the evidence of coins drifting away is forever on display in the public ledger, and in that case crypto companies are not hacked more often than regular companies, they are just much more often publically shamed for it.
- It could be a mix of all the above, but my intuition is that one factor is more relevant.
Which would be the most relevant factor? One of the above or yet another attack vector to the stupidest value conduit ever?5 -
So I have a pretty decent job on a more than good wage working for a larger company... I have my own team and get a good bit of responsibility with the role..... But the culture outside of my team is non existent....business is a mess and everything is a war to get anything done... I wish I could just take my team and do my own thing.... So.....
An old colleague and a great friend wants us to do our own thing... The money looks good... There is great demand... She is already doing it and making great money and turning down work and wants an equal partner in the business idea.. Equal equity split...
.... Why am I so worried about leaving a job I don't really have much loyalty too? Ironically the friend wanting me to go do our own thing with hired me here and got me promoted!
I want to go do it but something is keeping me here and I don't know what.... Am I just making excuses not to go?
Am I being rational wanting to stay or tricked of this false security a big firm offers?
Thoughts in the comments plz4 -
hello folks, any help would appreciated :). serious question about designing/developing a rest backend.
here is a little insight: I want to reduce the endpoints for many CRUD operations as I can. So for that approach I defined a set of "dynamic" routes like /:moduleName/list, /:moduleName/update and so on.
Now I want to also reduce hardcoding as much stuff as I can for the front end. like I want forms/view/components to know which fields can be sent in the "/:moduleName/xxx" endpoints from above. So I'm thinking to make some /:moduleName/list/map, /:moduleName/update/map endpoints that tells the frontend which fields/keys can be sent for X or Y operation.
regarding design/security concerns Is that a good approach? do you know any other approach that's like to what I want to achieve?6 -
Some magic happened about situation talked in earlier rant at below link.
https://devrant.com/rants/2910513/...
Now magically even before I inform about this situation directly to the client, now after 8 years they used some proprietary static code analyzer on latest app source & found out around 200+ security issues which covers most pain points I told in the above rant.
I also found out that there is a list of 100+ vulnerabilities documented in client doc repo, which were pending since around 5-6 years.
Now I have to work along my junior to fix these both kind of issues.
Suddenly dull maintenance project became much challenging & interesting. :-) -
This "binaryextensions" NPM package is a fraud (not to be confused with "binary-extensions"!): https://npmjs.com/package/...; it contains a single JSON array of purportedly "all binary extensions", reaches 700k downloads a week, yet only lists 13 binary extensions (https://github.com/bevry/...).
This is a huge danger to security, especially if it's being used in production environments for input checking. For comparison, here is a much more robust version of a repo with the same goal (https://github.com/sindresorhus/...)1 -
What we will miss, if he really softens:
In fact, if the reason is stated as "it makes debugging easier", then I fart in your general
direction and call your mother a hamster.
In short: just say NO TO DRUGS, and maybe you won't end up like the Hurd people.
Of course, I'd also suggest that whoever was the genius who thought it was a good idea to read things ONE F*CKING BYTE AT A TIME with system calls for each byte should be retroactively aborted. Who the f*ck does idiotic things like that? How did they not die as babies, considering
that they were likely too stupid to find a tit to suck on?
Gnome seems to be developed by interface nazis, where consistently the excuse for not doing something is not "it's too complicated to do", but "it would confuse users".
I think the stupidity of your post just snuffed out everything
I think the OpenBSD crowd is a bunch of masturbating monkeys, in that they make such a big deal about concentrating on security to the
point where they pretty much admit that nothing else matters to them.
That is either genius, or a seriously diseased mind. - I can't quite tell which.
Christ, people. Learn C, instead of just stringing random characters together until it compiles (with warnings).
"and anybody who thinks that the above is
(a) legible
(b) efficient (even with the magical compiler support)
(c) particularly safe
is just incompetent and out to lunch.
The above code is sh*t, and it generates shit code. It looks bad, and
there's no reason for it." -
TL;DR how much do I charge?
I'm freelancing for the first time; regularly, I get paid a salary.
I'm freelancing as a donation: the hours I put into this work directly translate to deductions in my tax. I don't get paid any money directly.
I'm doing some web-based enterprise software for an organization. Handling the whole process from writing responsive front-end code to setting up the server and domain for them and even managing myself. So full stack plus dev ops.
My normal salary is $31 an hour and at work I do less. I largely do maintenance for existing applications plus some very minor new systems design. I don't do any server management (different team) and I damn well didn't buy the domain names for my company. So I think it's safe to say I'm taking on a drastically larger role in this freelance gig.
My moral dilemma is the organization will basically say yes to any price - because they don't pay it, the government will (up until the point I pay 0 taxes, I suppose)
I've done some minor research on what other freelancers charge for somewhat similar things and I get pretty wildly varying results. I've seen as low as $20/hr but I really doubt the quality of such a service at that price.
I'm thinking around $50 USD an hour would be a fair price. For even further reference besides my actual salary, I will say that I am in a urban / suburban part of Florida, where developers are very hard to find locally.
Is $50 too high? Too low? This is a very complicated system with (frankly excessive) security practices and features. Before this they had a handful of excel spreadsheets in a OneDrive folder.7 -
Im always trying to learn new things. Im passionate about learning new things, especially development. So much i started a small collaboration group of developers and slack group to collaborate new projects/ideas,get to know new people, and just to learn new things from each other. The group is not language specific developers only, but mostly consists of PHP/Laravel developers at the moment, so im always trying to grow that network as much as possible, so if you would like to join my network to collaborate new ideas or to just even talk to some cool cats, ill send you an invite any day. Anyways, back to my original reason for this post. Im mid level developer who considers himself pretty knowledgeable in PHP and Laravel. Im curious to what other developers use to learn new things. Im constantly questioning my skillset and compare myself to senior developers who always blow me away with their knowledge which often makes me feel like i dont know enough. Currently I use resources such as:
-laracasts.com
-serversforhackers.com
-digital ocean articles or any textbook that wont cost me an arm and a leg lol
I mean i just want to learn about tech related stuff always but currently interested in learning specifically about development topics such as:
- Server administration because i would consider this my weakest skill set (things like provisioning,nginx/security, deployment)
- Continous Integration (as ive never been at a job that practices it)
- RESTful APIs(as ive never developed one)
and so much more but i wont waste your time with my never ending list. What resources/tools do you guys use for your learning?6 -
Hey there, I've never really done anything like this but I'm in the second year of college.
I really want to go into the security area, not completely sure but pretty inclined to pentesting.
The question is, what, in your opinion, do you think is a good starting point so I'm pretty much ready to start working when I finish my 5 year course? My college doesn't have any or many security classes, so I'll have to do it all by myself.
Right now I know java, C and html, css and Javascript, which I'm learning by myself.5 -
A philosophical question about maintenance/updating.
There is no need to repeat the reasons we need to update our dependencies and our code. We know them/ especially regarding the security issues.
The real question is , "is that indicates a failure of automation"?
When i started thinking about code, and when also was a kid and saw all these sci fi universes with robots etc, the obvious thing was that you build an automation to do the job without having to work with it anymore. There is no meaning on automate something that need constant work above it.
When you have a car, you usually do not upgrade it all the time, you do some things of maintance (oil, tires) but it keeps your work on it in a logical amount.
A better example is the abacus, a calculating device which you know it works as it works.
A promise of functional programming is that because you are based on algebraic principles you do not have to worry so much about your code, you know it will doing the logical thing it supposed to do.
Unix philosophy made software that has been "updated" so little compared to all these modern apps.
Coding, because of its changeable nature is the first victim of the humans nature unsatisfying.
Modern software industry has so much of techniques and principles (solid, liquid, patterns, testing that that the air is air) and still needs so many developers to work on a project.
I know that you will blame the market needs (you cannot understand the need from the start, you have to do it agile) but i think that this is also a part of a problem .
Old devices evolved at much more slow pace. Radio was radio, and still a radio do its basic functionality the same war (the upgrades were only some memory functionalities like save your beloved frequencies and screen messages).
Although all answers are valid, i still feel, that we have failed. We have failed so much. The dream of being a programmer is to build something, bring you money or satisfaction, and you are bored so you build something completely new.13 -
// Rant 1
---
Im literally laughing and crying rn
I tried to deploy a backend on aws Fargate for the first time. Never used Fargate until now
After several days of brainwreck of trial and error
After Fucking around to find out
After Multiple failures to deploy the backend app on AWS Fargate
After Multiple times of deleting the whole infrastructure and redoing everything again
After trying to create the infrastructure through terraform, where 60% of it has worked but the remaining parts have failed
After then scraping off terraform and doing everything manually via AWS ui dashboard because im that much desperate now and just want to see my fucking backend work on aws and i dont care how it will be done anymore
I have finally deployed the backend, successfully
I am yet unsure of what the fuck is going on. I followed an article. Basically i deployed the backend using:
- RDS
- ECS
- ECR
- VPC
- ALB
You may wonder am i fucking retarded to fail this hard for just deploying a backend to aws?
No. Its much deeper than you think. I deployed it on a real world production ready app way.
- VPC with 2 public and 2 private subnets. Private subnets used only for RDS. Public for ALB.
- Everything is very well done and secure. 3 security groups: 1 for ALB (port 80), 1 for Fargate (port 8080, the one the backend is running on), 1 for RDS postgres (port 5432). Each one stacked on top and chained
- custom domain name + SSL certificate so i can have a clean version of the fully working backend such as https://api.shitstain.com
- custom ECS cluster
- custom target groups
- task definitions
Etc.
Right now im unsure how all of this is glued together. I have no idea why this works and why my backend is secure and reachable. Well i do know to some extent but not everything.
To know everything, I'll now ask some dumbass questions:
1. What is ECS used for?
2. What is a task definition and why do i need it?
3. What does Fargate do exactly? As far as i understood its a on-demand use of a backend. Almost like serverless backend? Like i get billed only when the backend is used by someone?
4. What is a target group and why do i need it?
5. Ive read somewhere theres a difference between using Fargate and... ECS (or is it something else)? Whats the difference?
Everything else i understand well enough.
In the meantime I'll now start analyzing researching and understanding deeply what happened here and why this works. I'll also turn all of this in terraform. I'll also build a custom gitlab CI/CD to automate all of this shit and deploy to fargate prod app
// Rant 2
---
Im pissing and shitting a lot today. I piss so much and i only drink coffee. But the bigger problem is i can barely manage to hold my piss. It feels like i need to piss asap or im gonna piss myself. I used to be able to easily hold it for hours now i can barely do it for seconds. While i was sleeping with my gf @retoor i woke up by pissing on myself on her bed right next to her! the heavy warmness of my piss woke me up. It was so embarrassing. But she was hardcore sleeping and didnt notice. I immediately got out of bed to take a shower like a walking dead. I thought i was dreaming. I was half conscious and could barely see only to find out it wasnt a dream and i really did piss on myself in her bed! What the fuck! Whats next, to uncontrollably shit on her bed while sleeping?! Hopefully i didnt get some infection. I feel healthy. But maybe all of this is one giant dream im having and all of u are not real9 -
So first day on the job, I'm in the application security team. Any tips? Anything much appreciated!7
-
I’m in a tough spot - I’m completely overloaded with sysadmin type work (server upgrades, firewall and vendor coordination, security, password maintenance) that I don’t have time to complete any programming work assigned to me. My bosses are aware and have done their best to help, but I just can’t keep up (have two young kids too and just can’t work nights anymore without trouble at home). My bosses have been great, so I feel terrible about this, but I think I’m going to have to look for another employer, I can’t do this anymore. Am I a horrible person to leave them with so much work even though they tried to help me?8
-
Why do most people think that a person can only be great at one thing.
I've just started working as a developer and when I tell people I am also learning cyber security they are like what's the point of it. And how I should focus on one thing and blah blah.
Man, nobody questions Elon Musk when he is learning new things everyday. But then why can't we do the same and man we don’t need to be judged. A little support would be so much better.6 -
I recently came across this article with some basic security advices, like use 2fa security key, encrypt your USB keys, don't use untrusted USB chargers / cables / ports (or use a data blocker cable if you need to charge your device). It made me think, how relevant are the USB-related threats and risks today? Do people really still use and carry so many wired USB devices, and just drop or plug them wherever?
The last time I used an USB device to transfer some important data was probably over 10 years ago, and for the love of god I don't know anyone who still carries an USB key with sensitive data with them on a daily basis, much less actively uses it. Besides, whoever still does that probably puts their USB key on the same keychain as their ID / access tag and a bunch of other keys (including a 2fa device if they use one) - they're not going to lose just some sensitive data, they're going to lose authentication and physical access devices as well, and that could turn a small data leak into a full-scale incident, with or without an encrypted USB device.
I'm also not sure about untrusted USB cables and ports, from what I've seen the USB outlets and cables are pretty much non-existent in public places, most places offer wireless charging pads instead (usually built into a hand rest or table surface).3 -
Just what is life
1st I love developing Web Apps
2nd I hate when it has bugs (Always does Everyone does)
3rd More hate for Security related bugs
So I started bug hunting so that even I can make developers hurt I thought I might find peace here
But here we fucking have SQL Injections which are not really that bad easy peasy
But we also have special kind of SQL Injections the Boolean Based ones (Medium Level Demons) and also The Time Based SQL Injections (Medium Level Demon with lots of health consumes too much time has a repetitive process and we have to wait a lot also if you have network lag you are doomed)
No its nice story till here but here it fucking ends the happiness I mean my luck is worst kind of fucking thing anybody ever can have.
I got a mix of both Demons;_;
A Time-Based Boolean SQL Injections yess fuckety amounts of fucking time wasted and redundant fucking process also to make matters worst the fucking famous tool #SQLMAP doesn't work in my case -
tl;dr: looking for suggestions for new instant messenger (WhatsApp, Telegram, etc.)
so I used to use Facebook Messenger a LOT, actually much more than even texting (I know I know, Facebook=spyware lol). I wanna ditch Facebook so bad but most of the people I talk to, I message through Messenger, and thus, I don't have most people's actual phone number. so I'm looking for suggestions for a new messaging platform, where these are my priorities:
1. Ease of use/existing userbase (e.g. the more of my friends that are already on it, the better)
2. Security & Privacy
3. the ability to easily find people I know without having their phone number7 -
Well thanks a lot for the clarification of WHY I cannot sync my work (Office 365) mail using the mail client in Windows 10!
It's not that it's wrong; it's (probably) very much correct.
It's not that it's not precise; I don't think it could be anymore precise than a data dump like that.
It's not that trying to help me solve the problems; I'm sure it is.
But now that I have all the (debug) info about the security policies in place it would be great if it would show what violated which policy and maybe even what they mean and how to fix it?
The most concrete to go by is the error code, and judging by a google that has meant "your mail has problems" for at least three years...
...not even a single link was found to the (only) page detailing content, possible values, and dependencies between policies. -
Approx. 24 hours ago I proceeded to use MEGA NZ to download a file It's something I've done before. I have an account with them.
This is part of the email I received from MEGA NZ following the dowload: "
zemenwambuis2015@gmail.com
YOUR MEGA ACCOUNT HAS BEEN LOCKED FOR YOUR SAFETY; WE SUSPECT THAT YOU ARE USING THE SAME PASSWORD FOR YOUR MEGA ACCOUNT AS FOR OTHER SERVICES, AND THAT AT LEAST ONE OF THESE OTHER SERVICES HAS SUFFERED A DATA BREACH.
While MEGA remains secure, many big players have suffered a data breach (e.g. yahoo.com, dropbox.com, linkedin.com, adobe.com, myspace.com, tumblr.com, last.fm, snapchat.com, ashleymadison.com - check haveibeenpwned.com/PwnedWebsites for details), exposing millions of users who have used the same password on multiple services to credential stuffers (https://en.wikipedia.org/wiki/...). Your password leaked and is now being used by bad actors to log into your accounts, including, but not limited to, your MEGA account.
To unlock your MEGA account, please follow the link below. You will be required to change your account password - please use a strong password that you have not used anywhere else. We also recommend you change the passwords you have used on other services to strong, unique passwords. Do not ever reuse a password.
Verify my email
Didn’t work? Copy the link below into your web browser:
https://mega.nz//...
To prevent this from happening in the future, use a strong and unique password. Please also make sure you do not lose your password, otherwise you will lose access to your data; MEGA strongly recommends the use of a password manager. For more info on best security practices see: https://mega.nz/security
Best regards,
— Team MEGA
Mega Limited 2020."
Who in their right mind is going to believe something like that that's worded so poorly.
Can anybody shed some light on this latest bit of MEGA's fuckery?
Thank you very much.4 -
Anyone knows if u can make good money by reverse Engineering apks and looking for security holes? Anyone experienced in doing that and how much could u charge1
-
Initially I was taking Network Security. Didn't like it that much. Figured I should explore and took a diploma in Information Tech.
First programming assignment, stayed up the whole night to solve it accompanied by a couple of Monster drinks. Got hooked on programming ever since. Picked up caffeine addiction along the way.
Oh and I'm now lactose intolerant. Strongly believe it's due to the large amounts of coffee I had back in the day. -
Thinking to start smoking 🚬
Never tried it once in 26 years not even a sip even refused temptations from school friends
Now by starting a job, i have no security, ironically. I feel like i stepped at the leap of a bottomless pit and tomorrow i jump into it and fall... and fall....and fall..... No end.
I have no idea how to use ansible and rexify.org and thats what I'll need to use. I have no idea how to do devops with Azure, and thats what ill do. I only build devops with terraform on Aws.
The unknown of 9-5 is frightening me more than starting a business. Paradoxically, i think it would come as a relief to get fired within the first week from failing to complete literally everything
On top of that my blonde gf disappeared yesterday for 3-4 hours. No texts no phone calls. Called for 2 times no answer. Called 3rd time and got a voice message the phone was shut down. 3-4 hours later she said she was with mom at shopping and didnt have internet
I also caught her texting some random guy on instagram. They both have vanish mode enabled (texts delete themselves as soon as you leave the conversation). Confronted her today. She wont tell me the truth. Likes his pics on ig. Keeps lying. On a question "why do you have vanish mode enabled with him?" her answer is "well i guess married men always use vanish mode"
Im tired
Too much shit unraveling. The opening of 2024 already doesnt look good
Why do good people die in accidents or diseases but i dont and i live? Shits unfair. Why doesnt nature/God fucking kill me? I beg to die. I hope to die. I pray for something to kill me. It would come as such a relief.
This life is meaningless and empty to me. typeof(life) yields a void. I dont value it. Its shit. Whether succeed or fail its meaningless. Nihilism was right
I am literally a walking dead. Physically moving but spiritually dead. Mentally lost. I am the captain of a ship in the middle of the ocean who no longer knows where the ship is going
Why cant i just get cancer or something. Can cigarettes help me get it? Cause I'll start consuming that shit right away to speedrun that process
End it17 -
Every single time that I realised how much of my expertise sounds like vaporware to people, mostly management and C-level.
Have been working on security for quite some time now but seeing that I can't really get through make me feel useless and not worth my weight in shit.1 -
How do all you other devs deal with sleep? Because I am losing my fucking mind I work for myself so I don't go to work at 9am leave at 6pm.
I normally work until 6am and then sleep till 12 drink 3 strong coffee to start functioning again try and do something productive which at the moment involves catching up on the NBA playoffs and then starting work at 6pm.
Due to resent baby I thought shit my life is fucked I haven't left the house in 3 days I need structure routine I need to work 9am to 6pm become human again but I just can't FUCKING sleep it's now 1:30am and I'm trying to sleep.
I know what your thinking why are you on devRant but I've been trying to sleep for the past 3 hours but all I can think about is work code, refactoring, new languages, security, support shit that can wait but I can't get it out my head, keep thinking "ah your not tired you could work", and YES I have a list which get bigger every day wish I had a drug dealer or was still in contact with my old mates so I could get some Valium but it's hot milk and sleeping tablets for me, life is so much easier when you can just fuck of home at the end of the day and forget about work, not having your laptop next to you trying to trick you into opening it. How do other people who work for theirselves deal with the life work balance?4 -
!rant
Looking for help starting with DevOps.
Does anyone know of a site or forum where you can talk about general coding/scripting patterns rather than just asking specific questions?
Bear with me, this may be a bit longer than most posts here.
I'm a self-taught admin/tech working with one colleague (who's also mostly self taught) at a high school, managing both clients and servers.
We've been doing most things manually bit I'm looking into converting as much work as possible into more of a DevOps setup, with Powershell-scripts for multi step tasks.
I want to do this for a number of reasons. Having a script doing a number of steps would cut down on time spent on individual tasks and minimize the risk that a step is missed or, perhaps even worse, mistyped. Also it's important that I actually learn what I'm doing, why something works and why something fails.
As and example, I have a powershell-script which moves a student from one year to another (basically they have user names with a two-digit prefix based on the year they started and a suffix with two letters from their first names and four from their last names) if they need to repeat a grade.
It basically renames the account in the AD with the correct year-prefix, changes the samAccountName, renames Home and Profile-directories on disk and changes paths on the profile-tab in AD, moves the user into a new OU and security group etc.
It works as intended if the user account to be renamed exists and there's no name conflict with the new name. But I'd like for the script to validate that there's no problem with user names, source and target security groups and OUs etc. and eventually split the script up into smaller clearly defined functions for better readability.
However, I don't want someone to just write the script for me, I'd prefer to be able to discuss script flow and come to my own conclusions and solutions.1