TL;DR: Fuck you Apple.

10:30 PM, parent needs iPhone update to update Messenger. How hard can this be?
Need to update iPhone from 9.x to latest, which is so outdated it still required iTunes. Fk.

Boot iTunes on Windows 10 pc that is at least 10 years old.
Completely unresponsive
Crash in task manager
Launch and is completely unresponsive. (Also starts playing unrequested music.. Oh joy..)
Fuck this, go to apple.com to download iTunes exe
Gives me some Microsoft store link. Fuck that shit, just give me the executable
Google “iTunes download”. click around on shitty Apple website. Success.
Control panel. Uninstall iTunes. (Takes forever, but it works)
Restart required (of fucking course).
2 eternities later. Run iTunes exe. Restart required. Fk.
Only 1 eternity later. Run iTunes, connect iPhone.
Actually detects the device. (holy shit, a miracle)
Starts syncing an empty library to the phone. Ya, fuck that.
Google. Disable option. Connect phone. Find option to update.
Update started. Going nowhere fast. Time for a walk at 1:00 AM punching the air.
Come back. Generic error message: Update failed (-1). Phone is stuck installing update. (O shit)
1x hard reset
2x hard reset
Google. Find Apple forum with exact question. Absolutely useless replies. (I expected no less)
Google recovery mode. Get into recovery mode.
Receive message: “You can update, but if it fails, you will have to reset to factory settings”. Fuck it, here we go.
Update runs (faster this time). Fails again. Same bullshit error message. (Goddammit, fuck. This might actually be bad.)
Disconnect phone.
… It boots latest iOS version. (holy shit, there is a god)
Immediately kill iTunes. Fuck that shit.
Parents share Apple account
Sign in, 2FA required.
Fat finger the code.
Restart “welcome” process.
Will not send code. What. The. Fuck.
Requests access code on other parent’s iPhone.
No code present. What???
Try restarting welcome process again. No dice. (Of course)
Set code on other parent’s iPhone.
Get message “Code is easy to guess”. Ya. IDGAF
Use code on newly updated iPhone. Some success.
Requires reset of password.
Password cannot be the same as old password (Goddammit)
Change password.
Welcome process done.
Sign in again on same phone after welcome process done in settings. (Nice.)
Sign in again on other phone with updated password
Update Messenger.
Update hangs. Needs more space.
Delete shit.
Update frozen in App Store (Really??)
Restart iPhone.
Update Messenger.
Update complete past 2. Well that was easy.

Apple, fuck you.
Some call Android unintuitive, but I look at the settings app on iPhone and realize you aren’t any better.
This company hasn’t been innovative since 2007. Over 1000 USD for a phone? Are you fucking kidding me?
Updating an iPhone from iOS 9.x is probably uncommon anymore. But this is a fucking joke. Fix your shit.
Shit like this is why I’ll never again own an Apple product. I have HAD IT with the joke of a business.

Thanks for reading.

Question regarding implementing two factor authentication.

I want to implement 2FA for at least one service I'm writing but I'm wondering, next to email, what services/implementations could I use?

I know that email isn't the best when it comes to security but I also don't want to force (a-technical) users to install an app specifically for 2FA so keeping email as an option as well.

But except for email, any ideas? Anything related to Google/facebook (prism integrated services) are a no go anyways (this has, as mentioned before, nothing to do with my ego or giving myself 'a pat on the back')

As for costs, I don't mind a little bit of money but the service will be free at first and I'm not rich :)

Looking forward to the comments!

*Sigh

Every single one of us here loathe this question "Hey can you hack a Facebook account for me?"

Even worse when the one asking is your mom.
😶😶😶

(Backstory, she and her friend runs a store. Shit happened between them. The friend is the one who setup the store's Facebook page. Now posting shit on that page. She's not tech savvy. I can probably brute force her password. No 2FA)

Dilemma. Dilemma.

sms 2fa makes me very happy in a house with no reception /s

@netikras since when does proprietary mean bad?

Lemme tell you 3 stories.

CISCO AnyConnect:
- come in to the office
- use internal resources (company newsletter, jira, etc.)
- connect to client's VPN using Cisco AnyConnect
- lose access to my company resources, because AnyConnect overwrites routing table (rather normal for VPN clients)
- issue a route command updating routing table so you could reach confluence page in the intranet
- route command executes successfully, `route -n` shows nothing has changed
- google this whole WTF case
- Cisco AnyConnect constantly overwrites OS routing table to ENFORCE you to use VPN settings and nothing else.

Sooo basically if you want to check your company's email, you have to disconnect from client's VPN, check email and reconnect again. Neat!

Can be easily resolved by using opensource VPN client -- openconnect

CISCO AnyConnect:
- get a server in your company
- connect it to client's VPN and keep the VPN running for data sync. VPN has to be UP at all times
- network glitch [uh-oh]
- VPN is no longer working, AnyConnect still believes everything is peachy. No reconnect attempts.
- service is unable to sync data w/ client's systems. Data gets outdated and eventually corrupted

OpenConnect (OSS alternative to AnyConnect) detects all network glitches, reports them to the log and attempts reconnect immediatelly. Subsequent reconnect attempts getting triggered with longer delays to not to spam network.

SYMANTEC VIP (alleged 2FA?):
- client's portal requires Sym VIP otp code to log in
- open up a browser in your laptop
- navigate to the portal
- enter your credentials
- click on a Sym VIP icon in the systray
- write down the shown otp number
- log in

umm... in what fucking way is that a secure 2FA? Everything is IN the same fucking device, a single click away.

Can be easily solved by opensource alternatives to Sym VIP app: they make HTTP calls to Symantec to register a new token and return you the whole totp url. You can convert that url to a qr code and scan it w/ your phone (e.g. Google's Authenticator). Now you have a true 2FA.

Proprietary is not always bad. There are good propr sw too. But the ones that are core to your BAU and are doing shit -- well these ARE bad. and w/o an oppurtunity to workaround/fix it yourself.

I was never really fond of 2FA, mostly due to the pain in the ass it creates if you lose or can’t access the 2nd device or jumping between GAuth to access Password Manager to access a password to use a login 😱.

But when your phone prompts up with a “allow some Asian, access to you’re iCloud account” you feel a world of relief that you have:

1) a notification you’re account is no longer secure,

And,

2) an immediate ability to change passwords before any access is granted.

Now it’s 1 more password I no longer know due to it being a scrambled mess of characters.

PS: Fuck you, you low life shithead!

So... I’m sitting here doing pretty much nothing, just reading through some rants when all of a sudden I get a wave of emails.

Pinterest!
We noticed a login from a new device or location and want to make sure it’s you.
Device: Firefox, Windows 8
Where: New Jersey, United States (Approximate)

OhhhhhKay then... so there’s a couple of problems with this, 1 I didn’t even know I had a Pinterest account, 2 I don’t have Pinterest in my password manager either.

So I follow the link and fair enough it’s actually pintest, so I attempt to login, to no avail, oh maybe it’s a social login..., ok let’s try google, nope that wasn’t it, deletes account, logins with Facebook, oh here we go, checks logins, 1 random jersey player, deletes account, swaps to Facebook, changes password (this fucker was already 100+ characters) and adds 2FA and contains no new logins 🤔

Ok... so what the fuck, either someone managed to get through a long ass password or something phishy is going on, the email for FB logins is seldomly used (maybe a handful of services at best) as I have another for all the junk and spam bullshit I expect from today’s “marketing”

So... did I mention I sometimes hate banks?

But I'll start at the beginning.

In the beginning, the big bang created the universe and evolution created humans, penguins, polar bea... oh well, fuck it, a couple million years fast forward...

Your trusted, local flightless bird walks into a bank to open an account. This, on its own, was a mistake, but opening an online bank account as a minor (which I was before I turned 18, because that was how things worked) was not that easy at the time.

So, yours truly of course signs a contract, binding me to follow the BSI Grundschutz (A basic security standard in Germany, it's not a law, but part of some contracts. It contains basic security advice like "don't run unknown software, install antivirus/firewall, use strong passwords", so it's just a basic prototype for a security policy).

The copy provided with my contract states a minimum password length of 8 (somewhat reasonable if you don't limit yourself to alphanumeric, include the entire UTF 8 standard and so on).

The bank's online banking password length is limited to 5 characters. So... fuck the contract, huh?

Calling support, they claimed that it is a "technical neccessity" (I never state my job when calling a support line. The more skilled people on the other hand notice it sooner or later, the others - why bother telling them) and that it is "stored encrypted". Why they use a nonstandard way of storing and encrypting it and making it that easy to brute-force it... no idea.

However, after three login attempts, the account is blocked, so a brute force attack turns into a DOS attack.

And since the only way to unblock it is to physically appear in a branch, you just would need to hit a couple thousand accounts in a neighbourhood (not a lot if you use bots and know a thing or two about the syntax of IBAN numbers) and fill up all the branches with lots of potential hostages for your planned heist or terrorist attack. Quite useful.

So, after getting nowhere with the support - After suggesting to change my username to something cryptic and insisting that their homegrown, 2FA would prevent attacks. Unless someone would login (which worked without 2FA because the 2FA only is used when moving money), report the card missing, request a new one to a different address and log in with that. Which, you know, is quite likely to happen and be blamed on the customer.

So... I went to cancel my account there - seeing as I could not fulfill my contract as a customer. I've signed to use a minimum password length of 8. I can only use a password length of 5.

Contract void. Sometimes, I love dealing with idiots.

And these people are in charge of billions of money, stock and assets. I think I'll move to... idk, Antarctica?

"How do we share access to two-factor authentication."

What you mean is "how do we defeat the purpose of multi-factor authentication."

No, just no. Who does this shit ? I turned on 2FA for a reason.

Bittrex is "amazing"...

I had lost my 2FA a long time ago (as my phone fried) and missed the account ferification deadline which caused my account to get disabled. Off we go to support!

0. Nothing to rant about at this point. I just created an account in their zendesk, logged in and logged a ticket to reset my 2FA and reactivate my account. They asked me for info, I provided it to them and got my 2FA disabled. Hooray!

1. I then asked to reenable my account. They sent me a link to restart the verification process. I open up that link and log in. I'm asked to upload some photos. I select requested photos from my galery and hit [UPLOAD]. An error pops up saying that smth wrong happened and I need to reload that site and reupload my photos. After page refresh they are telling me they are validating my uploaded info (w/o any way to resubmit my info, which, according to the error seen below, was not successfully submitted in the first place)...

2. So I reach out to the support guy again. Guess what he replies! He says he's sorry but he cannot help me any more and I need to create a NEW ACCOUNT in their support site with the same email <???!!!???>

3. I try to log in to the support portal and my access no longer works. MY ACCOUNT HAS BEEN DELETED! WTF!!!

4. I do as I'm told and create a new acc with the same email. Now I can log back in. So I'm raising a new ticket saying I still cannot finish my verification process due to the same error. It looks like it's going to be a fun ride with them so I can't wait to see what they'll reply.

So, the Network I was on was blocking every single VPN site that I could find so I could not download proton onto my computer without using some sketchy third-party site, so, being left with no options and a tiny phone data plan, I used the one possible remaining option, an online Android emulator. In the emulator running at like 180p I once again navigated to proton VPN, downloaded the windows version, and uploaded it to Firefox send. Opened send on my computer, downloaded the file, installed it, and realized my error, I need access to the VPN site to log in.

In a panic, I went to my phone ready to use what little was left of data plan for security, and was met with no signal indoors. Fuck. New plan. I found a Xfinity wifi thing, and although connecting to a public network freaked me out, I desided to go for it because fuck it. I selected the one hour free pass, logged in, and it said I already used it, what? When?, So I created a new account, logged in, logged into proton, and disconnected, and finally, I was safe.

Fuck the wifi provider for discouraging a right to a private internet and fuck the owner for allowing it. I realize how bad it was to enter my proton account over Xfinity wifi, but I was desperate and desperate times call for desperate means. I have now changed my password and have 2fa enabled.

So, i use this bulk messaging service and they decided to make logins OTP only ("for security reasons", they say), sent to your email.
So instead of entering a password quickly,
- enter the password for your email account,
- click about 10 times on Resend OTP
- wait for OTP
- copy OTP and paste in the box.

So basically relying on the person's email provider's security than deploying their own.

This is not about devRant… but it might as well be.

Imagine public forum. Everyone can read and post, everyone can comment. And there's no way to send a private message.

You use said forum for years. Whether you like it or not, you form alliances, friendships, frenemieships and engage all kinds of social contracts. There's no ro(ot)ster either, so you keep all that in your head, until one day you need a social contract formalized — exchange contact info. With Steven.

You can't just “@Steven text me, here's my phone”, that's borderline suicidal. You yearn a safe haven. A proxy that'd allow privacy. So you quickly spin up a service, let's say Discord (it wasn't Discord, but close enough), post a link, and within seconds Steven joins… He and seven other Stevens.

So you send each a unique sentence, a 2fa token so to speak, and ask them to post it on said devRant-like forum — they can delete it later after all. And a few minutes later there's eleven Stevens posting garbage faster than mods can delete, because whitespace power. But you bravely sift through that shit until the correct Steven rants “I'm blue, da-ba-dee da-ba-da”, and finally you know which Discord Steven is blue, so you can privately chat about colours.

And then Steven's 75 years old, well-reputed account gets banned on devRant for posting along other spamming Stevens. And you can't even PM administration, because devRant is a public forum without PM-ing indeed.

Was recently in a motorcycle accident and haven't been cleared to go back to work yet so I'm trying to build my first Android app.

I don't know Java, XML, kotlin, Android studio, or what the fuck a Gradle is; but I figured I'd take my app idea and download Android studio then try winging everything from there.

Needless to say, I'm having a damn hard time lol. I have been watching firebase tutorials on YouTube to try and figure out how to add authentication to my app. I kinda got it working in the AVD. But my personal Google account has 2FA enabled so I can't seem to get the app to sign me out, or sign me back in. (I was able to authenticate once successfully.)

I have no idea if having 2FA enabled is even the problem. I tried turning on debugging and can't seem to figure out how to actually get the app to debug or get a debug console open.

I seriously feel like the world's biggest n00b right now. Going to go YouTube/Google how to get the debugging working. Then I'm off for a round of learning how to read a debug report!

Hahahaha... Kill me now -_-'

Dashlane is a fucking mess.
1. This fucker won’t sync.
2. This fucker requires you to pick the american state when you enter addresses so no non-us addresses
3. This fucker uses a really bad vpn company under the hood as “its” vpn
4. This fucker somehow messed up the offline 2fa, the thing that students do successfully in their authenticator apps

I’m gonna go back to noo.js.org, that fucker will sync even without any connection, across infinite number of devices, instantly. Yes it does nothing but passwords, yes you can’t change passwords but at least you’re always synced. And it doesn’t sell your data because it doesn’t even have a server let alone a database.

FUCK YOU DASHLANE

My brother-in-law's mother's face when she was telling me that she was forced to use 2FA Microsoft Office for work..
"They think we're all IT ppl or what"

Just realise how complex the "simple" 2FA activation step is for someone without the slightest IT curiosity. Not super-democratic either.. (eg. For someone who uses a library PC and has no phone)

Trying to remote in your home PC to setup git but because you have 2fa you need to signup about 6 time than creating a repo to push the home project to and setting up an exact copy of the tools on your laptop to continue on that said home project.

Why Apple has to do every configuration so f**ckin difficult? After a thousand logins, validations, and 2FA just to change my f**ckin region I find that I need to contact local support by chat or call even if my account is clean (no payment method added, no purchases made, etc.). Yeah right, great products, but crappy website UX.

Thats top notch design.
All actions happening on the page go to one endpoint. Removing old trusted computers, changing the password, changing 2FA, you name it.

Now if you want to remove all old trusted devices, you cannot remove all at once, there is no button for it. So you click one after the other. And then it stops working. Ok, then do the normal password rotation. Hmm, button has a loading spinner and then nothing happens.

Looking into the browser console:
- All requests go to /myaccount/security/graphql
- All requests get a 429 Too many requests
- Even if you just click a panel, it tracks the action to the graphql endpoint. Or at least tries to because even that gets shot down with a 429

Pretty dumb, eh? Must be some small shitty website. It's not. It's fucking paypal.

This is not a developer-related rant, but honestly, I'm annoyed, and this felt like the best place to vent.

My Twitter account has been suspended/restricted. I can still log in, but I can't tweet, follow people, anything.
No reason was given to me at all for my restriction, other than an automated reply when I attempted to appeal it stating they suspected my account of being hacked - an account I hadn't used in about a month, has a randomly generated 12 character password and has 2FA.

Here's the thing - I didn't grow up with Twitter, I've never really taken an interest in it, I only have my account to post dev stuff now and then as I know some over devs do - It felt like a good place to easily log what I'm currently working on and show off my work that I was proud of.

There aren't any other platforms I know of where I can do that, other than here (but my work consists of things that are also not dev related, so...)

I have no idea if I will get my Twitter account back; it's been over a week now since I attempted to appeal it with absolutely no response.

If anyone knows decent platforms where I can share my work and progress (dev, art, level design, etc.) and can use it sort of like a dev blog, I would greatly appreciate it.

Well fuck Amazon. I am trying to get into my account because for some fucking reason they say my payment method is faulty while they actually write off the subscription of prime of it. But to get into my account I need to login again with 2FA as I have that turned it on. So far so good. But since it's an old phone number I can't login. Well just change the phone number wouldn't you think? Well yes but to change the phone number I need to login in with the old phone number to which I have no longer access 🤦‍♂️. Eventually found a phone number I could call. I get a lovely lady on the phone which guides me to resetting my password but for that, you guessed it, I need to do the 2FA again. I get send through to the next person as she can't change it for me because of privacy reasons (oh well). That guy first askes the last 4 numbers of my creditcard like 5 times because he can't remember it (write it the fuck down then asshole) then he starts mistaking the 6 for 9 (like how the fuck do you do that) and then the text messages don't come in while I am on the phone with him which he tries to blame to my service provider because they would block Amazon (like why would they do that?). But since I got a text message of them 15 min before I shot that down quickly. Then he finally admitted that they might have a disruption going on. So I think we'll fine I'll just ask my question to him how it's possible that Prime stops working as I am watching it because my payment method is faulty according to them (but manage to write off the subscription) and he starts talking just shit. Just admit that you don't know and connect me to someone who does know how that can happen. In the the end I just hung up because I knew I wasn't getting anywhere with this guy and don't you know it, as I start writing this the text messages come in. Problem solved you would say just out that number in the website and you can change your phone number. Well no because I have to tell the number to the guy who I hung up with because the texts weren't coming in 😒. Now I should call them back but I think I'll wait till tomorrow hopefully the day shift will be a bit more knowledgeable on how shit works and can actually remember 4 digits.

So as a personal project for work I decided to start data logging facility variables, it's something that we might need to pickup at some point in the future so decided to take the initiative since I'm the new guy.
I setup some basic current loop sensors are things like gas line pressures for bulk nitrogen and compressed air but decided to go with a more advanced system for logging the temperature and humidity in the labs. These sensors come with 'software' it's a web site you host internally. Cool so I just need to build a simple web server to run these PoE sensors. No big deal right, it's just an IIS service. Months after ordering Server 2019 though SSC I get 4 activation codes 2 MAK and 2 KMS. I won the lottery now i just have to download the server 2019 retail ISO and... Won't take the keys. Back to purchasing, "oh I can download that for you, what key is yours". Um... I dunno you sent me 4 Can I just get the link, "well you have to have a login". Ok what building are you in I'll drive over with a USB key (hoping there on the same campus), "the download keeps stopping, I'll contact the IT service in your building". a week later I get an install ISO and still no one knows that key is mine. Local IT service suggests it's probably a MAK key since I originally got a quote for a retail copy and we don't run a KMS server on the network I'm using for testing. We'll doesn't windows reject all 4 keys then proceed to register with a non-existent KMS server on the network I'm using for testing. Great so now this server that is supposed to connected to a private network for the sensors and use the second NIC for an internet connection has to be connected to the old network that I'm using for testing because that's where the KMS server seems to be. Ok no big deal the old network has internet except the powers that be want to migrate everything to the new more secure network but I still need to be connected to the KMS server because they sent me the wrong key. So I'm up to three network cards and some of my basic sensors are running on yet another network and I want to migrate the management software to this hardware to have all my data logging in one system. I had to label the Ethernet ports so I could hand over the hardware for certification and security scans.

So at this point I have my system running with a couple sensors setup with static IP's because I haven't had time to setup the DNS for the private network the sensors run on. Local IT goes to install McAfee and can't because it isn't compatible with anything after 1809 or later, I get a message back that " we only support up to 1709" I point out that it's server 2019, "Oh yeah, let me ask about that" a bunch of back and forth ensues and finally Local IT get's a version of McAfee that will install, runs security scan again i get a message back. " There are two high risk issues on your server", my blood pressure is getting high as well. The risks there looking at McAfee versions are out of date and windows Defender is disabled (because of McAfee).

There's a low risk issue as well, something relating to the DNS service I didn't fully setup. I tell local IT just disable it for now, then think we'll heck I'll remote in and do it. Nope can't remote into my server, oh they renamed it well that's lot going to stay that way but whatever oh here's the IP they assigned it, nope cant remote in no privileges. Ok so I run up three flights of stairs to local IT before they leave for the day log into my server yup RDP is enabled, odd but whatever let's delete the DNS role for now, nope you don't have admin privileges. Now I'm really getting displeased, I can;t have admin privileges on the network you want me to use to support the service on a system you can't support and I'm supposed to believe you can migrate the life safety systems you want us to move. I'm using my system to prove that the 2FA system works, at this rate I'm going to have 2FA access to a completely worthless broken system in a few years. good thing I rebuilt the whole server in a VM I'm planning to deploy before I get the official one back. I'm skipping a lot of the ridiculous back and forth conversations because the more I think about it the more irritated I get.

7 monthos ago, i invested a ridiculus amount of money on crypto. The day this month i decided to buy a battery for my loved laptop, i was notified that this crypto had doubled its price. Thanks Lord My God, i said, without any work and stress, i had 100% profit, i would totally buy the battery from the new money, i converted them all in euros, and started my odyssey.

Well, the platform, need 2fa to withdraw your money. But it did not inform you, it only had a popup saying "Reming me later".

WTF means "remind me later", for me it is something optional!!!! No red colours, no messages like (try again, your transactionr requires this ) etc.

Time is the only resource that do not come back, and i feel that my profit is already less, since the hour i spent searching, and searching, and then searching the chat (which is very well hidden...) and then chatting, and then writting this rant, i could have worked for the same amount of money.....

There should be a blacklist for websites that don’t allow 2FA or do it through SMS. There’s no excuse for sites such as PayPal not allowing TOTP, only some prehistoric hardware based token generator.

Guys, I just need to know if I'm the one who's crazy.
I work at a fairly large bank. This bank has an Online Banking platform. Now, for reasons that deserve a rant of their own, I work on a self service account opening platform (in branch).
Now, my team is being tasked with adding features that will force customers to enroll in Online Banking and 2FA when opening accounts if they have not already done so.
The reason? There's low usage of the Online Banking solution.
My problem? I think this is a pointless waste of time.
Hear me out: All existing customers already have the ability to enroll with online banking, they can do it from there homes, in their underwear if they want, and they aren't doing it. Can anyone explain to me why we expect that customers who showed no interest in online banking before are going to be interested in using the application now?
You come in to branch to open an account, we stop the process to force you to enroll with internet banking(if you want to finish opening your account through the app), and then hope you'll use it now (despite the fact you could have enrolled at home all along)
We're duplicating the feature of an existing project and slowing down an unrelated process so we can hope you change your mind? Is this not a marketing problem? Do we not just need to sell the shit better? What am I not seeing? It's insane, we even took time to look at signing customers up for email addresses (in branch, while opening an account) if they didn't have one(because you need an email address for online banking). What really gets me is that everyone on my team is eating this shit up like it makes perfect sense. Like nobody else seems to think this is fucking stupid. I'm now resigned to implementing this bullshit. Am I the crazy one here? I realize I must be. Whatever I get paid anyway I guess. I raised my concerns repeatedly and I just kept getting the same stupid response. My job is done