Search - "no passwords"
Long but worth it...
So I was cleaning out my Google Drive last night, and deleted some old (2 years and up) files. I also deleted my old work folder, it was for an ISP I worked for over 2 years ago. After deleting the files I had a little twinge of "Man I hope they're not still using those". But seriously, it'd be a pretty big security risk if I was still the owner of those files... right? Surely they copied them and deleted all the info from the originals. IP addresses, Cisco configs, username and passwords for various devices, pretty much everything but customer info.
Guess who I get a call from this morning... "Hi this is Debbie from 'ISP'. I was trying to access the IP Master List and I can't anymore. I was just told to call you and see if there's any way to get access to it again" (Not her real name...)
I had to put her on hold so I could almost die of laughter...
Me: "Sorry about that Debbie, I haven't worked for that company for over 2 years. You're telling me in all that time no one thought to save them locally? No one made a copy? I still had the original documents?!"
Long pause
D: "Uh... Apparently not..."
Another long pause
D: "So is there any way you can give me access to them again?"
Me: "They're gone Debbie. I deleted them all last night."
D: Very worried voice "Can... Can you check?"
This, kids, is why you never assume you'll always have access to a cloud-stored file; make local copies!!
A little bit of background on this company, the owner's wife fired me on trumped up "time card discrepancy" issues so she could hire her freshly graduated business major son. The environment over there was pretty toxic anyway...
I feel bad for "Debbie" and the other staff there, it's going to be a very bad week for them. I also hope it doesn't impact any customers. But... It is funny as hell, especially since I warned the owner as I was clearing out my desk to save copies, and plan on them being gone soon. Apparently he never listened.
This is why you should have a plan in place... And not just wing it...
PS. First Post!
The programmer and the interns part 2.
We will discuss numerous events that happened over the past week or so.
Case 0:
We had our weekly engineering meeting. The interns were invited as well.
We hold meetings in the generic, big, corporate meeting rooms with a huge table in the middle.
There were more than enough chairs for everyone yet the most motivated and awkward intern (let's call him Simon) chose to stand, cause "it's cool man, I always stand". At this point we all know that he probably read about Agile stand up meetings and is confusing it with this one. Otherwise he's simply trying to stand out from the rest. (See what I did there?)
Anyway the meeting started way later than planned (what a surprise) and took much longer than Simon expected. Everybody is sitting and listening to the CTO while occasionally glancing at the weird looking intern standing awkwardly and refusing to sit because it would make his original intentions pointless. He even tried to nod with a serious face and his hands crossed when the CTO said something and looked in his general direction. The meeting was about an hour and a half long but with the delay it was at least 2.5 hours.
At the end Simon was so exhausted that he fell asleep on the office puff, was forgotten and locked inside. 3 hours later when I was home I received a call from him with his sleepy-trying-to-sound-awake voice telling the news. Luckily there's a 24/7 NOC team that could rescue him.
Case 1:
An intern who was late on his Linux test connected to every test VM (should I remind you that each one has a personal VM but they share passwords for their roots?) and tried to reset it with "sleep 10s; shutdown -h now".
He took down all 13 of those so I had to turn them on and switch passwords again.
Case 2:
One of the interns didn't do any of his training chores. Apparently he forgot what he was told to use, ignored all online documentation and used Windows CMD with Linux commands for almost a week already.
Case 3:
Simon uses Vim to write all text possible. Even mails, he then selects all and copies into the mail body. He spent half a day on a homework task I gave them. He wrote everything inside one text file using Vim. When he was done he saved the file and quit the editor. He then said "Oh shit! I've forgot to sign my name!". I explicitly told him that there's absolutely no need for that because I see which mail the file was sent from. He said "I don't even need a program for that!" and gave a couple of strokes on the keyboard.
Later I received an email from him with a .txt attachment. When I opened it the only text that was inside was "by Simon ;)".
I logged into his machine and checked the last command run on the file:
echo "by Simon ;)" > linuxtasks.txt
Case 4:
The girl here uses a MacBook. She keeps getting confused with the terminal windows and rebooting her own machine instead of the remote VM.
Case 5:
Haven't checked yet how this happened but one of the interns deleted the GUI from his local CentOS.
TLDR : I left a company which doesn't understand the concept of email id and passwords.
Me (trying to login to the alumni website) *no register user option*
Customer support - you've to click on forgot password to create an account.
Me - Wonderful
*clicks on reset password*
*enters employee id, name, email, father's name, DOB, date of joining , date of leaving, current city because apparently if I just enter my employee id it is as if they never knew me. Sigh*
*your password will be sent to your email id*
Me - okay. *waits for two weeks because I assumed someone will manually go and create my account and email me, considering the state of system. *
After two weeks,
Me - I still haven't received my password on email after I created my account. Can you please check?
After one week,
Customer support - you need to click on forget password if you forgot your password.
Me - *inventing new curse words* I have not forgotten my password, I never received it in the first place!
After one week,
Customer support - yes you'll receive your password on your email id.
Me - *runs out of curse words* seriously dude?
* proceeds to reset password*
System - your password has been reset. Your new password will be sent to your email id. *apparently anyone can reset passwords if you have the employee id, which is an integer*
After a week
Me - Am I going to ever receive the password? I've tried generating passwords, resetting my password. I never get my passwords. What should I do!!
Customer support - yes you need to click on Forgot password.
Me - are you fucking kidding me!!!
You fuckers need to be fired and replaced by a FAQ page which has no question and just a single answer, because a peanut has higher IQ than you. For any questions you may have, just reset password. Goddammit idiots!
Also, which email id are you sending my passwords to?
Customer support - myname@oldcompany.com
Me - you do realize that this is the alumni website for the company. Alumni means ex members.
Being ex members, you can assume we don't have access to our company email ids obviously?
Customer support - yes.
Me - how am I supposed to get the password using my old email id then?
Customer support - you need to click on forgot password option.
I think I should probably move to the Himalayas for my anger management issues. Plus it'll be probably easier to throw idiots off a mountain.
It's Friday, you all know what that means! ... It's results day for practiseSafeHex's most incompetent co-worker!!!
*audience: wwwwwwooooooooo!!!!*
We've had a bewildering array of candidates, let's remind ourselves:
- a psychopath that genuinely scared me a little
- a CEO I would take pleasure seeing in pain
- a pothead who mistook me for his drug dealer
- an unbelievable idiot
- an arrogant idiot obsessed with strings
Tough competition, but there can be only one ... *drum roll* ... the winner is ... none of them!
*audience: GASP!*
*audience member: what?*
*audience member: no way!*
*audience member: you're fucking kidding me!*
Sir calm down! this is a day time show, no need for that ... let me explain, there is a winner ... but we've kept him till last and for a good reason
*audience: ooooohhhhh*
You see our final contestant and ultimate winner of this series is our good old friend "C", taking the letters of each of our previous contestants, that spells TRAGIC which is the only word to explain C.
*audience: laughs*
Oh I assure you it's no laughing matter. C was with us for 6 whole months ... 6 excruciatingly painful months.
Backstory:
We needed someone with frontend, backend and experience with IoT devices, or Raspberry Pis. We didn't think we'd get it all, but in walked an interviewee with web development experience, a tiny bit of Angular and his masters project was building a robot device that would change LEDs depending on your facial expressions. PERFECT!!!
... oh to have a time machine
Working with C:
- He never actually did the tutorials I first set him on for Node.js and Angular 2+ because they were "too boring". I didn't find this out until some time later.
- The first project I had him work on was a small dashboard and backend, but he decided to use Angular 1 and a different database than what we were using because "for me, these are easier".
- He called that project done without testing / deploying it in the cloud, despite that being part of the ticket, because he didn't know how. Rather than tell or ask anyone ... he just didn't do it and moved on.
- As part of his first tech review I had to explain to him why he should be using if / else, rather than just if's.
- Despite his past experience building server applications and dashboards (4 years!), he never heard of a websocket, and it took a considerable amount of time to explain.
- When he used a node module to open a server socket, he sat staring at me like a deer caught in headlights completely unaware of how to use / test it was working. I again had to explain it and ultimately test it for him with a command line client.
- He didn't understand the need to leave logging inside an application to report errors. Because he used to ... I shit you not ... drive to his customers, plug into their server and debug their application using a debugger.
... props for using a debugger, but fuck me.
- Once, after an entire 2 days of tapping me on the shoulder every 15 mins for questions / issues, I had to stop and ask:
Me: "Have you googled it?"
C: "... eh, no"
Me: "can I ask why?"
C: "well, for me, I only google for something I don't know"
Me: "... well do you know what this error message means?"
C: "ah good point, I'll try this time"
... maybe he was A's stoner buddy?
- He burned through our free cloud usage allowance for a month, after 1 day, meaning he couldn't test anything else under his account. He left an application running, broadcasting a lot of data. Turns out the on / off button on the dashboard only worked for "on". He had been killing his terminal locally and didn't know how to "ctrl + c a cloud app" ... so left it running. His intention was to restart the app every time you are done using it ... but forgot.
- His issue with the previous one ... not any of his countless mistakes, not the lack of even trying to make the button work, no, no, not for C. C's issue is the cloud is "shit" for giving us such little allowances. (for the record in a month I had never used more than 5%).
- I had to explain environment variables and why they are necessary for passwords and tokens etc. He didn't know it wasn't ok to commit these into GitHub.
- At his project meetups with partners I had to repeatedly ask him to stop googling gifs and pay attention to the talks.
- He complained that we don't have 3 hour lunch breaks like his last place.
- He once copied and pasted the same function 450 times into a file as a load test ... are loops too mainstream nowadays?
You see C is our winner, because after 6 painful months (companies internal process / requirements) he actually achieved nothing. I really mean that, nothing. Every thing was so broken, so insecure / wide open, built without any kind of common sense or standards I had to delete it all and start again ... it took me 2 weeks.
I hope you've all enjoyed this series and will join me in praying for the return of my sanity ... I do miss it a lot.
Yours truly,
practiseSafeHex
1. Forgot my password.
2. Clicked "Forgot" password button.
3. Received my forgotten password as plain text in my email
Creating a new account is always fun...
"This Is My Secure Password" <-- Sorry, no spaces allowed.
"ThisIsMySecurePassword" <-- Sorry, Passwords must include a number
"ThisIsMySecurePassword1" <-- Sorry, Passwords must include a special character
"ThisIsMySecurePassword 1" <-- Sorry, no spaces allowed
"ThisIsMySecurePassword%1" <-- Sorry, the % character is not allowed
"ThisIsMySecurePassword_1" <-- Sorry, passwords must be shorter than 16 characters
"Fuck" <-- Sorry, passwords must be longer than 6 characters
"Fuck_it" <-- Sorry, passwords can't contain bad language
"Password_1" <-- Accepted.
I was reviewing one dev's work. It was in PHP. He used MD5 for password hashing. I told him to use the password_hash function as MD5 is not secure...
He said no we can't get a password from MD5 hashed string. It's one way hashing...
So I asked him to take a couple of passwords from the users table and try to decode those in any online MD5 decoder and call me after that if he still thinks MD5 is secure.
I have not got any call from him since.
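What the reviewer above was asking for, as an added example that is not code from the rant or from the reviewed project: passwords stored with password_hash()/password_verify() instead of md5(), plus the usual way of migrating an existing table of MD5 strings, which is to verify the legacy hash one last time at login and overwrite it with a proper hash on success. The $users array, the usernames and the passwords are constructed stand-ins for the users table; PHP 7.4 or newer is assumed.

```php
<?php
// Added example, not code from the rant: storing passwords with
// password_hash()/password_verify() instead of md5(), and upgrading legacy
// MD5 rows transparently the next time their owner logs in. The $users array
// is a constructed stand-in for the users table.

declare(strict_types=1);

// Constructed rows: one left over from the md5() days, one already migrated.
function sample_users(): array
{
    return [
        'alice' => ['hash' => md5('hunter2'), 'legacy_md5' => true],
        'bob'   => ['hash' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
                    'legacy_md5' => false],
    ];
}

// What the reviewed code should do whenever a password is set or changed.
function store_password(array &$users, string $username, string $password): void
{
    // PASSWORD_DEFAULT is bcrypt in current PHP and may move to a stronger
    // algorithm later; algorithm, cost and salt are encoded in the hash string.
    $users[$username] = [
        'hash'       => password_hash($password, PASSWORD_DEFAULT),
        'legacy_md5' => false,
    ];
}

// Login check that accepts both formats and rehashes MD5 rows in place.
function check_login(array &$users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        // Verify against a dummy hash so an unknown username costs the same
        // time as a wrong password and does not leak which usernames exist.
        static $dummy = null;
        $dummy ??= password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
        password_verify($password, $dummy);
        return false;
    }
    $row = $users[$username];

    if ($row['legacy_md5']) {
        // Legacy row: compare in constant time, then replace it on success.
        if (!hash_equals($row['hash'], md5($password))) {
            return false;
        }
        store_password($users, $username, $password);
        return true;
    }

    if (!password_verify($password, $row['hash'])) {
        return false;
    }
    // Rehash if the default cost or algorithm has been raised since.
    if (password_needs_rehash($row['hash'], PASSWORD_DEFAULT)) {
        store_password($users, $username, $password);
    }
    return true;
}

// Stand-alone walk-through: after alice's first login the MD5 row is gone.
function demo(): array
{
    $users = sample_users();
    $alice_ok = check_login($users, 'alice', 'hunter2');
    // password_get_info() reports 'unknown' for a bare MD5 string, so this
    // is true only once the row holds a real password_hash() value.
    $alice_migrated = !$users['alice']['legacy_md5']
        && password_get_info($users['alice']['hash'])['algoName'] !== 'unknown';
    return [
        'alice_ok'       => $alice_ok,
        'alice_migrated' => $alice_migrated,
        'alice_wrong'    => check_login($users, 'alice', 'wrong'),
        'bob_ok'         => check_login($users, 'bob', 'correct horse battery staple'),
        'unknown_user'   => check_login($users, 'carol', 'hunter2'),
    ];
}

print_r(demo());
```

The point of the legacy branch is that the MD5 column never needs to be reversed: the user supplies the password, the old hash is checked once, and the row is rewritten. Until everyone has logged in, the remaining MD5 rows are exactly as weak as the rant describes, so a forced reset for stale accounts is the usual follow-up.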
Hacking/attack experiences...
I'm, for obvious reasons, only going to talk about the attacks I went through and the *legal* ones I did 😅 😜
Let's first get some things clear/funny facts:
I've been doing offensive security since I was 14-15. Defensive since the age of 16-17. I'm getting close to 23 now, for the record.
First system ever hacked (metasploit exploit): Windows XP.
(To be clear, at home through a pentesting environment, all legal)
Easiest system ever hacked: Windows XP yet again.
Time it took me to crack/hack into today's OS's (remote + local exploits, don't remember which ones I used by the way):
Windows: XP - five seconds (damn, those metasploit exploits are powerful)
Windows Vista: Few minutes.
Windows 7: Few minutes.
Windows 10: Few minutes.
OSX (in general): 1 Hour (finding a good exploit took some time, got to root level easily afterwards. No, I do not remember how/what exactly, it's years and years ago)
Linux (Ubuntu): A month approx. Ended up using a Java applet through Firefox when that was still a thing. Literally had to click it manually xD
Linux: (RHEL based systems): Still not exploited, SELinux is powerful, motherfucker.
Keep in mind that I had a great pentesting setup back then 😊. I don't have nor do that anymore since I love defensive security more nowadays and simply don't have the time anymore.
Dealing with attacks and getting hacked.
Keep in mind that I manage around 20 servers (including vps's and dedi's) so I get the usual amount of ssh brute force attacks (thanks for keeping me safe, CSF!) which is about 40-50K every hour. Those ip's automatically get blocked after three failed attempts within 5 minutes. No root login allowed + rsa key login with freaking strong passwords/passphrases.
linu.xxx/much-security.nl - All kinds of attacks, application attacks, brute force, DDoS sometimes but that is also mostly mitigated at provider level, to name a few. So, except for my own tests and a few ddos's on both those domains, nothing really threatening. (as in, nothing seems to have fucked anything up yet)
How did I discover that two of my servers were hacked through brute forcers while no brute force protection was in place yet? I installed a barebones Ubuntu server onto both. They only come with system-default applications. Tried installing Nginx next day, port 80 was already in use. I always run 'pidof apache2' to make sure it isn't running and thought I'd run that for fun while I knew I didn't install it and it didn't come with the distro. It was actually running. Checked the auth logs and saw successful root logins - fuck me - reinstalled the servers and installed Fail2Ban. It bans any ip address which had three failed ssh logins within 5 minutes:
Enabled Fail2Ban -> checked iptables (iptables -L) literally two seconds later: 100+ banned ip addresses - holy fuck, no wonder I got hacked!
One other kind/type of attack I get regularly but if it doesn't get much worse, I'll deal with that :)
Dealing with different kinds of attacks:
Web app attacks: extensively testing everything for security vulns before releasing it into the open.
Network attacks: Nginx rate limiting/CSF rate limiting against SYN DDoS attacks for example.
System attacks: Anti brute force software (Fail2Ban or CSF), anti rootkit software, AppArmor or (which I prefer) SELinux which actually catches quite some web app attacks as well and REGULARLY UPDATING THE SERVERS/SOFTWARE.
So yah, hereby :P
Started talking with someone about general IT stuff. At some point we came to the subject of SSL certificates and he mentioned that 'that stuff is expensive' and so on.
Kindly told him about Let's Encrypt and also that it's free and he reacted: "Then I'd rather have no SSL, free certificates make you look like you're a cheap ass".
So I told him the principle of login/registration thingies and said that they really need SSL, whether it's free or not.
"Nahhh, then I'd still rather not use SSL, it just looks so cheap when you're using a free certificate".
Hey you know what, what about you write that sentence on a whole fucking pack of paper, dip it into some sambal, maybe add some firecrackers and shove it up your ass? Hopefully that will bring some sense into your very empty head.
Not putting a secure connection on a website, (at all) especially when it has a FUCKING LOGIN/REGISTRATION FUNCTION (!?!?!?!!?!) is simply not fucking done in the year of TWO THOUSAND FUCKING SEVENTEEN.
'Ohh but the NSA etc won't do anything with that data'.
Has it, for one tiny motherfucking second, come to mind that there's also a thing called hackers? Malicious hackers? If your users are on hacked networks, it's easy as fuck to steal their credentials, inject shit and even deliver fucking EXPLOIT KITS.
Oh and you bet your ass the NSA will save that data, they have a whole motherfucking database of passwords they can search through with XKeyScore (snowden leaks).
Motherfucker.
This isn't really a hacking story but it does remind me of something I did as "revenge."
In middle school, this one fool kept bullying me. Always tried to harm me, always tried to insult me, always tried to make me fall during PE.
I hated him a lot, so instead of trying to kill him as planned, I did a harmless little keylogger prank thing.
I installed a keylogger on the school's laptop before class. (I did it during break, and when class started, I placed it on his desk.)
He took the bait, and instead of doing work, he logged onto his social media accounts. Now I had his passwords and everything.
When I went home, I logged onto his social media. I checked his messages so I could get some dirt on him, didn't find much except for the fact he snuck out a few times, and smoked before.
I changed his profile picture to some cringy anime thing and messaged one of his friends (the one who always copied my test answers in History and would steal my homework) and I said, "tell --- that if he doesn't stop being an asshole, I'll do worse than "hack" his social media."
It freaked them both out a bit, but didn't change their behavior, which is a shame because my threat was empty. It's not like I was able to do anything more than that in middle school. To this day, they still have no idea who did that.
This was about 4 years ago.
I worked in the same building as another division in my organization, and they found out I had created a website for my group. They said, “We have this database that was never finished. Do you think you could fix it?”
I asked, “What was it developed in?”
He replied, “Well what do you know?”
I said, “LAMP stack: PHP, MySQL, etc.” [this was over a decade ago]
He excitedly exclaimed, “Yeah, that’s it! It’s that S-Q-L stuff.”
I’m a little nervous at this point but I was younger than 20 with no degree, entirely self-taught from a book, and figured I’d check it out - no actual job offer here yet or anything.
They logged me on to a Windows 2000 Server and I became aware it’s a web application written in VB / ASP.NET 2.0 with a SQL Server backend. But most of the fixes they wanted were aesthetic (spelling errors in aspx pages, etc.) so I proceeded to fix those. They hired me on the spot and asked when I could start. I was a wizard to them and most of what they needed was quite simple (at first). I kept my mouth shut and immediately went to a bookstore after work that day and bought an ASP.NET book.
I worked there several years and ended up rewriting that app in C# and upgrading the server and ASP.NET framework, etc. It stored passwords in plaintext when I started and much more horrific stuff. It was in much better shape when I left.
That job was pivotal in my career and set the stage for me to be where I am today. I got the job because I used the word “SQL” in a sentence.
An intern I was supposed to lead (as an intern) and work with. Which sounded kinda crazy to me, but also fun so I rolled with it. But when I met her I quickly found out she didn't even have a coding editor installed and when I advised one she was "scared of viruses". She had Microsoft Edge in her toolbar, and some picture of a cat as a background. We were given some project by our boss, and a freelance programmer helped us set it up on Trello. Great, let's start! Okay maybe first some R&D, she had to research how to use the Twilio API. After catching her on WhatsApp a few times I realised this wasn't gonna go anywhere. After a few weeks of coding and posting an initial project to git I asked her if she could show me the code of the API she made so far..
She told me she was using the quickstart guide (the last 3 FUCKING weeks) which contained some test project with specific use cases.
The one that I did 3 weeks ago that same fucking morning.
AND SHE WAS STILL NOT DONE...
A few days later I asked her about the progress (strangely, I wasn't allowed to give her another task bcs the freelancer already did) and guess what... She got fking pissed at me
Her: "I will come to you when I'm done, ok?"
Me: "I just want to see how it is going so far and if you are running into any problems!"
Her: "I don't want to show you right now"
She then goes to my fucking boss to tell him I am bothering her.
And omg... Please dear god please kill me now...
Instead of him saying that she probably didn't do shit. He says to me that the girl thinks I'm looking down on her and she needs a stress free environment to work in. She will show me when it's done. IT'S A FUCKING QUICKSTART GUIDE YOU DUMB BITCH.
He then proceeded to whine to me about the email template (another project I do at the same time) which didn't look perfect in all of his clients.
Don't they understand that I am not a frontend developer? Can you stop please? I know nothing about email templates, I told you this!!!
Really... the whole fucking internship the only thing the girl did was ask people if they want more tea. Then she starts cleaning the windows, talk to people for an hour, or clean everyone's desk.
all this while I already made 50% of the fucking product and she just finished the quickstart tutorial 😭. Truly 2 months wasted, and the worse thing is I didn't get any appreciation. They constantly blamed me and whined at me. Sometimes for being 3 minutes late, the other for smoking too much, or because I drink too much coffee, or that I don't eat healthy. They even forced me to play Ping Pong. While I'm just trying to do my job. One of the worst things they got mad at me for is when my laptop got hacked bcs it was infected with some virus. He had remote access and bought 5 iPhone 6's with my PayPal while I was on break. I had to go home and quickly reset all my passwords and make sure the iPhones wouldn't get delivered. Strange thing was, this laptop I only used at the company. So it must have been software I had to download there. Probably PhpStorm (torrent). Bcs nobody would give me a license. And the freelancer said I * have to *.
The Monday after I still had to reinstall Windows so I called them and said I would be late. When I came they were so disrespectful and didn't understand anything. It went a little like this:
Boss: why u late?
Me: had to reinstall my laptop, sorry.
Boss: why didn't you do this in your own time?
Me: well, I didn't have any time.
Boss: can't you do this in the weekend or something? Because now we have to pay you several hours bcs you downloaded something at home.
Me: I am only using this laptop for work so that's not possible.
Boss: how can that even be possible? You are not doing anything at home with your laptop? Is that why you never do anything at home?
Me: uhm, I have a desktop computer you know. It's much faster. And I also need to rest sometimes. Areeb (freelancer) told me to torrent the software. He gave me the link. 2 days later this happened
Boss: Ahh okeee I see.. Well don't let it happen again.
After that nobody at the company trusted me with anything computer related. Yes it was my own fault I downloaded a virus but it can happen to anyone. After that I never used Windows again btw, also no more auto login apps.
Just went skydiving. Realized I probably should have left behind all my clients' site admin passwords in case my chute didn't open. Turns out I'm still alive so no harm done.
Our website once had its config file (“old” .cgi app) open and available if you knew the file name. It was ‘obfuscated’ with the file name “Name of the cgi executable”.txt. So browsing, browsing.cgi, config file was browsing.txt.
After discovering the sql server admin password in plain text and reporting it to the VP, he called a meeting.
VP: “I have a report that you are storing the server admin password in plain text.”
WebMgr: “No, that is not correct.”
Me: “Um, yes it is, or we wouldn’t be here.”
WebMgr: “It’s not a network server administrator, it’s SQL Server’s SA account. Completely secure since that login has no access to the network.”
<VP looks over at me>
VP: “Oh..I was not told *that* detail.”
Me: “Um, that doesn’t matter, we shouldn’t have any login password in plain text, anywhere. Besides, the SA account has full access to the entire database. Someone could drop tables, get customer data, even access credit card data.”
WebMgr: “You are blowing all this out of proportion. There is no way anyone could do that.”
Me: “Uh, two weeks ago I discovered the catalog page was sending raw SQL from javascript. All anyone had to do was inject a semicolon and add whatever they wanted.”
WebMgr: “Who would do that? They would have to know a lot about our systems in order to do any real damage.”
VP: “Yes, it would have to be someone in our department looking to do some damage.”
<both the VP and WebMgr look at me>
Me: “Open your browser and search on SQL Injection.”
<VP searches on SQL Injection..few seconds pass>
VP: “Oh my, this is disturbing. I did not know SQL injection was such a problem. I want all SQL removed from javascript and passwords removed from the text files.”
WebMgr: “Our team is already removing the SQL, but our apps need to read the SQL server login and password from a config file. I don’t know why this is such a big deal. The file is read-only and protected by IIS. You can’t even read it from a browser.”
VP: “Well, if it’s secured, I suppose it is OK.”
Me: “Open your browser and navigate to … browse.txt”
VP: “Oh my, there it is.”
WebMgr: “You can only see it because your laptop had administrative privileges. Anyone outside our network cannot access the file.”
VP: “OK, that makes sense. As long as IIS is securing the file …”
Me: “No..no..no.. I can’t believe this. The screen shot I sent yesterday was from my home laptop showing the file is publicly available.”
WebMgr: “But you are probably an admin on the laptop.”
<couple of awkward seconds of silence…then the light comes on>
VP: “OK, I’m stopping this meeting. I want all admin users and passwords removed from the site by the end of the day.”
Took a little longer than a day, but after reviewing what the web team changed:
- They did remove the SQL Server SA account, but replaced it with another account with full admin privileges.
- Replaced the “App Name”.txt with centrally located config file at C:\Inetpub\wwwroot\config.txt (hard-coded in the app)
When I brought this up again with my manager..
Mgr: “Yea, I know, it sucks. WebMgr showed the VP the config file was not accessible by the web site and it wasn’t using the SA password. He was satisfied by that. Web site is looking to beat projections again by 15%, so WebMgr told the other VPs that another disruption from a developer could jeopardize the quarterly numbers. I’d keep my head down for a while.”
I'm not angry, mostly sad.
At my workplace we don't use git.
There are constant overwriting, sending code via email or USB stick and forgetting passwords to zip-files shenanigans going on.
I already use git for all my local projects (literally git init in the directory) but my coworker and I thought that it would be a great idea to have a local server with a Gitlab running on it.
So I started looking into running a self-hosted Gitlab (for about 15 minutes) and then our boss who was sitting right next to me almost shouted at us: "Such stuff should be coordinated with the boss! We don't just do something and burn my money because it's _cool_!"
No, git is not cool, it's necessary for crying out loud! Gitlab is cool but at the end of the day also just another tool too.
I guess I have some persuasion to do.
I don't know what version control has done to our boss that he has such a deep dislike for it.
Day 1 10:00 am
Login to email account (Zimbra)
Your password is incorrect (I entered it correctly, this was a permanent issue ,used to happen in the company with many employees)
Reset your password by logging into internal company portal.
11:00 am
Logged into company portal, somehow. 2 Mbps internet shared among 104 people, you can imagine the speed.
Reset email password
* your password has been sent to your email id*
Are you fucking kidding me? You have emailed me the password to the same email I can't log in to?
Where did the architecture designer get this top notch weed from?
Day 2
Asked HR to reset my password (using a colleague's email)
Day 3
No reply from HR yet
Day 4
I went to meet HR, she's on vacation. So they have 1 person managing the password reset, for 5000 people with no backup person. Cool.
Day 5
Your internal company password has expired. Check your email for link to create new password. This is some next level shit going on.
Day 6
I called up Internal IT team to generate a new email for me.
They asked me to raise a ticket.
I can't raise a ticket because the only way to do so, is through the portal.
Day 7
Nothing. Btw, personal email and all social networks were banned. You can't even open stackoverflow.
And this was a research lab, amazing huh?
Day 8
Loss of pay for 4 days since I can't login to company portal to fill timesheet.
Day 9
HR comes back. Resets my password.
I try to generate my new password for portal.
The password policy:
Password can't be same as last 10 passwords
Passwords expire every week
8 characters minimum, 2 upper case, 2 lower case, NO SPECIAL SYMBOL. WTF. How long do u think its gonna take to crack that?
Fuckers had a company-wide policy to automatically lock the PC every 1 min if not used. Who the fuck can keep on using it continuously! I'm reading an article, and bam! Locked. 2 wrong entries and that's it, repeat all steps again. Fuckers really didn't want to let me do my job, just keep on logging in all day.
-
Worst thing you've seen another dev do? So many things. Here is one...
Lead web developer had in the root of their web application config.txt (ex. http://OurPublicSite/config.txt) that contained passwords because they felt the web.config was not secure enough. Any/all applications off of the root could access the file to retrieve their credentials (sql server logins, network share passwords, etc)
When I pointed out the security flaw, the developer accused me of 'hacking' the site.
I get called into the vice-president's office, where he was 'deeply concerned' about my ethical behavior and whether we needed to make any personnel adjustments (grown-up speak for "Do I need to fire you over this?")
Me: "I didn't hack anything. You can navigate directly to the text file using any browser."
Dev: "Directory browsing is denied on the root folder, so you hacked something to get there."
Me: "No, I knew the name of the file so I was able to access it just like any other file."
Dev: "That is only because you have admin permissions. Normal people wouldn't have access"
Me: "I could access it from my home computer"
Dev: "BECAUSE YOU HAVE ADMIN PERMISSIONS!"
Me: "On my personal laptop where I never had to login?"
VP: "What? You mean ...no....please tell me I heard that wrong."
Dev: "No..no...it's secure....no one can access that file."
<click..click>
VP: "Hmmm...I can see the system administration password right here. This is unacceptable."
Dev: "Only because you're an admin too."
VP: "I'll head home over lunch and try this out on my laptop...oh wait...I left it on...I can remote into it from here"
<click..click..click..click>
VP: "OMG...there it is. That account has access to everything."
<in an almost panic>
Dev: "Only because it's you...you are an admin...that's what I'm trying to say."
Me: "That is not how our public web site works."
VP: "Thank you, but Adam and I need to discuss the next course of action. You two may go."
<Adam is her boss>
Not even 5 minutes later a company-wide email was sent from Adam:
"I would like to thank <Dev> for finding and fixing the security flaw that was exposed on our site. She did a great job in securing our customer data and a great asset to our team. If you see <Dev> in the hallway, be sure to give her a big thank you!"
The "fix"? She moved the text file from the root to the bin directory, where technically, the file was no longer publicly visible.
That 'pattern' was used heavily until she was promoted to upper management and the younger webdev bucks (and does) felt storing admin-level passwords was unethical and found more secure ways to authenticate.
-
Buckle up kids, this one gets saucy.
At work, we have a stress test machine that tests tensile, puncture and breaking strength for different materials used (wood construction). It had a controller software update that was supposed to be installed. I was called into the office because the folks there were unable to install it, they told me the executable just crashed, and wanted me to take a look as I am the most tech-savvy person there.
I go to the computer and open up the firmware download folder. I see a couple folders, some random VBScript file, and Installation.txt. I open the TXT, and find the first round of bullshit.
"Do not run the installer executable directly as it will not work. Run install.vbs instead."
Now, excuse me for a moment, but what kind of dick-cheese-sniffing cockmonger has end users run VBScript files to install something in 2018?! Shame I didn't think of opening it up and examining it for myself to find out what that piece of boiled dogshit did.
I suspend my cringe and run it, and lo and behold, it installs. I open the program and am faced with entering a license key. I'm given the key by the folks at the office, but quickly conclude no ways of entering it work. I reboot the program and there is an autofilled key I didn't notice previously. Whatever, I think, and hit OK.
The program starts fine, and I try with the login they had previously used. Now it doesn't work for some reason. I try it several times to no avail. Then I check the network inspector and notice that when I hit login, no network activity happens in the program, so I conclude the check must be local against some database.
I browse to the program installation directory for clues. Then I see a folder called "Databases".
"This can't be this easy", I think to myself, expecting to find some kind of JSON or something inside that I can crawl for clues. I open the folder and find something much worse. Oh, so much worse.
I find <SOFTWARE NAME>.accdb in the folder. At this point cold sweat is already running down my back at the sheer thought of using Microsoft Access for any program, but curiosity takes over and I open it anyway.
I find the database for the entire program inside. I also notice at this point that I have read/write access to the database, another thing that sent my alarm bells ringing like St. Paul's Cathedral. Then I notice a table called "tUser" in the left panel.
Fearing the worst, I click over and find... And you knew it was coming...
Usernames and passwords in plain text.
Not only that, they're all in the format "admin - admin", "user - user", "tester - tester".
I suspend my will to die, log in to the program and re-add the account they used previously. I leave the office and inform the peeps that the program works as intended again.
I wish I was making this shit up, but I really am not. What is the fucking point of having a login system at all when your users can just open the database with a program that nowadays comes bundled with every Windows install and easily read the logins? It's not even like the data structure is confusing like minified JSON or something, it's literally a spreadsheet in a program that a trained monkey could read.
God bless them and Satan condemn the developers of this fuckawful program.
-
You can't imagine how many lines of pure and utter horseshit, seemingly written in PHP, I had to dig through this whole weekend. (relating to my 2 previous rants)
How is it even possible to write code this unbelievably ugly?
Examples:
- includes within loops
- included files use variables from parent files
- start and end tags separated into different files
- SQL queries generated by string concatenation, no safety measures at all (injection)
- repeating DB calls within loops
- multiple directories with the same code (~40 files), only different by ~8 lines, copied
- a mixture of <?php echo ... ?> and <?= ... ?>
- a LOT of array accesses and other stuff prefixed with "@" (suppress error messages)
- passwords in cleartext
- random non-RESTful page changes with a mixture of POST and GET
- GET parameters not URL-encoded
- ...
My boss told me it took this guy weeks and weeks of coding to write this tool (he's an "experienced dev", of course WITHOUT Git).
Guess what?
It took me only 20 hours and about 700 lines of code.
I must confess, since this task, I don't hate PHP anymore, I just simply hate this dev to death.
Addendum: It's Monday, 5:30am. Good night. 😉
-
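The "SQL queries generated by string concatenation" item above, shown in a runnable form as an added example (Python with an in-memory SQLite table of constructed sample users, not the PHP tool from the rant): the concatenated query beside its parameterized replacement, plus the error the `@` suppression would have hidden.

```python
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for the tool's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def find_user_concat(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """The pattern from the rant: request text is pasted into the SQL string.

    Whatever the caller puts in `name` is parsed as SQL syntax, so a quote in the
    input changes the WHERE clause instead of being compared as data.
    """
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_param(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """The fix: the value travels separately from the statement.

    The driver binds `name` as a value, so it can only ever be compared against
    the column and never re-parsed as SQL.
    """
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def concat_query_breaks(conn: sqlite3.Connection, name: str) -> bool:
    """True when the concatenated query is not even valid SQL any more.

    A single stray quote (as in the surname O'Brien) makes the statement fail;
    with `@` in front of the call that failure is silently swallowed, which is
    how such bugs stay unnoticed in production.
    """
    try:
        find_user_concat(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # constructed input with a quote in it
    print("concatenated:", find_user_concat(db, probe))   # every row comes back
    print("parameterized:", find_user_param(db, probe))   # no such user: []
    print("breaks on O'Brien:", concat_query_breaks(db, "O'Brien"))
```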
Colleagues sharing passwords. That was a big fat NO when I was a sysadmin - and for a good reason. But now, since I'm closer to development, it feels like no one really cares about the passwords. If I tell my colleague I'll take 10 minutes more because I can't log in, he OFFERS me his credentials. And sends them over saying "in case you need it". [the next day the same colleague was complaining his account is locked out. Oh, wonders! How on Earth...!]
But seriously, password sharing is a serious problem. I would fire the person on the spot if I caught him sharing his credentials! This is the 8th deadly sin! IDC if they are for non-prod. Most people reuse their passwords in multiple systems, and even non-prod envs can bring the prod down! Or worse - install a trojan.
-
!!pointless story
Bug report comes in from a coworker. "Cloudinary uploads aren't working. I can't sign up new customers."
"I'll look into it" I say.
I go to one of our sites, and lo! No Cloudinary image loads. Well that can't be good.
I check out mobile app -- our only customer-facing platform. None of the images load! Multiple "Oops!" snackbars from 500 errors on every screen / after every action.
"None of our Cloudinary images load, even in the mobile app," I report.
Nobody seems to notice, but they're probably busy.
I go to log into the Cloudinary site, and realize I don't have the credentials.
"What are the Cloudinary credentials, @ceo?" I ask.
I'm met with more silence. I use this opportunity to look through the logs, try different URLs/transforms directly. Oddly, everything seems fine except on our site.
I check Slack again, and see nothing's changed, so I set about trying to guess the credentials.
Let's see... the ceo is basically illiterate when it comes to tech, so it's probably not his email. It's a startup, and custom emails for things cost money, and haven't been a thing here forever, so it's probably one of the CTO's email aliases. He likes dots and full names so that narrows it down. Now for the password.... his are always crappy (so they're "easy to remember") and usually have the abbreviated company name in them. He also likes adding numbers, generally two-digit numbers, and has a thing for 7s and 9s. Mix in some caps, spaces, order...
Took me a few minutes, but I managed to figure it out.
"Nevermind, I guessed them." I reported.
After getting into Cloudinary, I couldn't find anything amiss. Everything looked great. No outage warnings, metrics looked fine, images all loaded. Ex-CTO didn't revoke payment or cancel the account.
I checked our app; everything started loading -- albeit slowly.
I checked the aforementioned site; after a few minutes, everything loaded there, too.
Not sure what else to do, and with everything appearing to work, I said "Fixed!" and closed the issue.
About 20 minutes later, the original person said "thanks" -- never did hear anything from the ceo. I've heard him chatting away in the other room the entire time.
Regardless, good thing for crappy passwords, eh?
-
No, MD5 hash is not a safe way to store our users' passwords. I don't care if it's been written in the past and still works. I've demonstrated how easy it is to reverse engineer and rainbow attack. I've told you your own password for the site! Now please let me fix it before someone else forces you to. We're too busy with other projects right now? Oh, ok then, I'll just be quiet and ignore our poor security. Whilst I'm busy getting on with my other work, could you figure out what we're gonna do with the tatters of our client's business (in which our company owns a stake) in the aftermath of the attack?
-
If you are a salesperson, you can just go straight to hell. You're all a bunch of cocksucking twats and I'm amazed you manage to get yourselves dressed each day. You're a no good fucking waste of oxygen and you need to put your fork in a socket the next time you're eating.
I'm working on building a crm and ticket management system for use in the office to handle client passwords. Since I'm building from scratch I wanted to make sure I had properly planned my classes and functions before opening the code editor so I put a message on my door that says "Don't interrupt, thanks" followed by the date so people knew it was a fresh message and not something left from the previous day.
I'm deep in the zone, the pseudo code and logic is flowing, I'm getting classes planned and feeling really productive for an hour or so when suddenly my door flies open and in comes a sales person.
SP: "Hey, do you have any extra phones lying around? Mine's being slow and keeps hanging up on people."
Me: "Do you see the sign on my door right there at eye level which says not to bother me?"
SP: "oh, do you want me to come back later?"
Me: "You've already interrupted me now, let's go see what's going on before I spend an hour setting up a new phone for you." While we were walking across the office I asked him when the phone had last been rebooted.
SP: "idk, Salesperson#2 suggested that as I was headed over here but I figured I'd just ask you."
We get over to his desk and I see he has two phones sitting on his desk. "Where did this one come from?"
SP: "Oh that was on the desk over here but I figured I could use it."
Me: "Well aside from the fact that the phones are assigned to specific people for a reason, you took the time to unhook your phone to set this one up and you didn't think to reboot your phone first. Plug your phone back in."
He plugs in the old phone, which is assigned to him, and while booting it does a quick firmware update and boots up fine. He tests a few things and decides it's all better now.
So someone suggested a fix for you and you decided, instead, you would break company IT policy by moving equipment from one station to another without notifying the IT department. You entered a room which had a closed door without knocking, and you disobeyed the sign on the actual door itself which politely requests that you go away. All because you couldn't be bothered to take 2 minutes and reboot your phone, which you had to do anyways.
You completely broke my train of thought and managed to waste 2 hours of efficient workflow because you had an emergency.
-
Warning: contains swearwords!
Do you guys also have a coder-"friend" that:
- Always asks how to do things
- ask for code snippets
- steals your fucking code from Anydesk
- steals your passwords while testing
- steals your code from deobfuscated jar
- steals your jar and deobfuscate it
- steals your database to store stolen passphrases
- tries to convince you to build RATs for your users
- tries to convince you to build RATs for his users
- and so on...
?? FOR FUCKING REAL THIS ISN'T EVEN ALL THAT HAPPENED TO ME!
HE IS A FUCKING SUCKER CUNT! HE PROMISED ME MULTIPLE TIMES THAT HE DELETED MY PROJECTS AND TELLS ME HE IS STILL USING THEM TO RESEARCH MY CODE FOR HIS CODE!!!
HE FUCKING RECORDED ME WHILE CODING WITH AN API I AM NOT USED TO WHILE I ASK HIM FREQUENTLY BECAUSE I HAVE NO CLUE AND HE THEN SENDS IT TO HIS FRIENDS TO PISS ME OFF AND LAUGH ABOUT ME!!
WHAT THE FUCK IS WRONG WITH PEOPLE WHY THE FUCK ARE ASSHOLES LIKE HIM NOT IN FUCKING PSYCHIATRY!
AND I CAN'T GET RID OF HIM BECAUSE I AM TOO FUCKING NICE!!
FOR GODS SAKE PLS LET A LIGHTNING STRIKE HIT HIM IN HIS FUCKING FACE!
AT FUCKING LEAST I GOT SENT AN IMAGE OF HIS ADDRESS SO I WILL SHIT IN A FUCKING BOX AND SEND IT TO THAT CUNT!
-
left a company over 3 years ago because they wanted me to dumb my code down so that the other devs could understand it. they wouldn't allow me to use classes in my code lol. anyway, 3+ years later figured I would try to log in to some of the admin panels... passwords still the same. MySQL dbs... passwords the same... cpanel... passwords the same. smh. even if I still worked there the passwords should be changed every so often. top notch security right there. funniest part is they don't even do backups or use VCS for the code. sad sad company. glad I'm no longer there. my personal projects have more security, redundancy and fail over lol
-
I just can't understand what would lead a so-called software company, that provides for my local government by the way, to use a cloud server (AWS EC2 instance) like it were a bare metal machine.
They have it working, non-stop, for over 4 years or so. Just one instance. Running MySQL, PostgreSQL, Apache, PHP and a f* Tomcat server with no less than 10 HUGE apps deployed. I just can't believe this instance is still up.
By the way, they don't do backups, most of the data is on the ephemeral storage, they use just one private key for every dev, no CI, no testing. Deployments are nightmares using scp to upload the .war...
But still, they are running several several apps for things like registering citizen complaints that come in by hotlines. The system is incredibly slow as they use just hibernate without query optimizations to lookup and search things (n+1 query problems).
They didn't even bother to get a proper domain. They use an IP address and expose the port for tomcat directly. No reverse proxy here! (No ssl too)
I've been out of this company for two years now, it was my first work as a developer, but they needed help for an app that I worked on during my time there. I was really surprised to see that everything was still the same. Even the old private key that they emailed me (?!?!?!?!) back then still worked. All the passwords were still the same too.
I have some good rants from the time I was there, and about the general level of the developers in my region. But I'll leave them for later!
Is it just me or this whole shit is crazy af?
-
Just wanted to say cheers to all those coders among you who make sure their login is encrypted, their passwords are hashed and salted, their codes are tested and their forms are code injection safe.
No client will understand what you did, so take my props for it! After all, it's our responsibility to make sure software is secure. That's all :)
-
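The two points made in the MD5 rant and in the post just above (bare MD5 can be reversed with a precomputed table; salted and slow hashing is what "hashed and salted" buys you), carried through as an added example in Python's standard library. It is not code from either poster; the usernames, passwords and the short wordlist standing in for a rainbow table are constructed.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed wordlist standing in for a precomputed lookup (rainbow) table.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "admin"]


def md5_store(password: str) -> str:
    """The legacy scheme: one bare MD5 per password, no salt, no work factor."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def lookup_table_recovers(md5_hashes: Dict[str, str]) -> Dict[str, str]:
    """Show why unsalted hashes fail: hash the wordlist ONCE, then match by dict lookup.

    Without a salt, every user who chose "password" has the same hash, so a single
    precomputed table serves all of them at once. Returns {user: recovered password}.
    """
    table = {md5_store(word): word for word in COMMON_PASSWORDS}
    return {user: table[h] for user, h in md5_hashes.items() if h in table}


def pbkdf2_store(password: str, salt: Optional[bytes] = None,
                 iterations: int = 600_000) -> str:
    """Salted, slow hash (PBKDF2-HMAC-SHA256).

    A random per-user salt defeats shared tables; the iteration count makes every
    guess cost real CPU time. Stored as 'iterations$salt_hex$hash_hex' so the
    parameters travel with the record and can be raised later.
    """
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    # Constructed user table as the rant describes it.
    legacy = {"alice": md5_store("password"), "bob": md5_store("letmein"),
              "carol": md5_store("correct horse battery staple")}
    print("recovered from MD5 table:", lookup_table_recovers(legacy))
    record = pbkdf2_store("password")
    print("salted record:", record)
    print("verify ok:", pbkdf2_verify("password", record))
    print("second hash of same password differs:", pbkdf2_store("password") != record)
```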
It was around 1997~1998, I was in middle school. It was a technical course, so we had programming language classes, IT etc.
The IT guy of our computer lab had been replaced and the new one had completely blocked access on the computers. We had to make everything on floppy disks, because he didn't trust us to use the local hard disk. Our class asked him to remove some of the restrictions, but he just ignored us. Nobody liked that guy. Not us, not the teachers, not the trainees at the lab.
One day a friend and I arrived a little bit early at the school. We went to the lab and another friend who was a trainee at the lab (who is registered here, on devRant) let us come inside. We had already memorized all the commands. We crawled in the dark lab to the server. Put in an MS-DOS 5.3 boot disk with a program to open NTFS partitions and, without turning on the computer monitor, we booted the server.
At that time, Windows stored all passwords in an encrypted file. We knew the exact path and copied the file into the floppy disk.
To avoid any problems with the floppy disk, we asked the director of the school to get out just to get a homework we theoretically forgot at our friend's house, which was on the same block as the school. We were not lying at all. He really lived there and he had the best computer of us.
The decrypt program stayed running for one week until it found the password we wanted: the root.
We came back to the lab for the class. Logged in with the root account. We just created another account with a generic name but the same privileges as root. First, we looked for any hidden backup at network and deleted it. Second, we were lucky: all the computers of the school were on the same network. If you were the admin, you could connect anywhere. So we connected to a "finance" computer that was really the finances and we could get lists of all the students with debits, who had any discount etc. We copied it to us in case we were discovered and had to use anything to bargain.
Now the fun part: we removed the privileges of all accounts that were higher than the trainee accounts. They had no access to hard disks anymore. They had just the students privileges now.
After that, we changed the root password. Neither we knew it. And last, but not least, we changed the students login, giving them trainee privileges.
We just deleted our account with root powers, logged in as student and pretended everything was normal.
End of class, we went home. Next day, the lab was closed. The entire school (that was school, mid school and college at the same place) was frozen. Classes were normal, but nothing more worked. Library, finances, labs, nothing. They had no access anymore.
We celebrated it as if it were new year's eve. One of our teachers came to us saying congratulations, as he knew it had been us. We answered with a "I don't know what you are talking about". He laughed and went to his class.
We really had fun remembering this "adventure". :)
PS: the admin formatted all the servers to fix the mess. They had plenty of servers.
-
I used to work in a call center for a local hospital.
One night, all of our lines are swamped. Literally no time for a break between phone calls, +15 minute wait times. I answer the next call:
Me: "It's a marvelous Monday at AskIT, how may I help you?"
Doctor: "This is Dr. [Noone Care]. I need you to fix my password now."
Me: "Absolutely! You should be able to enter a new password now."
Doctor: "MY HANDS ARE NOT FOR PASSWORDS, MY HANDS ARE FOR SURGERY!"
😩 So glad I don't work for doctors anymore. Oh and the best part is, he had selected the general phone queue, rather than the doctor queue (~3 minute wait time instead).
-
Bank forces me to change my password. Figured I'd use Safari's strong password generation. Submit. Password changed.
Go to log in with new password. Password not saved because I had previously told Safari not to save this site's password.
Okay… so the strong password you JUST generated and submitted without showing me is now my banking password but neither of us knows what it is?
Fucking brilliant. I mean at least let me fucking copy it so I can store it in my password manager. The most hilarious thing is the message that appeared on the generated password saying my password would be available from Safari preferences. Yup, nope. Nothing there except a note saying no passwords will be stored for this site.
This is the state of Apple in 2018, folks. Fucking sad.
-
Story time:
Yesterday I wanted to go to the theater with my girlfriend. It was her idea because as a student you can get reduced tickets for the play, but only via the online store exactly two hours before the play starts. We had already tried two weeks before but with no success. So this time I said I want to be on my pc with a proper browser and not a mobile version like last time. So we are sitting at home, me in front of their website on one screen and with a clock on the other screen. Two minutes early I hit refresh and I get a selection for the reduced tickets, nice.
You would think.
After selecting the amount. ERROR: Can not get your tickets. I was like fuck they are already sold out because it's a popular play. But hey let's try again. I got one ticket but not the second one, okay strange let's try again, same ERROR again. WHAT the FUCK, no feedback whatsoever. My girlfriend then had the idea that they maybe restricted the amount of reduced tickets to one (does not state this explicitly but hey let's give it a shot). Use second browser, select one ticket. ERROR can not get you the amount of seats. Rage level near to a 1000, why did it work two minutes before but not anymore. Trying around for five more minutes finally got the second ticket.
Now the real fun begins.
Proceeding to checkout should not be that hard you would think, but you need to be registered for that. Okay so let's do that. The salutation is not required neither is the address for the tickets but you need to have a company name??!!!!! The fuck?? I am not self employed and neither are most other people around here so why is this field mandatory? Being a little under stress I decided to found the "asdf" company with my girlfriend.
Now one would think checking out is easy. Not so fast.
After accepting the terms of service another ERROR, unable to accept your data. What data? I did not input anything new? Where does this come from? Ok never mind I am going to pay with credit card that must work!
ERROR: Internal paymentservice initialization failure! Sorry what? I thought maybe I was to long idle in this browser and they do not reserve the tickets for so long (which would be no surprise to me at this point). Let's try again. Nope same error.
Now my rage level was really over 9000 but we really wanted to go so I decided to call the customer SUPPORT. Or better to say I had an answering machine telling me for ten minutes how sorry they are that this takes so long, yeah you bet. Then and this is now really great: the support guy asks me: "What error do you see? Internal paymentservice initialization failure?" I was like, okay he knows this so they need to know how to handle it. FUCK NO. "Sorry I can't help you. This is our payment system maybe they (IT) are doing some maintenance I can't help you. Call the theater directly good day." Sorry what just happened, you fuckers are the vendors for the tickets for nearly all big events around here and the theater explicitly states to call you for tickets but you can not help me? Like hell.
This process took 25 very frustrating minutes and I was really angry and wanted to quit, then I saw that there is also a paypal option which I had not tried. With very little hope I selected everything for the payment, registered with paypal and they told me I already had an account. So reactivated this five year old account, paid with all the mobile passwords and tans to finally, after 30 fucking minutes, get a pdf file for a ticket. Repeated the last step for the second ticket and with some time left to get there we were off.
-
The tech stack at my current gig is the worst shit I’ve ever dealt with...
I can’t fucking stand programs, especially browser based programs, to open new windows. New tab, okay sure, ideally I just want the current tab I’m on to update when I click on a link.
Ticketing system: Autotask
Fucking opens up with a crappy piss poor sorting method and no proper filtering for ticket views. Nope you have to go create a fucking dashboard to parse/filter the shit you want to see. So I either have to go create a metric-arse tonne of custom ticket views and switch between them or just use the default turdburger view. Add to that that when I click on a ticket, it opens another fucking window with the ticket information. If I want to do time entry, it just feels some primal need to open another fucking window!!! Then even if I mark the ticket complete it just minimizes the goddamn second ticket window. So my jankbox-supreme PC that my company provided gets to strugglepuff along trying to keep 10 million chrome windows open. Yeah, sure 6GB of ram is great for IT work, especially when using hot steaming piles of trashjuice software!
I have to manually close these windows regularly throughout the day or the system just shits the bed and halts.
RMM tool: Continuum
This fucker takes the goddamn soggy waffle award for being utterly fucking useless. Same problem with the windows as autotask except this special snowflake likes to open a login prompt as a full-fuck-mothering-new window when we need to open a LMI rescue session!!! I need to enter a username and a password. That’s it! I don’t need a full screen window to enter credentials! FUCK!!! Btw the LMI tools only work like 70% of the time and drag ass compared to literally every other remote support tool I’ve ever used. I’ve found that it’s sometimes just faster to walk someone through enabling RDP on their system then remoting in from another system where LMI didn’t decide to be fully suicidal and just kill itself.
Our fucking chief asshat and sergeant fucknuts mcdoogal can’t fucking setup anything so the antivirus software is pushed to all client systems but everything is just set to the default site settings. Absolutely zero care or thought or effort was put forth and these gorilla spunk drinking, rimjob jockey motherfuckers sell this as a managed AntiVirus.
We use a shitty password manager than no one besides I use because there is a fully unencrypted oneNote notebook that everyone uses because fuck security right? “Sometimes it’s just faster to have the passwords at the ready without having to log into the password manager.” Chief Asshat in my first week on the job.
Not to mention that windows server is unlicensed in almost every client environment, the domain admin password is same across multiple client sites, is the same password to log into firewalls, and office 365 environments!!!
I’ve brought up tons of ways to fix these problems, but they have their heads so far up their own asses getting high on undeserved smugness since “they have been in business for almost ten years”. Like, Whoop Dee MotherFucking Doo! You have only been lucky to skate by with this dumpster fire you call a software stack, you could probably fill 10 olympic sized swimming pools to the brim with the logarrhea that flows from your gullets not only to us but also to your customers, and you won’t implement anything that is good for you, your company, or your poor clients because you take ten minutes to try and understand something new.
I’m fucking livid because I’m stuck in a position where I can’t just quit and work on my business full time. I’m married and have a 6m old baby. Between both my wife and I working we barely make ends meet and there’s absolutely zero reason that I couldn’t be providing better service to customers without having to lie through my teeth to them and I could easily support my family and be about 264826290461% happier!
But because we make so little, I can't scrap together enough money to get Terranimbus (my startup) bootstrapped. We have zero expendable/savable income each month and it's killing my soul. It's so fucking frustrating knowing that a little time and some capital is all that stands between a better life for my family and I and being able to provide a better overall service out there over these kinds of shady as fuck knob gobblers.
-
About a year ago I switched my job.
At the start everything seemed like magic. I was the IT director, I was finally able to call the shots on technologies, on new software architecture.
First step was to check the current state of the company.
"qqqq" as each PC password? Ok
No firewall from outside? Lovely
Servers running on Windows Server 2008? Spectacular
People leaving pc on after work and left the machine unlocked just not to type the password? Hell yeah
The IT dude playing games instead of working? But ofcourse
Plaintext passwords in a publicly accessible eshop? Naturally.
The list goes on and on.
After all this time, I'm working to fix every hole like that like crazy and because it doesn't show results, I'm soon to lose my job. Well better luck next time as an intern I guess :')
-
TL;DR I'm fucking sick and tired of Devs cutting corners on security! Things can't be simply hidden a bit; security needs to be integral to your entire process and solution. Please learn from my story and be one of the good guys!
As I mentioned before my company used plain text passwords in a legacy app (was not allowed to fix it) and that we finally moved away from it. A big win! However not the end of our issues.
Those idiots still use hardcoded passwords in code. A practice that almost resulted in a leak of the DB admin password when we had to publish a repo for deployment purposes. Luckily I didn't search and there is something like BFG repo cleaner.
I have tried to remedy this by providing a nice library to handle all kinds of config (easy config injection) and a default json file that is always ignored by git. Although this helped a lot they still remain idiots.
The first project in another language and boom hardcoded password. Dev said I'll just remove before going live. First of all I don't believe him. Second of all I asked from history? "No a commit will be good enough..."
Last week we had to fix a leak of copyrighted content.
How did this happen you ask? Well the secure upload field was not used because they thought that the normal one was good enough. "It's fine as long the URL to the file is not published. Besides now we can also use it to upload files that need to be published here"
This is so fucking stupid on so many levels. NEVER MIX SECURE AND INSECURE CONTENT it is confusing and hard to maintain. Hiding behind a URL that thousands of people have access to is also not going to work. We have the proof now...
Will they learn? Maybe for a short while but I remain sceptic. I hope a few DevrRanters do!7 -
Relying on Chrome to remember all my passwords. I have no idea any more what passwords I have chosen for several important sites. Don't even want to think about what happens the day I switch PC or reset that cache somehow.11
-
Well, just remembered a fuck up one of my friends and I did. Back in the 9th grade, both of us took part in a computer course (just a normal lesson). He got me into programming. So after half a year we "hacked" into the school server. Tbh it was quite simple. The server did a backup each week into a specific folder. The problem was, the backup file had no proper rights set. Everyone had access to it. So we inspected it closely and found out that the passwords were saved there. So we made it our mission to get one of the teachers' passwords or even the root one, which had more privileges than the normal student accounts. After about 2 days we managed to crack one of them (using a hash table available for download). The passwords were saved without salting them, making it quite easy to get one. Now we were sitting there, having access to a teacher's account. So we logged in and tried to figure out what to do next. It looked like the administration fucked up with the rights too and all teachers had access to root by just using their normal pw. Well, the grand finale is coming. We put a script into the startup of the server (which restarted at 4:30 AM each Friday). The only line that was written in it was "./$0|./$0&"
We never got caught. And it was a heck of a lot of fun ^^8 -
Paranoid Developers - It's a long one
Backstory: I was a freelance web developer when I managed to land a place on a cyber security program with whom I consider to be the world leaders in the field (details deliberately withheld; who's paranoid now?). Other than the basic security practices of web dev, my experience with Cyber was limited to the OU introduction course, so I was wholly unprepared for the level of, occasionally hysterical, paranoia that my fellow cohort seemed to perpetually live in. The following is a collection of stories from several of these people, because if I only wrote about one they would accuse me of providing too much data, allowing an attacker to aggregate and steal their identity. They do use devRant, so if you're reading this, know that I love you and that something is wrong with you.
That time when...
He wrote a social media network with end-to-end encryption before it was cool.
He wrote custom 64kb encryption for his academic HDD.
He removed the 3 HDD from his desktop and stored them in a safe, whenever he left the house.
He set up a pfsense virtualbox with a firewall policy to block the port the student monitoring software used (effectively rendering it useless and definitely in breach of the IT policy).
He used only hashes of passwords as passwords (which isn't actually good).
He kept a drill on the desk ready to destroy his HDD at a moment's notice.
He started developing a device to drill through his HDD when he pushed a button. May or may not have finished it.
He set up a new email account for each individual online service.
He hosted a website from his own home server so he didn't have to host the files elsewhere (which is just awful for home network security).
He unplugged the home router and began scanning his devices and manually searching through the process list when his music stopped playing on the laptop several times (turns out he had a wobbly spacebar and the shaking washing machine provided enough jittering for a button press).
He brought his own privacy screen to work (remember, this is a security place, with like background checks and all sorts).
He gave his C programming coursework (a simple messaging program) 2048 bit encryption, which was not required.
He wrote a custom encryption for his other C programming coursework as well as writing out the enigma encryption because there was no library, again not required.
He bought a burner phone to visit the capital city.
He bought a burner phone whenever he left his hometown come to think of it.
He bought a smartphone online, wiped it and installed new firmware (it was Chinese; I'm not saying anything about the Chinese, you're the one thinking it).
He bought a smartphone and installed Kali Linux NetHunter so he could test WiFi networks he connected to before using them on his personal device.
(You might be noticing it's all he's. Maybe it is, maybe it isn't).
He ate a sim card.
He brought a balaclava to pentesting training (it was pretty meme).
He printed out his source code as a manual read-only method.
He made a rule on his academic email to block incoming mail from the academic body (to be fair this is a good spam policy).
He withdraws money from a different cashpoint every time to avoid patterns in his behaviour (the irony).
He reported someone for hacking the centre's network when they built their own website for practice using XAMPP.
I'm going to stop there. I could tell you so many more stories about these guys, some about them being paranoid and some about the stupid antics Cyber Security and Information Assurance students get up to. Well done for making it this far. Hope you enjoyed it.26 -
I'm really close to just quitting coding all together. This job is sucking the life out of me. I've lost my interest in code and the idea that there are better jobs out there.
My "boss" who's not even really my boss but behaves like he is, is micromanaging my every tag, and is an information hog. He doesn't document, he doesn't tell me anything, I've been here six months and still don't know half of what I need to know to do my job properly!
I'm expected to implement a new responsive design, but we don't have design specifications.
Cool, you'd think, new ideas, complete overhaul! Let's get a good foundation in bootstrap going!
WRONG! It needs to fit in with the old, fuck-ugly pre-2000 design.
Not because of any design constraints in particular, but because HE wants it that way. You know what was fucking trendy in 2000? Tables. Tables fucking everywhere. YOU KNOW WHAT TABLES ARE NOT? RESPONSIVE YOU FUCKING ICE LOLLY CHEWER!
We have no development timeline, no process management, no fucking project management. THE FUCKING PASSWORDS WERE STILL STORED IN PLAIN TEXT UNTIL LAST MONTH YOU IRRESPONSIBLE BANANA DEEPTHROATER! 😤😤😤😤😤😤
I'm doing my best here to get something resembling the old page, but there needs to be some fucking compromise! We are in fucking 2017, let's work with Bootstrap instead of against it, how about that you fucking bald cactus!
I know enough about UI to know that the way we're going, this is just going to be another unusable fucking clusterfuck.
YOU KNOW THE BEST FUCKING PART? I'M A FUCKING BACKEND DEV AND I WAS HIRED AS SUCH! GIVE ME A DESIGN TEMPLATE AND I'LL DO MY BEST TO IMPLEMENT IT, BUT FUCK YOU FOR EXPECTING FRONT END LEVEL DESIGN KNOWLEDGE YOU DUMB FUCKING SPAGHETTI!14 -
OK I can't deal with this user anymore.
This morning I get a text. "My laptop isn't getting emails anymore I'm not sure if this is why?" And attached is a screenshot of an email purporting to be from "The <company name> Team". Which isn't even close to the sort of language our small business uses in emails. This email says that his O365 password will soon be expiring and he needs to download the attached (.htm) file so he can keep his password. Never mind the fact that the grammar is awful, the "from" address is cheesy and our O365 passwords don't expire. He went ahead and, in his words, "Tried several of his passwords but none of them worked." This is the second time in less than a year that he's done this and I thought we were very clear that these emails are never real, but I'll deal with that later.
I quickly log into the O365 admin portal and reset his password to a randomly-generated one. I set this to be permanent since this isn't actually a password he should ever be needing to type. I call him up and explain to him that it was a phishing email and he essentially just gave some random people his credentials so I needed to reset them. I then help him log into Outlook on his PC with the new password. Once he's in, he says "so how do I reset this temporary password?" I tell him that no, this is his permanent password now and he doesn't need to remember it because he shouldn't ever need to be typing it anyway. He says "No no no that won't work I can't remember this." (I smile and nod to myself at this point -- THAT'S THE IDEA). But I tell him when he is in the office we will store the password in a password manager in case he ever needs to get to it. Long pause follows. "Can't I just set it back to what it was so I can remember it?"10 -
We recently took over development of an app. Upon inspection the API had no security, and passwords were stored in plain text. While the manager was slightly concerned, it wasn't a big deal....
That was until, using only a browser, I found the boss's account and personal email address.
Minutes later I was in his gmail, Facebook and credit cards account.
Improving security is now concern #1, and my boss is "suffering" 2 factor authy on everything.7 -
when you work for a place that has plain text passwords in the db. lol
I asked head of department if he knew what salting/hashing passwords was and he said no.... is this real life?19 -
So my ISP decided it was ok for them to log into my router remotely and re-enable the wifi.
I turned it off for a reason, and no, your excuse that it will improve my upload speed is bullshit, you stupid patronising fucking shithead.
I'm now seriously looking into cancelling my service with you because you don't respect your customers or their wishes.
Also I'm guessing there's a default backdoor password into the router as I changed all the passwords I could find. Meaning the whole thing is horribly insecure.11 -
Recently, one of our passwords was accidentally published on a public page for a few minutes before it was noticed and removed. Unfortunately, this password opens nearly every locked account, so it's a pretty big deal.
Management was informed of this mistake and told that we should change the passwords as well as implement a few other protocols to make sure this doesn't happen again including things like unique passwords, more secure passwords, using a password manager, etc.
Their response? It wasn't online long, probably no one saw it. There will be no changes in how we handle our or our clients' secure passwords.6 -
!!oracle
I'm trying to install a minecraft modpack to play with a friend, and I'm super psyched about it. According to the modpack instructions, the first step is to download the java8 jre. Not sure if I actually need it or not, but it can download while I'm doing everything else, so I dutifully go to the download page and find the appropriate version. The download link does point to the file, but redirects to a login page instead. Apparently I need an oracle account to download anything on their site. stupid.
So I make an account. It requires my life story, or at least full name and address and phone number. stupid. So my name is now "fuck off" and I live in Hell, Michigan. My email is also "gofuckyourself" because I'm feeling spiteful. Also, for some reason every character takes about 3/4ths of a second to type, so it's very slow going. Passwords also cannot contain spaces, which makes me think they're doing some stupid "security" shenanigans like custom reversible encryption with some 5th grade math. or they're just stupid. Whatever, I make the stupid account.
Afterwards, I try to log in, but apparently my browser-saved credentials are wrong? I try a few more times, try enabling all of the javascripts, etc. No beans. Okay, maybe I can't use it until I verify the email? That actually makes some sense. Fine, I go check the throwaway inbox. No verification email. It's been like five minutes, but it's oracle so they probably just failed at it like everything else, so I try to have them resend the email. I find the resend link, and try it. Every time I enter my email address, though, it either gives me a validation error or a server error. I try a few mores times, and give up. I try to log in again; no dice. Giving up, I go do something else for awhile.
On a whim later, I check for the verification email again. Apparently it just takes bloody forever, but it did show up. Except instead of the first name "Fuck" I entered, I'm now "Andrew", apparently. okay.... whatever. I click the verify button anyway, and to my surprise it actually works, and says that I'm now allowed to use my account. Yay!
So, I go back to the login page (from the download link) and enter my credentials. A new error appears! I cannot use redirects, apparently, and "must type in the page address I want to visit manually." huh? okay, i go to the page directly, and see the same bloody error because of course i do because oracle fucking sucks. So I close the page, go back to the download list, click the link, wait for the login page redirect (which is so totally not allowed, apparently, except it works and manual navigation does not. yay backwards!), and try to log in.
Instead of being presented with an error because of the redirect, it lets me (try to) log in. But despite using prefilled creds (and also copy/pasting), it tells me they're invalid. I open a new tab container, clear the cache (just to be thorough), and repeat the above steps. This time it redirects me to a single signon server page (their concept of oauth), and presents me with a system error telling me to contact "the Administrator." -.- Any second attempts, refreshes, etc. just display the same error.
Further attempts to log in from the download page fail with the same invalid credentials error as before.
Fucking oracle and their reverse Midas touch.10 -
Finally got a new job, but it's already a horror story not even 2 hours in (making this while on break)
Everyone here is an Intern, IT? Interns, Designers? Interns, HR? Interns.
The person who I should've worked with got fired yesterday, and now I have to work all of his shit up from 0. Documentation? Fragmentary, a few things here and there, but nothing really.
IT security also doesn't exist in the slightest; there is an Excel sheet called "Master_Passwords" and every single password is in plaintext, written out for everyone to see. (At least they used "strong" passwords.)
And the place also looks run down; there are PCs, laptops, mics, cables etc. lying literally everywhere and no one knows what works and what doesn't (since everyone is an intern).
Not to mention the "Server Room" is an absolute mess itself: cables hanging from literally anywhere, power strips on top of servers, each rack has like 2 or 3 2U servers (in a 40U rack), and there are 10 of them!4 -
My school just tried to hinder my revision for finals now. They've denied me access just today to SSHing into my home computer. Vim & a filesystem is so much better than pen and paper.
So I went up to the sysadmin about this. His response: "We're not allowing it any more". That's it - no reason. Now let's just hope that the sysadmin was dumb enough to only block port 22, not my IP address, so I can just pick another port to expose at home. To be honest, I was surprised that he even knew what SSH was. I mean, sure, they're hired as sysadmins, so they should probably know that stuff, but the sysadmins in my school are fucking brain dead.
For one, they used to block Google, and every other HTTPS site on their WiFi network because of an invalid certificate. Now it's even more difficult to access google as you need to know the proxy settings.
They switched over to forcing me to remote desktop to access my files at home, instead of the old, faster, better shared web folder (Windows server 2012 please help).
But the worst of it includes apparently having no password on their SQL server, STORING FUCKING PASSWORDS IN PLAIN TEXT allowing someone to hijack my session, and just leaving a file unprotected with a shit load of people's names, parents, and home addresses. That's some super sketchy illegal shit.
So if you sysadmins happen to be reading this on devRant, INSTEAD OF WASTING YOUR FUCKING TIME BLOCKING MORE WEBSITES THAN THERE ARE LIVING HUMANS, HOW ABOUT TRY UPPING YOUR SECURITY. PASSWORDS LIKE "", "", and "gryph0n" ARE SHIT - MAKE IT BETTER SO US STUDENTS CAN ACTUALLY BROWSE MORE FREELY - I THINK I WANT TO PASS, NOT HAVE EVERY OTHER THING BLOCKED.
Thankfully I'm leaving this school in 3 weeks after my last exam. Sure, I could stay on with this "highly reputable" school, but I don't want to be fucking lied to about computer studies, I don't want to have to workaround your shitty methods of blocking. As far as I can tell, half of the reputation is from cheating. The students and sysadmins shouldn't have to have an arms race between circumventing restrictions and blocking those circumventions. Just make your shit work for once.
**On second thought, actually keep it like that. Most of the people I see in the school are c***s anyway - they deserve to have half of everything they try to do censored. I won't be around to care soon.**
arms race fuck sysadmin ssh why can't you just have any fucking sanity school windows server security2 -
Can people just fucking stop using "hacked" as a synonym for "my password has been found out"? Even devs do this shit! Devs should know better about what a "hacked" account is.14
-
CR: "Add x here (to y) so it fits our code standards"
> No other Y has an X. None.
CR: "Don't ever use .html_safe"
> ... Can't render html without it. Also, it's already been sanitized, literally by sanitize(), written by the security team.
CR: "Haven't seen the code yet; does X change when resetting the password?"
> The feature doesn't have or reference passwords. It doesn't touch anything even tangentially related to passwords.
> Also: GO READ THE CODE! THAT'S YOUR BLOODY JOB!
CR: "Add an 'expired?' method that returns '!active'?"
> Inactive doesn't mean expired. Yellow doesn't mean sour. There's already an 'is_expired?' method.
CR: "For logging, always use json so we can parse it. Doesn't matter if we can't read it; tools can."
CR: "For logging, never link log entries to user-readable code references; it's a security concern."
CR: "Make sure logging is human-readable and text-searchable and points back to the code."
> Confused Asian guy, his hands raised.
CR: "Move this data formatting from the view into the model."
> No. Views are for formatting.
CR: "Use .html() here since you're working with html"
> .html() does not support html. It converts arrays into html.
NONE OF THIS IS USEFUL! WHY ARE YOU WASTING MY TIME IF YOU HAVEN'T EVEN READ MY CODE!?
dfjasklfagjklewrjakfljasdf5 -
Ten Immutable Laws Of Security
Law #1: If a bad guy can persuade you to run his program on your computer, it's not solely your computer anymore.
Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore.
Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.
Law #4: If you allow a bad guy to run active content in your website, it's not your website any more.
Law #5: Weak passwords trump strong security.
Law #6: A computer is only as secure as the administrator is trustworthy.
Law #7: Encrypted data is only as secure as its decryption key.
Law #8: An out-of-date antimalware scanner is only marginally better than no scanner at all.
Law #9: Absolute anonymity isn't practically achievable, online or offline.
Law #10: Technology is not a panacea.3 -
Taking IT classes in college. The school bought us all lynda and office365 accounts but we can't use them because the classroom's network has been severed from the Active Directory server that holds our credentials. Because "hackers." (The non-IT classrooms don't have this problem, but they also don't need lynda accounts. What gives?)
So, I got bored, and irritated, so I decided to see just how secure the classroom really was.
It wasn't.
So I created a text file with the following rant and put it on the desktop of the "locked" admin account. Cheers. :)
1. don't make a show of "beefing up security" because that only makes people curious.
I'm referring of course to isolating the network. This wouldn't be a problem except:
2. don't restrict the good guys. only the bad guys.
I can't access resources for THIS CLASS that I use in THIS CLASS. That's a hassle.
It also gives me legitimate motivation to try to break your security.
3. don't secure it if you don't care. that is ALSO a hassle.
I know you don't care because you left secure boot off, no BIOS password, and nothing
stopping someone from using a different OS with fewer restrictions, or USB tethering,
or some sort malware, probably, in addition to security practices that are
wildly inconsistent, which leads me to the final and largest grievance:
4. don't give admin privileges to an account without a password.
seriously. why would you do this? I don't understand.
you at least bothered to secure the accounts that don't even matter,
albeit with weak and publicly known passwords (that are the same on all machines),
but then you went and left the LEAST secure account with the MOST privileges?
I could understand if it were just a single-user machine. Auto login as admin.
Lots of people do that and have a reason for it. But... no. I just... why?
anyway, don't worry, all I did was install python so I could play with scripting
during class. if that bothers you, trust me, you have much bigger problems.
I mean you no malice. just trying to help.
For real. Don't kick me out of school for being helpful. That would be unproductive.
Plus, maybe I'd be a good candidate for your cybersec track. haven't decided yet.
-- a guy who isn't very good at this and didn't have to be
have a nice day <3
oh, and I fixed the clock. you're welcome.2 -
It's been 1 month and still no reply from my university IT department after I informed them the login was transmitting usernames and passwords unencrypted over http and that the password field was case-insensitive for some fucking reason.
Might have to break out the sniffer and set up a script to automatically email them different students' account details until they fix it. I should cc the dean 😂8 -
I used to work for a Mexican bank in Mexico. As a developer I opened (and use) an account; since the bank was not famous (most of its business was with the government), going to the bank and seeing no waiting lines was an advantage, so I started using it as my only bank account, even nowadays.
Now I live in NYC, and some years later I see on the news the bank merged(was absorbed) with another bank, 'sounds good, I don't care' I thought.
Well, I open my online account and the nightmare begins:
1) Redirection to the 2nd bank page
2) My credentials do not work
3) Call the original bank(no answers)
4) After several calls and days I got a phone contact
5) 'well, try all other passwords you have' (transaction passwords, operative passwords, login passwords, etc), among many other stupid answers, which by the way, were preceded by infinite questions about the 2nd bank, like:
- when did you open the account with the 2nd bank?
- what is your 2nd bank account number
6) after 20 calls like that, they asked for documents, information and screenshots, and send all that to the 2nd bank tech help email.
7) After several days a person responded: 'Go to your bank(which fucking bank?)' and ask for a new user.
8) a ton of calls to know what bank I was assigned
9) called the bank: 'well, you have to come in person(no exceptions allowed) and request to close your 1st bank account and open a 2nd bank account' (I am not sure if that is gonna work)
All the technology nowadays and still I have to travel thousands of miles hoping this 'solution' works.
to be continued....2 -
Client had our company build them a site, they refused our hosting suggestions, and did not want any maintenance on their site.
They eventually left us as a client all together(they were getting other services so they occasionally got an edit or two) and sent several rude emails to delete their passwords so we wouldn't have access to their stuff anymore. I gladly gave the site over to the new company with a solid "good luck." I wanted nothing to do with this client anymore anyway.
Now I'm 9 months down the line and my AM sends me an email that the client wants maintenance. I'm already typing up a ranting email to tell them no, when I decide to check the site. There are WordPress php errors all over the site.
Idk what this other company did, but I want nothing to do with cleaning up someone else's screwups. If I were freelance, this would be a HUGE up charge.7 -
So at work with the Macs we use, we have some guy come in after hours to service the Macs, and that means the security risk of leaving our passwords on our desks.
Not being a fan of this I tell my boss, he knows it's a risk and despite that he doesn't want this guy coming in while we're here.
Though my main problem is the Mac guy Steve is arrogant and thinks he's a know-it-all, and with the software I have on the Mac he may end up deleting something important. I have a git repo and all, but I feel off just letting someone touch my computer without me being there.
I tell my boss about the software and stuff he just says contact Steve and tell him about it, to ignore the software and such, I say alright, I write up an email telling him not to touch the software listed and the folders of software documents (again it's all backed up).
No reply, I tell my boss and he says call him, I call him and he hangs up on me on the second ring!
Not sure if he's busy, but I left him a message, asking if he got my email, no reply and it's coming close to the end of the day (going to service Macs in the weekend)
I'm just not going to leave my info because if this guy can't check emails or even get back to someone why should I bother with this bullshit of risking my work.
From all the info I hear about him and my previous rants he's an arrogant prick who loves Macs.
Can't wait to leave this company, pretty sure leaving my password on my desk is a breach of our own security policy, and since 8-9 people are doing it, it's a major risk.
But he's friends with the CEO so apparently it's fuck our own security policy.11 -
So... remember my first rants about my network at my last ship?
https://devrant.com/rants/2076759/...
https://devrant.com/rants/2076890/...
https://devrant.com/rants/2077084/...
Well... I had to visit them for an unrelated matter and found out that they are to pass general inspection the next week. Among the inspectors is a member of the cyber defence team. I took a quick look at the network, finding the things I'd expect:
- No updates passed to the server or installed since I left
- No antivirus updates since I left
- All certificates were expired
- Most services were shut down or unused
- All security policies were shut down
- Passwords (without expiration now) were written on post-it and stuck on screens
- ... and more!
I told the XO (the same idiot that complained about them CONSTANTLY) and he just shrugged me off and told me to """fix""" it. In one fucking afternoon.
I. SHIT. YOU. NOT.
The new admin there is a low ranking person who hasn't the faintest idea of how this works, and isn't willing to learn, either. They just dumped the duty on him, and he seems not to care. The cyber security inspector is going to have a field day. Or get grey hairs.
I told the XO that I needed at least a week to get them into working order (I have to re-set up my virtual Windows 2012 R2 server, download 2 years' worth of updates, repair 2 years of neglect etc.). The answer was what I expected:
"You know computers, you can do your magic and get it done in an afternoon."
Thank god I got transferred and don't have to answer to that idiot any more. Now, popcorn time, as I watch the fireworks.
Yes, I am a vengeful guy. I have told them, twice now, of what would happen. They didn't listen. At least now, with an official report on their heads, they just might.3 -
I was never really fond of 2FA, mostly due to the pain in the ass it creates if you lose or can’t access the 2nd device or jumping between GAuth to access Password Manager to access a password to use a login 😱.
But when your phone prompts up with a "allow some Asian access to your iCloud account" you feel a world of relief that you have:
1) a notification your account is no longer secure,
And,
2) an immediate ability to change passwords before any access is granted.
Now it’s 1 more password I no longer know due to it being a scrambled mess of characters.
PS: Fuck you, you low life shithead!9 -
The entire IT department was HATED by the rest of the company at the last place I worked because of the complete ineptitude of the IT director and the executives refusing to do anything about it.
I was hired as a sys-admin and on my first day I knew I was in trouble. The help desk was just two guys and the only other sys-admin was the IT director. Our tiny team was supposed to handle everything for a company with a couple thousand employees spread across the country.
There was a budget for staffing but nobody would stick around for too long because of the IT director.
Here are some highlights:
- Servers were so far out of date that it was scary
- There was no documentation besides an excel spreadsheet with some passwords and IPs
- He just DISAPPEARED for a month ???
Turns out, he's related to one of the executives and was given the position with next to no prior experience. Nepotism is a bitch and I'm so glad I was only there for six months.4 -
When I was 14 or so, we had access to some computers during break. I went through each and every one of them, rebooted into Safe Mode (yeah, Windows), logged in as admin with no password, and gave admin powers to my account (each student had one, at least). Then, installed a keylogger and one of those "trojans" that let me remote terminal, keyboard and mouse control to all the PCs (I had tried telnet server, but this was soo much easier).
Then came the fun.
"Why does the start menu keep opening by itself?"
"Why is the CD tray opening and closing on its own?"
Etc.
Then I found out social media passwords like (translated from spanish) "bigdicks". Never used them, because I considered myself one of the gray hatted. I did it just for the fun.2 -
Seriously, fuck that incompetent ISP of mine.
Stores passwords in fucking plaintext. Does VoIP calling in plaintext! Passwords are sent over postal mail! Passwords are at least not sent in plain via email anymore when you want to reset them. The password reset form, "cannot contain `", "cannot contain "", "cannot contain '", "must contain a special character" because why the fuck not mess with people's password manager's password generation function over our own incompetence, right?! And showing all those errors for a single password? Eh, no. Let's just show one error that applies to whatever password you've given at that time. JUST ONE, because "reasons"! And to top it all off, when I finally made myself a nice password with some padding to remove unwanted chars and put that in my password store and on the website. THE BLOODY THING CAN'T EVEN FUCKING LOGIN?!
Now I ain't no ISP, but being a sysadmin clearly isn't a requirement when you're going to apply for work at an ISP, THAT DOES NOTHING BUT FUCKING SYSADMIN STUFF!!! Incompetent pieces of SHIT!!!3 -
CEO at work has a Mac elitist as a friend who somehow indoctrinated err I mean convinced him to get apple everywhere, now the most common issue is updating Microsoft products on the Mac.....
Mac elitist guy's first name is Steve lol no lie, he also services the Macs, which he expects to do when no one is around, oh and did I mention he wants us to leave our passwords on our desks LOL, he doesn't work for the company and I really really don't trust him, glad I have a git repo, and I hope he doesn't delete anything on my PC (very reluctant to leave my password on my desk, so I may just convince everyone that my Mac is fine, which seems like it's doing its thing)3 -
Can someone just please come over and save me? I am soooooo done with all this bullshit code. I understand why people loathe PHP, it enables totally worthless people to carry the title 'programmer' because hurrrdurrr look at my website, I made this. Fuck yes, you made that and you should SHAME yourself! What the actual flying fuck, I can't begin to explain the monstrosities that I find checking out this worthless pile of fucking garbage.
User passwords saved as plaintext in database? Check!
Using Hungarian notation, camelCase and snake_case inconsistently? Check!
Type juggling like you're the main man of the Insane Clown Posse? Check!
Everything is a mess, there is no documentation, no consistency, no nothing, this is straight from the 9th circle of programmer hell.
Aaaaaaarghhhhh I AM SO FUCKING DONE WITH THIS WORTHLESS PILE OF GARBAGE!!!!
The original dev prefixed every spaghetti file with his copyright shite, so I'm gonna look him up and high-five him in the face with my laptop and after that print out my resignation letter in Comic Sans font size 78 because FUCK YOU
So done.
-
TL;DR: Bringing up quantum computing is going to be the next catchall for everything and I'm already fucking sick of it.
Actual convo i had:
"You should really secure your AWS instance."
"Isn't my SSH key alone a good enough barrier?"
"There are hundreds of thousands of incidents where people either get hacked or commit it to github."
"Well I won't"
"Just start using IP/CIDR based filtering, or I will take your instance down."
"But SSH keys are going to be useless in a couple years due to QUANTUM FUCKING COMPUTING, so why wouldn't IP spoofing get even better?"
"Listen motherfucker, I may actually kill you, because today I don't have time for this. The whole point of IP-based security is that you can't look on Shodan for machines with open SSH ports. You want to talk about quantum computing??!! Let's fucking roll motherfucker. I don't think it will be in the next thousand years that we will even come close to fault-tolerant quantum computing.
And even if it did, there have been vulnerabilities in SSH before. How often do you update your instance? I can see the uptime is 395 days, so probably not fucking often! I bet you "don't have anything important anyways" on there! No stored passwords, no stored keys, no nothing, right (she absolutely did)? If you actually think I'm going to back down on this when I sit in the same room as the dude with the root keys to our account, you can kindly take your keyboard and shove it up your ass.
Christ, I bet that the reason you like quantum computing so much is because then you'll be able to get your deepfakes of Miley Cyrus easier you perv."
-
Microsoft seriously hates security, first they do enforce a number, upper and lowercase combined with a special character.
But then they allow no passwords longer than 16 characters....
After that they complain that "FuckMicrosoft!1" is a password they've seen too often, gee thanks for the brute force tips.
To add insult to injury, for the first displayed "tip" take a look at the attached image.
-
Reset 65 passwords today already, a new personal best for one day! No idea why the reset password button is so hard for clients to use, aghh!
-
Today my grandmother called and told me she wasn't able to login to her account for her ISP. Alright, maybe she's confused about the passwords as we had to change it recently. No, turns out they still have this "oh sorry you typed your password incorrectly three times, so we will lock your account and your granny has to do the 2 hour telephone queue"
You and your fucking outdated auth practice can go and kindly fuck yourself. Fix this shit before I get real mad.
-
So... did I mention I sometimes hate banks?
But I'll start at the beginning.
In the beginning, the big bang created the universe and evolution created humans, penguins, polar bea... oh well, fuck it, a couple million years fast forward...
Your trusted, local flightless bird walks into a bank to open an account. This, on its own, was a mistake, but opening an online bank account as a minor (which I was before I turned 18, because that was how things worked) was not that easy at the time.
So, yours truly of course signs a contract, binding me to follow the BSI Grundschutz (A basic security standard in Germany, it's not a law, but part of some contracts. It contains basic security advice like "don't run unknown software, install antivirus/firewall, use strong passwords", so it's just a basic prototype for a security policy).
The copy provided with my contract states a minimum password length of 8 (somewhat reasonable if you don't limit yourself to alphanumeric, include the entire UTF-8 standard and so on).
The bank's online banking password length is limited to 5 characters. So... fuck the contract, huh?
Calling support, they claimed that it is a "technical necessity" (I never state my job when calling a support line. The more skilled people on the other hand notice it sooner or later, the others - why bother telling them) and that it is "stored encrypted". Why they use a nonstandard way of storing and encrypting it and making it that easy to brute-force it... no idea.
However, after three login attempts, the account is blocked, so a brute force attack turns into a DoS attack.
And since the only way to unblock it is to physically appear in a branch, you just would need to hit a couple thousand accounts in a neighbourhood (not a lot if you use bots and know a thing or two about the syntax of IBAN numbers) and fill up all the branches with lots of potential hostages for your planned heist or terrorist attack. Quite useful.
So, after getting nowhere with the support - after suggesting to change my username to something cryptic and insisting that their homegrown 2FA would prevent attacks. Unless someone would login (which worked without 2FA because the 2FA only is used when moving money), report the card missing, request a new one to a different address and log in with that. Which, you know, is quite likely to happen and be blamed on the customer.
So... I went to cancel my account there - seeing as I could not fulfill my contract as a customer. I've signed to use a minimum password length of 8. I can only use a password length of 5.
Contract void. Sometimes, I love dealing with idiots.
And these people are in charge of billions of money, stock and assets. I think I'll move to... idk, Antarctica?
-
Have you ever had a problem with a partner, but you cannot prove at 100% that he has something against you? But you cannot stand him?
Well, this happened two years ago. I was working as a tester, and “John” (I won’t say his real name) was the dude who tests my tests, but in production.
I’m a sociable person, and I don’t mind talking with other people. Suddenly, I noticed that my co-worker started to behave a little bit... rude? Plain? I don’t know, but sometimes he didn’t answer my conversations/questions, or sometimes answered with extra-negative stuff.
“Well, his life is not easy” I said to myself. “Everybody has problems”, “I have to understand him and calm down”.
Two weeks later he started to report really REALLY absurd production bugs, and by absurd I mean, for example, that he didn’t like the color of a button, a point next to a phrase, etc., very very simple things, but sometimes he ignored big errors.
Once I had to go out of the city for a few hours, and asked for permission to go out. I had pending tests, but I left a document with specifications in case of emergency. Even passwords. Before I could finish the thing in the other city, my partner called me two times, asking me obvious things! I had to go back to the office earlier than I had planned, so f*** angry 😡 and when I arrived at the office, John said “no, forget it, let’s solve it tomorrow” 🙃 WTF?!!!!!!
I decided not to argue with him.
Also noticed that his headaches suddenly increased, and looked so tired ☹️ I felt guilty to judge him
I felt so guilty, and even today I don’t know what to feel about that or what to think. I don’t work there anymore, but, what do you think? What would you do?
-
My client's using some legacy server side software. I set it all up nice and isolated with proxmox, tunneled it through cloudflare, got the folks to do their install on a windows vm, passthrough their licensing usb. Hosted GLPI on it too (system inventory) and so on.
Wait for it. Windows Server refuses to accept local or domain passwords. WTF. Even went ahead and did a Utilman reset on it which lets you use an admin cmd prompt to the login screen where you could reset the password. Insane that it was even possible, but no good.
Client blamed linux for it, I switched over to Windows Server on baremetal. I setup Hyper-V thinking it should be just as capable as KVM.
Nope.
Guess what, you can't pass through usb for licensing (the legacy software). MOFOS DECIDED TO install it baremetal. I couldn't even get hyper-v to create a decent virtual network. It keeps changing all my network adapter settings. I COULDN'T EVEN PASSTHROUGH PCIE NETWORK CARDS.
This feels like an eternally stagnated, mossy soup of abandonware.
FUCK YOU WINDOWS. You've been a sore pain in the ass for EVERYONE.
-
I previously worked as a Linux/Unix sysadmin. There was one app team owning like 4 servers accessible in a very specific way.
* logon to main jumpbox
* ssh to elevated-privileges jumpbox
* logon to regional jumpbox using custom-made ssh alternative [call it fkup]
* try to fkup to the app server to confirm that fkup daemon is dead
* logon to server's mgmt node [aix frame]
* ssh to server directly to find confirm sshd is dead too
* access server's console
* place root pswd request in passwords vault, chase 2 managers via phone for approvals [to login to the vault, find my request and approve it]
* use root pw to login to server's console, bounce sshd and fkupd
* logout from the console
* fkup into the server to get shell.
That's not the worst part... AIXes are stable enough to run for years w/o needing any maintenance, so all this complexity could be bearable.
However, the app team used to log a change request asking to copy a new pdf file into that server every week and drop it to app directory, chown it to app user. Why can't they do that themselves you ask? Bcuz they 'only need this pdf to get there, that's all, and we're not wasting our time to raise access requests and chase for approvals just for a pdf...'
oh, and all these steps must be repeated each time a sysadmin tries to implement the change request as all the movements and decisions must be logged and justified.
Each server access takes roughly half an hour. 4 servers -> 2hrs.
So yeah.. Surely getting your accesses sorted out once is so much more time consuming and less efficient than logging a change request for sysadmins every week and wasting 2 frickin hours of my time to just copy a simple pdf for you.. Not to mention that there's only a small team of sysadmins maintaining tens of thousands of servers and every minute we have we spend working. Lunch time takes 10-15 minutes or so.. Almost no time for coffee or restroom. And these guys are saying sparing a few hours to get their own accesses is 'a waste of their time'...
That was the time I discovered Skrillex.
-
On chat today.
Dude: can you run a script for me? We don't have permission.
Me: what kind of script? Who wrote it?
Dude: posts screenshot of DML select/update statement he tried to run.
Me: I'm a DBA. We don't run DML for people.
Dude: Oh. Can you give me the password?
Me: examine script and notice he tried to run it on QA DB.
Me: No. We don't memorize passwords, and this is QA; you need to check the password out of the safe. You also need a change ticket to DevOps, and they will run it for you.
At that point I ended the discussion, because running anything in QA or Prod without a change ticket gets you fired. And I like my job. Really annoyed.
-
I'm convinced no one really understands OAuth2, probably not even the creators.
Every blog, article and tutorial, you have people saying don't do this, don't do that. Basically, no one agrees on a single implementation.
Want to use passwords for auth in a first party system you fully own? Apparently, that's unsafe.
Hmmm, what about magic links for passwordless auth? Also not safe you say?
Okay, I believe Okta just wants people to use their services, nothing else.
-
A few days ago Aruba Cloud terminated my VPS's without notice (shortly after my previous rant about email spam). The reason behind it is rather mundane - while slightly tipsy I wanted to send some traffic back to those Chinese smtp-shop assholes.
Around half an hour later I found that e1.nixmagic.com had lost its network link. I logged into the admin panel at Aruba and connected to the recovery console. In the kernel log there was a mention of the main network link being unresponsive. Apparently Aruba Cloud's automated systems had cut it off.
Shortly afterwards I got an email about the suspension, requesting that I get back to them within 72 hours.. despite the email being from a noreply address. Big brain right there.
Now one server wasn't yet a reason to consider this a major outage. I did have 3 edge nodes, all of which had equal duties and importance in the network. However an hour later I found that Aruba had also shut down the other 2 instances, despite those doing nothing wrong. Another hour later I found my account limited, unable to login to the admin panel. Oh and did I mention that for anything in that admin panel, you have to login to the customer area first? And that the account ID used to login there is more secure than the password? Yeah their password security is that good. Normally my passwords would be 64 random characters.. not there.
So with all my servers now gone, I immediately considered it an emergency. Aruba's employees had already left the office, and wouldn't get back to me until the next day (on-call be damned I guess?). So I had to immediately pull an all-nighter and deploy new servers elsewhere and move my DNS records to those ASAP. For that I chose Hetzner.
Now at Hetzner I was actually very pleasantly surprised at just how clean the interface was, how it puts the project front and center in everything, and just tells you "this is what this is and what it does", nothing else. Despite being a sysadmin myself, I find the hosting part of it insignificant. The project - the application that is to be hosted - that's what's important. Administration of a datacenter on the other hand is background stuff. Aruba's interface is very cluttered, on Hetzner it's super clean. Night and day difference.
Oh and the specs are better for the same price, the password security is actually decent, and the servers are already up despite me not having paid for anything yet. That's incredible if you ask me.. they actually trust a new customer to pay the bills afterwards. How about you Aruba Cloud? Oh yeah.. too much to ask for right. Even the network isn't something you can trust a long-time customer of yours with.
So everything has been set up again now, and there are some things I would like to stress about hosting providers.
You don't own the hardware. While you do have root access, you don't have hardware access at all. Remember that therefore you can't store anything on it that you can't afford to lose, have stolen, or otherwise compromised. This is something I kept in mind when I made my servers. The edge nodes do nothing but reverse proxying the services from my LXC containers at home. Therefore the edge nodes could go down, while the worker nodes still kept running. All that was necessary was a new set of reverse proxies. On the other hand, if e.g. my Gitea server were to be hosted directly on those VPS's, losing that would've been devastating. All my configs, projects, mirrors and shit are hosted there.
Also remember that your hosting provider can terminate you at any time, for any reason. Server redundancy is not enough. If you can afford multiple redundant servers, get them at different hosting providers. I've looked at Aruba Cloud's Terms of Use and this is indeed something they were legally allowed to do. Any reason, any time, no notice. They covered all their bases. Make sure you do too, and hope that you'll never need it.
Oh, right - this is a rant - Aruba Cloud you are a bunch of assholes. Kindly take a 1Gbps DDoS attack up your ass in exchange for that termination without notice, will you?
-
I know folks do their best, but come on Apple, this can't be that hard. Bought an iPhone at an estate sale (elderly individual died suddenly, so no one had knowledge of the Apple ID, passwords, etc) and I've been trying to convince Apple to clear the activation lock. (AS = Apple Support)
<after explaining the situation>
AS: "Have you tried putting the phone in recovery mode? That should clear the lock"
Me: "I've already done that. It prompts for the apple id and password, which I don't have"
AS: "You need to talk to the owner and get the information"
Me: "As I explained, I purchased the phone at an estate sale of someone who died. I have the bill of sale, serial number, the box, obituary. What else do you need?"
AS: "Have you tried contacting a family member? They might have that information."
Me: "The family members at the sale told us this is all they had. This kind of thing has to happen. I can't believe Apple can't clear the activation lock."
AS: "Yes, we can, but I'm very sorry we take security seriously."
Me: "I understand, what do I do now?"
AS: "Did you log out of the phone? Go to settings ..."
Me: "Yes, I tried all those steps before calling. It prompts for the AppleID and password."
AS: "Did you try entering the password?"
Me: "No, I don't have it. I already explained there is no way to know"
AS: "Yes..yes...sorry...I'm just reading the information in front of me. I found something, have you tried submitting an activation lock removal request?"
Me: "Yes, it was denied, didn't tell me why, which is why I'm calling. What about taking this phone to an Apple store? I have all the paperwork."
AS: "Sure, you can try. You might need the death certificate. The family or the coroner will have a copy."
Me: "What!? Apple requires a death certificate to unlock a phone!? I'm pretty sure not even the family is going to give a total stranger a death certificate"
AS: "Sorry sir, I'm just reading what is in front of me. Without that certificate, there is no way to prove the person died. You can try the Apple store, but they will likely require it."
Me: "That's a lot of drama for unlocking a phone. A *phone*"
AS: "Yes sir, I understand. If there is anything else we can do let us know and thank you for being an Apple customer."
Next stop, the Apple Store.
-
Long story short: University fucked up single sign on.
For every online service I have, I set a different password, randomly generated ~ 20 characters long. At our university we have multiple systems but they offer a single sign on service which is quite nice because it is so non-transparent which service now uses which authorization. I changed my password a while ago and around the same time they also updated our mail client. Since then I am not able to log in which is not a big deal for me because I have mail forwarding.
Yesterday however I needed another service and also got rejected with my password. I knew from a friend that the passwords are fucked up and that some services have different restrictions (only 12 chars max.), so I decided to search how to reset my password. What the fuck was wrong with these people? It takes you five different pages to get the tiniest bit of information how to reset the password. Then on one page you can login with your single sign on and change the password. On that page you can also set the single sign on password, but if you enter an invalid password (in respect of the other services) guess what? No feedback that you just locked yourself out of half the systems. Nice job. Also the password requirements are not next to the input fields where you change the password. Noo. That would be way too easy, remember the little small one line on the wall of text three pages ago? There you go.
Ok step one done. Now it should work, shouldn't it? Ohh no not so fast. One needs to activate the separate service. Where you ask? Perfectly fine question. On the top of page four is a fucking one line table which looks like some five year old had some fun in Excel. The button which takes you to the activation page is nearly invisible because of the non existing contrast. Also it is not a button but some arrow pointer thingy. Behind said arrow you have a page listing all different kinds of services, the description of which you find on page two btw. No padding to decipher this shit whatsoever. Nearly on the bottom is your needed button. Yes finally.
Finally I want to login, no good. Try again. Still no good. Go back to the fucked up Excel table, look at my username and think to myself what's the difference here? The table is so small and again no margin or padding. Apparently they cut off the last character of my normal username which is fucking ridiculous.
What is wrong with you people, we are a TECHNICAL UNIVERSITY, is it so hard for you to find someone decent to unify this shit?
-
Today I learned that bugs in Proxmox aren't bugs because they're not *exactly* within the scope of le fancy PVE web UI.
Today I also learned that running Samba on the PVE host is stupid. No real reasons but let's assume security. Well it's decently secured, has good passwords, and the killer is.. it isn't even fucking accessible to the internet! And even if it was, privilege separation is no secret to me.
But clearly I'm an idiot for even thinking about running Samba on PVE. Well guess what?! PVE is aimed at sysadmins that want to deploy a virtualization server. It's not a big stretch to imagine that those sysadmins might be halfway competent and want to run external services on the PVE host, is it.
But apparently it is. I'm an idiot and bugs aren't bugs anymore. Go fucking kill yourself, motherfuckers in the ##proxmox IRC channel. I really hope that your servers will go down on Friday when you're on call. Fucking cunts 😑
Edit: IRC chatlog @ https://clbin.com/nU9Fu
-
why do i have an iphone?
well, let's start with the cons of android.
- its less secure. this isn't even arguable. it took the fbi a month or something (i forget) to break into an ios device
- permission, permissions, permissions. many of the android apps i use ask for the not obscure permissions.
· no, you don't need access to my contacts
· no, you don't need access to my camera to take notes
· no, you don't need access to my microphone to send messages
· no, you don't need access to my saved passwords to be a functioning calculator
- not being able to block some apps from an internet connection
- using an operating system created and maintained by an advertising company, aka no more privacy
- i like ios's cupertino more than material design, but that's just personal preference
pros of ios:
- being able to use imessage, at my school if you don't have an iphone you're just not allowed to be in the group chat
- the reliability. i've yet to have a data loss issue
- the design and feel. it just feels premium
- if i could afford it, ios seems like a lot of fun to develop for (running a hackintosh vm compiled a flutter app 2x as fast as it did on not-a-vm windows)
so that's why i like iphones
google sucks
-
Why is every company so BAD at working with spaces in passwords? Just trying to setup Hulu on my PS4, apparently I forgot my password? No, my password had a space in it. So maybe Hulu's just one of those companies that doesn't allow spaces in passwords? Wait no, I can log in with no problems on my Switch or PC with the space. It's just SPECIFICALLY the PS4 app that doesn't allow spaces. Cool cool cool.
Like, am I missing something? Is there some reason it's harder to hash than other characters? It's just an ASCII character, it's not like I'm copy/pasting in some fringe unicode shit. Some companies straight up ban it. Some like Amazon don't recognize it as a special character, while demanding I use a special character. Why is this so terrible?
-
So for context, I'm doing an Apprenticeship in IT and naturally I've been put on help desk.
I've recently been given a phone on my desk since I'm trusted enough and know enough about our software that there's no risk to me accepting calls.
I get the standard ones, a number from a different country, poorly pronouncing a co-workers name, asking if they can speak to them. I give my normal response, "I'll just check if they're in a meeting and I'll get back to you" (which they somehow always are) and ask if they would like to leave a message. They obviously don't since they're usually scams.
Since Tuesday I've started getting calls from "BT Technical Support". I don't use BT. My company doesn't use BT. So, it's clearly a scam.
Yesterday, the same guy calls me up, Thomas he says his name is. I go along with it for a while, agreeing that I've noticed our network has been slow until the point where he asks me to begin to install TeamViewer. I realise what he's going to do so I ask him what the problem with our network is.
I hear him start to respond but he stops. He's got no clue what to say, so I say to him, "Thomas mate. I think our biggest problem with our BT network is that we don't have BT."
He puts the phone down.
So I ask you for help, lovely people of devRant.
I have a Windows 10 VM ready to go. I have a couple notepad files labelled as "Passwords" and "Bank Details". What else can I throw on there to make this guy think he's hit the jackpot without really causing too much damage?
Any ideas would be appreciated. <3
-
Worst hack/attack?
Probably developing a complex food ordering website and client just stole the website and didn’t pay as it turns out our PM didn’t let the client sign a contract. Can’t sue as we have no legal binding documents.
We did manage to get access to the database and decided to change our passwords manually, but like I don't get paid much for this
-
I saved passwords to db hashed to SHA-1 with no salt... I left that company but I'm sure that application is still actively used today.
-
In other news, I have been forbidden by my boss to implement any security or performance improvements into the company infrastructure as this holds no business value. Furthermore, passwords are not to be a random alphanumeric+special-chars string but something legible.
-
I don't understand how it is possible that programmers today are developing applications that are storing plain passwords in the database.
I know it's kinda boring topic since everybody here is talking about it this week, but it's really confusing to me.
Every now and then some DB gets hacked, millions of passwords are leaked and then you have developers, who should be smart and logical people, who decide to do that.
Ok, maybe the project deadline was close or something similar, but I think there is no excuse for something like that. No matter how close or behind deadline the project is, you should always be able to explain to your boss/client what could happen.
-
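The SHA-1-without-salt confession a few posts up and the plaintext-storage rant just above describe the same failure from two sides. What follows is an added example, not code from either poster: what a users table looks like under unsalted hashing, why one precomputed table exposes every such account at once, and what a per-user salt plus a slow key derivation changes. The accounts and the "common password" list are constructed sample data.

```python
"""Added example, not code from any rant on this page: what the storage
schemes the rants complain about (plaintext, unsalted SHA-1) look like in a
database, why one lookup table exposes every account under them, and what
per-user salted, slow hashing changes. Standard library only; the accounts and
the "common password" list are constructed sample data."""
from __future__ import annotations

import hashlib
import hmac
import secrets

# Constructed sample accounts; alice and bob chose the same weak password.
SAMPLE_USERS = {
    "alice": "Summer2019",
    "bob": "Summer2019",
    "carol": "correct horse battery staple",
}

# Constructed stand-in for a public list of breached passwords.
COMMON_PASSWORDS = ["123456", "password", "Summer2019", "qwerty"]

PBKDF2_ITERATIONS = 200_000  # deliberately slow; use a higher count in production


def sha1_unsalted(password: str) -> str:
    """The scheme from the rant: one fast hash, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def store_unsalted(users: dict[str, str]) -> dict[str, str]:
    """The users table under that scheme: username -> hex digest."""
    return {user: sha1_unsalted(pw) for user, pw in users.items()}


def audit_unsalted(stored: dict[str, str], wordlist: list[str]) -> dict[str, str]:
    """Defender's audit of a leaked table. With no salt, identical passwords
    give identical digests, so a single precomputed table of common passwords
    is compared against every row at once. Returns username -> password for
    the accounts that would be exposed."""
    table = {sha1_unsalted(word): word for word in wordlist}
    return {user: table[digest] for user, digest in stored.items() if digest in table}


def make_record(password: str) -> dict[str, str | int]:
    """Per-user random salt plus a slow key derivation (PBKDF2-HMAC-SHA256)."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": PBKDF2_ITERATIONS}


def store_salted(users: dict[str, str]) -> dict[str, dict]:
    """The users table under the salted scheme; two equal passwords now differ."""
    return {user: make_record(pw) for user, pw in users.items()}


def verify(record: dict, password: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    weak = store_unsalted(SAMPLE_USERS)
    print("unsalted: alice and bob share a digest:", weak["alice"] == weak["bob"])
    print("unsalted: exposed by one table:", audit_unsalted(weak, COMMON_PASSWORDS))
    strong = store_salted(SAMPLE_USERS)
    print("salted: alice and bob share a digest:",
          strong["alice"]["hash"] == strong["bob"]["hash"])
    print("salted: alice verifies:", verify(strong["alice"], "Summer2019"))
    # A weak password is still guessable per account, but each guess now costs
    # a full PBKDF2 run for that one user instead of one table lookup for everyone.
```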
I learned recently that you can inject SQL lines in some fields like Passwords or usernames on some websites. (Hacky hacky)
At work there is this intra website that is used to manage the parts of the radios and computers we repair.
Each piece has a specific number, and there is a tree with every pieces for each radio/computer.
When we get to repair one, we gotta change the pieces virtually on the website. Sadly sometimes, the virtual pieces aren't marked like they followed the whole radio from the place they come from to the place we repair (we need it to replace the piece). People are just not doing their job, so we have to send emails and call for them to do it so we can repair it. (This is already fucked up.)
Today, I had to replace a piece, but it was marked like it's not there. I called the guy, and it seems like he is on a vacation for weeks. My superior was super annoyed due to the urge of this task.
Guess who managed to change the _mainlocation_ of the _piece_ in the _radiopieces_ table. (Not actual names, you malicious cunt)
I spent 3 hours looking for the name of the fields and table. I don't know how many times I had to refresh the damn page to see I failed once again.
Hopefully I didn't have to guess all of them. Also the joy when I realised I succeed !!!
No one bats an eye, and I'm here, feeling infinitely superior, as I might get punished for wanting to do my job.
I know it's basic moves to some of you, but damn it felt good.
Conclusion: Do what you have to, specially when it takes 5 minutes and people need it.
-
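The rant above turns on a form field whose text is pasted straight into a query. As an added example (not the poster's code, and not the workplace system he describes), here is the same piece-location lookup and update written both ways against an in-memory SQLite database with constructed rows; the `pieces` table, its columns and the ids are invented.

```python
"""Added example, not from the rant above: a piece-location lookup and update
written two ways, with the input pasted into the SQL text versus bound as a
parameter. In-memory SQLite with constructed rows; the table and column names
are invented and not the workplace system the rant describes."""
import sqlite3

# Constructed sample inventory; the last id legitimately contains a quote.
SAMPLE_ROWS = [
    ("R-1001", "receiving"),
    ("R-1002", "repair-bench"),
    ("O'Brien-7", "repair-bench"),
]


def open_sample_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE pieces (piece_id TEXT PRIMARY KEY, location TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO pieces VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def location_concat(conn: sqlite3.Connection, piece_id: str):
    """Vulnerable form: the value becomes part of the statement, so any quote
    in it alters the SQL instead of being treated as data. With O'Brien-7 the
    statement is no longer well-formed and SQLite raises OperationalError."""
    sql = "SELECT location FROM pieces WHERE piece_id = '" + piece_id + "'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def location_param(conn: sqlite3.Connection, piece_id: str):
    """Fixed form: the value is bound by the driver and is never parsed as SQL."""
    row = conn.execute(
        "SELECT location FROM pieces WHERE piece_id = ?", (piece_id,)
    ).fetchone()
    return row[0] if row else None


def move_piece(conn: sqlite3.Connection, piece_id: str, new_location: str) -> int:
    """Parameterized UPDATE; returns the rows changed so a caller can refuse to
    continue unless exactly one piece was moved."""
    cur = conn.execute(
        "UPDATE pieces SET location = ? WHERE piece_id = ?", (new_location, piece_id)
    )
    conn.commit()
    return cur.rowcount


def lookup_both(conn: sqlite3.Connection, piece_id: str) -> dict:
    """Run both lookups on the same input and report what each one did."""
    try:
        concat = location_concat(conn, piece_id)
    except sqlite3.OperationalError as exc:
        concat = "SQL error: " + str(exc)
    return {"concat": concat, "param": location_param(conn, piece_id)}


if __name__ == "__main__":
    db = open_sample_db()
    print(lookup_both(db, "R-1001"))      # both return 'receiving'
    print(lookup_both(db, "O'Brien-7"))   # concat breaks, param returns 'repair-bench'
    print(move_piece(db, "R-1001", "repair-bench"), "row moved")
```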
Security fail here. I've just started a PPI claim and have been provided a link to a so called "very secure" client area.
There are no username or passwords and the screenshot is not a first time sign up screen.
All I need to login is a surname, postcode and DOB - all information easy enough to find online.
Pretty bad IMO, esp, so considering the effort required to add a proper login using a username/password combination.
I mean I'm logged in now and have no option to set an account password :|
-
So I eventually spent 2 years working for that company with a strong b2b market. Everything from the checkouts in their 6 b2c stores to the software used by the 30-people sales team was dependent on the main ERP shit home-built with this monstrosity we call Windev here in France. If you don't know it just google and have some laugh : this is a proprietary FRENCH language. Not french like made by french people, well that too, but mostly french like the fucking language is in fucking French ! Instructions are in French, everything. Hey that's my natural language okay, but for code, really ?
The php website was using the ERP database too, even all the software/hardware of the massive logistic installation they had (like a tiny Amazon depot), and of course the emails of all employees. Everything was just handled by this unique shitty and so sloooooow fucking app. When there was to many clients on the website or even too many salespeople connected to the ERP at the same time, every-fuckin-piece of the company was slowing down, and even worse facing critical bugs. So they installed a monitor in the corner of a desk constantly showing the live report page of Google analytics and they started panic attacks everytime it was counting more than 30 sessions on the website. That was at the time fun and sad to observe.
The whole shit was created 12 years ago and is since maintained locally by one unique old-fashion-microsoft dev who also has to maintain all the hardware of all the fucking 150+ people business. You know, when the keyboard of anyone is "broken" cause it's unplugged... That's his job too. The poor guy was totally overstressed on a daily basis and his tech knowledge just sadly lost itself somewhere in the way. He was my n+1 in a tech team of 3 people : him, a young and inexperienced so-called "php developer" who was in charge of the website (btw full of security holes I discovered and dealt with when I first arrived at the job), and myself.
The database was a hell of 100+ tables of business and marketing data with a ton of specific logic added on-the-go during years. No consistent data model or naming. No utf8. Fucked up relations that end with queries long enough to fill books. And that's not all, all the customers' passwords were just stored there unencrypted. Several very big companies and administrations were some of these clients. I was insisting on the passwords point literally all the time, that was an easy security fix and a good start... But no, in two years of discussions on the subject I never achieved to have them focusing on other considerations than "our customers like that we can remind them their password by a simple phone call if they lost it". What. The. Fuck. WHATTHEFUCK!
Eventually I ran myself out of this nightmare. I had a few bad jobs already, and worked on shitty software already. But that one really blows my mind (and motivation for a time too). Happy it's over.
-
Not as much of a rant as a share of my exasperation you might breathe a bit more heavily out your nose at.
My work has dealt out new laptops to devs. Such shiny, very wow. They're also famously easy to use.
.
.
.
My arse.
.
.
.
I got the laptop, transferred the necessary files and settings over, then got to work. Delivered ticket i, delivered ticket j, delivered the tests (tests first *cough*) then delivered Mr Bullet to Mr Foot.
On day 4 of using the temporary passwords support gave me, I thought it was time to get with department policy and change my myriad passwords to a single one. Maybe it's not as secure but oh hell, would having a single sign-on have saved me from this.
I went for my new machine's password first because why not? It's the one I'll use the most, and I definitely won't forget it. I didn't. (I didn't.) I plopped in my memorable password, including special characters, caps, and numbers, again (carefully typed) in the second password field, then nearly confirmed. Curiosity, you bastard.
There's a key icon by the password field and I still had milk teeth left to chew any and all new features with.
Naturally I click on it. I'm greeted by a window showing me a password generating tool. So many features, options for choosing length, character types, and tons of others but thinking back on it, I only remember those two. I had a cheeky peek at the different passwords generated by it, including playing with the length slider. My curiosity sated, I closed that window and confirmed that my password was in.
You probably know where this is going. I say probably to give room for those of you like me who certifiably. did. not.
Time to test my new password.
*Smacks the power button to log off*
Time to put it in (ooer)
*Smacks in the password*
I N C O R R E C T L O G I N D E T A I L S.
Whoops, typo probably.
Do it again.
I N C O R R E C T L O G I N D E T A I L S.
No u.
Try again.
I N C O R R E C T L O G I N D E T A I L S.
Try my previous password.
Well, SUCCESS... but actually, no.
Tried the previous previous password.
T O O M A N Y A T T E M P T S
Ahh fuck, I can't believe I've done this, but going to support is for pussies. I'll put this by the rest of the fire, I can work on my old laptop.
Day starts getting late, gotta go swimming soonish. Should probably solve the problem. Cue a whole 40 minutes trying my 15 or so different passwords and their permutations because oh heck I hope it's one of them.
I talk to a colleague because by now the "days since last incident" counter has been reset.
"Hello there Ryan, would you kindly go on a voyage with me that I may retrace my steps and perhaps discover the source of this mystery?"
"A man chooses, a slave obeys. I choose... lmao ye sure m8, but I'm driving"
We went straight for the password generator, then the length slider, because who doesn't love sliding a slidey boi. Soon as we moved it my upside down frown turned back around. Down in the 'new password' and the 'confirm new password' IT WAS FUCKING AUTOCOMPLETING. The slidey boi was changing the number of asterisks in both bars as we moved it. Mystery solved, password generator arrested, shit's still fucked.
Bite the bullet, call support.
"Hi, I need my password resetting. I dun goofed"
*details tech support needs*
*It can be sorted but the tech is ages away*
Gotta be punctual for swimming, got two whole lengths to do and a sauna to sit in.
"I'm off soon, can it happen tomorrow?"
"Yeah no problem someone will be down in the morning."
Next day. Friday. 3 hours later, still no contact. Go to support room myself.
The guy really tries, goes through everything he can, gets informed that he needs a code from Derek. Where's Derek? Ah shet. He's on holiday.
There goes my weekend (looong weekend, bank holiday plus a flexi-time day) where I could have shown off to my girlfriend the quality at which this laptop can play all our favourite animé, and probably got reminded by her that my personal laptop has an i2350u with integrated graphics.
TODAY. (Part is unrelated, but still, ugh.)
Go to work. Ten minutes away realise I forgot my door pass.
Bollocks.
Go get a temporary pass (of shame).
Go to clock in. My fob was with my REAL pass.
What the wank.
Get to my desk, nobody notices my shame. I'm thirsty. I'll have the bottle from my drawer. But wait, what's this? No key that usually lives with my pass? Can't even unlock it?
No thanks.
Support might be able to cheer me up. Support is now for manly men too.
*Knock knock*
"Me again"
"Yeah give it here, I've got the code"
He fixes it, I reset my pass, sensibly change my other passwords.
Or I would, if the internet would work.
It connects, but no traffic? Ryan from earlier helps, we solve it after a while.
My passwords are now sorted, machine is okay, crisis resolved.
*THE END*
If you skipped the whole thing and were expecting a tl;dr, you just lost the game.
Otherwise, I absolve you of having lost the game.
Exactly at the char limit9 -
Hey there 👋
I am more or less throwing any burden (WhatsApp, Facebook, Google etc.) out of my life. Of course I will continue using the Google account for YouTube and some games that need it.
That's what it looks like right now:
Raspberry Pi 3B+
✅ webserver
- forum - complete (atm just for me)
- blog - no ideas and just installed october cms and nothing done yet
- nextcloud - complete and filled with my porn... eeh... data
✅ mailserver
(missing spamassassin, clam or sth. like this but it's working 😂)
✅ matrix-synapse
(as an additional alternative to messengers)
______________
Raspberry Pi 2
✅ catches dust
(any ideas?)
Of course, many more configurations and the like are necessary before everything is ready... but what then or what else is there?
At the moment I still use WhatsApp. Just wanna take time before sending everyone a message about changing the messenger and that it should be important to think about one's own privacy, which alternatives there are, bla...
Edit: For passwords I'm using Myki - didn't hear anything bad about it yet and it's very easy to use (Firefox add-on, Android app).
I love my passwords with 200 characters 😂
Maybe someone knows more about them?
Hope I didn't forget a thing... thanks in advance aaaaaaand... I'm gone. ☺23 -
I promised a friend to have a look over his dad's website to add a small blog. No big deal, I've got it on my drive, can reuse it, just need to adapt it to the environment.
I take a look at what I'm working with and I see the most terrifying piece of "Please, take my data" code I could possibly imagine (And I've seen passwords, in plain text in a script tag). I quote:
function queryDB(mode, val) {
    var query = "";
    if (mode === "findProd")
        query = "Select * from Products where ProdNam=" + val;
    ... (same shit for different cases)
    sendQuery(query);
}
He literally built the query on the client side, sent it to a PHP script (without validation) and inserted it into the database.
You could literally call window.sendQuery with any sql query and get the result printed into the console.
And unlike the plain text passwords guy, this wasn't some kid someone knew, this was a "Webdesign" agency.
Now I took the entire thing offline, called my friend's dad, explained it to him and am trying to sort this out. I would not charge a good friend's father, but that hack will get a quite hefty bill since my hourly rate just tripled.
And the worst thing: if I publicly name that asshole or warn the people in his portfolio I can, according to Google, be sued. (But, and I assume that's vague enough not to count as bad-mouthing, if anyone of you has a customer from Rheinland-Pfalz, Germany with a preexisting page, please have a look at the database interface)
I will call that agency tomorrow, ask for a detailed explanation for why they apparently let trained monkeys write their code and anonymously warn everyone in their portfolio about those flaws...
I don't know if I'm cursed or if there are just that many bad devs but it seems that once a year I have to stumble over some "mistakes" that make me question my sanity.4 -
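The queryDB() pattern above next to a hardened server-side counterpart, as an added example that is not from the rant or the agency's code; it uses Python with an in-memory sqlite3 table as a stand-in for the PHP script and the real database, and the product rows, column names beyond ProdNam, and the allow-list of query modes are constructed for the demo.

```python
import sqlite3

# Constructed stand-in for the agency's Products table (not real data).
SAMPLE_PRODUCTS = [
    (1, "Widget", 9.99),
    (2, "Gadget", 19.99),
    (3, "Gizmo", 4.50),
]

# Server-side allow-list (constructed): each query mode maps to one fixed SQL
# statement with a bound parameter. The client only ever sends (mode, val),
# never SQL text, so there is no sendQuery() endpoint to call with raw SQL.
ALLOWED_QUERIES = {
    "findProd": "SELECT id, ProdNam, price FROM Products WHERE ProdNam = ?",
}


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Products (id INTEGER PRIMARY KEY, ProdNam TEXT, price REAL)"
    )
    conn.executemany("INSERT INTO Products VALUES (?, ?, ?)", SAMPLE_PRODUCTS)
    conn.commit()
    return conn


def vulnerable_query_db(conn, mode, val):
    """Port of the rant's queryDB(): the statement is assembled by string
    concatenation, so whatever `val` contains becomes part of the SQL. The
    original does not even quote `val`; the caller has to supply the quotes,
    which already shows that `val` is treated as code rather than data."""
    query = ""
    if mode == "findProd":
        query = "Select * from Products where ProdNam=" + val
    # In the rant, sendQuery() forwards this string to PHP, which runs it as-is.
    return conn.execute(query).fetchall()


def hardened_query_db(conn, mode, val):
    """Server-side replacement: `mode` selects a fixed statement from the
    allow-list and `val` is bound as a parameter, so it can only ever be
    compared against product names as a literal value."""
    sql = ALLOWED_QUERIES.get(mode)
    if sql is None:
        # Reject (and in a real app, log) anything outside the allow-list.
        raise ValueError(f"unknown query mode: {mode!r}")
    return conn.execute(sql, (val,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    # Intended use: one product by name (the vulnerable version needs quotes).
    print(vulnerable_query_db(conn, "findProd", "'Widget'"))
    print(hardened_query_db(conn, "findProd", "Widget"))
    # Input that is SQL syntax rather than a name: the vulnerable version lets
    # it change the WHERE clause; the hardened one just finds no such product.
    print(len(vulnerable_query_db(conn, "findProd", "'' OR 1=1")))
    print(hardened_query_db(conn, "findProd", "'' OR 1=1"))
```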
I'd never do anything "risky" in a prod environment if I considered it so at the time, but in retrospect there's *lots* of things considered risky now (both from a security and good practice viewpoint) that were standard practice not long ago:
- Not using any form of version control
- No tests (including no unit tests)
- Not considering XSS vulnerabilities
- Completely ignoring CSRF vulnerabilities
- Storing passwords as unsalted MD5 hashes (heck that was considered very *secure* in the days of plaintext password storage.)
...etc. I'm guilty of all of those previously. I daresay in the future there will be yet more things that may be standard practice now, but become taboos we look back on with similar disdain.1 -
Passwords.. how do you guys manage yours? I'm one of those who often used the same semi-weak password for nearly everything
I'm more than likely going to get a password manager but I have no idea which, do you use any?30 -
*follow-up to https://devrant.com/rants/1887422*
The burnt remnants of my ID card's authentication information, waiting for the wind to come pick them up. It's stored in my password database now and committed to my git server, as it should be. Storing PIN and PUK codes on paper, whatever government cunt thought that that was a good idea...
If you've got identification papers containing authentication information like PIN and PUK codes, by all means add them to your password manager (if you're using Linux, I'd like to recommend GNU Pass) at once and burn the physical version. There's no reason why you'd want those on paper, unless you store your passwords on a post-it too.
At least that's as much as me and possibly you as citizens can do. Our governments are doomed anyway, given the shitty security policy they have, and likely the many COBOL mainframes still in use today. Honestly, the meddling of Russia with the US elections doesn't seem too far-fetched, given this status quo. It actually surprises me that this kind of stuff doesn't happen more often, given that certain governments hire private pentesters yet can't secure their own infrastructure. -
Why are the MOST important passwords in my life (banks, financial, insurance) the LEAST secure (i.e. Max length 12, no special chars)
-
The most annoying co-worker(*team*) I have worked with just signed off a custom project that uses plain text passwords, hard coded into a file.. PLAIN TEXT!!! NO HASH!!! NOTHING!!! The same team also told me that working in feature branches cuts into their productivity, but they want CI/CD implemented NOW!3
-
It's a tie between 3 things for me.
1. md5 hashed passwords
2. post variable concatenated into sql with no checks
3. admin login over http
sad thing is that all 3 were one website I redid a few years ago8 -
I've been using keepass for everything and just recently I've just come to realization of just how hard it is to get into my accounts now that I've done this.
Literally, I'm useless if I don't have a computer to get my passwords. (I know it's for Android too, but I need the database)
I was trying to log into my Spotify, but I couldn't remember my password. Then I thought, oh I know, I'll just log into Facebook and do it that way.
LOL JK you don't know the password
Fuck... what about my email???
LOL NOPE!
Seriously if I was held at gun point and told to log into anything I'd be dead. I've literally secured myself out of my own accounts...
I guess if there is any silver lining, it's that no-one, and I mean 'no-one' is getting into my accounts any time soon.9 -
Let's talk about the cargo cult of N-factor authentication. It's not some magic security dust you can just sprinkle onto your app "for security purposes".
I once had a client who had a client who I did server maintenance for. Every month I was scheduled to go to the site, stick my fingerprint in their scanner, which would then display my recorded face prominently on their screens, have my name and purpose verified by the contact person, and only then would the guards let me in.
HAHA no of course not. On top of all of that, they ask for a company ID and will not let me in without one.
Because after all, I can easily forge my face, fingerprints, on-site client contact, appointment, and approval. But printing out and laminating a company ID is impossible.
---
With apologies to my "first best friend" in High School, I've forgotten which of the dozens of canonicalisations of which of your nicknames I've put in as my answer to your security question. I've also forgotten if I actually listed you as my first best friend, or my dog - which would actually be more accurate - and actually which dog, as there are times in my High School life that there were more tails than humans in the house.
I have not forgotten these out of spite, but simply because I have also forgotten which of the dozen services of this prominent bullshit computer company I actually signed up for way back in college, which itself has been more than a decade ago. That I actually apparently already signed up for the service before actually eludes me, because in fact, I have no love for their myriad products.
What I have NOT forgotten is my "end of the universe"-grade password, or email, or full legal name and the ability to demonstrate a clear line of continuity of my identity from wherever that was to now.
Because of previous security screwups in the past, this prominent bullshit company has forced its users to activate its second, third, and Nth factors. A possibly decade-old security question; a phone number long lost; whatever - before you can use your account.
Note: not "view sensitive data" about the account, like full name, billing address, and contact info. Not "change settings" of the account, such as changing account info, email, etc. Apparently all those are the lowest tier of security meant to be protected by mere "end of the universe"-grade passwords and a second factor such as email, which itself is likely to be sold by a company that also cargo cults N-factor auth. For REAL hard info, let's ask the guy who we just showed the address to "What street he lived in" and a couple others.
Explaining this to the company's support hotline is an exercise in...
"It's for your security."
"It's not. You're just locking me out of my account. I can show you a government ID corroborating all the other account info."
"But we can't, for security."
"It's not security. Get me your boss."
...
"It's for security."8 -
oh FFS my university pissed me off so bad right now that I had to wait 20 min to cool down to be able to write a rant about it...
so, one of the university departments offers an email address which is the official university-approved email for student packs like JetBrains'. I wanted to renew my JetBrains subscription, but for that I have to get a verification email on that address..
But since the only time I use it is this annual renewal I don't know the webmail's URL..
So I search for it on the department pages, services and it's nowhere to be found. Finally I found it on a student maintained wiki page.
I try to log in.. no luck. try another password, still not it. Try all of the passwords that I remember using in the previous 3 year and no luck.
well fck it, the password change is managed by a website where I can log in with a different method, so I change the password and try to log in again.
No fcking luck! And at this point I bashed my head against the wall because I found out that the password change takes them about 1 or 2 hours... hours! wtf...5 -
Okay so my brother in law has a laptop that is... To put it mildly, chock-full of viruses of all sorts, as it's an old machine still running W7 while still being online and an AV about 7 years out of date.
So my bro in law (let's just call him my bro) asked me to install an adblock.
As I launched chrome and went to install it, how ever, the addon page said something like "Cannot install, chrome is managed by your company" - wtf?
Also, the out of date AV couldn't even be updated as its main service just wouldn't start.
Okay, something fishy going on... Uninstalled the old av, downloaded malware bytes and went to scan the whole pc.
Before I went to bed, it'd already found >150 detections. Though as the computer is so old, the progress was slow.
Thinking it would have enough time over night, I went to bed... Only to find out the next morning... It BSoD'd over night, and so none of the finds were removed.
Uuugh! Okay, so... Scanning out of a live booted linux it is I thought! Little did I know how much it'd infuriate me!
Looking through google, I found several live rescue images from popular AV brands. But:
1 - Kaspersky Sys Rescue -- Doesn't even support non-EFI systems
2 - Eset SysRescue -- Doesn't mount the system drive, terminal emulator is x64 while the CPU of the laptop is x86 meaning I cannot run that. Doesn't provide any info on username and passwords, had to dig around the image from the laptop I used to burn it to the USB drive to find the user was, in fact, called eset and had an empty password. Root had a pass set but not in the image shadow file, so no idea really. Couldn't sudo as the eset user, except for the terminal emulator, which crashes thanks to the architecture mismatch.
3 - avast - live USB / CD cannot be downloaded from the web, has to be installed through avast, which I really didn't want to install on my laptop just to make a rescue flash drive
4 - comodo - didn't even boot due to architecture mismatch
Fuck it! Sick and tired of this, I'm downloading Debian with XFCE. Switched to tty1 after the kernel loads, killed lightdm and the X server to minimize USB drive reads, downloaded clamav (which got stuck on the man-db update. After 20 minutes... I just killed it from a second tty, and the install finished successfully)
A definitions update, short manual skimover, and finally, got scanning!
Only... It's taking forever and not printing anything. Stracing the clamscan command showed it was... Loading the virus definitions lol... Okay, it's doing its thing, I can finally go have dinner
Man I didn't know x86 support got so weak in the couple years I haven't used Linux on a laptop lol.9 -
Just met a startup that has a programmer intern but no IT supervisor. I felt so sorry for her that I decided to show her a few cool tools that she can use in her work.
She was still using Xampp, Google Chrome, command prompt and paper trails (for all of the passwords she had to manage to different accounts)
Showed her how to use Docker, Git Bash and WSL, Firefox Developer Edition, VS Code (if she decides to not use that unregistered Sublime Text editor) and LastPass (personal preference).
Best of luck!2 -
The most annoying hack I've had to deal with was back when I did IT support, actually. Level 1 call center tech at the time. Apparently someone fell for a phishing email and gave out his outlook credentials. The phisher used that email account to send out another phishing email to roughly 1800 employees.
Security Operations noticed, because this guy's job didn't generally involve sending out mass-communication emails. They investigated, figured out what had happened, and opted for the nuclear option: they reset the password for EVERY SINGLE ACCOUNT that received the email. All 1800 of them. Over the weekend.
I walked into the call center Monday morning and checked the call stats, then did a double-take. There were over 300 people waiting in the queue. I almost left and called in sick. Turns out it wasn't that bad though. Annoying to reset so many passwords and having no downtime due to the full queue, but on the other hand my stats were better that day than any other, since every call was a 5-minute password reset.1 -
ZNC shenanigans yesterday...
So, yesterday in the midst a massive heat wave I went ahead, booze in hand, to install myself an IRC bouncer called ZNC. All goes well, it gets its own little container, VPN connection, own user, yada yada yada.. a nice configuration system-wise.
But then comes ZNC. Installed it a few times actually, and failed a fair few times too. Apparently Chrome and Firefox block port 6697 for ZNC's web interface outright. Firefox allows you to override it manually, Chrome flat out refuses to do anything with it. Thank you for this amazing level of protection Google. I didn't notice a thing. Thank you so much for treating me like a goddamn user. You know Google, it felt a lot like those plastic nightmares in electronics, ultrasonic welding, gluing shit in (oh that reminds me of the Nexus 6P, but let's not go there).. Google, you are amazing. Best billion dollar company I've ever seen. Anyway.
So I installed ZNC, moved the client to bouncer connection to port 8080 eventually, and it somewhat worked. Though apparently ZNC in its infinite wisdom does both web interface and IRC itself on the same port. How they do it, no idea. But somehow they do.
And now comes the good part.. configuration of this complete and utter piece of shit, ZNC. So I added my Freenode username, password, yada yada yada.. turns out that ZNC in its infinite wisdom puts the password on the stdout. Reminded me a lot of my ISP sending me my password via postal mail. You know, it's one thing that your application knows the plaintext password, but it's something else entirely to openly share that you do. If anything it tells them that something is seriously wrong but fuck! You don't put passwords on the goddamn stdout!
But it doesn't end there. The default configuration it did for Freenode was a server password. Now, you can usually use 3 ways to authenticate, each with their advantages and disadvantages. These are server password, SASL and NickServ. SASL is widely regarded to be the best option and if it's supported by the IRC server, that's what everyone should use. Server password and NickServ are pretty much fallback.
So, plaintext password, default server password instead of SASL, what else.. oh, yeah. ZNC would be a server, right. Something that runs pretty much forever, 24/7. So you'd probably expect there to be a systemd unit for it... Except, nope, there isn't. The ZNC project recommends that you launch it from the crontab. Let that sink in for a moment.. the fucking crontab. For initializing services. My whole life as a sysadmin was a lie. Cron is now an init system.
Fortunately that's about all I recall to be wrong with this thing. But there's a few things that I really want to tell any greenhorn developers out there... Always look at best practices. Never take shortcuts. The right way is going to be the best way 99% of the time. That way you don't have to go back and fix it. Do your app modularly so that a fix can be done quickly and easily. Store passwords securely and if you can't, let the user know and offer alternatives. Don't put it on the stdout. Always assume that your users will go with default options when in doubt. I love tweaking but defaults should always be sane ones.
One more thing that's mostly a jab. The ZNC software is hosted on a .in domain, which would.. quite honestly.. explain a lot. Is India becoming the next Chinese manufacturers for software? Except that in India the internet access is not restricted despite their civilization perhaps not being fully ready for it yet. India, develop and develop properly. It will take a while but you'll get there. But please don't put atrocities like this into the world. Lastly, I know it's hard and I've been there with my own distribution project too. Accept feedback. It's rough, but it is valuable. Listen to the people that criticize your project.9 -
i asked my dad for help with a GRUB issue (EFI file wasn't seen in my BIOS anymore, nor booted when pointed directly at, even after ALL THE CONFIGURATIONS POSSIBLE) and i walked away for a while, content he'd figure it out (there's still a few things he knows more than me about.) I come back 30 minutes later and he's zero-filled my main drive and is halfway through installing Win10. His reasoning? "I'm installing surveillance software since you won't give me your college passwords and I need access to your college's site and your account. I can't do that on Debian."
I didn't give him authorization for this, and I thought he had zeroed my backups drive too, but it turns out it was having I/O issues (my controller is finicky sometimes, a boot cycle with it removed fixed it, luckily I can't write to drives it doesn't like when it's being a shithead)
What do? I can't sue as he owns almost everything I use and the house I live in and would no doubt kick me out and take all "my" stuff, but I feel like this really can't go ignored. I can't just talk to him about it as he thinks anything he wants done has to be done as he sees himself as above all other people, so he just shouts me down...24 -
Thank you microsoft. You clearly got that right. If someone knows how to make passwords secure, it's you.
... Is this what you wanted to hear? Because it looks like you have no idea what you're doing.1 -
Best: chief university lab position, 12 yrs as a 👨🏫 system engineer teacher, really need a break, updating me as a pro.
Worst: last chief just left an email with CISCO passwords. No F* VLANs reference, no technical manual, deleted all the Sh* documents on the PC.
So about 4 days of no internet at the university, reset 25+ CISCO switches, reorganizing fibers, all week 💤 6am-11pm or more. VTP server core nice and clean, nice VLANs, ClearOS formatted and licensed, ubnt portal for Wi-Fi.
December, organizing all the administrative stuff. We are back stable and documenting. Moving and painting office, delegation of staff.
Now in vacations with a “tepache 🍻 “ 🍍2 -
The ticket system blokes - episode 3
So we always had and have very awful performance with our ticket system. You can't get anything to load in under ~4s normally. Now since it has gotten worse over the last weeks i decided to set aside a few hours to closely watch our SQL server.
After i identified a culprit that was hogging the CPU almost every 2 minutes i looked at other long running queries in the server and found out where exactly the 4s come from.
6 tables from various DBs. Sure, no problem.
Left Outer Join. Sure, why not.
Querying every fucking column in every fucking table explicitly adding up to a whopping 160 columns which they need not even 10% of. We're talking about session IDs, passwords, stock count, IBANs and all that stuff to show the work done on a ticket. Absolutely not.
So i extracted the query and reduced it to the stuff we need and the execution time went from 4 seconds to almost instant.
The funny thing is that their idea of performance optimization is throwing LIMIT around everywhere to get these monstrous queries under control.
So in the next few days I'll have an appointment with their lead programmer. I'm looking forward to it.
So out of curiosity: does anyone know an SQL builder or toolset that does shit like
SELECT X AS [t0_c0],
       Y AS [t0_c1],
       Z AS [t1_c0],
and so on? I'd like to know how they got to this point.4 -
It's gotten to the point where I am legitimately impressed when I can tell a service is hashing their passwords.
All of these unnecessary complications of "must not have more than 2 of the same character in a row" but "can't be more than 12 characters" requirements make me think that the passwords are being saved in plain text.
Amazon and Dropbox do it right - present the user with an input box and no requirements printed anywhere.8 -
Windows 10 Action Center yesterday alerted me to set a PIN for my laptop.
Turned on PC this morning and typed in my regular password then realized it wanted the PIN.
Thinking how this feature came to be....
1. Windows wants you to link your login to your Microsoft/Hotmail account and it makes it a pain in the ass to set a separate one (Windows 8)
2. 2018 arrived and logins are a pain, everything is autologin or PIN/code based (aka short 'unsecure' passwords)
3. MS backtracks and realizes email logins are too long so they make a partial fix which basically reverts back to the pre-Win8 days of a separate system login.. except now it's called a new feature!
I realized now under enter a PIN the reason for the checkbox that says: Allow symbols and letters. It's a nice way of saying: please type in your old password again.
**Also rant #2: cuz I don't feel like waiting 1hr**
I felt great yesterday when my boss told me apparently I have like an Expert designation at the company.
Feel like crap today cuz some user is complaining about some report:
- they asked us to create months ago
- now complaining it's all wrong but never gave any formal requirements and actually did sign off on it during testing
- FIXED ASAP
HELLO!!!!!!!!!!! STOP MAKING IT SOUND LIKE IT'S MY FAULT U CAN'T BE BOTHERED TO PROVIDE CLEAR REQUIREMENTS AND THEN TAKING FOREVER TO COME BACK WITH UR PROBLEMS AND NOW NEED IT FIXED ASAP BY USING A NEW DATA SOURCE THAT I HAVE NO IDEA WHAT THE FUCK IS SINCE U USED A RANDOM ABBREVIATION LIKE I CAN MIND READ.
IF I COULD MINDREAD, ID BE WORKING ON A PLAN TO GET UR ASS FIRED.....
Happy friday and long weekend... Got 3 days to relax before i need to deal with this shit again...2 -
I really don't understand this particular Government Department's IT Unit. They have a system and network to maintain except:
- They don't have a DBA
- They don't have a dedicated Network Engineer or Security Staff
- Zero documentation on all of the systems that they are taking care of (its all in each assigned particular staff's brain they said)
- Unsure and untested way of restoring a backup into a system
- Server passwords are too simple and only one person was holding them this whole time and it's to an Administrator account. No individual user accounts.
- System was developed by an in-house developer who is now retired and left very little documentation on its usage but nothing on how its setup.
But, the system has been up and operational for the past 20 years and no major issues whatsoever with the users using it. I mean its a super simple system setup from the looks of it.
1 App Server connected to 1 DB Server, to serve 20-30 users. But it contains millions of records (2GB worth of data dump). I'm trying to swing to them to get me on a part time work to fix these gaps.
God save them for another 20 years.3 -
How do you get over the bad times? I keep having to work with shitty legacy systems that were written in Perl and Flash in the 90s, but my boss keeps telling me "No" on redoing some of the bigger stuff even though it is really needed. I mean, that is your goal here, right? Rebuilding this POS? FFS you still stored passwords in plain text two weeks ago! But no, you'd rather dig around in Perl than upset some random user because his fucking interface looks different.
But then I also have to work with another system that I could redo in Cake/Laravel in two weeks (it's literally getting and writing data to one table, so two views and user auth), and the previous dev just... made a huge mess. I mean, why would you need to post data asynchronously when it's this one stupid form? Just do a regular form submit? And the system is really not suitable for extending, because everything is in the database, EVERYTHING! Like, html form inputs? So to add a simple input to the template I have to create a new input type in the types table and then add that to the form structure table? Only to have the input checked by fucking regex! REGEX! Why? Seriously, this is not some high end CMS that needs this level of code reusability. No. This is a simple fucking form.
And I can't get it to work. No documentation of course. No comments, either. All of this makes me feel like I'm just the shittiest dev ever. I feel dumb, and useless. Haven't turned on my private PC in weeks because I see no reason to work on any of my own stuff.
I used to have a job, working with Magento and Wordpress. And yeah, it was horrible, it was chaos, but it was fun and I was great at it. I bent that motherfucking system to fit my needs. People respected my opinion, they were convinced I could program this and that, and I proved them right. Did I make mistakes? Hell yeah. Did I give up? Fuck no!
But now, I just feel like I can't even write a simple fucking form any more. I'm just so close to giving up on development as a whole, even though I love it so much. -
Somebody, anybody, tell me what I'm missing here that makes this get mass-produced.
I've always been a bit of a pyro, and I've certainly made random, pointless tech for no valid reason beyond "why not?". I also have dealt in international OEM sourcing and manufacturing. I even missed the selfie stick boom back before anyone knew they existed... multiple factories I've done signing business with were selling them (dead stock) below cost due to lack... silly me thought they were too ridiculous; one of my business cards literally says "Really cool stuff you almost always want... but never need". Most nonsense novelty is the majority of one of my businesses
...but seriously... who thinks a rechargeable battery, compact speakers, and lit gas canister is a good idea??
I think I may need to re-rank my mental list of most asinine things I've encountered this week... wsl GUI capability built-in with default images and the reminder of pointless features like passwords for groups, seem less worthy now. -
It was the last year of high school.
We had to submit our final CS homework, so it gets reviewed by someone from the ministry of education and grade it. (think of it as GPA or whatever that is in your country).
Now being me, I really didn’t do much during the whole year, All I did was learning more about C#, more about SQL, and learn from the OGs like thenewboston, derek banas, and of course kudvenkat. (Plus more)
The homework was a C# webform website of whatever theme you like (mostly a web store) that uses MS Access as DB and a C# web service in SOAP. (Don’t ask.)
Part 1/2:
Months have passed, and only had 2 days left to deadline, with nothing on my hand but website sketches, sample projects for ideas, and table schematics.
I went ahead and started to work on it, for 48 hours STRAIGHT.
No breaks, barely ate, family visited and I barely noticed, I was just disconnected from reality.
48 hours passed and I finished the project, I was quite satisfied with it, I followed the right standards from encrypting passwords to verifying emails to implementing SQL queries without the risk of SQL injection, while everyone else followed suit as the teacher taught with plain text passwords and… do I need to continue? You know what I mean here.
Anyway, I went ahead and was like, Ok, lets do one last test run, And proceeded into deleting an Item from my webstore (it was something similar to shopify).
I refreshed. Nothing. Blank page. Just nothing. Nothing is working, at all.
Went ahead to debug almost everywhere, nothing, I've gone mad, like REALLY mad and almost lost it, then an hour later of failed debugging attempts I decided to rewrite the whole project from scratch from rebuilding the db, to rewriting the client/backend code and ui, and whatever works just go with it.
Then I noticed a loop block that was going infinite.
NEVER WAIT FOR A DATABASE TO HAVE MINIMUM NUMBER OF ROWS, ALWAYS ASSUME THAT IT HAS NO VALUES. (and if your CPU is 100%, its an infinite loop, a hard lesson learned)
The issue was that I requested 4 or more items from a table, and if it was less it would just loop.
So I went ahead, fixed that and went to sleep.
Part 2/2:
The day has come, the guy from the ministry came in and started reviewing each one of the students' homework, and of course, some of the projects crashed last minute and straight up stopped working, it's like watching people burning alive.
My turn was up, he came and sat next to me and was like:
Him: Alright make me an account with an email of asd@123.com with a password 123456
Me: … that won't work, got a real email?
Him: What do you mean?
Me: I implemented an email verification system.
Him: … ok … just show me the website.
Me: Alright as you can see here first of all I used mailgun service on a .tk domain in order to send verification emails you know like every single website does, encrypted passwords etc… As you can see this website allows you to sign up as a customer or as a merc…
Him: Good job.
He stood up and moved on.
YOU MOTHERFUCKER.
I WENT THROUGH HELL IN THE PAST 48 HOURS.
AND YOU JUST SAT THERE FOR A MINUTE AND GAVE UP ON REVIEWING MY ENTIRE MASTERPIECE? GO SWIM IN A POOL FULL OF BURNING OIL YOU COUNTLESS PIECE OF SHIT
I got 100/100 in the end, and I kinda feel like shit for going through all that trouble for just one minute of project review, but hey at least it helped me practice common standards. -
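The two lessons in the rant above (a loop that waits for a table to contain a minimum number of rows, and queries built without SQL injection risk) as an added example that is not the ranter's C#/MS Access code. It uses Python's built-in sqlite3 with a constructed two-row table; the table name, columns and the `featured_items` / `find_item` function names are assumptions for this example:

```python
import sqlite3

# Constructed sample data for this example, not the post's web store:
# a tiny items table holding only two rows, fewer than the four the page asked for.
SAMPLE_ROWS = [("Widget", 9.99), ("Gadget", 24.5)]


def make_store() -> sqlite3.Connection:
    """Build an in-memory store with fewer rows than the 'featured items' box wants."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany("INSERT INTO items (name, price) VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def featured_items_buggy(conn, wanted, max_spins=1000):
    """The anti-pattern from the post: keep re-querying until the table yields
    `wanted` rows. With fewer rows than `wanted` this never terminates and pins
    a core; max_spins exists only so the demonstration returns instead of hanging."""
    spins = 0
    while True:
        rows = conn.execute("SELECT name, price FROM items ORDER BY id").fetchall()
        if len(rows) >= wanted:
            return rows[:wanted], spins
        spins += 1
        if spins >= max_spins:
            return None, spins  # the real code would still be looping here


def featured_items(conn, wanted):
    """Fixed version: ask for at most `wanted` rows and accept however many exist.
    The limit is bound as a parameter rather than formatted into the SQL string."""
    if wanted < 0:
        raise ValueError("wanted must be non-negative")
    return conn.execute(
        "SELECT name, price FROM items ORDER BY id LIMIT ?", (wanted,)
    ).fetchall()


def find_item(conn, name):
    """User-controlled input goes in as a bound parameter, so a value such as
    "' OR 1=1 --" is compared literally instead of rewriting the query."""
    return conn.execute(
        "SELECT name, price FROM items WHERE name = ?", (name,)
    ).fetchall()
```

The fixed query returns zero, one or two rows for `wanted = 4` and the page renders whatever it got; the only thing the caller should ever check is `len(rows)`, never "keep going until the count is right".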
Soo... Let me get this straight... My boss reeeeeeally wants me to reconfigure our database system to sync data between each of our 15 sites... Let me think about this...
Our database is an MS Access database originally written about 17 years ago. It was written as a standalone database that runs a unique instance for each of our sites. The person responsible for the database (still not the original developer) before I took over 6 years ago bragged about how they were "an 80s developer" (w...t...f!). Even with all of the fixes and additions (additions because... F&$#ing of course there are!) It's still basically held together by duct tape and spit.
Hmmm... Ok, still possible. What's the environment I'm working in... I have absolutely ZERO control of our workplace network... That's a whole other department. Due to the nature of the workplace (and it's sites) there is extreme limitation on network access.
Well... If I'm Reeeeeeally nice to the people in charge of the network, maaaaaybe they can give me access to a little server space.
A very long shot, but, doable... Oh, the boss would really like this handled in the next couple months...
F$#k you! There is no way on God's (still) green earth that I... Alone... Can rewrite a legacy database... written across 4 or 5 different versions of FU$KING MS Access, and give 15 sites, with extremely limited networking, real time data sync in... Oh, a few months.
Now, I do not work with "computer people". I'm usually lucky when my coworkers remember their passwords (which, even if they don't, WHY tell ME! I don't run the network!)
And when I tell my boss basically what I just said... In a nice, pleasant way... They suggest I'm not giving the problem enough thought...
FU#K YOU IGNORANT ASS! Write me a ToDo list in MS Access (no, I'm not going to tell you where to start) in under an hour then, MAYBE, we can talk about... No... Just NO... Can't be done!
*Takes deep breath* so... Lovely weather we're having, right? -
Boss hired a freelancer to work on a new reporting dashboard. Freelancer also built a backend. Boss wants me to work on fixing that backend. I check out the DB first only to find plaintext passwords. I threw up a little.
-
A long time ago you sent me an email with the subject 'I love you', I then got so excited that I forwarded the letter to all my contacts, and they forwarded it too.. I can't describe the words for the feelings I had back then for you. I fell in love with you, really. But there were always troubling moments for me.
For example when 'Code Red' showed up and found your backdoor. Man I was pissed at that time. I didn't know what to do next. But things settled, and we found each other again.
And then that other time when this girl named 'Melissa' was sending me some passwords to pr0n sites, I couldn't resist. She was really awesome, but you know, deep in my heart that was not what I wanted. I somehow managed to go back to you and say sorry. We even moved together in our first flat, and later in our own house. That was a really good time, I love to think back at those moments.
Then my friend 'Sasser' came over to us one night, do you remember how he claimed that big shelf in our living room, and overflowed it with his own stuff, so that we hadn't a clue what we were reading off the shelf any more? Wow, that was a disturbing experience.
But a really hard time has come when our dog 'Zeus' got kicked by this ugly trojan horse. I really don't want go into details how the mess looked like after we discovered him on our floor. Still, I am very sorry for him that he didn't survive it :(
Some months later this guy named 'Conficker' showed up one day. I shat my pants when I discovered that he guessed my password on my computer and got access to all my private stuff on it. He even tried to find some network shares of ours with our photos on them. God, I was happy that he didn't get access to the pics we stored there. Never thought that our homemade photos are not secure there.
We lived our lives together, we were happy until that day when you started the war. 'Stuxnet..'! you cried directly in my face, 'you are gonna blow up our centrifuges of our life', and yeah she was right. I was in a real bad mood those days back then. I didn't even try to hide my anger. But really, I don't know why all this could happen. All I know is, that it started with that cool USB stick I found on the stairs of our house. After that I don't remember anything, as it is just erased from my memory.
The years were passing. And I say the truth here, we were not able to manage the mess of our relationship. But I still loved you when you opened me that you will leave. My 'Heartbleed' started immediately, you stabbed it where it causes the most pain, where I thought that my keys to your heart are secured. But no, you stabbed even harder.
Because not long after that you even encrypted our private photos on our NAS, and now I am really finished, no memory which can be refreshed with a look at our pictures, and you even want my money. I really 'WannaCry' now... -
What the hell is wrong with the browser on iOS....
For Christ's sake almost no input attributes work. I have a Sign Up feature that validates passwords with a pattern attribute; doesn't work, required attribute; doesn't work, input type number; doesn't work.
What the fuck is wrong with this thing. Even Internet Explorer knows what those attributes mean. Absolute joke now I need to implement it manually. Fuck off apple. -
No idea what the fuck just happened, but my home router just dropped the internet connection and started demanding that I change the admin (default) password.
Now, I know that default passwords are bad and all that, but why the fuck now? This thing has been sitting there for over a year, and it only decided to complain now?
There have been some weird things going on lately, and I'm starting to worry that some of my systems may have been compromised in some way... but I'm not sure what/how, nor how to look for it...
Any tips for identifying a breach and disaster recovery? -
9000 internet cookie points to whoever figures out this shit:
I'm trying to import a secret gpg key into my keyring.
If I run "gpg2 --import secring.gpg" and manually type each possible password that I can think of, the import fails. So far, nothing unusual.
HOWEVER
If I type the same passwords into a file and run:
echo pwfile.txt | gpg2 --batch --import secring.gpg
IT ACTUALLY FUCKING WORKS
What the fuck??? How can it be that whenever I type the pw manually it fails, but when I import it from a file it works??
And no, it's not typos: I could type those passwords blindfolded from muscle memory alone, and still get them right 99% of the time. And I'm definitely not blindfolded right now.
BUT WAIT, THERE'S MORE!!
Suppose my pwfile.txt looks something like this:
password1
password2
password3
password4
password5
password6
Now, I'm trying to narrow it down and figure out which one is the right password, so I'm gonna split the file in two parts and see which one succeeds. Easy, right?
$ cat pw1.txt
password1
password2
password3
$ cat pw2.txt
password4
password5
password6
$ echo pw1.txt | gpg2 --batch --import secring.gpg
gpg: key 149C7ED3: secret key imported
$ gpg2 --delete-secret-key "149C7ED3"
[confirm deletion]
$ echo pw2.txt | gpg2 --batch --import secring.gpg
gpg: key 149C7ED3: secret key imported
In other words, both files successfully managed to import the secret key, but there are no passwords in common between the two!!
Am I going retarded, or is there something really wrong here? WTF! -
<<prev. #wk235 advice>>
~ Study the Error log deeply, Google each line if needed. Don't give up.
~ Learn by doing. Don't just read/watch.
~ Practice breaking down the problem statement first in different components and hierarchies. Don't jump into coding right away.
~ Write some, review some. Don't put off review for later.
~ Even if you don't exactly follow the best security practices - always ensure that your program is safe for use. Especially for user-inputs, etc, pay attention.
~ Never distribute code with passwords/keys written in it.
~ Don't hard code stuff, use Config file, environment variables, etc.
~ Try to automate repetitive stuff like build and deploy etc
~ Save and back up your code.
~ No one knows everything, also, today's knowledge gets outdated tomorrow. Continuous learning is synonymous with this field.
<<next #wk235 advice>> -
I recently went to an office to open up a demat account
Manager: so your login and password will be sent to you and then once you login you'll be prompted to change the password
Me: *that's a good idea except that you're sending me the password which could be intercepted* ok
Manager: you'll also be asked to set a security question...
Me: *good step*
Manager: ...which you'll need to answer every time you want to login
Me: *lol what? Maybe that's good but kinda seems unnecessary. Instead you guys could have added two factor authentication* cool
Manager: after every month you'll have to change your password
Me : *nice* that's good
Manager: so what you can do change the password to something and then change it back to what it was. Also to remember it keep it something on your number or some date
Me: what? But why? If you suggest users to change it back to what it was then what is the point of making them change the password in the first place?
Manager: it's so that you don't have to remember so many different passwords
Me: but you don't even need to remember passwords, you can just use software like Kaspersky key manager where you can generate a password and use it. Also it's a bad practice if you suggest people who come here to open an account with such methods.
Manager: nothing happens, I'm myself doing that for the past several years.
Me: *what a fucking buffoon* no, sir. Trust me that way it gets much easier to get access to your system/account. Also you shouldn't keep your passwords written down like that (there were some passwords written down on their whiteboard)
Manager: ....ok...so yeah you need sign on these papers and you'll be done
Me: (looking at his face...) Umm.. ok -
Cause there's no really safe solution for that right now, finally release my favorite and verifiable secure linux password management tool for the web and as apps for iOS, Android and Windows Phone - including online synchronization, so you can access your passwords anywhere. (Web and Android first, the other platforms later).
At the moment it is still a pure gpg based Linux terminal application. -
I manage the infrastructure of an application. Responsible for setup, maintenance and upgrades of all the associated servers, databases, filesystems and tuning. The business area is responsible for maintaining the content and structure of the app.
A couple of weeks ago, the business area started asking me for the system admin passwords in an attempt to integrate a remote service. The reason was because he didn't want to store his own credentials in Jenkins. Imagine the shock when they were told no.
Then a week ago, they asked for the password again so they could update a properties file. Again, the answer was no.
We sent them an email yesterday asking for their change management number so we could make the change to the properties file. They were absolutely shocked to find out that we hadn't already updated the file because they had already deployed their code changes to go with the properties file last Thursday. They submitted the request to us on Friday.
Getting real tired of people screwing up and pointing the finger back at me. -
To all websites requiring at least one upper case, one lower case, one number, one special character, 25 emoji and 49 unicorns in the password when signing up.
If you say something is required, then your regex BETTER be checking ONLY for those things. You should not have hidden requirements for passwords that users are supposed to dream about and know. Especially if it's a super time-sensitive thing that they should have opened 2 Fridays ago.
I had to pull my hair out for 20 minutes (that felt like an hour) before looking at their code and reading their regex. The regex was different from what the page said the requirements actually were. What were they even thinking? 😑
The rest of everything related to this organization uses an SSO system, why can't they just use it? Isn't the whole point of SSO to avoid a different login for every tiny part of the system?
I wonder what the other less technically inclined people using the system are doing right now. Sadly, I have no way of letting them know.
I sincerely hope the dev that made that website faces the same thing while picking a password for creating an account somewhere else and realizes what he/she did.
I really needed to let it out.
I feel much better now.
Time to take out the stress ball :) -
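The mismatch the rant above complains about (the page says one thing, the validation regex enforces another) goes away when the displayed requirements and the validator are generated from the same rule list. Added example, not the organisation's code; the specific rules and the `LEGACY_REGEX` stand-in for the opaque regex are assumptions for this example:

```python
import re

# One rule list drives both the text shown on the sign-up page and the validator,
# so the requirements the user reads are exactly the ones that are enforced.
# The rules themselves are an assumption for this example, not any site's policy.
PASSWORD_RULES = [
    ("at least 12 characters", lambda p: len(p) >= 12),
    ("at least one lowercase letter", lambda p: re.search(r"[a-z]", p) is not None),
    ("at least one uppercase letter", lambda p: re.search(r"[A-Z]", p) is not None),
    ("at least one digit", lambda p: re.search(r"[0-9]", p) is not None),
    ("at least one character that is not a letter or digit",
     lambda p: re.search(r"[^A-Za-z0-9]", p) is not None),
]

# The anti-pattern from the post: one opaque regex whose extra condition
# (no whitespace at all, from \S) is never mentioned in the displayed requirements.
LEGACY_REGEX = re.compile(
    r"^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])(?=.*[^A-Za-z0-9\s])\S{12,}$"
)


def requirements_text():
    """Requirements to render on the form, derived from PASSWORD_RULES."""
    return [description for description, _ in PASSWORD_RULES]


def failed_requirements(password):
    """Every rule the password misses, in the same words the form displayed,
    so the user can act on the error instead of guessing."""
    return [description for description, passes in PASSWORD_RULES if not passes(password)]


def is_acceptable(password):
    return not failed_requirements(password)


def legacy_accepts(password):
    """What the opaque regex does with the same password, for comparison."""
    return LEGACY_REGEX.match(password) is not None
```

A space-separated passphrase satisfies every stated rule but is rejected by the legacy regex's silent no-whitespace condition, which is exactly the "hidden requirement you are supposed to dream about" from the rant.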
iAPPLIED CS UNIVERSITY, DAY 1 (2018-09-24)
11:00 UTC+3: Arrived at the secretary's office to complete my registration. I met quite some people; I forgot the names of some. I spent some time over there, so I took the 13:00 class instead of the 11:00 one. It's still early, so we pick whichever we want.
13:00: Procedural Programming at the Computer's lab. The computers were running Windows 8.1! 😱 I might connect to my laptop via RDP. It would be very cool. The course was about C, but the first time was just an introduction. We are going to use Code::Blocks. We were also explained the (HTTP only) web platform in which we are logged in via our passwords and submit our assignments. The professor was very nice, but this day at least was very boring. I was watching CodeMinkey cartoons, trying to solve AdLitterams.
18:00: Back for Applied Mathematics I. At the same computer lab. No lesson did happen, because we have to s learn theory stuff first (every Friday I think). Back to home.
Tommorrow is going to be a hard day...:wq1 -
This is not a rant. Not really. It's more expressing my own insecurity with a certain topic, which somehow upsets me sometimes (the insecurity, not the topic though).
I have nearly no knowledge about security/privacy stuff. I mean, yeah, I know how to choose secure passwords and don't make stupid DAU mistakes. The very basics you would expect someone to have after a CS bachelor's degree.
But other than that... Nothing. And I would like to get a bit into that stuff, but I have no clue where to start. First getting my head wrapped around low-level stuff like network layers? Or something completely else.
This topic is so intimidating to me as it seems huge, I have no idea where to start, and I feel that if you don't have "full" knowledge, you are going to make mistakes which you might not even notice.
I sometimes get really scared about having an account hijacked or similar. Also in our job it seems to become more and more of a topic we should know about.
Anybody got any advice?
I am looking for a way to improve my knowledge in security in general for professional reasons and my knowledge about privacy for private reasons.
It's just, every time I start reading something related it seems that I am lacking some other knowledge etc... -
I've created instructions for myself the next time I encounter cpanel.
rallen@rallen ~ $ cheat cpanel
#SSH'ing into the fucking cpanel
#Figure out combination of 5 usernames and passwords given by client to log in.
#Pray that WHM isn't involved.
#Ignore several ssl warnings and cancel several .htaccess password prompts.
#Call in to enable that shit.
#Wait no less than 15 minutes on hold.
#SSH enabled.
#Create public private key pair.
#Notice the ppk conversion for windows 'devs'. Sigh.
#Copy key pair to ~/.ssh/
#chmod that shit to 600.
#Note for the user name it's not anything the client's given you or what you've named the key. Look in the cpanel for the /home/<user> directory.
ssh -i ~/.ssh/key <user>@<dedicatedip> -
The positive side of EnvVars...
So a couple of weeks ago I moved all api keys and db passwords to environmental variables on the server so that I didn't have to keep worrying if I'm live in my test environment.
Earlier I shat myself after an apt-get upgrade broke php and apache somehow decided it's a great idea to serve all .php files as plain text. I was super relieved to find no confidential information (apart from logic) was made public. -
Am I the only one not liking those shitty websites where you put almost no critical login information but they require insanely complicated passwords?
I don't want my complicated password ending up in a rainbow table because they store my passwords in text format...
There's only so many versions of passwords I can remember for trivial websites... -
Dashlane is a fucking mess.
1. This fucker won’t sync.
2. This fucker requires you to pick the american state when you enter addresses so no non-us addresses
3. This fucker uses a really bad vpn company under the hood as “its” vpn
4. This fucker somehow messed up the offline 2fa, the thing that students do successfully in their authenticator apps
I’m gonna go back to noo.js.org, that fucker will sync even without any connection, across infinite number of devices, instantly. Yes it does nothing but passwords, yes you can’t change passwords but at least you’re always synced. And it doesn’t sell your data because it doesn’t even have a server let alone a database.
FUCK YOU DASHLANE -
The name of today is Murphy.
So, the LAN at location A can't reach the one at location B. Turns out that something yet unknown is blowing fuses at location A, but after disconnecting a ton of unknowns, the router and a radio link station are up again. Yay Internet, but still no VPN connection to location B.
Needing the passwords for the OpenVPN servers, I notice that encfs4win refuses to mount the drive where the password manager files reside. Of course, any problem must have the company of other problems. Eventually, the encfs drive mounts on another computer.
So, I can access the OpenVPN computer running the client side and check the logs, which tell me that network B is unreachable.
Both networks and an encfs setup all die at the same time? Right, Murphy, what are you going to come up with next? No, don't tell me because I just got read errors from a hard drive. -
when a dev with absolutely no knowledge of the systems or whatsoever, tells a client "sure, easy. we can get your password if you forget" and that client then comes to you and doesn't understand he has to use the recovery function because it's encrypted using a slow one-way hash...
needless to say, that dev thought passwords were stored in cleartext.. -
People at my home come to me every time they forget the passwords for their emails with no recovery options set and then ask me to recover their password. When I say I can't, I hear the taunt “what's the point of being a software engineer when you can't recover a password" :[
So a while back I added my email as recovery option to everyone's email. Life is good now. -
Token for App -> backend authentication is generated one time when the user signs up. Sniff it once and you've got access to the user account forever.
Passwords are hashed with one round of SHA1, no salt.
Everything including login data is sent over plain HTTP.
Luckily I got permission to fix that mess -
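Two of the rants above are about the same pair of controls: the "slow one-way hash" that makes password recovery impossible and a reset the only option, and the app whose token is minted once at sign-up (sniff it once, own the account forever) with passwords stored as one round of unsalted SHA-1. Added example of the hardened versions, in Python's standard library only, not the code from either post. The scrypt parameters, the `scrypt$salt$digest` storage format and the `user:expiry:HMAC` token layout are choices made for this example:

```python
import base64
import hashlib
import hmac
import os
import time


# --- the scheme the second post describes, kept only for contrast ---
def weak_hash(password: str) -> str:
    """One round of unsalted SHA-1: equal passwords hash equally, so precomputed
    tables or a GPU recover most of a dump quickly."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# --- hardened password storage: per-user salt, memory-hard KDF, constant-time compare ---
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)  # about 16 MiB per hash; raise n on real servers


def hash_password(password: str) -> str:
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, dklen=32, **SCRYPT_PARAMS)
    return "scrypt$%s$%s" % (
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """The only operation the stored value supports: check, never recover."""
    try:
        algo, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(digest_b64)
    actual = hashlib.scrypt(password.encode("utf-8"), salt=salt, dklen=32, **SCRYPT_PARAMS)
    return hmac.compare_digest(actual, expected)


# --- expiring, server-signed session tokens instead of one lifetime token ---
def issue_token(server_key: bytes, user_id: str, ttl_seconds: int, now=None) -> str:
    """Token = base64(user:expiry:HMAC-SHA256). A captured token stops working
    at expiry, and nobody without server_key can mint or extend one."""
    expiry = int(time.time() if now is None else now) + ttl_seconds
    payload = "%s:%d" % (user_id, expiry)
    tag = hmac.new(server_key, payload.encode("utf-8"), hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(("%s:%s" % (payload, tag)).encode("utf-8")).decode("ascii")


def verify_token(server_key: bytes, token: str, now=None):
    """Return the user id for a valid, unexpired token, otherwise None."""
    try:
        raw = base64.urlsafe_b64decode(token.encode("ascii")).decode("utf-8")
        payload, tag = raw.rsplit(":", 1)
        user_id, expiry = payload.rsplit(":", 1)
        expiry = int(expiry)
    except (ValueError, UnicodeError):
        return None
    expected = hmac.new(server_key, payload.encode("utf-8"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    if int(time.time() if now is None else now) >= expiry:
        return None
    return user_id
```

Neither part helps while the app still talks plain HTTP: a sniffed password is a sniffed password whatever the hash, and a sniffed token is valid until it expires. The third fix from the post, TLS everywhere, is the one that makes the other two worth having.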
Not dev per se but annoys the hell out of me on a monthly basis... 30 day password expiration, how does that make things more secure?! The thing that makes it worse is that I can't use any previous 28 passwords or anything too similar... Now I'm stuck with a 36 character password which I have to put in every time my work machine decides to lock out... Which is less than a minute of not touching it.
What's that? No I can't turn around and answer a question because if I do I'll be taking 20mins off of my future career prospects as I'm working on leveling up my inevitable arthritis -
so i'm about to deploy admin application which doesn't have admins passwords hashed
after asking him, wtf dude?
he replied, no worries mate
fml -
So, I’ve been given the task of sorting the security out in an application plugging the holes and whatnot as to be honest it’s shocking haha. It doesn’t help that we automate security audits but that’s a different rant for another day.
We’re using devise for authentication (rails standard, ♥️ devise), we have no password resets through the login page, it has to be manually reset by ringing support, why who knows, even though it’s built into the gem and we allow the user to login using an username instead of an email because for whatever reason someone thought it was a bright idea to not have the email field mandatory.
So I hop onto a call with the BAs, basically I go that we need to implement password resets into the login page so the user can do it themselves and also to cut down support calls a ticket is already in place for it. So I go through the standardised workflow for resetting a password. My manager goes.
“I don’t think this will be very secure”
Wait.. what. Have you never reset a password before? It’s following the same protocol as every other app.
We go back and forth and I said I'll get it checked with security just to keep him happy.
The issue mainly is well we can’t implement password resets due to 100s of users not having an email on there account.. 🙃 so before we push this change we need to try and notice all users to set a unique email.
Updated the tickets. All dandy.
Looking at the PRs to see what security things have been done if any and turns out one of the devs in India has just written a migration to add the same default email to every user that doesn’t have an email present and yep it got merged. So I go revert the change but talk about taking a “we don’t care about security approach”.
Eventually we want to have the user reset their passwords and login using their email and someone goes a head and does that. Not to mention the security risk.
Jesus Christ I wonder why I bother sometimes. -
Normal people: Save their work regularly.
Me:
Oh no matter, Notepad++ saves open files somewhere, I'm good with that.
There are important logins, passwords, some temp stuff and work in progress for something, there are backups and information needed. -
I hate having too much security, on the user side. I have 2 step verification on anything that allows it and also most of my passwords are up to a limit, seriously. This is why I have LastPass but obviously no job I've ever been in allowed it. Except freelancing and my own software / apps.
-
!rant
This is fucking how you do it!
Ticketmaster UK had a "data security incident" where they don't really know if any data was actually leaked/stolen/"accessed by an unknown third-party" — their response:
1. Disable the compromised service across their platforms
2. Send a mail to any customer that may have been affected (I got one in Danish because I had only interacted with them through a Danish subsidiary)
2b. All notified customers have their passwords reset and must go through the "Forgot password" process; the _temporary_ password they sent me was even pretty nicely random looking: ";~e&+oVX1RQOA`BNe4"
3. Do forensics and security reviews to understand how the data was compromised
3b. Take contact to relevant authorities, credit card companies, and banks
4. Establish a dedicated website (https://security.ticketmaster.co.uk/...) to explain the incident and answer customer questions
5. "We are offering impacted customers a free 12 month identity monitoring service with a leading provider. To request this service please visit [this page]"
EDIT: As mentioned and sourced in the first comment, the breach was apparently noticed by a banking provider and reported to Ticketmaster on the 12th of April and later to Mastercard on the 19th of April.
Ticketmaster's internal investigation found no evidence of breach (which makes sense, as it wasn't an internal breach), but when Mastercard issued an alert to banks about it on the 21st of June, Ticketmaster followed up by finding the actual breach and disabling the breached third party service on the 23rd of June.
I still think they did the right thing in the right way... -
I’m working on a new app I’m pretty excited about.
I’m taking a slightly novel (maybe 🥲) approach to an offline password manager. I’m not saying that online password managers are unreliable, I’m just saying the idea of giving a corporation all of my passwords gives me goosebumps.
Originally, I was going to make a simple “file encrypted via password” sort of thing just to get the job done. But I’ve decided to put some elbow grease into it, actually.
The elephant in the room is what happens if you forget your password? If you use the password as the encryption key, you’re boned. Nothing you can do except set up a brute-forcer and hope your CPU is stronger than your password was.
Not to mention, if you want to change your password, the entire data file will need to be re-encrypted. Not a bad thing in reality, but definitely kinda annoying.
So actually, I came up with a design that allows you to use security questions in addition to a password.
But as I was trying to come up with “good” security questions, I realized there is virtually no such thing. 99% of security question answers are one or two words long and come from data sets that have relatively small pools of answers. The name of your first crush? That’s easy, just try every common name in your country. Same thing with pet names. Ice cream flavors. Favorite fruits. Childhood cartoons. These all have data sets in the thousands at most. An old XP machine could run through all the permutations over lunch.
So instead I’ve come up with these ideas. In order from least good to most good:
1) [thinking to remove this] You can remove the question from the security question. It’s your responsibility to remember it and it displays only as “Question #1”. Maybe you can write it down or something.
2) there are 5 questions and you need to get 4 of them right. This does increase the possible permutations, but still does little against questions with simple answers. Plus, it could almost be easier to remember your password at this point.
All this made me think “why try to fix a broken system when you can improve a working system”
So instead,
3) I’ve branded my passwords as “passphrases” instead. This is because instead of a single, short, complex word, my program encourages entire sentences. Since the ability to brute force a password decreases exponentially as length increases, and it is easier to remember a phrase rather than a complicated amalgamation or letters number and symbols, a passphrase should be preferred. Sprinkling in the occasional symbol to prevent dictionary attacks will make them totally uncrackable.
In addition? You can have an unlimited number of passphrases. Forgot one? No biggie. Use your backup passphrases, then remind yourself what your original passphrase was after you log in.
All this accomplished on a system that runs entirely locally is, in my opinion, interesting. Probably it has been done before, and almost certainly it has been done better than what I will be able to make, but I'm happy I was able to think up a design I am proud of. -
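The design in the post above (unlimited passphrases, any one of which opens the vault, forgetting one is not fatal) is usually built as key wrapping: one random vault key encrypts the data, and each passphrase gets a "slot" holding that vault key wrapped under a key derived from the passphrase with its own salt. Added example, not the poster's app; Python standard library only. The wrap here is a one-time XOR of the vault key with a fresh scrypt-derived key plus an HMAC over the slot, which is sound because each derived key is used exactly once; a production build would use AES-KW or AES-GCM for the wrap and the same vault key to encrypt the actual entries, which this example leaves out. Slot layout, KDF parameters and function names are assumptions for this example:

```python
import hashlib
import hmac
import os
import secrets

KEY_LEN = 32
KDF_PARAMS = dict(n=2 ** 14, r=8, p=1)  # about 16 MiB; raise n for a real vault


def _derive(passphrase: str, salt: bytes) -> bytes:
    """64 bytes from the passphrase: first half wraps the vault key, second half keys the MAC."""
    return hashlib.scrypt(passphrase.encode("utf-8"), salt=salt, dklen=KEY_LEN * 2, **KDF_PARAMS)


def new_vault_key() -> bytes:
    """The key that actually protects the data. It never depends on any passphrase."""
    return secrets.token_bytes(KEY_LEN)


def add_slot(vault_key: bytes, passphrase: str) -> dict:
    """Wrap vault_key under this passphrase with a fresh salt; returns the slot to store."""
    salt = os.urandom(16)
    derived = _derive(passphrase, salt)
    wrap_key, mac_key = derived[:KEY_LEN], derived[KEY_LEN:]
    wrapped = bytes(a ^ b for a, b in zip(vault_key, wrap_key))
    tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def unwrap(slot: dict, passphrase: str):
    """Recover the vault key from one slot, or None if the passphrase does not fit it."""
    derived = _derive(passphrase, slot["salt"])
    wrap_key, mac_key = derived[:KEY_LEN], derived[KEY_LEN:]
    tag = hmac.new(mac_key, slot["salt"] + slot["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, slot["tag"]):
        return None  # wrong passphrase (or tampered slot): the XOR would yield garbage
    return bytes(a ^ b for a, b in zip(slot["wrapped"], wrap_key))


def open_vault(slots: list, passphrase: str):
    """Any slot that accepts the passphrase yields the same vault key."""
    for slot in slots:
        key = unwrap(slot, passphrase)
        if key is not None:
            return key
    return None


def add_passphrase(slots: list, existing_passphrase: str, new_passphrase: str) -> None:
    """Adding a backup passphrase needs one that already works; no re-encryption of data."""
    key = open_vault(slots, existing_passphrase)
    if key is None:
        raise ValueError("existing passphrase did not open the vault")
    slots.append(add_slot(key, new_passphrase))


def remove_passphrase(slots: list, passphrase: str) -> bool:
    """Drop every slot this passphrase opens; the vault key and data are untouched."""
    before = len(slots)
    slots[:] = [s for s in slots if unwrap(s, passphrase) is None]
    return len(slots) < before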
You know what really grinds my gears? Products that have no right of linking your data to an online platform.
Case in point: Password Managers. Nearly all of them work only with an account on a given service, have the passwords stored on their servers and so on and so forth. There is 0 transparency and for that matter 0 security. I found my choice, though it infuriates me terribly.
Another thing are budget managers. The switch for YNAB from local to on servers really annoys me. They should have no business in storing my very private data on their server. I don't understand people using it either.
so, a new day, a new ERP software to rant about:
this one features an email feature (heh) but with a catch.
only pop3, no imap, if you want ssl the software suggests that you use a 3rd party program, also every user has to be logged in by the admin cause they assume the sysadmin knows all passwords cause he has "password lists"
i called them to ask why their software is what it is, they answer "there was never a need to develop an IMAP functionality, SSL would be so much work and it never became a problem that the sysadmin didn't know all passwords"
in unrelated news, does anyone know a nice sub 100K ERP software with CRM, Material Management and Offer/Order Management that runs on a local server and offers german support for a company in the 50 to 500 worker bracket?
What should I tell my boss if he wants me to hand over root passwords to everyone in the office just cause there should be more than one person available to handle problems if I'm not available.
All these other people in the office have no experience with Linux or servers at all and will fuck it up, I know for sure.
Anybody heard of Clef - A new way to login? It's pretty coool! I've integrated it in one of my projects and it works like a charm..!
The best part being no need of any passwords or fingerprints or facial detection etc.
Not super ranty, but I’m interested in how passwords are managed in your organisation.
I feel dirty receiving passwords through slack and having a spreadsheet on a shared drive seems like madness.
I’ve worked at organisations before that have a single login to a password manager. However theoretically I still have access to that as no one would have changed the password.
Organisational password manager software is really expensive!
Company automatically disables your employee login passwords after every 45 days, which is a good practice for ensuring security. However I get no notifications that my password is being disabled. The result: for the past 4 months, I've been going to IT support requesting them to let me change my password on their admin console because I forgot to change it 'once again'. Sigh... :/
I did an engineering quiz yesterday as a way of introducing a new database the school recently got access to. You had to sign up for the site.
- Passwords were max 20 characters (which is better than 10, but still, why???)
- You couldn't use special characters, but there was NO INDICATION ANYWHERE THAT THAT WAS THE CASE. It would just silently fail to log in. I had to open the browser console to figure out what wasn't working. FUCK
So recently I've been feeling like I fooled myself into thinking I'm any good at anything regarding development.
Today I tried to deploy a Console Application that would run nightly. The production systems are much more guarded, as it should be, but I should still be able to schedule a windows task (yeah yeah, windows servers, not the time Linux fanboys and not my choice :P) no problem.
Except I didn't expect that network users can't run jobs, because of a Group Policy about saving passwords on network accounts.
I expected a local administrator account to be available, and it wasn't.
Also a web API isn't available, even though I could telnet to the address on port 443 (HTTPS). A proxy apparently accepts all HTTP/HTTPS traffic and so on.
All this I feel like I should have known....
So am I in my own head, or am I right in thinking maybe I'm not "pro" development yet? Maybe I don't deserve to be "pro".
Thoughts?
Vivaldi browser seemed a good idea to escape Google's misfeatures without swapping it for Microsoft extensions (Edge) or Firefox / Gecko idiosyncrasies (size / magnification issues on Ubuntu, slow Android version, clunky UI). But there are some ongoing issues that I never experienced in any other user agent (maybe I will when switching to Chromium), like URL completion (port URLs without a protocol aren't prepended with https but trigger a xdg-open dialog, autocomplete prefers obscure deep links with long paths instead of the base URL, the browser seems to forget login passwords by default, etc.) - so Chromium seems like the obvious choice. But there seem to be no more Chromium builds for Android? Does anyone else disappointed by Vivaldi have a preferred solution?
I was given a perl script to help change ubnt airos devices passwords from the command line. I was given no instructions on how to use it and I am not used to working with perl. If anyone can give me some help I would really appreciate it. Here is the code.
#!/usr/bin/perl
use strict;
use warnings;
use FindBin qw($Bin $Script);
use WWW::Mechanize;

# Arguments, in the order the script reads them below: admin user, current
# password, new password, read-only user, read-only password, then one or
# more device addresses.
die "Syntax: $Script ...\nChanges the password on 1 or more AirOS units.\n" unless @ARGV >= 6;

my $user      = shift @ARGV;   # admin user name
my $op        = shift @ARGV;   # old (current) password
my $np        = shift @ARGV;   # new password
my $rouser    = shift @ARGV;   # read-only account name
my $ropass    = shift @ARGV;   # read-only account password
my @addresses = @ARGV;         # device IPs or hostnames

open my $log, '>>', "$Bin/$Script.log"
    or die "Unable to write to $Bin/$Script.log: $!";

# Write a message to both the terminal and the log file.
sub l {
    print STDERR @_;
    print {$log} @_;
}

for my $addr (@addresses) {
    l "Changing password on $addr\n";
    my $mech = WWW::Mechanize->new();

    # Log in first so the session cookie is set for the later requests.
    my $start = "http://$addr/login.cgi?uri=/system.cgi";
    $mech->get($start);
    $mech->field('username', $user);
    $mech->field('password', $op);
    my $response = $mech->submit();
    if (!$response->is_success) {
        l $response->status_line, "\n";
    }

    # Fill in the system page: new admin password plus the read-only account.
    $mech->get("http://$addr/system.cgi");
    $mech->field('NewPassword',   $np);
    $mech->field('NewPassword2',  $np);
    $mech->field('OldPassword',   $op);
    $mech->field('ro_status',     'enabled');
    $mech->field('rousername',    $rouser);
    $mech->field('roPassword',    $ropass);
    $mech->field('hasRoPassword', 'true');
    # click_button submits the form and returns the response itself; the
    # original's extra submit() re-posted whatever page came back.
    $response = $mech->click_button(name => 'change');
    if (!$response->is_success) {
        l $response->status_line, "\n";
    }

    # Commit the pending configuration change on the device.
    $response = $mech->get("http://$addr/apply.cgi");
    if (!$response->is_success) {
        l $response->status_line, "\n";
    }
}

close $log;
exit 0;
Is there a standard around checking the checksum of a bundled weapp to make sure it's the same as what the open source codebase would compile to?
I'm working on some opensource blockchain interface software and obviously blockchain passwords are pretty important, so we do all transaction signing client side and password storage client side, but there's no point doing that if the user can't verify that the password isn't being sent off to some server in secret, but the only way to ensure that is with open source software + a checksum check upon loading, because opensource software doesn't mean the deployed version is the exact opensource branch version.
Any ideas?
I fucking hate mobile and iPad ui and general ux. I hate that I get shit for not being able to fix people's problems on them quickly enough with or without googling. Apparently that's my fucking line of work, no I'm just a fucking code monkey, I don't know where whichever asshat hid the setting to Jimmy or abysmal fucking browser implementations in fucking mobile chrome that make it unable for you to buy car parts but it fucking works fine on a desktop browser. I don't want to reset your fucking weak passwords because you never remember them.
I can't even change my fucking phone's background, or figure out if I lack voicemail because of my plan or the fucking option isn't present (one plus 2) and don't care enough to put more time in or google it.
Maybe I'm just fucking incompetent. I like being able just to right click shift on desktop, going to properties or running both commands.
I never will stop being an imposter until I can fucking fix anything like a legit engineer.
The fuck symfony again - passwords migration - no error but it does not work. One guy in the comments wrote what fixed it - I had the wrong configuration. Why can't it give a fucking error when the configuration is wrong? And I did not even see in the documentation that I need to do that. I do not know if symfony really deserves so much popularity if it wastes so much time. Checked my tracker - I have spent about 13 hours on the symfony upgrade from I think 5.1 to 5.3 and password migration.