Hi, I am a Javascript apprentice. Can you help me with my project?

- Sure! What do you need?

Oh, it’s very simple, I just want to make a static webpage that shows a clock with the real time.

- Wait, why static? Why not dynamic?

I don’t know, I guess it’ll be easier.

- Well, maybe, but that’s boring, and if that’s boring you are not going to put in time, and if you’re not going to put in time, it’s going to be harder; so it’s better to start with something harder in order to make it easier.

You know that doesn’t make sense right?

- When you learn Javascript you’ll get it.

Okay, so I want to parse this date first to make the clock be universal for all the regions.

- You’re not going to do that by yourself right? You know what they say, don’t repeat yourself!

But it’s just two lines.

- Don’t reinvent the wheel!

Literally, Javascript has a built in library for t...

- One component per file!

I’m lost.

- It happens, and you’ll get lost managing your files as well. You should use Webpack or Browserify for managing your modules.

Doesn’t Javascript include that already?

- Yes, but some people still have previous versions of ECMAScript, so it wouldn’t be compatible.

What’s ECMAScript?

- Javascript

Why is it called ECMAScript then?

- It’s called both ways. Anyways, after you install Webpack to manage your modules, you still need a module and dependency manager, such as bower, or node package manager or yarn.

What does that have to do with my page?

- So you can install AngularJS.

What’s AngularJS?

- A Javascript framework that allows you to do complex stuff easily, such as two way data binding!

Oh, that’s great, so if I modify one sentence on a part of the page, it will automatically refresh the other part of the page which is related to the first one and viceversa?

- Exactly! Except two way data binding is not recommended, since you don’t want child components to edit the parent components of your app.

Then why make two way data binding in the first place?

- It’s backed up by Google. You just don’t get it do you?

I have installed AngularJS now, but it seems I have to redefine something called a... directive?

- AngularJS is old now, you should start using Angular, aka Angular 2.

But it’s the same name... wtf! Only 3 minutes have passed since we started talking, how are they in Angular 2 already?

- You mean 3.

2.

- 3.

4?

- 5.

6?

- Exactly.

Okay, I now know Angular 6.0, and use a component based architecture using only a one way data binding, I have read and started using the Design Patterns already described to solve my problem without reinventing the wheel using libraries such as lodash and D3 for a world map visualization of my clock as well as moment to parse the dates correctly. I also used ECMAScript 6 with Babel to secure backwards compatibility.

- That’s good.

Really?

- Yes, except you didn’t concatenate your html into templates that can be under a super Javascript file which can, then, be concatenated along all your Javascript files and finally be minimized in order to reduce latency. And automate all that process using Gulp while testing every single unit of your code using Jasmine or protractor or just the Angular built in unit tester.

I did.

- But did you use TypeScript?

Me: I have been working for you for almost 12 years now, and I feel that my current pay is not comparable to the work I currently produce. Therefore, in order to secure my future as your employee, I must request an immediate raise in pay to a level that is acceptable.

Boss: I can't afford it. If you want more money, you need to bring in more clients, plain and simple.

Me: I'm serious. If I don't get a raise, I will qui---

Girlfriend: Babe, stop talking to yourself and come to bed...

Me: Okay... [looks in mirror] This isn't finished...

The spam denier
_____

An old phone conversation with a client:

Me : Hello

Client : My website and server are suspended? why is that?

Me : Your server sends spam messages.

Client : We do not send spam messages, we are on vacation, there is none in the office.

Me : Yes, but it is not necessarily you, according to our logs, your server sent spam messages in Chinese and Russian, so someone from Russia or China....etc.

Client : I do not believe you, we do not speak russian or chinese, how could we then write spam messages in those languages?

Me : I told you, maybe someone exploited some vulnerability in your website or server firewall. And if you want to activate your services, please check with your webmaster and sysadmin to secure your ....

Client: I tell you my son, because I am old and I have more life experience than you ... I am 60 years old and I tell you, spam does not exist, and YOU suspended my website and server, and created issues to sell me more of your solutions and services.

I won't check my server, I won't hire a webmaster or a sysadmin, AND YOU WILL ACTIVATE MY SERVER NOW !

(I suddenly realized that I am talking to a wall, so I switched to a robotic tone).

Me : Please resolve the issue to activate your services..

Client : YOU WILL ACTIVATE MY S...

Me : Please resolve the issue to activate your services...

Client : WHAT IS THIS SPAM STORY ANYWAY, I DO NOT BELIEVE YOU ...

Me : Please google that word and you will understand what is spam is...

Client : YOU ARE F**ING LIARS, SPAM DOES NOT EXIST... ACTIVATE MY WEBSITE N.... Beeeep !

I hang up.

Well, I thought about configuring an automatic response for this client, or a for-loop.

His voice was really unpleasant, as if he is a heavy smoker.

Another one, teach secure programming for fucks sake! This always happened at my study:

Me: so you're teaching the students doing mysql queries with php, why not teach them PDO/prepared statements by default? Then they'll know how to securely run queries from the start!
Teachers: nah, we just want to go with the basics for now!

Me: why not teach the students hashing through secure algorithms instead of always using md5?
Teacher: nah, we just want to make sure they know the basics :)

For fucks fucking sake, take your fucking responsibilities.

Creating a new account is always fun...

"This Is My Secure Password" <-- Sorry, no spaces allowed.

"ThisIsMySecurePassword" <-- Sorry, Passwords must include a number

"ThisIsMySecurePassword1" <-- Sorry, Passwords must include a special character

"ThisIsMySecurePassword 1" <-- Sorry, no spaces allowed

"ThisIsMySecurePassword%1" <-- Sorry, the % character is not allowed

"ThisIsMySecurePassword_1" <-- Sorry, passwords must be shorter than 16 characters

"Fuck" <-- Sorry, passwords must longer than 6 characters

"Fuck_it" <-- Sorry, passwords can't contain bad language

"Password_1" <-- Accepted.

I was reviewing one dev's work. It was in PHP. He used MD5 for password hashing. I told him to use to password_hash function as MD5 is not secure...

He said no we can't get a password from MD5 hashed string. It's one way hashing...

So I asked him to take couple of passwords from the users table and try to decode those in any online MD5 decoder and call me after that if he still thinks MD5 is secure.

I have not got any call from him since.

You don't teach me security, Firefox.. 😂😂

Started talking with someone about general IT stuff. At some point we came to the subject of SSL certificates and he mentioned that 'that stuff is expensive' and so on.

Kindly told him about Let's Encrypt and also that it's free and he reacted: "Then I'd rather have no SSL, free certificates make you look like you're a cheap ass".

So I told him the principle of login/registration thingies and said that they really need SSL, whether it's free or not.

"Nahhh, then I'd still rather don't use SSL, it just looks so cheap when you're using a free certificate".

Hey you know what, what about you write that sentence on a whole fucking pack of paper, dip it into some sambal, maybe add some firecrackers and shove it up your ass? Hopefully that will bring some sense into your very empty head.

Not putting a secure connection on a website, (at all) especially when it has a FUCKING LOGIN/REGISTRATION FUNCTION (!?!?!?!!?!) is simply not fucking done in the year of TWO THOUSAND FUCKING SEVENTEEN.

'Ohh but the NSA etc won't do anything with that data'.

Has it, for one tiny motherfucking second, come to mind that there's also a thing called hackers? Malicious hackers? If your users are on hacked networks, it's easy as fuck to steal their credentials, inject shit and even deliver fucking EXPLOIT KITS.
Oh and you bet your ass the NSA will save that data, they have a whole motherfucking database of passwords they can search through with XKeyScore (snowden leaks).

Motherfucker.

Ranted about him before but this just came to my mind again.
The fucking windows (to the max) fanboy I had to deal with for too long.

Every time I mentioned something about what programming language to use in a project he was NOT part of:
"I know it's none of my business, BUT I think you should use .net"
(All backend JavaScript and php guys).

Every time I mentioned something about what server system to use:
"I know it's none of my business but I think you should use Windows server"
(All Linux guys)

Every time I'd say something positive about Linux he'd search as long as needed to prove that that was also a windows thing (didn't even come close sometimes)

Every time I told the devs there about a windows security issue (as in "guys they found this thing, install the next update to stay safe :)" - "ahhh will do, thanks for letting know man!") he'd search as long as needed to prove that Linux also had had security issues like that.
(Okay?!? I know?!? I'm just trying to notify people so their systems stay secure and they're genuinely happy with that so STFU)

MOTHERFUCKER.

A quite severe vulnerability was found in Skype (at least for windows, not sure about other systems) allowing anyone with system access (remote or local) to replace the update files skype downloads before updating itself with malicious versions because skype doesn't check the integrity of local files. This could allow an attacker to, once gaining access to the system, 'inject' any malicious DLL into skype by placing it in the right directory with the right file name and waiting for the user to update (except with auto updates of course).

From a company like Microsoft, taking in mind that skype has hundreds of millions of users worldwide, I'd expect them to take a very serious stance on this and work on a patch as soon as possible.

What they said about this: they won't be fixing it anytime soon as it would require a quite big rewrite of skype.

This kinda shit makes me so fucking angry, especially when it comes from big ass companies 😡. Take your fucking responsibility, Microsoft.

This is super childish but it's the gameserver insidstry and karma is a bitch.

TLDR: I hacked my boss

I was working for a gameserver and I did development for about 3 months and was promised pay after the network was released. I followed through with a bunch of dev friends and the guy ended up selling our work. He didn't know that I was aware of this as he tried to tell people to not tell us but one honest person came forward and said he sold our work for about 8x the price of what he owed ALL OF US collectively.

I proceeded to change the server password and when he asked why he couldn't log in I sent him an executable (a crypted remote access tool) and told him it was an "encryption tunnel" that makes ssh and file transfers secure. Being the idiot that he is he opened it and I snagged all of his passwords including his email and I changed them through a proxy on his machine to ensure I wouldn't get two factored with Google. After I was done I deleted system 32 :3

I hate this attitude of my study (when i studied):

"it might be a good idea to teach the students how to program securely by default?"

"oh no but we just want to teach them the basics"

"so why not the secure basics by default?!"

"nah we just want them to get started and understand it, that's all. We'll get to the secure way later on"

Well, fuck you.

"Do you have 2 factor auth for the database?"
a customer asked. I stared on the wall in front of me and suddenly fel and urge to punch and piss on something.
I took a deep breath while thinking to myself
*Oh boy, here we go. Another retard*
I put on my nice voice and asked:
"What you mean?"
The customer seems confused, as if my question did not make sense and he said:
"TWO FACTOR AUTHENTICATION! Dont you know what it is? To make the database more secure."

I was fucking right, this person reads to much shit. The fact that the email signature of that person said "Wordpress Developer" made me more angry.
I, still with the nice voice asked
"How would that work?"
"Two factor authentication when I am connecting to the database."
"So, do you want it by SMS then? You'll get alot of messages if it is going to send you one every time a query is made."
The following 7 seconds was dead silent until I heard the person hang up.

"We don't need to invest in security - noone is going to hack us anyway" == "We don't need a fire department in our city - fire is not going to start here anyway"

We don't need to invest in security - everything is public anyway" == "We don't need a fire department in our city - our buildings are made out of straws anyway"

-- my thoughts after seing a line in client's spec: "sensitive data is transferred via a secure tcp channel (https) and all the public data is transferred via an unencrypted tcp (http) channel"

"secure" messaging apps which aren't open source.

Isn't it common sense that, when you can't check an app for anything because it's closed source (backdoors, vulnerabilities etc), you technically can't be sure whether it's actually secure or not?

And no, I'm not going to trust an app dev on his/her blue fucking eyes on this one.

Our website once had it’s config file (“old” .cgi app) open and available if you knew the file name. It was ‘obfuscated’ with the file name “Name of the cgi executable”.txt. So browsing, browsing.cgi, config file was browsing.txt.
After discovering the sql server admin password in plain text and reporting it to the VP, he called a meeting.
VP: “I have a report that you are storing the server admin password in plain text.”
WebMgr: “No, that is not correct.”
Me: “Um, yes it is, or we wouldn’t be here.”
WebMgr: “It’s not a network server administrator, it’s SQL Server’s SA account. Completely secure since that login has no access to the network.”
<VP looks over at me>
VP: “Oh..I was not told *that* detail.”
Me: “Um, that doesn’t matter, we shouldn’t have any login password in plain text, anywhere. Besides, the SA account has full access to the entire database. Someone could drop tables, get customer data, even access credit card data.”
WebMgr: “You are blowing all this out of proportion. There is no way anyone could do that.”
Me: “Uh, two weeks ago I discovered the catalog page was sending raw SQL from javascript. All anyone had to do was inject a semicolon and add whatever they wanted.”
WebMgr: “Who would do that? They would have to know a lot about our systems in order to do any real damage.”
VP: “Yes, it would have to be someone in our department looking to do some damage.”
<both the VP and WebMgr look at me>
Me: “Open your browser and search on SQL Injection.”
<VP searches on SQL Injection..few seconds pass>
VP: “Oh my, this is disturbing. I did not know SQL injection was such a problem. I want all SQL removed from javascript and passwords removed from the text files.”
WebMgr: “Our team is already removing the SQL, but our apps need to read the SQL server login and password from a config file. I don’t know why this is such a big deal. The file is read-only and protected by IIS. You can’t even read it from a browser.”
VP: “Well, if it’s secured, I suppose it is OK.”
Me: “Open your browser and navigate to … browse.txt”
VP: “Oh my, there it is.”
WebMgr: “You can only see it because your laptop had administrative privileges. Anyone outside our network cannot access the file.”
VP: “OK, that makes sense. As long as IIS is securing the file …”
Me: “No..no..no.. I can’t believe this. The screen shot I sent yesterday was from my home laptop showing the file is publicly available.”
WebMgr: “But you are probably an admin on the laptop.”
<couple of awkward seconds of silence…then the light comes on>
VP: “OK, I’m stopping this meeting. I want all admin users and passwords removed from the site by the end of the day.”

Took a little longer than a day, but after reviewing what the web team changed:
- They did remove the SQL Server SA account, but replaced it with another account with full admin privileges.
- Replaced the “App Name”.txt with centrally located config file at C:\Inetpub\wwwroot\config.txt (hard-coded in the app)
When I brought this up again with my manager..
Mgr: “Yea, I know, it sucks. WebMgr showed the VP the config file was not accessible by the web site and it wasn’t using the SA password. He was satisfied by that. Web site is looking to beat projections again by 15%, so WebMgr told the other VPs that another disruption from a developer could jeopardize the quarterly numbers. I’d keep my head down for a while.”

I wonder why banks are always so terribly insecure, given how much money there's for grabs in there for hackers.

Just a while ago I got a new prepaid credit card from bpost, our local postal service that for some reason also does banking. The reason for that being that - thank you 'Murica! - a lot of websites out there don't accept anything but credit cards and PayPal. Because who in their right mind wouldn't use credit cards, right?! As it turns out, it's pretty much every European I've spoken to so far.

That aside, I got that card, all fine and dandy, it's part of the Mastercard network so at least I can get my purchases from those shitty American sites that don't accept anything else now. Looked into the manual of it because bpost's FAQ isn't very clear about what my login data for their online customer area now actually is. Not that their instruction manual was either.

I noticed in that manual that apparently the PIN code can't be changed (for "security reasons", totally not the alternative that probably they didn't want to implement it), and that requesting a forgotten PIN code can be done with as little as calling them up, and they'll then send the password - not a reset form, the password itself! IN THE FUCKING MAIL.

Because that's apparently how financial institutions manage their passwords. The fact that they know your password means that they're storing it in plain text, probably in a database with all the card numbers and CVC's next to it. Wouldn't that be a treasure trove for cybercriminals, I wonder? But YOU the customer can't change your password, because obviously YOU wouldn't be able to maintain a secure password, yet THEY are obviously the ones with all the security and should be the ones to take out of YOUR hands the responsibility to maintain YOUR OWN password.

Banking logic. I fucking love it.

As for their database.. I reckon that that's probably written in COBOL too. Because why wouldn't you.

Oh fuck and boy Jesus, how on earth is this still a thing 😦

MD fucking 5 is not a fucking “secure” crypto algorithm.

This site has 14 million breached accounts with fucking MD5 hashes.

I think I’ve had to much internet for today.

So I was at work and send to another location (distribution centers) and in the lunch break my guider for that day and I started a conversation about servers etc (he appeared to do loads of stuff with that). He recommended me all those programs but I didn't recognize anything so I asked him what kinda servers he ran. He runs a lot of Windows servers. No problem for me but I told him that I am into Linux servers myself.

Guy: "Linux guy, eh? That system is considered to be so secure but in reality it's insecure as fuck!".

Me: (If he would come up with real/good arguments I am not going to argue against that by the way!) Uhm howso/why would you think that?
Guy: "Well all those script kiddies being able to execute code on your system doesn't seem that secure.".

*me thinking: okay hold on, let's ask for an explanation as that doesn't make any fucking sense 😐*

Me: "Uhm how do you mean, could you elaborate on that?"

Guy: "Well since it's open source it allows anyone to run any shit on your system that they'd like. That's why windows rocks, it doesn't let outsiders execute bad code on it.".

Seriously I am wondering where the hell he heard that. My face at that moment (internally, I didn't want to start a heated discussion): 😐 😲.

Yeah that was one weird conversation and look on open source operating systems...

I hate Linux so much. I mean, how could anyone of you barbarians like it??

I don't understand the hate for windows. It's secure, emphasizes privacy, and it's Microsoft. What's not to love?

Linux is just proprietary malware.

My hubby saw me using Secure Shell to install some software on a cloud server I'm using through the terminal. After a few minutes of watching, he said, "Oh, the government better watch out for you!"

I've been unable to successfully convince him I'm not some elite super-hacker like he's used to seeing in movies and NCIS.

Biggest dev insecurity?

Probably http://
It’s not secure at all, never feeling very confident when browsing that protocol.

I still miss my college days. Our crappy IT Dept restricted internet usage on campus. Each student used to get 10 GB of internet data and they used Cyberoam for login (without HTTPS). 10 GB was so less (at least for me).

Now, thanks to CS50, I learned that HTTP was not secure and somehow you can access login credentials. I spent a night figuring things out and then bam!! Wireshark!!!!

I went to the Central Library and connected using Wireshark. Within a matter of minutes, I got more than 30 user ids and passwords. One of them belonged to a Professor. And guess what, it had unlimited data usage with multiple logins. I felt like I was a millionaire. On my farewell, I calculated how much data I used. It was in TBs.

Lesson: Always secure your URLs.

Following a conversation with a fellow devRanter this came to my mind ago, happened a year or two ago I think.

Was searching for an online note taking app which also provided open source end to end encryption.

After searching for a while I found something that looked alright (do not remember the URL/site too badly). They used pretty good open source JS crypto libraries so it seemed very good!

Then I noticed that the site itself did NOT ran SSL (putting the https:// in front of the site name resulted in site not found or something similar).

Went to the Q/A section because that's really weird.

Saw the answer to that question:

"Since the notes are end to end encrypted client side anyways, we don't see the point in adding SSL. It's secure enough this way".

😵

I emailed them right away explaing that any party inbetween their server(s) and the browser could do anything with the request (includingt the cryptographic JS code) so they should start going onto SSL very very fast.

Too badly I never received a reply.

People, if you ever work with client side crypto, ALWAYS use SSL. Also with valid certs!

The NSA for example has this thing known as the 'Quantum Insert' attack which they can deploy worldwide which basically is an attack where they detect requests being made to servers and reply quickly with their own version of that code which is very probably backdoored.

This attack cannot be performed if you use SSL! (of course only if they don't have your private keys but lets assume that for now)
Luckily Fox-IT (formerly Dutch cyber security company) wrote a Snort (Intrustion Detection System) module for detecting this attack.

Anyways, Always use SSL if you do anything at all with crypto/sensitive data! Actually, always use it but at the very LEAST really do it when you process the mentioned above!

The coolest project I've worked on was for a certain country's Navy. The project itself was cool and I'll talk about it below but first, even cooler than the project was the place were I worked on it.

I would go to this island off the coast where the navy had its armoury. Then to get into the armoury I'd go through this huge tunnel excavated in solid rock.

Finally, once inside I would have to go thru the thickest metal doors you've ever seen to get to crypto room, which was a tiny room with a bunch of really old men - cryptographers - scribbling math formulae all day long.

I can't give a lot of technical details on the project for security reasons but basically it was a bootable CD with a custom Linux distro on it. Upon booting up the system would connect to the Internet looking for other nodes (other systems booted with that CD). The systems would find each other and essentially create an ad-hoc "dark net".

The scenario was that some foreign force would have occupied the country and either destroyed or taken control of the Navy systems. In this case, some key people would boot these CDs in some PC somewhere not under foreign control (and off the navy grounds.) This would supposedly allow them to establish secure communications between surviving officers. There is a lot more to it but that's a good harmless outline.

As a bonus, I got to tour an active aircraft carrier :)

- Let's make the authentication system so the user can only login in one device at time, because this is more secure.
- You know that this will be a general-public application, right?
- Yeah!
- Sou you want to "punish" users with a logoff on the other device when he tries to login in a new one?
- Yeah!
- But before you said we will use Json Web Token to make the backend stateless.
- Yeah!
- And how will we check if the token is the last one generated?
- We will store the last generated token for this user on a table in our DB.
- So... you are basically describing the old authentication model, with session tokens stored on the backend and communicating them via cookies.
- Yeah, but the token will be sent on the Header, not on cookies
- Okay, so why will we use Json Web Token to do this in the first place?
- Because this is how they're doing now, and this will make the backend stateless.

A moment of silence, please.

I hate Wordpress. I hate Wordpress. I hate Wordpress.

Wordpress can take a big shit on itself and crawl into a deep dark hole far away from all that is good.

Who even uses Wordpress? Bloggers? Come on, let’s be honest, they’re using more intuitive sites like weebly, wix, and square space. So WHAT is Wordpress for? I’ll tell you, it’s just to FUCKING TORTURE PEOPLE.

So, being the “techy guy” of the family, a relative contacts me asking for some help with their website because they need to install an SSL certificate but they don’t know how to. I tell them I’d gladly do it because, sure, they’re family and how long can it possibly take to install a certificate? I’ve done it before!

Well, I get to work and log into the sluggish Wordpress dashboard and try to use a plugin that would issue a LetsEncrypt certificate because they are free and just as good as any other SSL. But one plugin after the next I keep getting errors about how my hosting wouldn’t allow it.

So I contact GoDaddy (don’t get me fucking started) and ask them about the issue. The guy tells me it’s “policy” to only be able to use GoDaddy’s certificates. How much do they cost? Oh, how about $100 a year?! Fuck you.

I figured out the only way to escape this hell was to ask them to open an economy Linux hosting account with cPanel on GoDaddy (the site was formerly hosted on a “Managed Wordpress” account which is just bullshit for not wanting to give you any control over your own goddamn content). So now I have to deal with migrating the site.

GoDaddy representative tells me that it should only take 20 minutes for me to do this (I’ve already spent way too much time on this but whatever) so I go forward with the new account. I decide I should migrate the site by exporting a backup and manually placing everything on the new server. Doesn’t it end up taking an entire hour to back up a 200MB site because GoDaddy throttled the processing speed?!

So, it’s another hour later and I’ve installed all the databases and carried over all the files. At this point, I’m really at the end of my rope and can’t wait to install the certificate and be done with this fuckery.

I install the certificate and finally get ready to be on my way, but then I see it. A warning. A warning from my browser telling me the site is only partially secure. It turns out the certificate was properly installed but whoever initially made the site HARDCODED ALL THE LINKS to images, websites, and style sheets to be http instead of https.

I’m gonna explode.

I swear, I’m gonna fucking explode.

After a total of 5 hours of work, I finally get the site secure by using search and replace on every fucking file.

Wordpress can go suck a big one. Actually, Wordpress can go suck the largest fuckin one in existence and choke on it.

TL;DR I agree to install an SSL certificate but end up with much more work than I bargained.

I'm not sure if this entirely qualifies and I might have ranted about it a few years ago but fuck it.

My last internship. Company was awesome and my mentor/technical manager got along very well with me to the point that he often asked me to help out with Linux based stuff (he preferred Linux but was a C# guy and wasn't as familiar with it as me (Linux)).

We had to build an internal site thingy (don't remember what it was) and we delivered (me and some interns) and then the publishing moment came so I went to out project manager (a not-as-technical one) and asked if he could install a LetsEncrypt certificate on the site (he knew how and was one of the only ones who had direct access to the server).

He just stared at us and asked why the fuck we needed that since it was an internal thing anyways.
I kindly told that since it's free and can secure the connection, I preferred that and since its more secure, why the fuck not?
He wasn't convinced so it was off.

Next day I came in early and asked my mentor if he could do the SSL since he usually had access to that stuff. He stared at me with "what?" eyes and I explained what the PM said.

Then he immediately ssh'd in and got the damn cert with "we're going to go secure by default, of course!"

A minute later it was all set.

!rant && sarcasm

For a long time now I've been trying to convince people to use secure communication. I'm used to getting called "paranoid", but the killer phrase always was (and still is): "Why do you want me to encrypt my communication, I HAVE NOTHING TO HIDE, so I don't care who's reading it" - "It's not about hiding something, it's about private stuff staying private" - "Yeah, whatever"

"I have nothing to hide". That always killed the conversation... until I asked them to hand me their phones, unlocked, for 5 minutes.

"No" - "Why? I thought, you had nothing to hide and don't care who's reading it?" - "Uhmmm..."

More and more people around me are popping up in my Signal contact list.
Looks like they suddenly care a lot about private stuff staying private </sarcasm>

Would the web be better off, if there was zero frontend scripting? There would be HTML5 video/audio, but zero client side JS.

Browsers wouldn't understand script tags, they wouldn't have javascript engines, and they wouldn't have to worry about new standards and deprecations.

Browsers would be MUCH more secure, and use way less memory and CPU resources.

What would we really be missing?

If you build less bloated pages, you would not really need ajax calls, page reloads would be cheap. Animated menus do not add anything functionally, and could be done using css as well. Complicated webapps... well maybe those should just be desktop/mobile apps.

Pages would contain less annoying elements, no tracking or crypto mining scripts, no mouse tracking, no exploitative spam alerts.

Why don't we just deprecate JS in the browser, completely?

I think it would be worth it.

I've got a confession to make.

A while ago I refurbished this old laptop for someone, and ended up installing Bodhi on it. While I was installing it however, I did have some wicked thoughts..

What if I could ensure that the system remains up-to-date by running an updater script in a daily cron job? That may cause the system to go unstable, but at least it'd be up-to-date. Windows Update for Linux.

What if I could ensure that the system remains protected from malware by periodically logging into it and checking up, and siphoning out potential malware code? The network proximity that's required for direct communication could be achieved by offering them free access to one of my VPN servers, in the name of security or something like that. Permanent remote access, in the name of security. I'm not sure if Windows has this.

What if I could ensure that the system remains in good integrity by disabling the user from accessing root privileges, and having them ask me when they want to install a piece of software? That'd make the system quite secure, with the only penetration surface now being kernel exploits. But it'd significantly limit what my target user could do with their own machine.

At the end I ended up discarding all of these thoughts, because it'd be too much work to implement and maintain, and it'd be really non-ethical. I felt filthy from even thinking about these things. But the advantages of something like this - especially automated updates, which are a real issue on my servers where I tend to forget to apply them within a couple of weeks - can't just be disregarded. Perhaps Microsoft is on to something?

"please use a secure password*"

* But don't make it too secure, 20 Charakters is enough.

Why would you fucking do this? The only reason I can think about is a scenario like this:
"How do we store the passwords in the database?"
"Just like anything else?"
"So I create a VARCHAR(20)?"
"Yeah why not? It's good enough for a name, and you shouldn't use your or anyone else's name as a password, so it should be perfect"

TL;DR I'm fucking sick and tired of Devs cutting corners on security! Things can't be simply hidden a bit; security needs to be integral to your entire process and solution. Please learn from my story and be one of the good guys!

As I mentioned before my company used plain text passwords in a legacy app (was not allowed to fix it) and that we finally moved away from it. A big win! However not the end of our issues.

Those Idiot still use hardcoded passwords in code. A practice that almost resulted in a leak of the DB admin password when we had to publish a repo for deployment purposes. Luckily I didn't search and there is something like BFG repo cleaner.

I have tried to remedy this by providing a nice library to handle all kinds of config (easy config injection) and a default json file that is always ignored by git. Although this helped a lot they still remain idiots.
The first project in another language and boom hardcoded password. Dev said I'll just remove before going live. First of all I don't believe him. Second of all I asked from history? "No a commit will be good enough..."

Last week we had to fix a leak of copyrighted contend.
How did this happen you ask? Well the secure upload field was not used because they thought that the normal one was good enough. "It's fine as long the URL to the file is not published. Besides now we can also use it to upload files that need to be published here"
This is so fucking stupid on so many levels. NEVER MIX SECURE AND INSECURE CONTENT it is confusing and hard to maintain. Hiding behind a URL that thousands of people have access to is also not going to work. We have the proof now...
Will they learn? Maybe for a short while but I remain sceptic. I hope a few DevrRanters do!

I'm not secure if I'm a good developer or I'm a good "googlelator"

Client reads about MomgoDB ransomware attacks online.

Him: I heard that the MongoDB is not secure, we should use something else in our system.
Me: Those databases got attacked because security features were turned off. If you want you can have an external security team to test the system when it's done.
Him: I don't wana take any risk, so I we should use something else.

We have been working on this system for almost a year and the final stage was supposed to be delivered in a month.

He wants me to replace it with MySQL

Some 'wk306' highlights from different people:

Walk around the office in his underwear, because he forgot he left his trousers in the bathroom

Run a red light outside the office due to not wearing his required glasses. When questioned by co-workers, replied "I don't follow those facist rules"

Asking if we work less will we get paid more, because the project will take longer to do (while in a startup with no funding trying to secure some)

Tell a senior dev to stop testing in his spare time, as we won't be able to release on time if he keeps finding critical security bugs

Telling me "your timezone is not my concern", when asking for help with new tooling so we don't have to be online at the same time

Blaming my team for requesting too much help, leading to his team missing deadlines, in a meeting with very senior managers. When the reason we were requesting help was the handover doc we were given was filled with lies about features being finished and "ready to ship" and lacking any unit tests

Being accused of bullying and harassment to the CEO, because someone asked "did you follow up with X about the partnership they emailed us about". The person who was responsible, forgot 4 times, and saw it as an "attack" to mention it in team meetings

Telling an entire office/building mid November they've secured funding for at least the next year, then announcing in January after the Christmas break that its cheaper to move to India, so they are closing the office in 30 days

*logs out of Google on Android*
*has this persistent Google search bar on launcher which I keep on accidentally tapping*

Alright, so I'm not logged into Google to see how it goes. Kind of an experiment to see just how intertwined Android and my life are with Google. And it's going quite well actually, except for my prime apps that I can't seem to get around.

*reads Google privacy policy*
"We protect your data by keeping it secure!"
Hmm, yeah.. you and 3 letter agencies are keeping it secure and out of the hands of other individuals.. that makes sense.
Don't be evil.. unless you're the devil, right?
Fuck you, I won't login like this.

*accidentally opens Google*
*le trending results show up*

- KSI vs Logan Paul weigh-in!
- KSI vs Logan Paul Manchester!
- KSI vs Logan Paul arena fight!

*opens up NewPipe in which I am not logged in either*
- KSI vs Logan Paul!!!
- Did you see the KSI vs Logan Paul stuff yet?!

*logs back into Google straight away*
Personalized search engine.. many hate it, but boy do I fucking love it.

Warning: long read....

I got a call this morning from a client who was panicking about not being able to login to his web panel.

So I went to the web panel and tried to login and was just redirected back to the login page. No errors or anything (at least visible on the page). Went looking for an error_log file and found it.

It turns out there was an error was showing: Disk quota exceeded.

So I went into the cPanel and checked, he used about 16GB out of 100GB and that got me confused. So I looked around and found out he was using about 510000/500000 inodes.

Went looking trough FTP to see where he has so many files and try and remove some.

Well it turns out that there were about 7 injected websites (warez, online casino, affiliate one etc) and a full hacking web panel on his FTP. After detailed analysis some who actually built the site (I just maintain some parts) made an upload form available to public with any checks on it. Meaning anyone could upload whatever they wanted and the form would allow it.

The worst part is that the client is not allowing us to secure the form with some sort of login or remove it completely (the best option) as it is not really needed but he uses it to upload some pdf catalogs or something.

TL; DR;
Old programmer created an upload form that was accessible to anyone on the web without adding any security or check as to see what kind of files was getting uploaded. Which lead to having maximum number on inodes used on server and client being unable to login.

Side note:
And ofc I had to go and fix the mess behind him again, even though he stopped working a long time ago and I started just recently and have been having nightmares of this project.

Let me explain a tiny corner of some awful code I read earlier today, in layman’s terms.

It’s a method to see if the user is in a secure session — not to set up the session, just to see if it exists. The method ends with a question mark, so it’s basically a question. It should look up the info (without changing anything) and should always give a clear yes/no answer. Makes sense, right?

Let’s say the question is “am I in school right now?”

The code… well.

If there isn’t a student, the answer it gives is null, not yes or no. Null is a fancy word for no, pretty much, so that’s kinda fine, but it really should be a simple no.

It then checks to see if the school is open today. If it is open, it then checks to see if I made my lunch, if I took my backpack, and if I rode the bus — and makes these things happen if they didn’t. Forgot my backpack? Just ask “am I in school today?” And poof! There’s my backpack! … but only if the school is open.

It then, finally, checks to see if I’m actually in the school, and gives that answer.

It could just see if I’m in the school — I mean, I could be in school without a backpack, or walked there on the weekend, right? Ha! You and your silly logic have no place here.

So, by asking if the user is in a secure session, we change the answer: they weren’t before, but the act of asking makes it so. This isn’t profound or anything: I don’t work with Schrödinger. My coworkers are just idiots.

And no, the rest of the code isn’t any better…

Sometimes I wonder how compromised my parents online security would be without my intervention.

My mom logged into her gmail and there was an red bar on top informing about Google preventing an attempted login from an unknown device.

Like typical parents / old people, that red bar didn't caught her attention but I noticed it immediately. I took over and looked into it. It showed an IP address and a location that was quite odd.

I went ahead with the Account security review and I was shocked to find that she had set her work email address as the recovery email!!

I explained her that work email accounts cannot be trusted and IT department of the workplace can easily snoop emails and other info on that email address and should not be related to personal accounts.

After fixing that issue, me being a typical skeptic and curious guy, I decided to find more info about that IP address.

I looked up the IP address on a lookup website and it showed an ISP that was related to the corporate office of her workplace. I noticed the location Google reported also matched with the corporate office location of her work.

Prior to this event, few days ago, I had made her change her gmail account password to a more secure one. ( Her previous password was her name followed by birth date!! ). This must have sent a notification to the recovery mail address.

All these events are connected. It is very obvious that someone at corporate office goes through employees email addresses and maybe even abuse those information.

My initial skeptism of someone snooping throguh work email addresses was right.

You're welcome mom!

A few years ago I configured my wifi extender.
Got everything working as I wanted.
Changed password to my favorite 24char password.
Can't login again...
Meh... It's working as I want and is secure, not even I can login.

It's still running in this state.

I love how the Keybase Linux client installs itself straight into /keybase. Unix directory structure guidelines? Oh no, those don't apply to us. And after uninstalling the application they don't even remove the directory. Leaving dirt and not even having the courtesy to clean it up. Their engineers sure are one of a kind.

Also, remember that EFAIL case? I received an email from them at the time, stating some stuff that was about as consistent as their respect for Unix directory structure guidelines. Overtyping straight from said email here:

[…] and our filesystem all do not use PGP.
> whatever that means.

The only time you'll ever use PGP encryption in Keybase is when you're sitting there thinking "Oh, I really want to use legacy PGP encryption."
> Legacy encryption.. yeah right. Just as legacy as Vim is, isn't it?

You have PGP as part of your cryptographic identity.
> OH REALLY?! NO SHIT!!! I ACTIVELY USED 3 OS'S AND FAILED ON 2 BECAUSE OF YOUR SHITTY CLIENT, JUST TO UPLOAD MY FUCKING PUBLIC KEY!!!

You'll want to remove your PGP key from your Keybase identity.
> Hmm, yeah you might want to do so. Not because EFAIL or anything, just because Keybase clearly is a total failure on all levels.

Written quickly,
the Keybase team
> Well that's fucking clear. Could've taken some time to think before hitting "Send" though.

Don't get me wrong, I love the initiatives like this with all my heart, and greatly encourage secure messaging that leverages PGP. But when the implementation sucks this much, I start to ask myself questions about whether I should really trust this thing with my private conversations. Luckily I refrained from uploading my private key to their servers, otherwise I would've been really fucked.

Foday my father argued with me that:
* "HTML programmers" get payed a lot
* WordPress is awesome
* wordpress programmers get payed a lot
* WordPress doesn't need to be secure
* FileMaker is 100% virus-free (probably malware free), because not many people use it
* UX and UI design are exactly the same

Can someone explain to me why the fuck I should even care about the fact, that some companies collect, use and sell my data? I'm not famous, I'm not a politician and I'm not a criminal, I think most of us aren't and won't ever be. We aren't important. So what is this whole bullshittery all about? I seriously don't get it and I find it somewhat weird that especially tech guys and IT "experts" in the media constantly just make up these overly creepy scenarios about big unsafe data collecting companies "stealing" your "private" information. Welcome to the internet, now get the fuck over it or just don't be online. It's your choice, not their's.

I honestly think, some of these "security" companies and "experts" are just making this whole thing bigger than it actually is, because it's a damn good selling point. You can tell people that your app is safe and they'll believe you and buy your shit app because they don't understand and don't care what "safe" or "unsafe" means in this context. They just want to be secure against these "evil monster" companies. The same companies, which you portrayed them as "evil" and "unfair" and "mean" and "unrepentant" for over a decade now.

Just stop it now. All your crappy new "secure" messenger apps have failed awesomely. Delete your life now, please. This isn't about net neutrality or safety on the internet. This is all about you, permanently exaggerating about security and permanently training people to be introverted paranoid egoistic shit people so that they buy your elitist bullshit software.

Sorry for my low english skills, but please stop to exist, thank you.

I mean, what’s not to trust? I’m sure it’s virtually secure and private.

The cleaning lady saga continues yet again..

Here in Belgium, cleaning ladies are paid with cheques. All fine and dandy, and apparently the parent organization (Sodexo) even migrated to digital cheques. Amazing!!!

If only they did it properly.

Just now I received an email with my login data.
Login: ${FIRSTNAME}${FIRST2CHARSOFLASTNAME}
Password: I won't reveal the amount of characters.. but it's not even hex. It's just uppercase letters, and far from what I'd deem even remotely secure. Hopefully I'll be able to change that shitty password shortly, and not get it mailed back, even when I ask for recovery. Guess I'll have to check that later - the person who made that account was pretty incompetent when it comes to tech after all. Don't ask me why they did it instead of me. I honestly don't really know either.

With that said, this is a government organization after all... Can I really expect them to hash their passwords?

What. The. Actual. Fuck.

My co-workers just tried to convince me that the following is a secure password:

"ThisIsASecurePassword2018"

Just... I mean... Why? *sigh*

Their argumentation is based on the new NIST guidelines.

If they've read these guidelines CAREFULLY though... (not only the appendix) it actually states "Don't use words from the dictionary". Passwords like these should even be rejected right away.

Me : I should start building user authentication system.
inner self : there are enough free and secure ones out there, just go read the documentation.
Me : fuck I'm not reading 10000 pages of documentation written in alien language.
inner self : well then you better start building
Me : **writes code
Inner self : you better add the data validation and security while coding
Me : I just want it to work !
Me after a few days trying not to suicide : the site is hacked, the code is bugged, hello darkness my friend

Ten Immutable Laws Of Security

Law #1: If a bad guy can persuade you to run his program on your computer, it's not solely your computer anymore.
Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore.
Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.
Law #4: If you allow a bad guy to run active content in your website, it's not your website any more.
Law #5: Weak passwords trump strong security.
Law #6: A computer is only as secure as the administrator is trustworthy.
Law #7: Encrypted data is only as secure as its decryption key.
Law #8: An out-of-date antimalware scanner is only marginally better than no scanner at all.
Law #9: Absolute anonymity isn't practically achievable, online or offline.
Law #10: Technology is not a panacea.

When you ask the IT-Department of a company collab with Microsoft, why you aren't allowed to use Firefox instead of IE.

The answer is: "It's insecure because it's open source"

YOU FUCKING KIDDING ME INSECURE ??? IT IS MORE SECURE AS IE!!! INSECURE BECAUSE OPEN SOURCE? THAN LET'S USE CHROME OR OPERA INSTEAD BUT NOT IE

I've been training a client for a few months now to not use Slack for sharing passwords and other secure materials.

I really thought I had made great progress. I even had him using a password manager. Then out of nowhere he sends the wildcard SSL key pair to me and a handful of other devs in a Slack thread.

At least we aren't storing important information like medical records. Oh wait, that's exactly what we're doing.

When I get on a site that is like “your password must contain upper case, lower case, a number, a symbol”, at first I’m like ooook, security I guess I’ll generate a long password, but then they sit there and say “and be at least 6 but not more than 10 characters”

WTF you fuckers really don’t know anything do you.

@netikras since when does proprietary mean bad?

Lemme tell you 3 stories.

CISCO AnyConnect:
- come in to the office
- use internal resources (company newsletter, jira, etc.)
- connect to client's VPN using Cisco AnyConnect
- lose access to my company resources, because AnyConnect overwrites routing table (rather normal for VPN clients)
- issue a route command updating routing table so you could reach confluence page in the intranet
- route command executes successfully, `route -n` shows nothing has changed
- google this whole WTF case
- Cisco AnyConnect constantly overwrites OS routing table to ENFORCE you to use VPN settings and nothing else.

Sooo basically if you want to check your company's email, you have to disconnect from client's VPN, check email and reconnect again. Neat!

Can be easily resolved by using opensource VPN client -- openconnect

CISCO AnyConnect:
- get a server in your company
- connect it to client's VPN and keep the VPN running for data sync. VPN has to be UP at all times
- network glitch [uh-oh]
- VPN is no longer working, AnyConnect still believes everything is peachy. No reconnect attempts.
- service is unable to sync data w/ client's systems. Data gets outdated and eventually corrupted

OpenConnect (OSS alternative to AnyConnect) detects all network glitches, reports them to the log and attempts reconnect immediatelly. Subsequent reconnect attempts getting triggered with longer delays to not to spam network.

SYMANTEC VIP (alleged 2FA?):
- client's portal requires Sym VIP otp code to log in
- open up a browser in your laptop
- navigate to the portal
- enter your credentials
- click on a Sym VIP icon in the systray
- write down the shown otp number
- log in

umm... in what fucking way is that a secure 2FA? Everything is IN the same fucking device, a single click away.

Can be easily solved by opensource alternatives to Sym VIP app: they make HTTP calls to Symantec to register a new token and return you the whole totp url. You can convert that url to a qr code and scan it w/ your phone (e.g. Google's Authenticator). Now you have a true 2FA.

Proprietary is not always bad. There are good propr sw too. But the ones that are core to your BAU and are doing shit -- well these ARE bad. and w/o an oppurtunity to workaround/fix it yourself.

I just blocked some of the top management from connecting to our WLAN because I was testing a verifing feature for said WiFi that kicks all devices not listed in the DB.
It happened while my boss/senior/guidance was trying to show them the advantages of a centrally managed infrastructure.
He covered my ass well and tried to sell it to them as proof of a secure solution, that unknown devices couldn't log in.
I feel like human trash right now, but that's what you get for testing in production.

Can someone please explain to me WHY THE FUCK non devs feel like they know shit. I DON'T GIVE A FUCK ABOUT HOW YOU FOUND SOME UNTRUE SHIT ON GIZMODO. I'VE KNOW SO MUCH ABOUT THIS SHIT, AND YOU LOOKED UP THE FIRST EXAMPLE YOU COULD FIND THE SUPPORTS YOUR CASE. The most recent time this happened was OVER THE LAST FEW DAYS when this DUMBASS that my friends and I BULLY but HE STILL HANGS AROUND. (By bully, yes sometimes we are mean to him, but we're not out to get him. He comes to us and we don't wanna be with him). So after the SEVENTH groupchat (on two apps) he created that night, HE WANTED TO SWITCH BACK TO ANOTHER APP I SPENT A WEEK TRYING TO GET THEM TO SWITCH FROM PREVIOUSLY (It was whatsapp, i got them to switch to telegram). THEN HE TRIED to ARGUE with me about how TELEGRAM wasnt secure. HE SEARCHED "is telegram secure" on Google and chose the FIRST ARTICE from the previously mentioned, GIZMODO which says that TELEGRAM chats ARENT ENCRYPTED by DEFAULT. HOW THE FUCK DO DUMBASSES GET THIS KIND OF PUBLICITY. There's a difference between ENCRYPTION and END TO END DUMBASS. Then he told me whatsapp is more secure than telegram. NO ITS FUCKING NOT. In telegram, your encryption keys CHANGE every chat, or every 100 messages. To my best research, whatsapp only has ONE key per USER. I could go on forever about how chat backups in whatsapp are UNENCRYPTED or how FACEBOOK stores your data, but blocked you works to.

At my previous job we had to complete an online security training exercise. It shows you how to behave secure in the work place, to not open unknown links etc. The scary part was that the entire training thing was BUILT IN FUCKING FLASH. So I'm suppose to listen to some god damn virus shitting flash application on how to do online security?! Get your shit together before teaching others.

So this PR company hired my firm to convert their client's Wix website to WordPress to have better control over content and SEO, not to mention get away from the piss-poor "absolute position everything" setup of Wix. This is a single page design. 2 days later, we deliver it, performing faster than Wix and with a few extra goodies on the UI.

The client's director of IT wants to stay on Wix, because it's "the most secure provider", and will only move their ONE PAGE INFORMATIONAL WEBSITE to another platform and host if they answer a 133 item "security questionnaire". Short of SSNs, they want to basically know everything, including our proprietary and confidential security practices. You aren't Google...stop acting like you are...

How are people this stupid a "director" of anything?

I request the VPN credential to access to an italian big company network.
The ask me the email to send the new credentials.
I reply sviluppo@mycompany.it
They say it's not good, it's not associated only to me.
I said I'm the only developer (sviluppo) in my company.
They reply the is more secure my private gmail account.
They sent the credentials to my gmail account.

The company I work for is requiring customers to submit credit card info in an online form which then gets stored into our "secure database". Which employees then pull and charge the card later on. They're also telling customers that the form is "encrypted". This is all because they're too fucking lazy and not patient enough to wait for someone to integrate a payment gateway. This is a lawsuit waiting to happen.

Earlier i ranted about how someone hacked our site and he had our source code.
Now finally we found how was our site code stolen, thanks to @dfox he mentioned how can we pull code from got server at that time I checked trying commamds to dowload git folder but it was secure but later we found that we had another subdomain running for pur project and its git folder was not secured

To this day I can't figure out why people still drink the windows koolaid.

It's less secure, slower, bloatier (is that a word?), Comes with ads, intrudes on privacy, etc. People say it's easier to use than Linux, but 99% of what anyone does happens on a chrome based web browser which is the same on all systems!

When it comes to dev, it boggles the mind that people will virtualize a Linux kernel in Windows to use npm, docker, k8s, pip, composer, git, vim, etc. What is Windows doing for you but making your life more complicated? All your favorite browsers and IDEs work on Linux, and so will your commands out of the box.

Maybe an argument can be made for gaming, but that's a chicken an egg scenario. Games aren't built for Linux because the Linux market is too small to be worth supporting, not that the games won't work on it...

Situation: My lead dev (read as in, my employee that has the lead developer position, not my superior) is complaining about certain decisions being made in regards to a rather large project that has been stagnated by executive political bullshit.

Me: let them fuck themselves over, it is their decision to have a voice on this and we are not the ones developing it, merely managing the resources.

Him: Well they do not know what they are asking! everyone is wanting to have an opinion! a voice!!!

Me: and by their own volition they will fuck themselves over and I have the proper documentation to show everyone that if the project is delayed, it will be by popular vote. I have already spoke to our VP to let him know that we are not taking part in their decision planning process, that we provide the necessary feedback, they get to do with it what they want regarding their decisions.

Him: they are being really stupid and inconsiderate

Me: they are indeed, but as long as I show that you, me, and the rest of the team provided input, they disregarded it and went with their decision, then then the fault is on them, not you or our team. Let them fuck themselves over, I have the documentation needed to secure our asses, I record every conversation and I have every email saved. Really, if they don't want to listen to you they will not be able to point the issues that will inevitably rise back to you or us.

Him: .... you are evil

Me: fuck with me team see what happens. Their face and reaction is what makes me get a hard on after the fact.

Ain't no one touching my team.

About browsers and whole SSL CERT thing...

Most likely everyone here noticed, that https site with broken certificate will throw these big red warnings, in your face and there is so much wording like "ITS NOT SECUREEEE" or "ITS HACKEDDD" almost like it was written by passionate fanatic.

But when you are on plaintext http browsers reaction is like ¯\_(ツ)_/¯
Even if you have plaintext with password, it will for example in chromium put small little red thingy that almost no one notices.

I believe that broken cert with some error like invalid date is MORE secure than plaintext password, yet still there is this hypocracy with browsers...

I dont say that broken SSL cert is good, or something, Im just pointing out contrast of "broken" https vs plain http.... One looks for casual Joe like end of the world is coming and second is bearly noticable. Da fuck?

I disagree with this approach

Massive payment gateway (not gonna say names) with more then 10k transactions / hour telling md5 is one of most secure encryptions they have. Only to made worse by the fact that they send the key and hashed key in the same request.

I am advising all our clients to change payment gateway asap if they use this one.

Rant:
Why in the freezing cold all people think that linux = secure. Ransomware... Bla bla not happening on linux bla bla... Linux is secure.

If Linux would have been the most popular one people will pretty much run everything on root and install every stupid package available and never run: apt-get update.

Users were so dumb they got scammed by a phising mail... In freaking 2017... This is user stupidity not OS fault...

God its stupidly annoying seeing the same stuff : Linux secure...
Everything can be secure if you paid attention to the same stuff in freaking 2000.

Im getting a bit tired of programming.

I have been struggling for years regarding programming. I did have some moments of perceived success, but most of the time it has been depressing.

I’m not sure if I dislike programming. But there are some aspects of it that make me feel not as passionate about it.

First of, programs are invisible. No one sees your program or you (assuming we’re talking about a non artistic dev job).

People can’t see lines of code executing, but even if they did it would be gibberish to them.

Users can only become aware of bad software and that kind of breaks my heart a bit.

You could write fast, stable, secure, easy to read, easy to update software. People won’t notice. Hell, even your boss/coworkers might not notice.

In fact, sometimes you try to do the good thing, you try to become a better dev, you try to write tests first, you try to i18n, and what do you get? “Uhh, that’s taking too much time and I don’t see the benefit”.

I know some people will say that people noticing bad service happens on every job.

But programming is the ultimate isolation job. No client has ever told me “hey that code you wrote was pretty good”. They can’t even read code.

I don’t know the users, the users don’t know me, and the users can only judge my program by the result, they can only judge the visual interface.

Let’s say you write a cool project at github. The code is great. Guess what, every language’s ecosystem out there is saturated. Everything is already written. GitHub is saturated. Your best project ends up being a just for yourself enjoyment.

I’m not saying you shouldn’t enjoy code for yourself. That’s how I bet most prolific coders start. I’ve been doing that for many years now. But at some point you want to be part of something with humans.

Imagine I’m stranded on an island with nothing no humans, just food, water and a computer. Would I write code just for myself, just for fun? I think I would off myself 3 months in.

Maybe I should do develop a more social talent...

One of the more memorable computer problems I solved were when I added some lego blocks to solve a recurring windows bluescreen
A friend had a Pentium 3 (slot 1) that kept throwing him several bluescrens per day so I decided to help
I open up the computer and saw that the processor were not properly securred in it's place and the plastic pieces that should have holding it in place were gone, so I improvised pressing in some lego pieces that I found somewhere to secure that the processor didn't move if someone were walking close to the computer and after that he didn't have any more bluescreens than the rest of us

!rant

In july chrome will mark all http-pages as not secure and firefox will follow.
Worst of all, those insecure pages won't be allowed to access the microphone and other features any more. What will i do in cafes now?

TL; DR: Bringing up quantum computing is going to be the next catchall for everything and I'm already fucking sick of it.

Actual convo i had:

"You should really secure your AWS instance."

"Isnt my SSH key alone a good enough barrier?"

"There are hundreds of thousands of incidents where people either get hacked or commit it to github."

"Well i wont"

"Just start using IP/CIDR based filtering, or i will take your instance down."

"But SSH keys are going to be useless in a couple years due to QUANTUM FUCKING COMPUTING, so why wouldnt IP spoofing get even better?"

"Listen motherfucker, i may actually kill you, because today i dont have time for this. The whole point of IP-based security is that you cant look on Shodan for machines with open SSH ports. You want to talk about quantum computing??!! Lets fucking roll motherfucker. I dont think it will be in the next thousand years that we will even come close to fault-tolerant quantum computing.

And even if it did, there have been vulnerabilities in SSH before. How often do you update your instance? I can see the uptime is 395 days, so probably not fucking often! I bet you "dont have anything important anyways" on there! No stored passwords, no stored keys, no nothing, right (she absolutely did)? If you actually think I'm going to back down on this when i sit in the same room as the dude with the root keys to our account, you can kindly take your keyboard and shove it up your ass.

Christ, I bet that the reason you like quantum computing so much is because then you'll be able to get your deepfakes of miley cyrus easier you perv."

I'm sick of the tyranny of websites who say your password must include at least one shady character, one special agent, and a number of other filthy things. Only makes your passwords impossible to remember, hard to type, and not a bit more secure.
"mynameisronalddumpandimanorangehairedorangutan" is a million times more secure than "P4$$word".

I think most people are annoyed by the new design of chrome, for all the wrong reasons - I just noticed the TLS indicator lock is now gray when encrypted, giving you the idea of a website being not fully secure imho

Hey! You there!
Are you sick of windows 10 sending you intrusive reminders about updates? Are you tired of random unscheduled restarts? Tired of feeling like you have no control over your own computer?

Take back control!
DO THE FUCKING UPDATE, YOU FUCKING INCOMPETENT, USELESS, LAZY, PIECE OF DRY WANK!

Seriously guys: pick a time convenient to you, and take 5 or 10 minutes (when you're likely spending hours at your computer), and do them. Not only will you get rid of the annoying notifications, but you'll also keep your pc safe and secure by keeping up with security patches. C'mon people, it's really not that difficult.

And can we please, for the love of all things holy, stop the circlejerking? You're developers, you are the computer proficient. The only things a PC will do are the things you tell it to do. Dig deep, dig into the registry, dig into the services manager, dig into the fucking settings cos a good number of the most common complaints can be fixed in the basic options menu. Tell your computer to stop doing the things you don't like and it will stop.

It's really not hard!

Being a programmer for a while now it always irritates me to try to explain what I'm working on to friends and family. I forget what I knew before I developed. I'm always like "I made the strings in the database- oh I mean the words...well they're actually more like strings of letters- well anyway I made a code to sanitize the user input- I mean make it so it is secure before uhhh saving." I spend so much time watering what I'm saying down I forget what I'm talking about

It's not even funny. It'd be funny if one single person in my family or friend group understood what I meant to some degree.

One thing every junior web developer learns is how to implement a login system.
They may not make it the most secure, but it works.
It boggles my mind how Microsoft still don't know how to make a login that works consistently.
Every Microsoft login page requires like 30 redirections to work.
The Teams app on my PC fails to login at least once a week, just because another Microsoft app is logged in using the same account (usually office), but Windows is not.
Microsoft needs to take it's head out of it's ass and BEG Google to teach them how to make a decent login system.

When you spend 5+ minutes creating a secure password for your new bank account and you get a message saying the password must be between 6 and 12 characters long.

Not sure I want to open this account any more.

Fuck me.

watching the online course for CEH... dude used the Death Star as a tangible example of how exploits work.
IDK if I should love it for the nerdiness, or be slightly sad that someone needs that type of example of what a vulnerability vs an exploit is, when they're going for the Certified Ethical Hacker certification...
Might be better in an introduction to Network Security class?

Also, while discussing the security, usability, and functionality triangle, he reference the Staples "Easy Button" - does one thing, not very secure, and not very functional (in that it has more than one function)...

Security lifehacks 101

Why pay for password managers? Just use one secure password for every service you use! Password managers are really designed for fools who don’t know that you can just use one password for every service and who are ready to pay for that shit.

The best practice is to use your name starting with a capital letter + your main credit card number + CVC code from the back of that card as your go-to password. It’s long and hard to bruteforce and you can remember everything that way! You just need to remember that one password and you’ll always remember your payment info! No need for apple’s bad Apple Pay which is not so secure after all like everything else that Apple offers.

I'm a game designer student in a Brazilian university. In my class I'm the only one who likes code and made the secure choice to be a future game programmer.

But recently some dudes on my class started to discourage me and telling me to give up that course and change to a computer science course.

I didn't feel that way... I think game programmers who know all the stuff and process of game development( modelling, concepts etc) are better professionals than the ones who just knows the scripting process. But sometimes their opinion flows up my head and I feel so unknown if I staying in the right way or not.

(Sry if my english still bad..hope you all understand anyway)

Just went to book something online. About to click the "Pay" button and noticed the page wasn't secure. Who the hell, in 2017, captures credit card details via insecure 'http'??? And 'https' worked on the home page but not the payment page!! Backed out of that, messaged them and we'll see if anything comes of it.

!rant
For the second time in a row, one of our customers decided not to pay their server. The server, on which a lot of the work we did for them (online shop) was hosted. Shortly after completion, we specifically told them to backup their stuff on a daily basis, secure their server and regularly update it... Guess who did neither of those things, in addition to not paying their server after more than 5 reminders, and still complains about their shop being offline. Fucking idiots.

ESET Antivirus is a strange animal. On one hand, it seems reasonably well written, because unlike Norton or F-Secure, it doesn't subject your computer to death by constant disk access and 100% CPU load for 10 minutes when you start it.

On the other hand, when I clicked the link in the mail about renewing licenses and filled out the form, I was not redirected to a page where I could enter credit cart details.

Instead, I got message that some representative would get back to me in 1-2 work days. Eh, what? It's a digital product for f***'s sake. Now, I suppose they'll send me a hand written letter (written using a quill, no doubt), delivered by a bloke riding a horse and wearing a tricorn.

Well, at least ESET virus definition updates are pushed on the internet, and not sent out on 5.25" diskettes.

Clients r wankers. He wants to be able to send login details incl passwords in email to his clients when he adds them in the cms. The passwords are encrypted and generated on creation of a new user. Ive told him that sending credentials in email is shit and not secure. The stubborn bastard wont budge, so instead i've put explicit instructions to reset password once logged in with the credentials they send. Any other suggestions?

We are required to use corporate SSO for any authenticated internal websites, and one of the features they require you to implement is a "logout" button.

They provide a whole slew of specifications, including size and placement/visibility, etc. They provide an SSO logout URL you must redirect to after you take care of your own application logout tasks.

Makes sense... except the logout URL they provide to serve the actual SSO logout function broke over 3 months ago, and remains non-functional to this day.

Apparently I'm the first person (and perhaps one of the only people) who reported it, and was told "just not to worry about it".

So, we have a standing feature request to provide a button... that doesn't actually work.

Corporate Security - Making your corporation _appear_ more secure every day...

why do i have an iphone?

well, let's start with the cons of android.

- its less secure. this isn't even arguable. it took the fbi a month or something (i forget) to break into an ios device

- permission, permissions, permissions. many of the android apps i use ask for the not obscure permissions.
· no, you don't need access to my contacts
· no, you don't need access to my camera to take notes
· no, you don't need access to my microphone to send messages
· no, you don't need access to my saved passwords to be a functioning calculator

- not being able to block some apps from an internet connection

- using an operating system created and maintained by an advertising company, aka no more privacy

- i like ios's cupertino more than material design, but that's just personal preference

pros of ios:

- being able to use imessage, at my school if you don't have an iphone you're just not allowed to be in the group chat

- the reliability. i've yet a data loss issue

- the design and feel. it just feels premium

- if i could afford it, ios seems like a lot of fun to develop for (running a hackintosh vm compiled a flutter app 2x as fast as it did on not-a-vm windows)

so that's why i like iphones
google sucks

My arguments about Apple:
- "iPhone 12 camera can be better than anything else because it's more advanced, it has LiDAR and 10-bit codecs"
- "I can copy on my iPhone and paste on my MacBook and vice versa out of the box"
- "My Beats can seamlessly switch from playing from my MacBook to my iPhone to my Apple Watch. I can be exercising with only my Apple Watch and my Beats, no need for iPhone"
- "2K screen with nice colors in a 900g laptop is rare if you consider the price. Apple one is the cheapest one with that characteristics"
- "Apple Pay is convenient"
- "Fingerprint scanners fail with wet fingers no matter if it's ultrasonic or optical, LiDAR Face ID is objectively more secure than any camera-based unlock mechanism"
- "Stainless steel frame feels better than aluminum one"

I'm not saying Apple is the best. I'm not saying that Google Pay doesn't exist or that Apple Pay is better. I'm not saying that Apple has no downsides.

However, these are responses I get:
"But Apple IS crapple, immutably"
"Why are you even looking at apple crap if you want something good"

If you want to bash Apple, bash it for something real like that butterfly keyboard fails, unconventional AirPods shape that makes most people's ears hurt, screen coating fails on MacBooks, App Store commissions.

My mom asked me to speed up her PC's startup process. I looked into it and and probably found the problem: G Data.

I told her she has to delete it, there is windows defender anyways (and virus scanners are just snake oil). She refused and said: But I bought it from the local IT shop. They said it is the best.

I said: Yeah because they cannot sell windows defender...

She still argued that she paid for it and wants to keep it.

That was were I said: then enjoy your slow startups.

She also said she feels more secure with it. 🙄

I would not even be able to work with that PC! Its not old at all, but the permanent scanning comes at a high cost and probably does not help much.

But she trusts that local it store guy more than me apparently.

Anything I (am able to) build myself.
Also, things that are reasonably standardized. So you probably won't see me using a commercial NAS (needing a web browser to navigate and up-/download my files, say what?) nor would I use something like Mega, despite being encrypted. I don't like lock-in into certain clients to speak some proprietary "secure protocol". Same reason why I don't use ProtonMail or that other one.. Tutanota. As a service, use the standards that already exist, implement those well and then come offer it to me.

But yeah. Self-hosted DNS, email (modified iRedMail), Samba file server, a blog where I have unlimited editing capabilities (God I miss that feature here on devRant), ... Don't trust the machines nor the services you don't truly own, or at least make an informed decision about them. That is not to say that any compute task should be kept local such as search engines or AI or whatever that's best suited for centralized use.. but ideally, I do most of my computing locally, in a standardized way, and in a way that I completely control. Most commercial cloud services unfortunately do not offer that.

Edit: Except mail servers. Fuck mail servers. Nastiest things I've ever built, to the point where I'd argue that it was wrong to ever make email in the first place. Such a broken clusterfuck of protocols, add-ons (SPF, DKIM, DMARC etc), reputation to maintain... Fuck mail servers. Bloody soulsuckers those are. If you don't do system administration for a living, by all means do use the likes of ProtonMail and Tutanota, their security features are nonstandard but at least they (claim to) actually respect your privacy.

So a few weeks ago I wiped my MacBook Pro to regain some space and speed, it wasn't really that slow I just had the disk partitioned into two installments of MacOS. When I erased the disk I thought the secure thing to do would be to set the format to journaled, encrypted rather than just journaled. Everything was working fine, there seemed to be this weird step of login when I restarted but whatever, except iCloud Drive. On my iMac it works fine but for whatever reason my MacBook Pro doesn't want to download custom folders (ones that aren't created by an app and don't have an app icon on folder icon) from my account despite them being clearly available in iCloud.com. So after this much time of messing with it I'm wiping my MacBook Pro again and formatting it as journaled (not encrypted). Wish me luck...

!dev && rant

Can we talk about banks? Those fuckers! Suposed to keep our money save and be competent... They today gave me the biggest scare of my live and I've run one an update query on a prod db without a where clause! (Okay I knew we had a backup but still pretty scarry moment!)

As a few know, besides being a dev I help to organize a small openair music festival here in Switzerland. The openair was this weekend. Every thing wen't well, until I checked our ebanking account today. There was only 2/3 of the money that should be there. A quick call to the bank and they told me, nope they never received it. As we've thrown it in a secure locker during the night, we didn't receive any receipt or something like that. It took those fuckers 3.5 hours to actually go and check the looker, just to find the remaining money in the corner of it. What the fuck people, can't you open your fucking eyes and not give me a fucking heartatack? I thought you guys are professionals!

Note locker: we get a key to open it from the outside, place our payment during the night, as soon as we close it, it falls inside a vault, so there it's a pay in only system, for lack of a better word, I called it locker.

My heart is still beating like mad, because of them.

Despite common sense, I think technology is not making our lives easier. It's just build chaos on top of chaos.

Take server-side programming for instance.

First you have to find someone to host your thing, or a PaaS provider. Then you have to figure out how much RAM and storage you need, which OS you're going to use. And then there's Docker (which will run on top of a VM on AWS or GCP anyway, making even less sense). And then there's the server technology: nginx, Apache (and many many more; if, that is, you're using a server at all). And then there are firewalls, proxies, SSL. And then you go back to the start, because you have to check if your hosting provider will support the OS or Docker or your server. (I smell infinite recursion here.)

Each of these moving parts come with their own can of worms in terms of configuration and security. A whole bible to read if you want to have the slightest clue about what you're doing.

And then there's the programming language to use and its accompanying frameworks. Can they replace the server technology? Should you? Will they conflict with each other and open yet another backdoor into your system? Is it supported by your hosting provider? (Did I mention an infinite recursion somewhere?)

And then there's the database. Does it have a port to the language/framework of your choosing? Why does it expose an web interface? Is it supposed to replace your server? And why are its security features optional again? (Just so I have to test both the insecure and the secure environments?)

And you haven't written a single line of code yet, mind you.

I rarely tell this story because it's hard to believe and would show me in a bad light if people don't believe its details. I know there have been foolish moves from my part, and more stuff should have been agreed to in writing, and I did step into a legal grey area. However I am pleased with what I did and how it all turned out, and this is as close to the truth as possible without needing to explain too many details.

I was once a team lead in an outsourcing company. We had a flexible payment plan depending on results. That helped me motivate myself and my team. Things worked great.

But then the boss started acting like shit:
1. Flexible payment means minimum, right?
2. Promises are made to be broken, as long as your employees have hope and work overtime for a whole month just to finish an important project before schedule, right?
3. Who needs a good, comfortable, SAFE work environment when you can save 30$ on not buying a new crappy chair in place of the old broken crappy chair, if it can be maintained standing by just a bit of duct tape and careful balancing on it? It's not like that developer who earns 30$ per hour has anything else to think about than balancing on a broken chair, right?

I'm a very calm person at work. I never ever raised my voice at anyone for 10 years of my career. Except this situation. I pulled the boss out of the office so his secretary wouldn't hear what I had to say. I threw this everything into his face.
A guy from sales got out of the office to go to the bathroom, and when he heard me, he carefully snuck back into the office (I didn't see him. He told me this over a beer after he left).

Of course I quit on the spot, convinced most of my team members to leave (wasn't hard, I just had to offer a secure plan, which I did), and helped my team members to get good positions elsewhere, and assisted others in starting their own business, by stealing customers from this company (the asshole did not foresee this when he prepared the labour contracts), after he accused me of plagiarism (that I stole code from somewhere else) and used that excuse to not pay me what we agreed upon.

I didn't want litigation. I just used karma, while remaining in the legal realm.

Within a month after this, more than half of his company was gone, and he was left with only a fraction of the revenue he was making before, since the only ones left were people that did not produce value (sales that had nothing to sell, accounting that had nothing to account, etc.), and just one person maintaining one remaining contract that was bringing barely enough money to sustain half of these people.

Now I want to congratulate you for actually finishing reading this :)

Guys what I want to know is how do you secure your code so that they pay you after you deliver the code to them?
So recently I was in this internship that I secured with an over-the-phone interview and the guy who was contacting me was the CEO of the company (I'm going to refer to him as "the fucking cunt" from now on). He asked me to do some OCR and translations and I managed to write a few scripts that automate the entire process. The fucking cunt made me login remotely to his desktop which was connected to the server (who the fuck does that) and I had to operate on the server from his system. I helped him with the installation and taught him how to use the scripts by altering the parameters and stuff, and you know what the fucking cunt did from the next day onward? Dropped contact. Like completely. I kept bombing emails upon emails and tried calling him day after day, the fucking cunt either picked up and cut the call immediately on recognising its me or didn't pick up at all. And the reason he wasn't able to pay me was, and I quote, "I am in US right now, will pay you when I get back to India." I was like "The fuck was PayPal invented for?" Being the naive fool that I was, I believed him (it was my first time) and waited patiently till the date he mentioned and then lodged a complain in the portal itself where he had posted the job initially. They raised a concern with the employer and you know what the fucking cunt replied? "He has not been able to achieve enough accuracy on the translations". Doesn't even know good translation systems don't exist till date ( BTW I used a client for the google translate API). It has been weeks now and still the bitch has not yet resolved the issue.And the worst part of it was I got a signed contract and gave him a copy of my ID for verification purposes.
I'm thinking of making a mail bomb and nagging him every single day for the rest of his life. What do you guys think?

Managed to land 2 interviews:

The first one was for a startup that was looking for a react programmer (I've never used react before).

The later was a php job at a big company. They told me they used cakephp which is a framework I had not used before either.

Still, I'm more familiar with php than react so I felt more confident with the second interview. However, I felt there was a lot of good chemistry going on in the first interview.

The interviewer was incredibly nice (he was the lead dev, not an HR person as opposed to the second interviewer)

He gave me a small react test to be completed within a week. I barely managed to do it in time but I felt good about the solution.

Just as I was sending it, I get a call from the second interviewer saying I landed the php job.

I wasn't sure if my novice react skills would be impressive enough to secure me the react job (and I really needed a job) so I accepted.

After explaining everything to the guy who was interviewing me for the react job, he understood and was kind enough to schedule a code review where he walked through my novice code explaining what could be improved, helping me learn more in the process.

I regret not accepting the react position. The PHP they got me working with is fucking PHP5 with Cake2 :/

Don't get me wrong, I like the salary and the people are nice but the tech stack they're using (lacking source control by the way!), as well as all the lengthy meetings are soul-draining.

I'd never do anything "risky" in a prod environment if I considered it so at the time, but in retrospect there's *lots* of things considered risky now (both from a security and good practice viewpoint) that were standard practice not long ago:

- Not using any form of version control
- No tests (including no unit tests)
- Not considering XSS vulnerabilities
- Completely ignoring CSRF vulnerabilities
- Storing passwords as unsalted MD5 hashes (heck that was considered very *secure* in the days of plaintext password storage.)

...etc. I'm guilty of all of those previously. I daresay in the future there will be yet more things that may be standard practice now, but become taboos we look back on with similar disdain.

Providing a web site to pay electricity and other services, but guess what? THE CONNECTION IS NOT SeCuRe !! (What can possibly can go wRoNg).
This retarded country have a lot of skilled people, but the dinosaurs who in charge are literally afraid of new technology.
Wake up bitches, it's almost 2020

A classmate saw me using Firefox today and laughed at me saying Chrome is more secure. I'm not very knowledgeable about the security; I use Firefox because it uses less memory and it's more stable on my machine.

I doubt that info of his is current so can someone who actually knows about the security give me some counter-arguments for him? The more facts the better :D

I don't understand privacy advocators.

Am I the only one who wouldn't give up practicality in exchange for "potentially more secure"?

I don't understand so much what the deal is with people who avoid Facebook, or don't trust Google or Microsoft, just in the basis of "privacy" or "security".

Websites tracking you to serve ads? Well, it's pointless because I very rarely buy something from the internet or let myself be influenced, ads are waste of time, just use an adblocker.

I can pretty much upload my whole life or documents on Google drive, even if I made it public no one would really care or read it all. It's like that GitHub project you uploaded but never documented, so no one cares. I usually use alternative software not because of "privacy" but because it has features other software doesn't have.

In reality you realize people aren't that interested in your life more than their own life.

Security fail here. I've just started a PPI claim and have been provided a link to a so called "very secure" client area.

There are no username or passwords and the screenshot is not a first time sign up screen.

All I need to login is a surname, postcode and DOB - all information easy enough to find online.

Pretty bad IMO, esp, so considering the effort required to add a proper login using a username/password combination.

I mean I'm logged in now and have no option to set an account password :|

Boss: We don't want to use PHP because it's open source we want to keep all the applications secure and want Microsoft to support us whenever some thing happens to ASP.NET applications.

Me: But we will be using PHP on intranet applications and it won't be for public. ASP.NET is also open source.

Boss: No, we cant take that risk.

I'm not sure whose right over here. PS: All the applications we built are for internal purpose only.

Does that mean that that it's not safe and secure?

The worst thing I have seen a dev do?

- Have all the APIs work without an access token for our main product which handles ~10k requests a day.
- Calling our architecture secure in the crucial investor meeting and being 'confident' that our database can not be compromised. No wonder we did not get funded.

In my school, eleventh grade (so nearly "Abitur", A levels), we got the task to create a program which will be running on every computer here which should replace the Classbook (like a book where homework and lessons and stuff is written down).
Now, the class before mine already did a part of that, a program to share who is ill/not at school, with a mark whether it is excused or not.
So far so good. They all seemed not that bad when they were presenting it to us. Then, the first thing: they didn't know what git is. Well, okay I thought.
Next, there was this password field to access the program. One of them entered the password and clicked enter. That seemed suspiciously fast for an actual secure login. So fast, the password could have been in the Code...
Yesterday I copied that program and put it into a decompiler.
And... I was right.
There were the login credentials in plain text. Also, haven't thought of it but, IP address + username + password + database name were there in plain text, too.
Guess I am going to rewrite this program down to the core

Suck my hairy asshole, devs who disable paste for web forms. Or more likely, management softs who read in a trade magazine that paste is bad.

When i was younger, lesser experienced and more naive than now; i got away with a lot of things. By lot of things i mean security flaws in my applications and overall architecture. I realise now i could've so easily been pawned.

Not that i claim to be totally secure even now, or would ever. It is a process, slow and painful one - Learning.

What i wish to point out is the role of favorable probability (non believers would call it luck). Security is so much about it. You get away with so many things for so long. And bang one day the roll of dice is unfavorable. On such rare occasions, just look back and wonder - damn i should've been breached long ago.

Hmm...recently I've seen an increase in the idea of raising security awareness at a user level...but really now , it gets me thinking , why not raise security awareness at a coding level ? Just having one guy do encryption and encoding most certainly isn't enough for an app to be considered secure . In this day an age where most apps are web based and even open source some of them , I think that first of all it should be our duty to protect the customer/consumer rather than make him protect himself . Most of everyone knows how to get user input from the UI but how many out here actually think that the normal dummy user might actually type unintentional malicious code which would break the app or give him access to something he shouldn't be allowed into ? I've seen very few developers/software architects/engineers actually take the blame for insecure code . I've seen people build apps starting on an unacceptable idea security wise and then in the end thinking of patching in filters , encryptions , encodings , tokens and days before release realise that their app is half broken because they didn't start the whole project in a more secure way for the user .

Just my two cents...we as devs should be more aware of coding in a way that makes apps more secure from and for the user rather than saying that we had some epic mythical hackers pull all the user tables that also contained unhashed unencrypted passwords by using magix . It certainly isn't magic , it's just our bad coding that lets outside code interact with our own code .

My boss did not care about making things secure in our early development stage, even though I told him several times.
After 1 day our elastic search cluster was filled with random crappy data.

Fix: Apply security schemes provided by AWS

My best prank: A year ago I was at my friends flat, which he finally rented with his new girlfriend. He is a kind of person, which has like constantly opened 110 tabs in chrome, three or four instances of chrome running, torrenting at full speed and in the meanwhile a few films having opened to "watch" later. He is very very secure about his computer and NEVER leaves me or anyone else alone with his computer. That day we were just talking in the same room, and he goes for some food. I was like yeah thats my chance to prank him. So I opened a new tab and came with an idea - what If I change his desktop background to some random chick, to prank both him and his gf. I knew she will not be mad but his reaction would be priceless (it was his first gf). So I started googling, found a three pretty naked chicks. This was like soft porn, they were still "dressed" but not much. I did not wanted to use a porn for this.
So I was about to download image - right click - save as - little window opened and..

...what the hell, that guy had literally like terabytes of porn in download folder, all totally in one chaos, thousands of images, millions of downloaded videos, all categories just everything from gangbang to milfs or old/ young, what the fuck that computer was like cursed station of porn.

In that point I was like fuck that. This prank has no sense then. So I just closed that little window and did nothing. Prank failed.

Nowdays, He still does not know what I know about his "hobbies". And I will never say him lol. About a months after he broke with his gf and moved to different house. He has now three monitors attached to his computer and 4tb of space. He is still complaining about "lack of space" and "too big downloaded movies" but we all know what is going on lol. We call his "working deck" a sacred porn station.

Whelp. I started making a very simple website with a single-page design, which I intended to use for managing my own personal knowledge on a particular subject matter, with some basic categorization features and a simple rich text editor for entering data. Partly as an exercise in web development, and partly due to not being happy with existing options out there. All was going well...

...and then feature creep happened. Now I have implemented support for multiple users with different access levels; user profiles; encrypted login system (and encrypted cookies that contain no sensitive data lol) and session handling according to (perceived) best practices; secure password recovery; user-management interface for admins; public, private and group-based sections with multiple categories and posts in each category that can be sorted by sort order value or drag and drop; custom user-created groups where they can give other users access to their sections; notifications; context menus for everything; post & user flagging system, moderation queue and support system; post revisions with comparison between different revisions; support for mobile devices and touch/swipe gestures to open/close menus or navigate between posts; easily extendible css themes with two different dark themes and one ugly as heck light theme; lazy loading of images in posts that won't load until you actually open them; auto-saving of posts in case of browser crash or accidental navigation away from page; plus various other small stuff like syntax highlighting for code, internal post linking, favouriting of posts, free-text filter, no-javascript mode, invitation system, secure (yeah right) image uploading, post-locking...

On my TODO-list: Comment and/or upvote system, spoiler tag, GDPR compliance (if I ever launch it haha), data-limits, a simple user action log for admins/moderators, overall improved security measures, refactor various controllers, clean up the code...

It STILL uses a single-page design, and the amount of feature requests (and bugs) added to my Trello board increases exponentially with every passing week. No other living person has seen the website yet, and at the pace I'm going, humanity will have gone through at least one major extinction event before I consider it "done" enough to show anyone.

help

I need some advice here... This will be a long one, please bear with me.

First, some background:
I'm a senior level developer working in a company that primarily doesn't produce software like most fast paced companies. Lots of legacy code, old processes, etc. It's very slow and bureaucratic to say the least, and much of the management and lead engineering talent subscribes to the very old school way of managing projects (commit up front, fixed budget, deliver or else...), but they let us use agile to run our team, so long as we meet our commitments (!!). We are also largely populated by people who aren't really software engineers but who do software work, so being one myself I'm actually a fish out of water... Our lead engineer is one of these people who doesn't understand software engineering and is very types when it comes to managing a project.

That being said, we have this project we've been working for a while and we've been churning on it for the better part of two years - with multiple changes in mediocre contribution to development along the way (mainly due to development talent being hard to secure from other projects). The application hasn't really been given the chance to have its core architecture developed to be really robust and elegant, in favor of "just making things work" in order to satisfy fake deliverables to give the customer.

This has led us to have to settle for a rickety architecture and sloppy technical debt that we can't take the time to properly fix because it doesn't (in the mind of the lead engineer - who isn't a software engineer mind you) deliver visible value. He's constantly changing his mind on what he wants to see working and functional, he zones out during sprint planning, tries to work stories not on the sprint backlog on the side, and doesn't let our product owner do her job. He's holding us to commitments we made in January and he's not listening when the team says we don't think we can deliver on what's left by the end of the year. He thinks it's reasonable to expect us to deliver and he's brushing us off.

We have a functional product now, but it's not very useful yet and still has some usability issues. It's still missing features, which we're being put under pressure to get implemented (even half-assed) by the end of the year.

TL;DR
Should I stand up for what I know is the right way to write software and push for something more stable sometime next year or settle for a "patch job" that we *might* deliver that will most definitely be buggy and be harder to maintain going forward? I feel like I'm fighting an uphill battle in trying to write good quality code in lieu of faster results and I just can't get behind settling for crap just because.

Webmin because why not ✓
Lamp stack ✓
Dynamic DNS client ✓
PhpMyAdmin X

Dear DigitalOcean. SINCE WHEN do you consider a PMA installation
without Https SECURE?
And why the fuck do you make me install an aptitude package that skips both file system AND Apache config cleanup on purging?
It's just a raspberry, but if it runs lamp I want PMA, and if it runs anything, I want Https. Is that too much to ask for from a tutorial source otherwise so reliable that I do anything you say without a questioning thought?

Colleagues cannot seem to grasp that allowing a user to manually update a field via an Api, that only business process should update is a bad idea.

The entire team of around 10 'software developers' cannot grasp that just because the frontend website won't set it doesn't mean its secure. I have tried many times now...

Just an example honestly... Our project follows a concrete repository pattern using no interfaces or inheritance, returning anaemic domain models (they are just poco) that then get mapped into 'view models' (its an api). The domain models exist to map to 'view models' and have no methods on them. This is in response to my comments over the last 2 years about returning database models as domain transfer objects and blindly trusting all Posts of those models being a bad idea due to virtual fields in Ef.

Every comment on a pull request triggers hours of conversation about why we should make a change vs its already done so just leave it. Even if its a 5 minute change.

After 2 years the entire team still can't grasp restful design, or what the point is.

Just a tiny selection of constant incompetence that over the years has slowly warn me down to not really caring.

I can't really understand anymore if this is normal.

Tried to dual boot Arch with Windows yesterday.

Everything was going smoothly. Shrunk the C: partition, ran the installer, installed the OS fine. But it was still booting straight to Windows.

So I edited the BCD to point to Grub instead of Wilndows. Then the plan was to boot into Arch, find Windows, and add it to Grub, problem solved.

Wrong. I had forgotten to disable secure boot. Arch and Grub were booting in BIOS mode, but Windows was UEFI. Grub couldn't boot or even see Windows.

So now I was stuck with just Arch. So I flashed a Windows drive, booted from that, automatic startup repair failed. Opened up the command prompt, tried to rebuild the BCD from there. Surely I can just rebuild it and forget about trying to dual boot right? I just want to get back to being able to use my PC.

Wrong again. Didn't find Windows. Had to get rid of the BCD file before I could rebuild it, but couldn't find it. Found out that I could use diskpart to mount the system partition and assign it a drive letter, renamed the BCD, rebuilt it, and finally was able to reboot into Windows.

Learn from my arrogance. First time Linux users should not attempt to install Arch, let alone do it alongside Windows on the same disk.

I had a wonderful run-in with corporate security at a credit card processing company last year (I won't name them this time).
I was asked design an application that allowed users in a secure room to receive instructions for putting gift cards into envelopes, print labels and send the envelopes to the post. There were all sorts of rules about what combinations of cards could go in which envelopes etc etc, but that wasn't the hard part.
These folks had a dedicated label printer for printing the address labels, in their secure room.
The address data was in a database in the server room.
On separate networks.
And there was absolutely no way that the corporate security folks would let an application that had access to a printer that was on a different network also have access to the address data.
So I took a look at the legacy application to see what they did, to hopefully use as a precedent.
They had an unsecured web page (no, not an API, a web page) that listed the addresses to be printed. And a Windows application running on the users' PC that was quietly scraping that page to print the labels.
Luckily, it ceased to be an issue for me, as the whole IT department suddenly got outsourced to India, so it became some Indian's problem to solve.

A "secure" IoT framework, that integrates with the current system and helps in future implementations as well.
More importantly it would be universally adopted, open source and not proprietary .
Kinda working on something like it for a side project but really dunno where it'll end up! :/

For all the hate against windows I built over the now 8 years using linux as my main os. Now I feel windows 10 is quite good.

I got a little beefier desktop lately, been using just laptops from the last 8 years(8D) so I got this urge to get a desktop for gaming, I bought an entry level machine. ryzen 5 2400g, put my lovely linux mint and... the fucking machine was hanging up when the load was too high, and the load was too high too often because react/node etc.

I gave up in less than a day, I just did a quick search and some people said about secure boot or whatnot, some other claimed that ryzen cpus had no problem with mint, I got fed up quickly and did not try any solution with linux. Then I installed windows 10, installed the godamned drivers from the provided dvd ... since then it was a breeze.

The dark mode is gorgeous and no hanging up at all... I'm just sad that mint did not worked soo well. I wanted to have consistency between my laptop/desktop and I loved mint above everything. But well, some things improve while you're not looking at them, win 10 is quite good, I'll keep my desktop as gaming/programming pc with win 10, and well, the laptop will be auxiliar programming machine.

¯\_(ツ)_/¯

So... I finally decided to secure my VPS, so I started with sudo less /var/log/auth.log ...
Short story, not even gonna read every line, just gonna reset my VPS lol

Do you know what angers me more than anything else ?

Wasted potential. Thats what. That there are people out there that look at their bank account and see a large number and spend large amounts of time finding ways to push people down during sensitive times where they could be learning and growing and have the right attitude and energy to do so, just because it makes their horrible selves feel secure knowing how 'superior' daddy made them, not to mention likely factories filled with half naked Chinese kids sewing shoes and soccer balls and separating out precious metals with blow torches.

I cannot help but think about this again as I'm frustrated that I had to relearn something just now which created more questions which I once everything is dashed to pieces again I won't think to or know to look into, if the information even exists, all so some easily duped younger people can form the next generation of well... us, and fall for the same tricks while I feel like I'm falling behind.

I was once asked to create a fully secure chat system prototype (the ui didn't matter) in 2 days. We ended up building a client in python (which I wrote) and it kinda worked and a c# backend that didn't really work.

1 hour before we had to present the project to some high up management we decided that we couldn't fix the bugs in the system.

So I came up with a cool idea. Why not use ssh?
So I set up a bash script that writes to a file and tail -f that reads from the file. That way you could chat securely with another person.
I made it 15 minutes before the presentation with no Internet working :) they said it was hacky but a cool solution they saw that day :p I felt happy and that I had to thank Linux for being there for me

Workarounds are great. I remember one time, I had a server that let anyone access any file as long as the knew the right path. I wanted to store data in a .txt (it wasnt secure passwords or anything, so calmyourtities), but then had access too it. Now, this server wasn't running anything except PHP, so I created a database.php, and within was just some php tags. I ended up modifying the database.php from other PHP scripts and storing all the data as PHP comment, then parsing thru it as I needed, so loading mydomain.biz/database.php wouldn't show the data. ex of my database.php (to all that might not understand because I'm bad at explaining):
<?php
//USER1:DATA1
//USER2:DATA2
?>

Decrypt api responses in an iOS app which my “senior” dev thinks it is more secure to encrypt responses in stead of setting up a proper SSL cert (they use plain http to save money 🙄)

They disable the encryption since it does not function as we wanted and set up SSL instead🙄

# Retrospective as Backend engineer

Once upon a time, I was rejected by a startup who tries to snag me from another company that I was working with.
They are looking for Senior / Supervisor level backend engineer and my profile looks like a fit for them.
So they contacted me, arranged a technical test, system design test, and interview with their lead backend engineer who also happens to be co-founder of the startup.

## The Interview

As usual, they asked me what are my contribution to previous workplace.
I answered them with achievements that I think are the best for each company that I worked with, and how to technologically achieve them.

One of it includes designing and implementing a `CQRS+ES` system in the backend.
With complete capability of what I `brag` as `Time Machine` through replaying event.

## The Rejection

And of course I was rejected by the startup, maybe specifically by the co-founder. As I asked around on the reason of rejection from an insider.

They insisted I am a guy who overengineer thing that are not needed, by doing `CQRS+ES`, and only suitable for RND, non-production stuffs.

Nobody needs that kind of `Time Machine`.

## Ironically

After switching jobs (to another company), becoming fullstack developer, learning about react and redux.
I can reflect back on this past experience and say this:

The same company that says `CQRS+ES` is an over engineering, also uses `React+Redux`.
Never did they realize the concept behind `React+Redux` is very similar to `CQRS+ES`.

- Separation of concern
- CQRS: `Command` is separated from `Query`
- Redux: Side effect / `Action` in `Thunk` separated from the presentation
- Managing State of Application
- ES: Through sequence of `Event` produced by `Command`
- Redux: Through action data produced / dispatched by `Action`
- Replayability
- ES: Through replaying `Event` into the `Applier`
- Redux: Through replay `Action` which trigger dispatch to `Reducer`

---

The same company that says `CQRS` is an over engineering also uses `ElasticSearch+MySQL`.
Never did they realize they are separating `WRITE` database into `MySQL` as their `Single Source Of Truth`, and `READ` database into `ElasticSearch` is also inline with `CQRS` principle.

## Value as Backend Engineer

It's a sad days as Backend Engineer these days. At least in the country I live in.
Seems like being a backend engineer is often under-appreciated.
Company (or people) seems to think of backend engineer is the guy who ONLY makes `CRUD` API endpoint to database.

- I've heard from Fullstack engineer who comes from React background complains about Backend engineers have it easy by only doing CRUD without having to worry about application.
- The same guy fails when given task in Backend to make a simple round-robin ticketing system.
- I've seen company who only hires Fullstack engineer with strong Frontend experience, fails to have basic understanding of how SQL Transaction and Connection Pool works.
- I've seen company Fullstack engineer relies on ORM to do super complex query instead of writing proper SQL, and prefer to translate SQL into ORM query language.
- I've seen company Fullstack engineer with strong React background brags about Uncle Bob clean code but fail to know on how to do basic dependency injection.
- I've heard company who made webapp criticize my way of handling `session` through http secure cookie. Saying it's a bad practice and better to use local storage. Despite my argument of `secure` in the cookie and ability to control cookie via backend.

Dev Diary Entry #56
Dear diary, the part of the website that allows users to post their own articles - based on an robust rights system - through a rich text editor, is done! It has a revision system and everything. Now to work on a secure way for them to upload images and use these in their articles, as I don't allow links to external images on the site.

Dev Diary Entry #57
Dear diary, today I finally finished the image uploading feature for my website, and I have secured it as well as I can.

First, I check filesize and filetype client-side (for user convenience), then I check the same things serverside, and only allow images in certain formats to be uploaded.

Next, I completely disregard the original filename (and extension) of the image and generate UUIDs for them instead, and use fileinfo/mimetype to determine extension. I then recreate the image serverside, either in original dimensions or downsized if too large, and store the new image (and its thumbnail) in a non-shared, private folder outside the webpage root, inaccessible to other users, and add an image entry in my database that contains the file path, user who uploaded it, all that jazz.

I then serve the image to the users through a server-side script instead of allowing them direct access to the image. Great success. What could possibly go horribly wrong?

Dev Diary Entry #58
Dear diary, I am contemplating scrapping the idea of allowing users to upload images, text, comments or any other contents to the website, since I do not have the capacity to implement the copyright-filter that will probably soon become a requirement in the EU... :(

Wat to do, wat to do...

Wanted to make an account on Payoneer to get paid from 99designs for the stuff I make there.

Entered my password, got error.
"Please use only the latin alphabet, a-z and 0-9"

SERIOUSLY, it's banking stuff. how can they not allow secure passwords? *sitting here, crying"

I absolutely hate software to the point where I started converting from sysadmin to becoming more like a dev. That way I could just write my own implementations at will. Easier said than done, that's for sure. And it goes both ways.

I think that in order to be a good dev, you need these skills the most:
- Problem solving skills
- Creativity, you're making stuff
- Logical reasoning
- Connecting the dots
- Reading complex documentation
- Breaking down said documentation
- A strong desire to create order and patterns
- ...

If you don't have the above, you may still be able to become a dev.. but it would be harder for sure, and in some cases acceptance will be lower (seriously, learn to Google!)

One thing I don't think you need in development is mathematics. Sure there's a correlation between it and logic reasoning, but you're not solving big mathematical monsters here. At most you'd probably be dealing with arrays and loops (well.. program logic).

Also, written and spoken English! The language of the internet must be known. If it's not your first language, learn it. All the good (and crucial) documentation out there is in English after all.

One final thing would be security in my opinion, since you're releasing your application to the internet and may even run certain services, and deal with a lot of user data. Making those things secure takes some effort and knowledge on security, but it's so worth it. At the most basic level, it requires a certain mindset: "how would I break this thing I just made?"

Screw all the people who think standard email is "secure". It is not suitible for sending passwords and SSN numbers.

How can something Equifax or Marriott hacks have happened and people are still ok sending out information like this in plain text?!

I know their hacks weren't email released but still.....should be a good time to up some security standards. Right?

RANT!

I still struggle to find the suitable address book software for our company. It supposed to be secure and inexpensive. But how so? It's flipping not possible to have both!
My boss answer to almost everything I say: Just do it! - in German: einfach machen! Please hulp!

I'm currently planning to set myselv up with some vps/dedicated server's for a project. What i plan to do to secure these servers is.
*Use centos 7
* Setup Wireguard and join all of the servers +1 client (my pc) to that network
*Disable SSH Access from outside that VPN
*Only allow RSA Key login to the Servers
*Install Cockpit for monitoring
*Intall docker/kubernetes for the applications i plan to run

What do you guys think of that as a baseline? Im not sure if my lower powered VPS (VPS M SSD from Contabo) will work as Kubernetes Nodes, does anyone have experience with that?

In general these Servers will be used for my projects and other fooling around.

If you guys have other suggestions for Securing/monitoring or other software i could put on to have more control without eating up to much of the Servers power, let me know :D

Do you, guys, have any VPN suggestions? I'm mostly looking for a VPN that doesn't throttle your speed, allows and encrypts P2P connections and is secure and reliable. I'm not quite sure what other more specific requirements I'm looking for, since I'm not too knowledgeable in this domain, but I'm nonetheless thanking you in advance :D

A peeve of mine is when someone in the software industry denigrates a technology/tool/framework outside of his role eg webdevs on sysadmin stuff or viceversa.

I'm not trying to shame anyone for having subjective experiences, I just think that if you're gonna talk about tools that are not on your domain, then you need to be twice as humble as usual.

I'm a webdev and I don't post around how I KNOW how to make ssh secure, while other people devote their entire careers to that and all related matters.

What prompted me is seeing some not webdevs do this here that seem to be sysadmins/devops (can't tell for sure since I don't know them), but in real life, I've seen people from any role do this, webdevs too, even testers!

Imagine you had cancer, and you had a tumor extraction, and the oncologist said to the surgeon "step aside son, let me show you how to deal with cancer".

I got notified that tomorrow I'm gonna start a porting project from a FileNet ecosystem.

Well, I don't know what is FileNet, but at least I've enough time to study its architecture. Let's start from the official IBM page:

The FileNet® P8 platform offers enterprise-level scalability and flexibility to handle the most demanding content challenges, the most complex business processes, and integration to all your existing systems. FileNet P8 is a reliable, scalable, and highly available enterprise platform that enables you to capture, store, manage, secure, and process information to increase operational efficiency and lower total cost of ownership.

Thank you IBM, now I surely know how to use FileNet. Well, I hope that wikipedia explains me what it is:

FileNet is a company acquired by IBM, developed software to help enterprises manage their content and business processes.

Oh my god. I tried searching half an hour so far and everything I found was just advertisements and not a clue about what it is.

Then they wonder why I hate IBM so much

Am I the only one worried with the OS wars lately? Microsoft and Apple trying to gain even more control on everything and Linux remaining at less than 2% on the desktop. People are oblivious to the fact that their personal freedom is at risk, and don't you dare tell me otherwise. Companies knowing what we search or what files we have on our computer, having the ability to control us and force us to follow their rules. We have a choice, and I'm not talking about destroying the economical system a la Mr. Robot, but moving to the Open Source world, not because it's more secure, faster or some such shit, but because it's the only way to ensure freedom on one of the biggest part of our lifes, the digital part. My concerns may be exceeding the normal, and I'll hate it to be right, but I'm afraid that if this goes on, in a few years, we'll understand that we made a big mistake...

Sometimes life takes unexpected turns:

I studied mechanical engineering and did some "computer stuff" in my free time, you know, "programming" with Java, toyed around with HTML/CSS/PHP a few years ago, some local server stuff with a raspberry pi, nothing fancy.

Half a year ago i got hired as engineer first but they said they needed an "IT Guy" also.

What i did since then
*Researching, Testing and Planning the introduction of an ERP software
*Planning, coordinating and (partially) setting up a new server for the company (actually two cause redundancy (heavy lifting got done by our IT partner, its not like i suddenly know how to do the entire windows server administration)
*Writing 3 minor tools for some guys in the company in java
*Creating numereous excel vba scripts that make work a lot easier
*doing all the day to day business that comes up when absolutly noone know how to use a pc in the company
*consulting the boss about webshops and websites in general and finding a decent partner
*and some engineering

Did i mentioned that i studied mechanical engineering? I know nothing about all this, or rather, i know enough to know that i know not enough.

My current side project is creating a small intranet, so creating a new VM in Hyper V, setting up some OS (probably slim CentOS), getting a Webserver running and making it somewhat secure. Then i need to create some content, i am very close to just install a mediawiki and call it a day. If i write anything in PHP i fear that i make way to many erros or just reinvent the wheel, on the other hand, i couldnt find anything resembling what i need. I also had to create the front end side, i knew CSS around 2010, there is probably tons of stuff i dont know and i will make so many errors.

This is frustrating, everything i touch feels like i am venturing the beaten path but noone ever showed me the ropes so everything i do feels like childs play. I need an adult. Also the biggest Question remains: What i am?

THREE DAYS of debugging, reading all the logs I could find, creating tens of new logs in our appliaction, and SUDDENLY an email from your IT admin:

"Hey your CURL requests are being rejected by my !oh so secure! firewall rule".

Not that I haven't said at the beggining, that THIS IS YOUR F...G NETWORK PROBLEM because we get "connection reset by peer" errors, and you ASSURED that everything is CHECKED and OK!

Dev industry develop so fast. This is because information available anywhere in the internet and people try to learn any programming language they want . But only few know whether they following secure coding practice or not

But the thing is most of Dev people dosent care about security. They focus just to develop a application but not to secure it?

Gotta love the IoT.

They set up a new surveillance camera in the company, that can stream live footage over the network and that little shit picked the IP adress of a coworker one day AFTER being set up.
Hurray for static routing. Hurray to the person who didn't disable DHCP on the router (Should probably configure my PC to use a static IP as well lel)

Anyways, this happened outta nowhere when I, the only guy who knows shit about IT and is usually present at yhe office, wasn't there and could not connect remotely.

The other, remote programmer, who set up the network, could guide the coworker to get a new IP but, he was worried that we got ourselves an intruder.

Since nobody told me yet that we (should) have static routing, I thought there was a mastermind at work who could get into a network without a wifi-access point and spoof the coworker in order to access the some documents.

The adrenaline rush was real 😨

Scanning the network with nmap solved the mystery rather quickly but thought me that I need to set up a secure way to get remote access on the network.

I would appreciate some input on the set up I thought of:
A raspberry Pi connected to a vpn that runs ssh with pw auth disabled and the ssh port moved.
Would set up the vpn in a similar fashion.

-Rant-
How do you (not) secure your Rest based web service?
1. Chain it to shady organic authentication system built by a hoard of monkeys high on Tequila.
2. have secret keys that get copy pasted into config flat files, and index them on your code search engine.
3. make the onboarding extremely platform specific that you need 500 environment variables, 50 scripts, 5 fancy device presses and a tap dance to make a GET call to the service.
4. fish through 500 rotating log files that the authentication system generates for each API call made.
5. Leave traces all over the host so if you have to start over, you should sudo rm -rf / and set fire to your computer.

Pentesting for undisclosed company. Let's call them X as to not get us into trouble.
We are students and are doing our first pentest at an actual company instead of assignments at school. So we're very anxious. But today was a good day.
We found some servers with open ports so we checked a few of them out. I had a set of them with a bunch of open ports like ftp and... 8080. Time to check this out.
"please install flash player"... Security risk 1 found!

System seemed to be some monitoring system. Trying to log in using admin admin... Fucking works. Group loses it cause the company was being all high and mighty about being secure af. Other shit is pretty tight though.

Able to see logs, change password, add new superuser, do some searches for USERS_LOGGEDIN_TODAY! I shit you not, the system even had SUGGESTIONS for usernames to search for. One of which had something to do with sftp and auth keys. Unfortunatly every search gave a SQL syntax error. Used sniffing tools to maybe intercept message so we could do some queries of our own but nothing. Query is probably not issued from the local machine.

Tried to decompile the flash file but no luck. Only for some weird lines and a few function names I presume. But decompressing it and opening it in a text editor allowed me to see and search text. No GET or POST found. No SQL queries or name checks or anything we could think of.

That's all I could do for today. So we'll have to think of stuff for next week. We've already planned xss so maybe we can do that on this server as well.

We also found some older network printers with open telnet. Servers with a specific SQL variant with a potential exploit to execute terminal commands and some ftp and smb servers we need to check out next week.

Hella excited about this!

If you guys have any suggestions let us know. We are utter noobs when it comes to this.

For all the hate that Java gets, this *not rant* is to appreciate the Spring Boot/Cloud & Netty for without them I would not be half as productive as I am at my job.

Just to highlight a few of these life savers:
- Spring security: many features but I will just mention robust authorization out of the box
- Netflix Feign & Hystrix: easy circuit breaking & fallback pattern.
- Spring Data: consistent data access patterns & out of the box functionality regardless of the data source: eg relational & document dbs, redis etc with managed offerings integrations as well. The abstraction here is something to marvel at.
- Spring Boot Actuator: Out of the box health checks that check all integrations: Db, Redis, Mail,Disk, RabbitMQ etc which are crucial for Kubernetes readiness/liveness health checks.
- Spring Cloud Stream: Another abstraction for the messaging layer that decouples application logic from the binder ie could be kafka, rabbitmq etc
- SpringFox Swagger - Fantastic swagger documentation integration that allows always up to date API docs via annotations that can be converted to a swagger.yml if need be.
- Last but not least - Netty: Implementing secure non-blocking network applications is not trivial. This framework has made it easier for us to implement a protocol server on top of UDP using Java & all the support that comes with Spring.

For these & many more am grateful for Java & the big big community of devs that love & support it.

I wanna go back to the age where a C program was considered secure and isolated based on its system interface rathe than its speed. I want a future where safety does not imply inefficiency. I hate spectre and I hate that an abstraction as simple and robust as assembly is so leaky that just by exposing it you've pretty much forfeited all your secrets.
And I especially hate that we chose to solve this by locking down everything rather than inventing an abstraction that's a similarly good compile target but better represents CPUs and therefore does not leak.

Oh god where do I start!?

In my current role I've had horrific experiences with management and higher ups.

The first time I knew it would be a problem: I was on a Java project that was due to go live within the month. The devs and PM on the project were all due to move on at the end. I was sitting next to the PM, and overheard him saying "we'll implement [important key feature] in hypercare"... I blew my top at him, then had my managers come and see if I was OK.

That particular project overran with me and the permanent devs having to implement the core features of the app for 6mo after everyone else had left.

I've had to be the bearer of bad news a lot.

I work now and then with the CTO, my worst with her:
We had implemented a prototype for the CEO of a sister company, he was chuffed with it. She said something like "why is it not on brand" - there was no brand, so I winged it and used a common design pattern that the CEO had suggested he would like with the sister company's colours and logo. The CTO said something like "the problem is we have wilful amateurs designing..." wilful amateurs. Having worked in web design since I was 12 I'm better than a wilful amateur, that one cut deep.

I've had loads with PMs recently, they basically go:

PM: we need this obscure set up.
Me & team: why not use common sense set up.
PM: I don't care, just do obscure set up.

The most recent was they wanted £250k infrastructure for something that was being done on an AWS TC2.small.

Also recently, and in another direction:

PM: we want this mobile app deploying to our internal MDM.
Us: we don't know what the hell it is, what is it!?
PM: it's [megacorp]'s survey filler app that adds survey results into their core cloud platform
Us: fair enough, we don't like writing form fillers, let us have a look at it.

*queue MITM plain text login, private company data being stored in plain text at /sdcard/ on android.

Us: really sorry guys, this is in no way secure.
Pm: *in a huff now because I took a dump on his doorstep*

I'll think of more when I can.

Who would be interested in reviewing an old peice of Python code I wrote..? It's a few years old, and it uses basic procedual generation to cypher text (entry, or ASCII files) using a hashed password. It's a command line tool.

I used to brag about how "secure" it was, and now I'm curious if it is secure or not.

I plan on picking it back up and open-sourcing it, but I want to know what problems might be wrong with it now.

Had to do a change tonight - not once but twice my server secure login account was locked. And server security don't answer their pages. I couldn't even reverse my changes if my changes break something else.

My account has not been locked in over a year but happens twice in a 90 minute window. What are the chances?