Search - "not secure"
Hi, I am a Javascript apprentice. Can you help me with my project?
- Sure! What do you need?
Oh, it’s very simple, I just want to make a static webpage that shows a clock with the real time.
- Wait, why static? Why not dynamic?
I don’t know, I guess it’ll be easier.
- Well, maybe, but that’s boring, and if that’s boring you are not going to put in time, and if you’re not going to put in time, it’s going to be harder; so it’s better to start with something harder in order to make it easier.
You know that doesn’t make sense right?
- When you learn Javascript you’ll get it.
Okay, so I want to parse this date first to make the clock be universal for all the regions.
- You’re not going to do that by yourself right? You know what they say, don’t repeat yourself!
But it’s just two lines.
- Don’t reinvent the wheel!
Literally, Javascript has a built in library for t...
- One component per file!
I’m lost.
- It happens, and you’ll get lost managing your files as well. You should use Webpack or Browserify for managing your modules.
Doesn’t Javascript include that already?
- Yes, but some people still have previous versions of ECMAScript, so it wouldn’t be compatible.
What’s ECMAScript?
- Javascript
Why is it called ECMAScript then?
- It’s called both ways. Anyways, after you install Webpack to manage your modules, you still need a module and dependency manager, such as bower, or node package manager or yarn.
What does that have to do with my page?
- So you can install AngularJS.
What’s AngularJS?
- A Javascript framework that allows you to do complex stuff easily, such as two way data binding!
Oh, that’s great, so if I modify one sentence on a part of the page, it will automatically refresh the other part of the page which is related to the first one and vice versa?
- Exactly! Except two way data binding is not recommended, since you don’t want child components to edit the parent components of your app.
Then why make two way data binding in the first place?
- It’s backed up by Google. You just don’t get it do you?
I have installed AngularJS now, but it seems I have to redefine something called a... directive?
- AngularJS is old now, you should start using Angular, aka Angular 2.
But it’s the same name... wtf! Only 3 minutes have passed since we started talking, how are they in Angular 2 already?
- You mean 3.
2.
- 3.
4?
- 5.
6?
- Exactly.
Okay, I now know Angular 6.0, and use a component based architecture using only a one way data binding, I have read and started using the Design Patterns already described to solve my problem without reinventing the wheel using libraries such as lodash and D3 for a world map visualization of my clock as well as moment to parse the dates correctly. I also used ECMAScript 6 with Babel to secure backwards compatibility.
- That’s good.
Really?
- Yes, except you didn’t concatenate your html into templates that can be under a super Javascript file which can, then, be concatenated along all your Javascript files and finally be minimized in order to reduce latency. And automate all that process using Gulp while testing every single unit of your code using Jasmine or Protractor or just the Angular built in unit tester.
I did.
- But did you use TypeScript?
Me: I have been working for you for almost 12 years now, and I feel that my current pay is not comparable to the work I currently produce. Therefore, in order to secure my future as your employee, I must request an immediate raise in pay to a level that is acceptable.
Boss: I can't afford it. If you want more money, you need to bring in more clients, plain and simple.
Me: I'm serious. If I don't get a raise, I will qui---
Girlfriend: Babe, stop talking to yourself and come to bed...
Me: Okay... [looks in mirror] This isn't finished...
The spam denier
_____
An old phone conversation with a client:
Me : Hello
Client : My website and server are suspended? why is that?
Me : Your server sends spam messages.
Client : We do not send spam messages, we are on vacation, there is no one in the office.
Me : Yes, but it is not necessarily you, according to our logs, your server sent spam messages in Chinese and Russian, so someone from Russia or China, etc.
Client : I do not believe you, we do not speak Russian or Chinese, how could we then write spam messages in those languages?
Me : I told you, maybe someone exploited some vulnerability in your website or server firewall. And if you want to activate your services, please check with your webmaster and sysadmin to secure your ....
Client: I tell you my son, because I am old and I have more life experience than you ... I am 60 years old and I tell you, spam does not exist, and YOU suspended my website and server, and created issues to sell me more of your solutions and services.
I won't check my server, I won't hire a webmaster or a sysadmin, AND YOU WILL ACTIVATE MY SERVER NOW !
(I suddenly realized that I am talking to a wall, so I switched to a robotic tone).
Me : Please resolve the issue to activate your services..
Client : YOU WILL ACTIVATE MY S...
Me : Please resolve the issue to activate your services...
Client : WHAT IS THIS SPAM STORY ANYWAY, I DO NOT BELIEVE YOU ...
Me : Please google that word and you will understand what spam is...
Client : YOU ARE F**ING LIARS, SPAM DOES NOT EXIST... ACTIVATE MY WEBSITE N.... Beeeep !
I hang up.
Well, I thought about configuring an automatic response for this client, or a for-loop.
His voice was really unpleasant, as if he were a heavy smoker.
Another one, teach secure programming for fucks sake! This always happened at my study:
Me: so you're teaching the students doing MySQL queries with PHP, why not teach them PDO/prepared statements by default? Then they'll know how to securely run queries from the start!
Teachers: nah, we just want to go with the basics for now!
Me: why not teach the students hashing through secure algorithms instead of always using md5?
Teacher: nah, we just want to make sure they know the basics :)
For fuck's fucking sake, take your fucking responsibilities.
Creating a new account is always fun...
"This Is My Secure Password" <-- Sorry, no spaces allowed.
"ThisIsMySecurePassword" <-- Sorry, Passwords must include a number
"ThisIsMySecurePassword1" <-- Sorry, Passwords must include a special character
"ThisIsMySecurePassword 1" <-- Sorry, no spaces allowed
"ThisIsMySecurePassword%1" <-- Sorry, the % character is not allowed
"ThisIsMySecurePassword_1" <-- Sorry, passwords must be shorter than 16 characters
"Fuck" <-- Sorry, passwords must be longer than 6 characters
"Fuck_it" <-- Sorry, passwords can't contain bad language
"Password_1" <-- Accepted.
I was reviewing one dev's work. It was in PHP. He used MD5 for password hashing. I told him to use the password_hash function as MD5 is not secure...
He said no we can't get a password from MD5 hashed string. It's one way hashing...
So I asked him to take couple of passwords from the users table and try to decode those in any online MD5 decoder and call me after that if he still thinks MD5 is secure.
I have not got any call from him since.
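What the "online MD5 decoder" in that story does is worth seeing in code, because it is also the answer to "but it's one way hashing": nothing gets reversed, the digest is simply looked up in a precomputed table, and unsalted MD5 makes one table work against every user of every site. Added example (not the reviewed code, and not from the post): a lookup attack over a constructed wordlist beside a salted, slow hash in the style of PHP's password_hash()/password_verify(). PBKDF2-HMAC-SHA256 is used only because it ships in Python's standard library; bcrypt or Argon2id are the better choice when a library for them is available.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample wordlist (not from the original post). Real "MD5 decoder" sites
# sit on tables with billions of precomputed entries; the principle is the same.
WORDLIST = ["123456", "password", "qwerty", "letmein", "welcome1", "Password_1"]
MD5_TABLE = {hashlib.md5(w.encode()).hexdigest(): w for w in WORDLIST}


def md5_hash(password: str) -> str:
    """What the reviewed code did: unsalted, fast, deterministic."""
    return hashlib.md5(password.encode()).hexdigest()


def md5_lookup(digest: str) -> Optional[str]:
    """What an online 'MD5 decoder' does. Nothing is decrypted: the digest is
    looked up in a precomputed table. Because there is no salt, one table breaks
    every user who chose a common password, across every site using MD5."""
    return MD5_TABLE.get(digest.lower())


# Counterpart of password_hash()/password_verify(). The cost parameter is stored
# with the hash so it can be raised later without breaking old entries.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing string: algorithm, cost, salt and derived key."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "$pbkdf2-sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode(),
        base64.b64encode(dk).decode(),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost, compare in constant time."""
    try:
        _, alg, iterations, salt_b64, dk_b64 = stored.split("$")
    except ValueError:
        return False
    if alg != "pbkdf2-sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iterations))
    return hmac.compare_digest(dk, expected)


if __name__ == "__main__":
    stolen = md5_hash("Password_1")
    print("md5 column value   :", stolen, "->", md5_lookup(stolen))
    stored = hash_password("Password_1")
    print("pbkdf2 column value:", stored)
    print("verify correct:", verify_password("Password_1", stored))
    print("verify wrong  :", verify_password("Password_2", stored))
```

Two things to notice: the same password hashed twice with hash_password() gives two different strings (the random salt kills shared tables), and verifying one guess costs 200,000 HMAC calls instead of one, which is the point of a password hash as opposed to a checksum.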
Started talking with someone about general IT stuff. At some point we came to the subject of SSL certificates and he mentioned that 'that stuff is expensive' and so on.
Kindly told him about Let's Encrypt and also that it's free and he reacted: "Then I'd rather have no SSL, free certificates make you look like you're a cheap ass".
So I told him the principle of login/registration thingies and said that they really need SSL, whether it's free or not.
"Nahhh, then I'd still rather don't use SSL, it just looks so cheap when you're using a free certificate".
Hey you know what, what about you write that sentence on a whole fucking pack of paper, dip it into some sambal, maybe add some firecrackers and shove it up your ass? Hopefully that will bring some sense into your very empty head.
Not putting a secure connection on a website, (at all) especially when it has a FUCKING LOGIN/REGISTRATION FUNCTION (!?!?!?!!?!) is simply not fucking done in the year of TWO THOUSAND FUCKING SEVENTEEN.
'Ohh but the NSA etc won't do anything with that data'.
Has it, for one tiny motherfucking second, come to mind that there's also a thing called hackers? Malicious hackers? If your users are on hacked networks, it's easy as fuck to steal their credentials, inject shit and even deliver fucking EXPLOIT KITS.
Oh and you bet your ass the NSA will save that data, they have a whole motherfucking database of passwords they can search through with XKeyScore (Snowden leaks).
Motherfucker.
Ranted about him before but this just came to my mind again.
The fucking windows (to the max) fanboy I had to deal with for too long.
Every time I mentioned something about what programming language to use in a project he was NOT part of:
"I know it's none of my business, BUT I think you should use .net"
(All backend JavaScript and php guys).
Every time I mentioned something about what server system to use:
"I know it's none of my business but I think you should use Windows server"
(All Linux guys)
Every time I'd say something positive about Linux he'd search as long as needed to prove that that was also a windows thing (didn't even come close sometimes)
Every time I told the devs there about a windows security issue (as in "guys they found this thing, install the next update to stay safe :)" - "ahhh will do, thanks for letting know man!") he'd search as long as needed to prove that Linux also had had security issues like that.
(Okay?!? I know?!? I'm just trying to notify people so their systems stay secure and they're genuinely happy with that so STFU)
MOTHERFUCKER.
A quite severe vulnerability was found in Skype (at least for windows, not sure about other systems) allowing anyone with system access (remote or local) to replace the update files skype downloads before updating itself with malicious versions because skype doesn't check the integrity of local files. This could allow an attacker to, once gaining access to the system, 'inject' any malicious DLL into skype by placing it in the right directory with the right file name and waiting for the user to update (except with auto updates of course).
From a company like Microsoft, taking in mind that skype has hundreds of millions of users worldwide, I'd expect them to take a very serious stance on this and work on a patch as soon as possible.
What they said about this: they won't be fixing it anytime soon as it would require a quite big rewrite of skype.
This kinda shit makes me so fucking angry, especially when it comes from big ass companies 😡. Take your fucking responsibility, Microsoft.
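The missing piece described in that rant is an integrity check on staged update files before they are loaded. Added example (not Skype's code, file names and contents invented): an updater that compares every staged file against a manifest of SHA-256 digests and refuses to install when a file was swapped or an extra DLL was dropped into the directory. One caveat the rant's scenario makes obvious: the manifest itself has to arrive over an authenticated channel (signed with a key the installer already holds, or pinned and fetched over TLS), because a manifest sitting in the same writable directory can be replaced together with the DLL.

```python
import hashlib
import hmac
import os
import tempfile
from typing import Dict, List


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_staged_update(stage_dir: str, manifest: Dict[str, str]) -> List[str]:
    """Compare every staged file against the manifest (file name -> SHA-256 hex).
    Returns a list of problems; an empty list means install may proceed.
    A file swapped after download, or dropped into the directory by someone
    with write access, is reported instead of being loaded."""
    problems: List[str] = []
    staged = set(os.listdir(stage_dir))
    for name, expected in manifest.items():
        if name not in staged:
            problems.append(f"missing: {name}")
            continue
        actual = sha256_file(os.path.join(stage_dir, name))
        if not hmac.compare_digest(actual, expected):
            problems.append(f"digest mismatch: {name}")
    for name in sorted(staged - manifest.keys()):
        problems.append(f"unexpected file: {name}")
    return problems


def _write_all(directory: str, files: Dict[str, bytes]) -> None:
    for name, data in files.items():
        with open(os.path.join(directory, name), "wb") as f:
            f.write(data)


def demo() -> Dict[str, List[str]]:
    """Three constructed scenarios: a clean staging directory, one where an
    attacker with local write access replaced a DLL, one where an extra DLL
    was planted. File names and contents are made up for the example."""
    genuine = {"app.exe": b"genuine executable", "helper.dll": b"genuine library"}
    # In practice the manifest is produced at build time and distributed signed.
    manifest = {name: hashlib.sha256(data).hexdigest() for name, data in genuine.items()}
    results: Dict[str, List[str]] = {}
    with tempfile.TemporaryDirectory() as d:
        _write_all(d, genuine)
        results["clean"] = verify_staged_update(d, manifest)
    with tempfile.TemporaryDirectory() as d:
        _write_all(d, {**genuine, "helper.dll": b"malicious library"})
        results["swapped_dll"] = verify_staged_update(d, manifest)
    with tempfile.TemporaryDirectory() as d:
        _write_all(d, {**genuine, "evil.dll": b"planted library"})
        results["planted_dll"] = verify_staged_update(d, manifest)
    return results


if __name__ == "__main__":
    for scenario, problems in demo().items():
        print(f"{scenario}: {problems or 'OK, install'}")
```

Note that the check runs on the staged copy immediately before loading, not on the download; a verify-then-copy sequence leaves a window in which the verified file can still be replaced.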
This is super childish but it's the gameserver industry and karma is a bitch.
TLDR: I hacked my boss
I was working for a gameserver and I did development for about 3 months and was promised pay after the network was released. I followed through with a bunch of dev friends and the guy ended up selling our work. He didn't know that I was aware of this as he tried to tell people to not tell us but one honest person came forward and said he sold our work for about 8x the price of what he owed ALL OF US collectively.
I proceeded to change the server password and when he asked why he couldn't log in I sent him an executable (a crypted remote access tool) and told him it was an "encryption tunnel" that makes ssh and file transfers secure. Being the idiot that he is he opened it and I snagged all of his passwords including his email and I changed them through a proxy on his machine to ensure I wouldn't get two factored with Google. After I was done I deleted system 32 :3
I hate this attitude of my study (when i studied):
"it might be a good idea to teach the students how to program securely by default?"
"oh no but we just want to teach them the basics"
"so why not the secure basics by default?!"
"nah we just want them to get started and understand it, that's all. We'll get to the secure way later on"
Well, fuck you.
"Do you have 2 factor auth for the database?"
a customer asked. I stared at the wall in front of me and suddenly felt an urge to punch and piss on something.
I took a deep breath while thinking to myself
*Oh boy, here we go. Another retard*
I put on my nice voice and asked:
"What do you mean?"
The customer seems confused, as if my question did not make sense and he said:
"TWO FACTOR AUTHENTICATION! Don't you know what it is? To make the database more secure."
I was fucking right, this person reads too much shit. The fact that the email signature of that person said "Wordpress Developer" made me more angry.
I, still with the nice voice asked
"How would that work?"
"Two factor authentication when I am connecting to the database."
"So, do you want it by SMS then? You'll get a lot of messages if it is going to send you one every time a query is made."
The following 7 seconds were dead silent until I heard the person hang up.
Alright people, I'm gonna be blunt here, which is something not often seen from me. Thankfully this platform is used to it.
I am absolutely sick of people hating Windows/MacOS just because of the fucking practices of the companies. Let's take a look at a pro/con list of each OS type respectively.
Windows:
Pro - Most computers built for it
Pro - Average consumer friendly
Pro - Most games made for it
------------------------------------------
Con - Proprietary
Con - Shady info collection (disableable)
Con - Can take some work to customize
~
Linux:
Pro - Open source
Pro - Hundreds of versions/distros
Pro - Incredibly customizable on all fronts
------------------------------------------
Con - Can have limited modern hardware support
Con - The good stuff has a steep learning curve
Con - Tends to have unoptimized programs or semi-failed copies of Windows programs
~
MacOS:
Pro - Actually quite secure in general
Pro - Optimized to all hell (on Apple devices)
Pro - Usually just works
------------------------------------------
Con - Only (legally) usable on Apple devices
Con - Proprietary
Con - Locked down customization
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
See? None of them are perfect. Fucking get over it already. Maybe I want to use Windows because it works for me, and it actually does what I need it to. I can disable the spying shit through a few nice programs. Just because I work in IT doesn't mean that I HAVE to hate Windows and LOVE Linux! I mean, Linux is absolutely SPECTACULAR for all of my servers, but as a Desktop OS? Not there for me yet. Check one of my other rants: https://devrant.com/rants/928935/... and you'll see a lot of my gripes with Linux that Windows actually executes well. FUCK!
"We don't need to invest in security - noone is going to hack us anyway" == "We don't need a fire department in our city - fire is not going to start here anyway"
"We don't need to invest in security - everything is public anyway" == "We don't need a fire department in our city - our buildings are made out of straw anyway"
-- my thoughts after seeing a line in client's spec: "sensitive data is transferred via a secure tcp channel (https) and all the public data is transferred via an unencrypted tcp (http) channel"
"secure" messaging apps which aren't open source.
Isn't it common sense that, when you can't check an app for anything because it's closed source (backdoors, vulnerabilities etc), you technically can't be sure whether it's actually secure or not?
And no, I'm not going to trust an app dev on his/her blue fucking eyes on this one.
Our website once had its config file (“old” .cgi app) open and available if you knew the file name. It was ‘obfuscated’ with the file name “Name of the cgi executable”.txt. So browsing, browsing.cgi, config file was browsing.txt.
After discovering the sql server admin password in plain text and reporting it to the VP, he called a meeting.
VP: “I have a report that you are storing the server admin password in plain text.”
WebMgr: “No, that is not correct.”
Me: “Um, yes it is, or we wouldn’t be here.”
WebMgr: “It’s not a network server administrator, it’s SQL Server’s SA account. Completely secure since that login has no access to the network.”
<VP looks over at me>
VP: “Oh..I was not told *that* detail.”
Me: “Um, that doesn’t matter, we shouldn’t have any login password in plain text, anywhere. Besides, the SA account has full access to the entire database. Someone could drop tables, get customer data, even access credit card data.”
WebMgr: “You are blowing all this out of proportion. There is no way anyone could do that.”
Me: “Uh, two weeks ago I discovered the catalog page was sending raw SQL from javascript. All anyone had to do was inject a semicolon and add whatever they wanted.”
WebMgr: “Who would do that? They would have to know a lot about our systems in order to do any real damage.”
VP: “Yes, it would have to be someone in our department looking to do some damage.”
<both the VP and WebMgr look at me>
Me: “Open your browser and search on SQL Injection.”
<VP searches on SQL Injection..few seconds pass>
VP: “Oh my, this is disturbing. I did not know SQL injection was such a problem. I want all SQL removed from javascript and passwords removed from the text files.”
WebMgr: “Our team is already removing the SQL, but our apps need to read the SQL server login and password from a config file. I don’t know why this is such a big deal. The file is read-only and protected by IIS. You can’t even read it from a browser.”
VP: “Well, if it’s secured, I suppose it is OK.”
Me: “Open your browser and navigate to … browse.txt”
VP: “Oh my, there it is.”
WebMgr: “You can only see it because your laptop had administrative privileges. Anyone outside our network cannot access the file.”
VP: “OK, that makes sense. As long as IIS is securing the file …”
Me: “No..no..no.. I can’t believe this. The screen shot I sent yesterday was from my home laptop showing the file is publicly available.”
WebMgr: “But you are probably an admin on the laptop.”
<couple of awkward seconds of silence…then the light comes on>
VP: “OK, I’m stopping this meeting. I want all admin users and passwords removed from the site by the end of the day.”
Took a little longer than a day, but after reviewing what the web team changed:
- They did remove the SQL Server SA account, but replaced it with another account with full admin privileges.
- Replaced the “App Name”.txt with centrally located config file at C:\Inetpub\wwwroot\config.txt (hard-coded in the app)
When I brought this up again with my manager..
Mgr: “Yea, I know, it sucks. WebMgr showed the VP the config file was not accessible by the web site and it wasn’t using the SA password. He was satisfied by that. Web site is looking to beat projections again by 15%, so WebMgr told the other VPs that another disruption from a developer could jeopardize the quarterly numbers. I’d keep my head down for a while.”
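The "inject a semicolon" point in that story, and the PDO/prepared-statements point in the teaching rant above, are the same lesson, so here is one added example for both (not the site's code; tables, rows and payloads are constructed). A catalog search built by string concatenation, the way the page's JavaScript did it, is run against a tautology payload and a UNION payload that reads the customer table through the product search; the parameterized version treats the same input as nothing but a LIKE pattern. SQLite is used because it ships with Python; the behaviour is the same on SQL Server or MySQL.

```python
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the site's catalog and customer tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, public INTEGER);
        INSERT INTO products VALUES (1, 'Widget', 1), (2, 'Gadget', 1), (3, 'Unreleased thing', 0);
        CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT);
        INSERT INTO customers VALUES (1, 'alice@example.com', '4242');
        """
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> List[str]:
    """Query text assembled from user input, the way the catalog page did it."""
    sql = "SELECT name FROM products WHERE public = 1 AND name LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn: sqlite3.Connection, term: str) -> List[str]:
    """Prepared statement: the input can only ever be a LIKE pattern value."""
    sql = "SELECT name FROM products WHERE public = 1 AND name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


# Two constructed payloads. The first turns the WHERE clause into a tautology and
# comments out the trailing quote (non-public rows come back too); the second
# appends a UNION that pulls rows from an unrelated table through the same
# result set.
TAUTOLOGY = "' OR 1=1 --"
EXFILTRATE = "' UNION SELECT email || ':' || card_last4 FROM customers --"


if __name__ == "__main__":
    db = make_db()
    for term in ("Wid", TAUTOLOGY, EXFILTRATE):
        print(f"term={term!r}")
        print("  vulnerable   :", search_vulnerable(db, term))
        print("  parameterized:", search_parameterized(db, term))
```

The semicolon trick from the story (stacking a second statement after the first) depends on the driver: sqlite3's execute() refuses more than one statement, while SQL Server's ADO drivers and mysqli_multi_query() happily run it. The tautology and UNION forms above need no second statement, which is why "we block semicolons" is never a fix; the parameterized query is.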
I wonder why banks are always so terribly insecure, given how much money there's for grabs in there for hackers.
Just a while ago I got a new prepaid credit card from bpost, our local postal service that for some reason also does banking. The reason for that being that - thank you 'Murica! - a lot of websites out there don't accept anything but credit cards and PayPal. Because who in their right mind wouldn't use credit cards, right?! As it turns out, it's pretty much every European I've spoken to so far.
That aside, I got that card, all fine and dandy, it's part of the Mastercard network so at least I can get my purchases from those shitty American sites that don't accept anything else now. Looked into the manual of it because bpost's FAQ isn't very clear about what my login data for their online customer area now actually is. Not that their instruction manual was either.
I noticed in that manual that apparently the PIN code can't be changed (for "security reasons", totally not the alternative that probably they didn't want to implement it), and that requesting a forgotten PIN code can be done with as little as calling them up, and they'll then send the password - not a reset form, the password itself! IN THE FUCKING MAIL.
Because that's apparently how financial institutions manage their passwords. The fact that they know your password means that they're storing it in plain text, probably in a database with all the card numbers and CVC's next to it. Wouldn't that be a treasure trove for cybercriminals, I wonder? But YOU the customer can't change your password, because obviously YOU wouldn't be able to maintain a secure password, yet THEY are obviously the ones with all the security and should be the ones to take out of YOUR hands the responsibility to maintain YOUR OWN password.
Banking logic. I fucking love it.
As for their database.. I reckon that that's probably written in COBOL too. Because why wouldn't you.
So today (or a day ago or whatever), Pavel Durov attacked Signal by saying that he wouldn't be surprised if a backdoor would be discovered in Signal because it's partially funded by the US government (or, some part of the us govt).
Let's break down why this is utter bullshit.
First, he wouldn't be surprised if a backdoor would be discovered 'within 5 years from now'.
- Teeny tiny little detail: THE FUCKING APP IS OPEN SOURCE. So yeah sure, go look through the code! Good idea! You might actually learn something from it as your own crypto seems to be broken! (for the record, I never said anything about telegram not being open source as it is)
sources:
http://cryptofails.com/post/...
http://theregister.co.uk/2015/11/...
https://security.stackexchange.com/...
- The server side code is closed (of signal and telegram both). Well, if your app is open source, enrolled with one of the strongest cryptographic protocols in the world and has been audited, then even if the server gets compromised, the hackers are still nowhere.
- Metadata. Signal saves the following and ONLY the following: timestamp of registration, timestamp of the last connection with the server (both rounded to the day so not on the second), your phone number and your contact details (if you authorize it) (only phone numbers) in HASHED (BCrypt I thought?) format.
There have been multiple telegram metadata leaks and it's pretty known that it saves way more than neccesary.
So, before you start judging an app which is open, uses one of the best crypto protocols in the world while you use your own homegrown horribly insecure protocol AND actually tries its best to save the least possible, maybe try to fix your own shit!
*gets ready for heavy criticism*
Worst thing you've seen another dev do? So many things. Here is one...
Lead web developer had in the root of their web application config.txt (ex. http://OurPublicSite/config.txt) that contained passwords because they felt the web.config was not secure enough. Any/all applications off of the root could access the file to retrieve their credentials (sql server logins, network share passwords, etc)
When I pointed out the security flaw, the developer accused me of 'hacking' the site.
I get called into the vice-president's office which he was 'deeply concerned' about my ethical behavior and if we needed to make any personnel adjustments (grown-up speak for "Do I need to fire you over this?")
Me:"I didn't hack anything. You can navigate directly to the text file using any browser."
Dev: "Directory browsing is denied on the root folder, so you hacked something to get there."
Me: "No, I knew the name of the file so I was able to access it just like any other file."
Dev: "That is only because you have admin permissions. Normal people wouldn't have access"
Me: "I could access it from my home computer"
Dev:"BECAUSE YOU HAVE ADMIN PERMISSIONS!"
Me: "On my personal laptop where I never had to login?"
VP: "What? You mean ...no....please tell me I heard that wrong."
Dev: "No..no...its secure....no one can access that file."
<click..click>
VP: "Hmmm...I can see the system administration password right here. This is unacceptable."
Dev: "Only because you're an admin too."
VP: "I'll head home over lunch and try this out on my laptop...oh wait...I left it on...I can remote into it from here"
<click..click..click..click>
VP: "OMG...there it is. That account has access to everything."
<in an almost panic>
Dev: "Only because it's you...you are an admin...that's what I'm trying to say."
Me: "That is not how our public web site works."
VP: "Thank you, but Adam and I need to discuss the next course of action. You two may go."
<Adam is her boss>
Not even 5 minutes later a company wide email was sent from Adam..
"I would like to thank <Dev> for finding and fixing the security flaw that was exposed on our site. She did a great job in securing our customer data and a great asset to our team. If you see <Dev> in the hallway, be sure to give her a big thank you!"
The "fix"? She moved the text file from the root to the bin directory, where technically, the file was no longer publicly visible.
That 'pattern' was used heavily until she was promoted to upper management and the younger webdev bucks (and does) felt storing admin-level passwords was unethical and found more secure ways to authenticate.
Oh fuck and boy Jesus, how on earth is this still a thing 😦
MD fucking 5 is not a fucking “secure” crypto algorithm.
This site has 14 million breached accounts with fucking MD5 hashes.
I think I’ve had too much internet for today.
So I was at work and sent to another location (distribution centers) and in the lunch break my guide for that day and I started a conversation about servers etc (he appeared to do loads of stuff with that). He recommended me all those programs but I didn't recognize anything so I asked him what kinda servers he ran. He runs a lot of Windows servers. No problem for me but I told him that I am into Linux servers myself.
Guy: "Linux guy, eh? That system is considered to be so secure but in reality it's insecure as fuck!".
Me: (If he would come up with real/good arguments I am not going to argue against that by the way!) Uhm howso/why would you think that?
Guy: "Well all those script kiddies being able to execute code on your system doesn't seem that secure.".
*me thinking: okay hold on, let's ask for an explanation as that doesn't make any fucking sense 😐*
Me: "Uhm how do you mean, could you elaborate on that?"
Guy: "Well since it's open source it allows anyone to run any shit on your system that they'd like. That's why windows rocks, it doesn't let outsiders execute bad code on it.".
Seriously I am wondering where the hell he heard that. My face at that moment (internally, I didn't want to start a heated discussion): 😐 😲.
Yeah that was one weird conversation and look on open source operating systems...
I hate Linux so much. I mean, how could anyone of you barbarians like it??
I don't understand the hate for windows. It's secure, emphasizes privacy, and it's Microsoft. What's not to love?
Linux is just proprietary malware.
My hubby saw me using Secure Shell to install some software on a cloud server I'm using through the terminal. After a few minutes of watching, he said, "Oh, the government better watch out for you!"
I've been unable to successfully convince him I'm not some elite super-hacker like he's used to seeing in movies and NCIS.
Biggest dev insecurity?
Probably http://
It’s not secure at all, never feeling very confident when browsing that protocol.
I still miss my college days. Our crappy IT Dept restricted internet usage on campus. Each student used to get 10 GB of internet data and they used Cyberoam for login (without HTTPS). 10 GB was so less (at least for me).
Now, thanks to CS50, I learned that HTTP was not secure and somehow you can access login credentials. I spent a night figuring things out and then bam!! Wireshark!!!!
I went to the Central Library and connected using Wireshark. Within a matter of minutes, I got more than 30 user ids and passwords. One of them belonged to a Professor. And guess what, it had unlimited data usage with multiple logins. I felt like I was a millionaire. On my farewell, I calculated how much data I used. It was in TBs.
Lesson: Always secure your URLs.
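What Wireshark handed the author in that story is simply the TCP payload with no decryption step, so the "somehow" is small enough to show. Added example (not the author's script; the capture, host names, paths and credentials are constructed): a parser that cuts a plain-HTTP stream into requests using Content-Length and pulls logins out of a form-encoded POST body and an Authorization: Basic header. Over TLS the same bytes are ciphertext and none of this is possible for someone on the wire.

```python
import base64
from typing import Dict, List, Tuple
from urllib.parse import parse_qs

# Constructed capture (made up for this example): the TCP payload of two plain-HTTP
# requests, exactly the bytes a sniffer on the same network would see.
CAPTURE = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: portal.campus.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 51\r\n"
    b"\r\n"
    b"username=prof.smith&password=Summer2017%21&mode=191"
    b"GET /admin/ HTTP/1.1\r\n"
    b"Host: intranet.campus.example\r\n"
    b"Authorization: Basic " + base64.b64encode(b"admin:hunter2") + b"\r\n"
    b"\r\n"
)

Request = Tuple[str, Dict[str, str], bytes]


def split_requests(stream: bytes) -> List[Request]:
    """Cut a TCP payload into (request line, headers, body) using Content-Length."""
    requests: List[Request] = []
    pos = 0
    while True:
        end = stream.find(b"\r\n\r\n", pos)
        if end == -1:
            break
        lines = stream[pos:end].decode("latin-1").split("\r\n")
        headers: Dict[str, str] = {}
        for line in lines[1:]:
            key, _, value = line.partition(":")
            headers[key.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body_start = end + 4
        requests.append((lines[0], headers, stream[body_start:body_start + length]))
        pos = body_start + length
    return requests


def extract_credentials(stream: bytes) -> List[Dict[str, str]]:
    """Pull logins out of Basic auth headers and form-encoded POST bodies."""
    found: List[Dict[str, str]] = []
    for request_line, headers, body in split_requests(stream):
        auth = headers.get("authorization", "")
        if auth.lower().startswith("basic "):
            # Basic auth is base64, not encryption: user:password in the clear.
            decoded = base64.b64decode(auth[6:]).decode("utf-8", "replace")
            user, _, password = decoded.partition(":")
            found.append({"source": "basic-auth", "request": request_line,
                          "user": user, "password": password})
        if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
            form = parse_qs(body.decode("utf-8", "replace"))
            user_keys = [k for k in form if k.lower() in ("username", "user", "login", "email")]
            pass_keys = [k for k in form if "pass" in k.lower()]
            if user_keys and pass_keys:
                found.append({"source": "form", "request": request_line,
                              "user": form[user_keys[0]][0],
                              "password": form[pass_keys[0]][0]})
    return found


if __name__ == "__main__":
    for cred in extract_credentials(CAPTURE):
        print(f"{cred['source']:10} {cred['request']:24} {cred['user']} / {cred['password']}")
```

The form parser keys on field names, which is enough for a captive-portal login page; a real tool would also handle chunked bodies, JSON bodies and cookies, since a session cookie sent over HTTP is as good as the password for the length of the session.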
Following a conversation with a fellow devRanter this came to my mind again; it happened a year or two ago I think.
Was searching for an online note taking app which also provided open source end to end encryption.
After searching for a while I found something that looked alright (do not remember the URL/site too badly). They used pretty good open source JS crypto libraries so it seemed very good!
Then I noticed that the site itself did NOT ran SSL (putting the https:// in front of the site name resulted in site not found or something similar).
Went to the Q/A section because that's really weird.
Saw the answer to that question:
"Since the notes are end to end encrypted client side anyways, we don't see the point in adding SSL. It's secure enough this way".
😵
I emailed them right away explaining that any party in between their server(s) and the browser could do anything with the request (including the cryptographic JS code) so they should start going onto SSL very very fast.
Too badly I never received a reply.
People, if you ever work with client side crypto, ALWAYS use SSL. Also with valid certs!
The NSA for example has this thing known as the 'Quantum Insert' attack which they can deploy worldwide which basically is an attack where they detect requests being made to servers and reply quickly with their own version of that code which is very probably backdoored.
This attack cannot be performed if you use SSL! (of course only if they don't have your private keys but lets assume that for now)
Luckily Fox-IT (formerly Dutch cyber security company) wrote a Snort (Intrustion Detection System) module for detecting this attack.
Anyways, Always use SSL if you do anything at all with crypto/sensitive data! Actually, always use it but at the very LEAST really do it when you process the mentioned above!
"Pre-Installed Malware Found On 5 Million Popular Android Phones"
"added somewhere along the supply chain"
See below how to check if it's installed
Sources:
- (new) https://thehackernews.com/2018/03/...
- (new) https://research.checkpoint.com/rot...
- (old relevant news) https://thehackernews.com/2017/03/...
---
"Rottensys" a malware which covers devices from: Honor, Huawei, Xiaomi, OPPO, Vivo, Samsung and GIONEE
---
"According to our findings, the RottenSys malware began propagating in September 2016. By March 12, 2018, 4,964,460 devices were infected by RottenSys," researchers said.
"At this moment, the massive malware campaign pushes an adware component to all infected devices that aggressively displays advertisements on the device’s home screen, as pop-up windows or full-screen ads to generate fraudulent ad-revenues."
---
If you have one of the affected devices, here's how I checked mine:
1. Install ADB (Windows: https://forum.xda-developers.com/sh...)
2. Connect your device in USB-debugging mode
3. execute "adb shell 'pm list packages -f' > output.txt" (On windows navigate to C:\adb and replace "adb" with ".\adb.exe")
4. open the now created output.txt
5. search for any of those:
com.android.yellowcalendarz (每日黄历)
com.changmi.launcher (畅米桌面)
com.android.services.securewifi (系统WIFI服务)
com.system.service.zdsgt
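Steps 3 to 5 of that procedure (dump the package list, open output.txt, search for four names) are easy to get wrong by eye, so here is an added script that does the search (not from the post or the Check Point write-up; the sample output and its APK paths are constructed). It parses the `package:<apk path>=<name>` lines that `pm list packages -f` prints, reports any package on the indicator list with the path it was installed from, and can run the adb command itself with `--live`. A hit is an indicator; an empty result is not a clean bill, since the point of the write-up is that the code arrived with the firmware.

```python
import subprocess
from typing import Iterable, List, Set, Tuple

# The four package names listed in the post (from the Check Point write-up).
ROTTENSYS_PACKAGES = {
    "com.android.yellowcalendarz",
    "com.changmi.launcher",
    "com.android.services.securewifi",
    "com.system.service.zdsgt",
}


def parse_pm_list(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Parse `pm list packages -f` output, one `package:<apk path>=<name>` per line.
    Splits on the last '=' because a package name cannot contain '=' but an APK
    path in principle can. Without -f the path part is absent."""
    parsed: List[Tuple[str, str]] = []
    for raw in lines:
        line = raw.strip()
        if not line.startswith("package:"):
            continue
        rest = line[len("package:"):]
        path, sep, name = rest.rpartition("=")
        if not sep:
            path, name = "", rest
        parsed.append((path, name))
    return parsed


def find_indicators(lines: Iterable[str],
                    indicators: Set[str] = ROTTENSYS_PACKAGES) -> List[Tuple[str, str]]:
    """Return (package name, apk path) for every installed package on the list."""
    return sorted((name, path) for path, name in parse_pm_list(lines) if name in indicators)


def scan_device(adb: str = "adb") -> List[Tuple[str, str]]:
    """Live version of steps 3 to 5 in the post: one adb call, no output.txt."""
    proc = subprocess.run([adb, "shell", "pm", "list", "packages", "-f"],
                          capture_output=True, text=True, check=True)
    return find_indicators(proc.stdout.splitlines())


# Constructed sample output (paths invented) standing in for a real output.txt.
SAMPLE_OUTPUT = """\
package:/system/app/Calendar/Calendar.apk=com.android.calendar
package:/system/priv-app/SystemWifiService/SystemWifiService.apk=com.android.services.securewifi
package:/data/app/com.example.notes-1/base.apk=com.example.notes
package:/system/app/ChangmiLauncher/ChangmiLauncher.apk=com.changmi.launcher
""".splitlines()


if __name__ == "__main__":
    import sys
    hits = scan_device() if "--live" in sys.argv else find_indicators(SAMPLE_OUTPUT)
    for name, path in hits:
        print(f"INDICATOR {name}  ({path})")
    print(f"{len(hits)} indicator(s) found" if hits else "nothing on the list")
```

The path matters: a hit under /system or /system/priv-app means the package shipped in the image and a factory reset will not remove it, which is the supply-chain angle of the story.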
The coolest project I've worked on was for a certain country's Navy. The project itself was cool and I'll talk about it below but first, even cooler than the project was the place were I worked on it.
I would go to this island off the coast where the navy had its armoury. Then to get into the armoury I'd go through this huge tunnel excavated in solid rock.
Finally, once inside I would have to go through the thickest metal doors you've ever seen to get to the crypto room, which was a tiny room with a bunch of really old men - cryptographers - scribbling math formulae all day long.
I can't give a lot of technical details on the project for security reasons but basically it was a bootable CD with a custom Linux distro on it. Upon booting up the system would connect to the Internet looking for other nodes (other systems booted with that CD). The systems would find each other and essentially create an ad-hoc "dark net".
The scenario was that some foreign force would have occupied the country and either destroyed or taken control of the Navy systems. In this case, some key people would boot these CDs in some PC somewhere not under foreign control (and off the navy grounds.) This would supposedly allow them to establish secure communications between surviving officers. There is a lot more to it but that's a good harmless outline.
As a bonus, I got to tour an active aircraft carrier :)
- Let's make the authentication system so the user can only login in one device at time, because this is more secure.
- You know that this will be a general-public application, right?
- Yeah!
- So you want to "punish" users with a logoff on the other device when they try to login on a new one?
- Yeah!
- But before you said we will use Json Web Token to make the backend stateless.
- Yeah!
- And how will we check if the token is the last one generated?
- We will store the last generated token for this user on a table in our DB.
- So... you are basically describing the old authentication model, with session tokens stored on the backend and communicating them via cookies.
- Yeah, but the token will be sent on the Header, not on cookies
- Okay, so why will we use Json Web Token to do this in the first place?
- Because this is how they're doing now, and this will make the backend stateless.
A moment of silence, please.
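The design being argued about, as an added example (not the project's code): a minimal HS256 JWT minted and verified with the standard library, plus the per-user "last token id" table that single-device login needs. The signing key and the in-memory table are assumptions standing in for a real secret store and database.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

SECRET = b"hypothetical-hs256-key-load-from-a-secret-store"  # assumption, not a real key

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(claims: dict) -> str:
    """Mint a compact HS256 JWT: base64url(header).base64url(payload).base64url(hmac)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_jwt(token: str) -> Optional[dict]:
    """The stateless part: signature and expiry only. Returns the claims or None."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(payload))
    except ValueError:          # wrong segment count, bad base64, bad JSON
        return None
    if claims.get("exp", 0) < time.time():
        return None
    return claims

# Server-side state: the one token id (jti) each user may currently use.
# This table is exactly what makes the backend stateful again.
LAST_JTI: dict = {}

def login(user: str) -> str:
    jti = secrets.token_urlsafe(16)
    LAST_JTI[user] = jti        # a login on a new device supersedes the previous token
    return sign_jwt({"sub": user, "jti": jti, "exp": int(time.time()) + 3600})

def authenticate(token: str) -> Optional[str]:
    """User name if the token is valid AND is the last one issued for that user, else None."""
    claims = verify_jwt(token)
    if claims is None:
        return None
    if LAST_JTI.get(claims.get("sub")) != claims.get("jti"):
        return None             # cryptographically fine, but pushed out by a newer login
    return claims["sub"]

if __name__ == "__main__":
    phone = login("alice")
    laptop = login("alice")                            # same user, second device
    print(authenticate(phone), authenticate(laptop))   # None alice
```

`verify_jwt` alone still accepts the phone's token after the laptop login; only the lookup in `LAST_JTI` rejects it. That lookup is a database hit per request, which is the session-table model with a different encoding.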
I hate Wordpress. I hate Wordpress. I hate Wordpress.
Wordpress can take a big shit on itself and crawl into a deep dark hole far away from all that is good.
Who even uses Wordpress? Bloggers? Come on, let’s be honest, they’re using more intuitive sites like weebly, wix, and square space. So WHAT is Wordpress for? I’ll tell you, it’s just to FUCKING TORTURE PEOPLE.
So, being the “techy guy” of the family, a relative contacts me asking for some help with their website because they need to install an SSL certificate but they don’t know how to. I tell them I’d gladly do it because, sure, they’re family and how long can it possibly take to install a certificate? I’ve done it before!
Well, I get to work and log into the sluggish Wordpress dashboard and try to use a plugin that would issue a LetsEncrypt certificate because they are free and just as good as any other SSL. But one plugin after the next I keep getting errors about how my hosting wouldn’t allow it.
So I contact GoDaddy (don’t get me fucking started) and ask them about the issue. The guy tells me it’s “policy” to only be able to use GoDaddy’s certificates. How much do they cost? Oh, how about $100 a year?! Fuck you.
I figured out the only way to escape this hell was to ask them to open an economy Linux hosting account with cPanel on GoDaddy (the site was formerly hosted on a “Managed Wordpress” account which is just bullshit for not wanting to give you any control over your own goddamn content). So now I have to deal with migrating the site.
GoDaddy representative tells me that it should only take 20 minutes for me to do this (I’ve already spent way too much time on this but whatever) so I go forward with the new account. I decide I should migrate the site by exporting a backup and manually placing everything on the new server. Doesn’t it end up taking an entire hour to back up a 200MB site because GoDaddy throttled the processing speed?!
So, it’s another hour later and I’ve installed all the databases and carried over all the files. At this point, I’m really at the end of my rope and can’t wait to install the certificate and be done with this fuckery.
I install the certificate and finally get ready to be on my way, but then I see it. A warning. A warning from my browser telling me the site is only partially secure. It turns out the certificate was properly installed but whoever initially made the site HARDCODED ALL THE LINKS to images, websites, and style sheets to be http instead of https.
I’m gonna explode.
I swear, I’m gonna fucking explode.
After a total of 5 hours of work, I finally get the site secure by using search and replace on every fucking file.
Wordpress can go suck a big one. Actually, Wordpress can go suck the largest fuckin one in existence and choke on it.
TL;DR I agree to install an SSL certificate but end up with much more work than I bargained for.
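An added scanner for the mixed-content problem described above (not the poster's fix, which was a plain search and replace): it lists subresources loaded over http:// and separates active content, which browsers block, from passive content such as images, which only downgrades the padlock. The sample HTML and the host name are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes through which a tag loads a subresource. Plain <a href> is navigation, not mixed content.
SUBRESOURCE_ATTRS = {
    "img": ("src", "srcset"),
    "script": ("src",),
    "link": ("href",),       # only counted when rel includes stylesheet/icon, see below
    "iframe": ("src",),
    "source": ("src", "srcset"),
    "video": ("src", "poster"),
    "audio": ("src",),
}
ACTIVE_TAGS = {"script", "link", "iframe"}   # blocked outright by browsers; images merely cost the padlock

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []   # (tag, attribute, url, "active"|"passive")

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            rel = (attrs.get("rel") or "").lower().split()
            if not ({"stylesheet", "icon"} & set(rel)):
                return                      # canonical, alternate, ... are not fetched as resources
        for name in SUBRESOURCE_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if not value:
                continue
            for candidate in value.split(","):          # srcset: "url 1x, url 2x"
                url = candidate.strip().split()[0] if candidate.strip() else ""
                if urlsplit(url).scheme == "http":
                    kind = "active" if tag in ACTIVE_TAGS else "passive"
                    self.findings.append((tag, name, url, kind))

def find_mixed_content(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    return scanner.findings

def rewrite_same_host(html, host):
    """Upgrade http:// to https:// only for our own host; third parties may not serve TLS at all."""
    return html.replace(f"http://{host}/", f"https://{host}/")

# Constructed sample page; example.com stands in for the site being migrated
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://example.com/wp-content/themes/x/style.css">
<link rel="canonical" href="http://example.com/">
<script src="https://cdn.example.net/app.js"></script>
</head><body>
<img src="http://example.com/wp-content/uploads/logo.png">
<a href="http://other.example.org/">partner</a>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url, kind in find_mixed_content(SAMPLE_HTML):
        print(f"{kind:7} <{tag} {attr}> {url}")
```

Two caveats for the WordPress case: run this against the rendered pages, not only the theme files, because most of the hardcoded URLs live in the database; and do not apply a plain string replace to that database, since WordPress stores many options as PHP-serialized arrays whose string lengths are embedded, so a one-character-longer scheme corrupts them. A serialization-aware tool such as `wp search-replace` from WP-CLI handles that.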
I'm not sure if this entirely qualifies and I might have ranted about it a few years ago but fuck it.
My last internship. Company was awesome and my mentor/technical manager got along very well with me to the point that he often asked me to help out with Linux based stuff (he preferred Linux but was a C# guy and wasn't as familiar with it as me (Linux)).
We had to build an internal site thingy (don't remember what it was) and we delivered (me and some interns) and then the publishing moment came so I went to out project manager (a not-as-technical one) and asked if he could install a LetsEncrypt certificate on the site (he knew how and was one of the only ones who had direct access to the server).
He just stared at us and asked why the fuck we needed that since it was an internal thing anyways.
I kindly told him that since it's free and can secure the connection, I preferred that, and since it's more secure, why the fuck not?
He wasn't convinced so it was off.
Next day I came in early and asked my mentor if he could do the SSL since he usually had access to that stuff. He stared at me with "what?" eyes and I explained what the PM said.
Then he immediately ssh'd in and got the damn cert with "we're going to go secure by default, of course!"
A minute later it was all set.
!rant && sarcasm
For a long time now I've been trying to convince people to use secure communication. I'm used to getting called "paranoid", but the killer phrase always was (and still is): "Why do you want me to encrypt my communication, I HAVE NOTHING TO HIDE, so I don't care who's reading it" - "It's not about hiding something, it's about private stuff staying private" - "Yeah, whatever"
"I have nothing to hide". That always killed the conversation... until I asked them to hand me their phones, unlocked, for 5 minutes.
"No" - "Why? I thought, you had nothing to hide and don't care who's reading it?" - "Uhmmm..."
More and more people around me are popping up in my Signal contact list.
Looks like they suddenly care a lot about private stuff staying private </sarcasm>
Would the web be better off, if there was zero frontend scripting? There would be HTML5 video/audio, but zero client side JS.
Browsers wouldn't understand script tags, they wouldn't have javascript engines, and they wouldn't have to worry about new standards and deprecations.
Browsers would be MUCH more secure, and use way less memory and CPU resources.
What would we really be missing?
If you build less bloated pages, you would not really need ajax calls, page reloads would be cheap. Animated menus do not add anything functionally, and could be done using css as well. Complicated webapps... well maybe those should just be desktop/mobile apps.
Pages would contain less annoying elements, no tracking or crypto mining scripts, no mouse tracking, no exploitative spam alerts.
Why don't we just deprecate JS in the browser, completely?
I think it would be worth it.
"Use a .dev domain? Not anymore."
Just read a medium article and thought some would be interested in reading it too, as I personally didn't know many of the information published there, for example:
- .dev gTLD belongs to google and nobody can register one
- .dev TLDs are required to have a secure connection in Chromium/Chrome from now on, forcing you to use self-signed certs across all development machines
"When applications opened for gTLDs in 2012, Google didn’t just apply for .dev. They applied for 101 gTLDs, including .google, .play, and .app. However, Google wasn’t the only company to apply for many of these gTLDs. For some applications, it took years for applicants to negotiate who would end up with the rights to the name. Google’s application for .dev was pending for over a year. Finally, in December 2014, their application for .dev was granted."
"In 2015, Chromium added the entire .google TLD to the HSTS preload list with little fanfare. It was the first and only TLD entry in the list for two years, until .dev was added in September and shortly followed by .foo, .page, .app, and .chrome — all Google-owned gTLDs."
Source: “Use a .dev domain? Not anymore.” @koop https://medium.engineering/use-a-de...
I've got a confession to make.
A while ago I refurbished this old laptop for someone, and ended up installing Bodhi on it. While I was installing it however, I did have some wicked thoughts..
What if I could ensure that the system remains up-to-date by running an updater script in a daily cron job? That may cause the system to go unstable, but at least it'd be up-to-date. Windows Update for Linux.
What if I could ensure that the system remains protected from malware by periodically logging into it and checking up, and siphoning out potential malware code? The network proximity that's required for direct communication could be achieved by offering them free access to one of my VPN servers, in the name of security or something like that. Permanent remote access, in the name of security. I'm not sure if Windows has this.
What if I could ensure that the system remains in good integrity by disabling the user from accessing root privileges, and having them ask me when they want to install a piece of software? That'd make the system quite secure, with the only penetration surface now being kernel exploits. But it'd significantly limit what my target user could do with their own machine.
At the end I ended up discarding all of these thoughts, because it'd be too much work to implement and maintain, and it'd be really non-ethical. I felt filthy from even thinking about these things. But the advantages of something like this - especially automated updates, which are a real issue on my servers where I tend to forget to apply them within a couple of weeks - can't just be disregarded. Perhaps Microsoft is on to something?
"please use a secure password*"
* But don't make it too secure, 20 characters is enough.
Why would you fucking do this? The only reason I can think of is a scenario like this:
"How do we store the passwords in the database?"
"Just like anything else?"
"So I create a VARCHAR(20)?"
"Yeah why not? It's good enough for a name, and you shouldn't use your or anyone else's name as a password, so it should be perfect"
draw.io is moving to diagrams.net, because .io domains are not secure.
Source: https://diagrams.net/blog/...
TL;DR I'm fucking sick and tired of Devs cutting corners on security! Things can't be simply hidden a bit; security needs to be integral to your entire process and solution. Please learn from my story and be one of the good guys!
As I mentioned before my company used plain text passwords in a legacy app (was not allowed to fix it) and that we finally moved away from it. A big win! However not the end of our issues.
Those idiots still use hardcoded passwords in code, a practice that almost resulted in a leak of the DB admin password when we had to publish a repo for deployment purposes. Luckily I didn't search and there is something like BFG repo cleaner.
I have tried to remedy this by providing a nice library to handle all kinds of config (easy config injection) and a default json file that is always ignored by git. Although this helped a lot they still remain idiots.
The first project in another language and boom, hardcoded password. Dev said "I'll just remove it before going live." First of all, I don't believe him. Second of all, I asked "from history?" "No, a commit will be good enough..."
Last week we had to fix a leak of copyrighted contend.
How did this happen you ask? Well the secure upload field was not used because they thought that the normal one was good enough. "It's fine as long the URL to the file is not published. Besides now we can also use it to upload files that need to be published here"
This is so fucking stupid on so many levels. NEVER MIX SECURE AND INSECURE CONTENT it is confusing and hard to maintain. Hiding behind a URL that thousands of people have access to is also not going to work. We have the proof now...
Will they learn? Maybe for a short while, but I remain sceptical. I hope a few devRanters do!
Client reads about MongoDB ransomware attacks online.
Him: I heard that MongoDB is not secure, we should use something else in our system.
Me: Those databases got attacked because security features were turned off. If you want you can have an external security team test the system when it's done.
Him: I don't wanna take any risk, so we should use something else.
We have been working on this system for almost a year and the final stage was supposed to be delivered in a month.
He wants me to replace it with MySQL
Some 'wk306' highlights from different people:
Walk around the office in his underwear, because he forgot he left his trousers in the bathroom
Run a red light outside the office due to not wearing his required glasses. When questioned by co-workers, replied "I don't follow those facist rules"
Asking if we work less will we get paid more, because the project will take longer to do (while in a startup with no funding trying to secure some)
Tell a senior dev to stop testing in his spare time, as we won't be able to release on time if he keeps finding critical security bugs
Telling me "your timezone is not my concern", when asking for help with new tooling so we don't have to be online at the same time
Blaming my team for requesting too much help, leading to his team missing deadlines, in a meeting with very senior managers. When the reason we were requesting help was the handover doc we were given was filled with lies about features being finished and "ready to ship" and lacking any unit tests
Being accused of bullying and harassment to the CEO, because someone asked "did you follow up with X about the partnership they emailed us about". The person who was responsible, forgot 4 times, and saw it as an "attack" to mention it in team meetings
Telling an entire office/building mid November they've secured funding for at least the next year, then announcing in January after the Christmas break that its cheaper to move to India, so they are closing the office in 30 days
*logs out of Google on Android*
*has this persistent Google search bar on launcher which I keep on accidentally tapping*
Alright, so I'm not logged into Google to see how it goes. Kind of an experiment to see just how intertwined Android and my life are with Google. And it's going quite well actually, except for my prime apps that I can't seem to get around.
*reads Google privacy policy*
"We protect your data by keeping it secure!"
Hmm, yeah.. you and 3 letter agencies are keeping it secure and out of the hands of other individuals.. that makes sense.
Don't be evil.. unless you're the devil, right?
Fuck you, I won't login like this.
*accidentally opens Google*
*le trending results show up*
- KSI vs Logan Paul weigh-in!
- KSI vs Logan Paul Manchester!
- KSI vs Logan Paul arena fight!
*opens up NewPipe in which I am not logged in either*
- KSI vs Logan Paul!!!
- Did you see the KSI vs Logan Paul stuff yet?!
*logs back into Google straight away*
Personalized search engine.. many hate it, but boy do I fucking love it.
Warning: long read....
I got a call this morning from a client who was panicking about not being able to login to his web panel.
So I went to the web panel and tried to login and was just redirected back to the login page. No errors or anything (at least visible on the page). Went looking for an error_log file and found it.
It turns out there was an error was showing: Disk quota exceeded.
So I went into the cPanel and checked, he used about 16GB out of 100GB and that got me confused. So I looked around and found out he was using about 510000/500000 inodes.
Went looking through FTP to see where he has so many files and try and remove some.
Well it turns out that there were about 7 injected websites (warez, online casino, affiliate one etc) and a full hacking web panel on his FTP. After detailed analysis, someone who actually built the site (I just maintain some parts) made an upload form available to the public without any checks on it. Meaning anyone could upload whatever they wanted and the form would allow it.
The worst part is that the client is not allowing us to secure the form with some sort of login or remove it completely (the best option) as it is not really needed but he uses it to upload some pdf catalogs or something.
TL; DR;
Old programmer created an upload form that was accessible to anyone on the web without adding any security or check as to see what kind of files were getting uploaded. Which led to having the maximum number of inodes used on the server and the client being unable to login.
Side note:
And ofc I had to go and fix the mess behind him again, even though he stopped working a long time ago and I started just recently and have been having nightmares of this project.
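An added upload handler showing the checks the form in the story skipped (not the site's code; the logic carries over to whatever language the site is written in): a login gate, a size cap, an extension allowlist tied to the file's leading bytes rather than the client's Content-Type, a random server-chosen name, and storage outside the web root. The directory, limit and allowlist are assumptions.

```python
import os
import secrets

UPLOAD_DIR = "/var/uploads"          # assumption: outside the web root, served only through an authenticated handler
MAX_BYTES = 10 * 1024 * 1024
# extension -> accepted leading bytes. The client's Content-Type header is never consulted.
ALLOWED = {
    "pdf": (b"%PDF-",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
}

class UploadRejected(Exception):
    pass

def validate_upload(filename, data, authenticated):
    """Return the sanitized extension or raise UploadRejected. Cheap checks first."""
    if not authenticated:
        raise UploadRejected("login required")       # the form in the story had no gate at all
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")        # unbounded uploads are how quotas blow up
    base = os.path.basename(filename.replace("\\", "/"))   # drop any directory the client sent
    if "." not in base:
        raise UploadRejected("no extension")
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED:
        raise UploadRejected(f"extension .{ext} not allowed")
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        raise UploadRejected("content does not match extension")
    return ext

def is_accepted(filename, data, authenticated):
    try:
        validate_upload(filename, data, authenticated)
        return True
    except UploadRejected:
        return False

def store_upload(filename, data, authenticated, upload_dir=UPLOAD_DIR):
    """Write under a random server-chosen name; the client never influences the on-disk path."""
    ext = validate_upload(filename, data, authenticated)
    name = f"{secrets.token_hex(16)}.{ext}"
    path = os.path.join(upload_dir, name)
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, 0o640)              # not executable, not world-readable
    return name

if __name__ == "__main__":
    pdf = b"%PDF-1.4\n% constructed sample\n"
    print(is_accepted("catalog.pdf", pdf, True), is_accepted("shell.php", b"<?php", True))   # True False
```

The magic-byte check is a sanity check, not a parser: a file that starts with `%PDF-` can still carry anything after that, which is why the stored file also gets a random name, a non-executable mode and a directory the web server does not execute from.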
Let me explain a tiny corner of some awful code I read earlier today, in layman’s terms.
It’s a method to see if the user is in a secure session — not to set up the session, just to see if it exists. The method ends with a question mark, so it’s basically a question. It should look up the info (without changing anything) and should always give a clear yes/no answer. Makes sense, right?
Let’s say the question is “am I in school right now?”
The code… well.
If there isn’t a student, the answer it gives is null, not yes or no. Null is a fancy word for no, pretty much, so that’s kinda fine, but it really should be a simple no.
It then checks to see if the school is open today. If it is open, it then checks to see if I made my lunch, if I took my backpack, and if I rode the bus — and makes these things happen if they didn’t. Forgot my backpack? Just ask “am I in school today?” And poof! There’s my backpack! … but only if the school is open.
It then, finally, checks to see if I’m actually in the school, and gives that answer.
It could just see if I’m in the school — I mean, I could be in school without a backpack, or walked there on the weekend, right? Ha! You and your silly logic have no place here.
So, by asking if the user is in a secure session, we change the answer: they weren’t before, but the act of asking makes it so. This isn’t profound or anything: I don’t work with Schrödinger. My coworkers are just idiots.
And no, the rest of the code isn’t any better…
If programming languages had honest slogans, what would they be?
C: If you want a horse, make sure you feed it, clean it and secure it yourself. No warranties.
C++: If you want a horse, you need to buy a circus along with it.
Java: Before you buy a horse - buy a piece of land, build a house in that land, build a barn beside the house & if you are not bankrupt yet, buy the horse and then put the horse in the barn.
C#: You don’t want a horse, but Microsoft wants you to have a horse. Now it’s up to you if you want Microsoft or not.
Swift: Don’t buy an overpriced Unicorn if all you wanted was a horse.
JavaScript: If you want to buy a horse & confidently ride it, make sure you read a book named "You don't know horse".
PHP: After enough optimization, your horse can compete with the topmost horses in the world; but deep down, you'll always know it's an ass.
Hack: Let's face it, even if you take the ass from the ass lovers and give them back a horse in exchange, not many will ride it.
Ruby: If you want a horse, make sure you ride it on top of rail roads, even if the horse can't run fast on rails.
Python: Don't ride your horse and eat your sandwich on the same line, until you indent it on the next line.
Bash: Your horse may shit everywhere, but at least it gets the job done.
R: You are the horse. R will ride you.
Got this from Quora.
https://quora.com/If-programming-la...
Sometimes I wonder how compromised my parents online security would be without my intervention.
My mom logged into her gmail and there was an red bar on top informing about Google preventing an attempted login from an unknown device.
Like typical parents / old people, that red bar didn't catch her attention but I noticed it immediately. I took over and looked into it. It showed an IP address and a location that was quite odd.
I went ahead with the Account security review and I was shocked to find that she had set her work email address as the recovery email!!
I explained her that work email accounts cannot be trusted and IT department of the workplace can easily snoop emails and other info on that email address and should not be related to personal accounts.
After fixing that issue, me being a typical skeptic and curious guy, I decided to find more info about that IP address.
I looked up the IP address on a lookup website and it showed an ISP that was related to the corporate office of her workplace. I noticed the location Google reported also matched with the corporate office location of her work.
Prior to this event, few days ago, I had made her change her gmail account password to a more secure one. ( Her previous password was her name followed by birth date!! ). This must have sent a notification to the recovery mail address.
All these events are connected. It is very obvious that someone at the corporate office goes through employees' email addresses and maybe even abuses that information.
My initial skepticism of someone snooping through work email addresses was right.
You're welcome mom!
A few years ago I configured my wifi extender.
Got everything working as I wanted.
Changed password to my favorite 24char password.
Can't login again...
Meh... It's working as I want and is secure, not even I can login.
It's still running in this state.
I love how the Keybase Linux client installs itself straight into /keybase. Unix directory structure guidelines? Oh no, those don't apply to us. And after uninstalling the application they don't even remove the directory. Leaving dirt and not even having the courtesy to clean it up. Their engineers sure are one of a kind.
Also, remember that EFAIL case? I received an email from them at the time, stating some stuff that was about as consistent as their respect for Unix directory structure guidelines. Overtyping straight from said email here:
[…] and our filesystem all do not use PGP.
> whatever that means.
The only time you'll ever use PGP encryption in Keybase is when you're sitting there thinking "Oh, I really want to use legacy PGP encryption."
> Legacy encryption.. yeah right. Just as legacy as Vim is, isn't it?
You have PGP as part of your cryptographic identity.
> OH REALLY?! NO SHIT!!! I ACTIVELY USED 3 OS'S AND FAILED ON 2 BECAUSE OF YOUR SHITTY CLIENT, JUST TO UPLOAD MY FUCKING PUBLIC KEY!!!
You'll want to remove your PGP key from your Keybase identity.
> Hmm, yeah you might want to do so. Not because EFAIL or anything, just because Keybase clearly is a total failure on all levels.
Written quickly,
the Keybase team
> Well that's fucking clear. Could've taken some time to think before hitting "Send" though.
Don't get me wrong, I love the initiatives like this with all my heart, and greatly encourage secure messaging that leverages PGP. But when the implementation sucks this much, I start to ask myself questions about whether I should really trust this thing with my private conversations. Luckily I refrained from uploading my private key to their servers, otherwise I would've been really fucked.
Today my father argued with me that:
* "HTML programmers" get paid a lot
* WordPress is awesome
* WordPress programmers get paid a lot
* WordPress doesn't need to be secure
* FileMaker is 100% virus-free (probably malware free), because not many people use it
* UX and UI design are exactly the same
Can someone explain to me why the fuck I should even care about the fact, that some companies collect, use and sell my data? I'm not famous, I'm not a politician and I'm not a criminal, I think most of us aren't and won't ever be. We aren't important. So what is this whole bullshittery all about? I seriously don't get it and I find it somewhat weird that especially tech guys and IT "experts" in the media constantly just make up these overly creepy scenarios about big unsafe data collecting companies "stealing" your "private" information. Welcome to the internet, now get the fuck over it or just don't be online. It's your choice, not their's.
I honestly think, some of these "security" companies and "experts" are just making this whole thing bigger than it actually is, because it's a damn good selling point. You can tell people that your app is safe and they'll believe you and buy your shit app because they don't understand and don't care what "safe" or "unsafe" means in this context. They just want to be secure against these "evil monster" companies. The same companies, which you portrayed them as "evil" and "unfair" and "mean" and "unrepentant" for over a decade now.
Just stop it now. All your crappy new "secure" messenger apps have failed awesomely. Delete your life now, please. This isn't about net neutrality or safety on the internet. This is all about you, permanently exaggerating about security and permanently training people to be introverted paranoid egoistic shit people so that they buy your elitist bullshit software.
Sorry for my low english skills, but please stop to exist, thank you.
The cleaning lady saga continues yet again..
Here in Belgium, cleaning ladies are paid with cheques. All fine and dandy, and apparently the parent organization (Sodexo) even migrated to digital cheques. Amazing!!!
If only they did it properly.
Just now I received an email with my login data.
Login: ${FIRSTNAME}${FIRST2CHARSOFLASTNAME}
Password: I won't reveal the amount of characters.. but it's not even hex. It's just uppercase letters, and far from what I'd deem even remotely secure. Hopefully I'll be able to change that shitty password shortly, and not get it mailed back, even when I ask for recovery. Guess I'll have to check that later - the person who made that account was pretty incompetent when it comes to tech after all. Don't ask me why they did it instead of me. I honestly don't really know either.
With that said, this is a government organization after all... Can I really expect them to hash their passwords?
What. The. Actual. Fuck.
My co-workers just tried to convince me that the following is a secure password:
"ThisIsASecurePassword2018"
Just... I mean... Why? *sigh*
Their argumentation is based on the new NIST guidelines.
If they've read these guidelines CAREFULLY though... (not only the appendix) it actually states "Don't use words from the dictionary". Passwords like these should even be rejected right away.
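An added example for both password rants above (the VARCHAR(20) one and the "ThisIsASecurePassword2018" one), not code from either poster: the checks NIST SP 800-63B actually asks for (minimum length, a breach blocklist, context-specific words such as the service name, repetition) followed by salted scrypt hashing, whose output has the same size whether the password is 8 or 200 characters, so no column width ever needs to cap it. The blocklist and context words are constructed stand-ins for the real lists.

```python
import hashlib
import hmac
import os
import re
import unicodedata

# Constructed stand-ins: in production the breach list is a large corpus of leaked passwords
BREACHED = {"password", "123456", "qwerty", "letmein", "thisisasecurepassword2018"}
CONTEXT_WORDS = {"devrant", "password", "secure"}   # service name and similar context-specific words
MIN_LEN, MAX_LEN = 8, 256   # 800-63B: accept at least 64 characters; the cap only bounds hashing time

def screen_password(pw, username=""):
    """Reason for rejecting the password, or None if it passes NIST SP 800-63B style checks."""
    pw = unicodedata.normalize("NFKC", pw)          # 800-63B asks for Unicode normalization
    if len(pw) < MIN_LEN:
        return "too short"
    if len(pw) > MAX_LEN:
        return "too long"
    low = pw.lower()
    if low in BREACHED:
        return "found in breach list"
    if username and username.lower() in low:
        return "contains username"
    if any(word in low for word in CONTEXT_WORDS):
        return "contains context-specific word"
    if re.fullmatch(r"(.+?)\1+", pw):               # aaaaaaaa, abababab, ...
        return "repetitive"
    return None

def hash_password(pw):
    """Salted scrypt. The stored string is always 97 characters, whatever the password length."""
    pw = unicodedata.normalize("NFKC", pw).encode()
    salt = os.urandom(16)
    digest = hashlib.scrypt(pw, salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt.hex() + "$" + digest.hex()          # 32 + 1 + 64 characters

def verify_password(pw, stored):
    salt_hex, digest_hex = stored.split("$")
    pw = unicodedata.normalize("NFKC", pw).encode()
    digest = hashlib.scrypt(pw, salt=bytes.fromhex(salt_hex), n=2**14, r=8, p=1, dklen=32)
    return hmac.compare_digest(digest.hex(), digest_hex)

if __name__ == "__main__":
    for candidate in ["ThisIsASecurePassword2018", "abababab", "tr0ub4dor&3 plus a long phrase nobody guesses"]:
        print(candidate, "->", screen_password(candidate) or "ok")
```

Note what is absent: no composition rule demanding a digit or a symbol, which 800-63B explicitly advises against, and no upper limit short of 256. The example password from the rant fails the breach-list check and, even if it were not on the list, the context-word check.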
Me : I should start building user authentication system.
inner self : there are enough free and secure ones out there, just go read the documentation.
Me : fuck I'm not reading 10000 pages of documentation written in alien language.
inner self : well then you better start building
Me : **writes code
Inner self : you better add the data validation and security while coding
Me : I just want it to work !
Me after a few days trying not to suicide : the site is hacked, the code is bugged, hello darkness my friend
Ten Immutable Laws Of Security
Law #1: If a bad guy can persuade you to run his program on your computer, it's not solely your computer anymore.
Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore.
Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.
Law #4: If you allow a bad guy to run active content in your website, it's not your website any more.
Law #5: Weak passwords trump strong security.
Law #6: A computer is only as secure as the administrator is trustworthy.
Law #7: Encrypted data is only as secure as its decryption key.
Law #8: An out-of-date antimalware scanner is only marginally better than no scanner at all.
Law #9: Absolute anonymity isn't practically achievable, online or offline.
Law #10: Technology is not a panacea.
When you ask the IT-Department of a company collab with Microsoft, why you aren't allowed to use Firefox instead of IE.
The answer is: "It's insecure because it's open source"
YOU FUCKING KIDDING ME, INSECURE??? IT IS MORE SECURE THAN IE!!! INSECURE BECAUSE OPEN SOURCE? THEN LET'S USE CHROME OR OPERA INSTEAD, BUT NOT IE
I've been training a client for a few months now to not use Slack for sharing passwords and other secure materials.
I really thought I had made great progress. I even had him using a password manager. Then out of nowhere he sends the wildcard SSL key pair to me and a handful of other devs in a Slack thread.
At least we aren't storing important information like medical records. Oh wait, that's exactly what we're doing.
When I get on a site that is like “your password must contain upper case, lower case, a number, a symbol”, at first I’m like ooook, security I guess I’ll generate a long password, but then they sit there and say “and be at least 6 but not more than 10 characters”
WTF you fuckers really don’t know anything do you.
@netikras since when does proprietary mean bad?
Lemme tell you 3 stories.
CISCO AnyConnect:
- come in to the office
- use internal resources (company newsletter, jira, etc.)
- connect to client's VPN using Cisco AnyConnect
- lose access to my company resources, because AnyConnect overwrites routing table (rather normal for VPN clients)
- issue a route command updating routing table so you could reach confluence page in the intranet
- route command executes successfully, `route -n` shows nothing has changed
- google this whole WTF case
- Cisco AnyConnect constantly overwrites OS routing table to ENFORCE you to use VPN settings and nothing else.
Sooo basically if you want to check your company's email, you have to disconnect from client's VPN, check email and reconnect again. Neat!
Can be easily resolved by using opensource VPN client -- openconnect
CISCO AnyConnect:
- get a server in your company
- connect it to client's VPN and keep the VPN running for data sync. VPN has to be UP at all times
- network glitch [uh-oh]
- VPN is no longer working, AnyConnect still believes everything is peachy. No reconnect attempts.
- service is unable to sync data w/ client's systems. Data gets outdated and eventually corrupted
OpenConnect (OSS alternative to AnyConnect) detects all network glitches, reports them to the log and attempts reconnect immediately. Subsequent reconnect attempts get triggered with longer delays so as not to spam the network.
SYMANTEC VIP (alleged 2FA?):
- client's portal requires Sym VIP otp code to log in
- open up a browser in your laptop
- navigate to the portal
- enter your credentials
- click on a Sym VIP icon in the systray
- write down the shown otp number
- log in
umm... in what fucking way is that a secure 2FA? Everything is IN the same fucking device, a single click away.
Can be easily solved by opensource alternatives to Sym VIP app: they make HTTP calls to Symantec to register a new token and return you the whole totp url. You can convert that url to a qr code and scan it w/ your phone (e.g. Google's Authenticator). Now you have a true 2FA.
Proprietary is not always bad. There are good propr sw too. But the ones that are core to your BAU and are doing shit -- well these ARE bad. and w/o an opportunity to work around/fix it yourself.
-
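What the phone-side authenticator does with the otpauth URL that the Symantec VIP post above describes, as an added example that is neither the poster's code nor any Symantec tool: it parses the provisioning URL and computes RFC 6238 TOTP codes from the shared seed, and the server-side check accepts one step of clock skew with a constant-time compare. The URL, label and issuer are constructed; the seed is the RFC 6238 test-vector seed (`12345678901234567890` in base32). The defender's point: the seed is the only secret, so it should live on a device other than the one that types the password.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# RFC 6238 test-vector seed ("12345678901234567890"), base32-encoded.
RFC6238_SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

# Constructed provisioning URL in the otpauth scheme; label and issuer are sample values.
SAMPLE_URL = (
    "otpauth://totp/Example:alice%40example.com"
    f"?secret={RFC6238_SEED}&issuer=Example&digits=6&period=30"
)


def parse_otpauth(url):
    """Split an otpauth://totp/<label>?... URL into its parameters."""
    parsed = urlparse(url)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP provisioning URL")
    query = parse_qs(parsed.query)
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "secret": query["secret"][0],
        "issuer": query.get("issuer", [None])[0],
        "digits": int(query.get("digits", ["6"])[0]),
        "period": int(query.get("period", ["30"])[0]),
        "algorithm": query.get("algorithm", ["SHA1"])[0].upper(),
    }


def hotp(secret_b32, counter, digits=6, algorithm="SHA1"):
    """RFC 4226: HMAC over the big-endian 64-bit counter, then dynamic truncation."""
    # Seeds are often written without base32 padding; restore it before decoding.
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digestmod = getattr(hashlib, algorithm.lower())
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, at_time=None, digits=6, period=30, algorithm="SHA1"):
    """RFC 6238: HOTP with the counter derived from Unix time."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret_b32, int(at_time) // period, digits, algorithm)


def totp_from_url(url, at_time=None):
    """The code an authenticator app shows after scanning a QR code of this URL."""
    p = parse_otpauth(url)
    return totp(p["secret"], at_time, p["digits"], p["period"], p["algorithm"])


def verify_totp(secret_b32, code, at_time=None, window=1,
                digits=6, period=30, algorithm="SHA1"):
    """Server side: accept the current step plus `window` steps either way (clock skew).
    Every candidate is compared in constant time and the loop never exits early."""
    if at_time is None:
        at_time = time.time()
    step = int(at_time) // period
    matched = False
    for counter in range(max(step - window, 0), step + window + 1):
        expected = hotp(secret_b32, counter, digits, algorithm)
        matched |= hmac.compare_digest(expected, str(code))
    return matched


if __name__ == "__main__":
    print(parse_otpauth(SAMPLE_URL)["label"], totp_from_url(SAMPLE_URL))
```

To get the URL onto a phone, render it as a QR code (the `qrcode` package on PyPI does this) and scan it with any TOTP app; after that the seed should be deleted from the laptop.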
I just blocked some of the top management from connecting to our WLAN because I was testing a verifying feature for said WiFi that kicks all devices not listed in the DB.
It happened while my boss/senior/guidance was trying to show them the advantages of a centrally managed infrastructure.
He covered my ass well and tried to sell it to them as proof of a secure solution, that unknown devices couldn't log in.
I feel like human trash right now, but that's what you get for testing in production.
-
Can someone please explain to me WHY THE FUCK non devs feel like they know shit. I DON'T GIVE A FUCK ABOUT HOW YOU FOUND SOME UNTRUE SHIT ON GIZMODO. I KNOW SO MUCH ABOUT THIS SHIT, AND YOU LOOKED UP THE FIRST EXAMPLE YOU COULD FIND THAT SUPPORTS YOUR CASE. The most recent time this happened was OVER THE LAST FEW DAYS when this DUMBASS that my friends and I BULLY but HE STILL HANGS AROUND. (By bully, yes sometimes we are mean to him, but we're not out to get him. He comes to us and we don't wanna be with him). So after the SEVENTH groupchat (on two apps) he created that night, HE WANTED TO SWITCH BACK TO ANOTHER APP I SPENT A WEEK TRYING TO GET THEM TO SWITCH FROM PREVIOUSLY (It was WhatsApp, I got them to switch to Telegram). THEN HE TRIED to ARGUE with me about how TELEGRAM wasn't secure. HE SEARCHED "is telegram secure" on Google and chose the FIRST ARTICLE from the previously mentioned GIZMODO which says that TELEGRAM chats AREN'T ENCRYPTED by DEFAULT. HOW THE FUCK DO DUMBASSES GET THIS KIND OF PUBLICITY. There's a difference between ENCRYPTION and END TO END DUMBASS. Then he told me WhatsApp is more secure than Telegram. NO IT'S FUCKING NOT. In Telegram, your encryption keys CHANGE every chat, or every 100 messages. To my best research, WhatsApp only has ONE key per USER. I could go on forever about how chat backups in WhatsApp are UNENCRYPTED or how FACEBOOK stores your data, but blocking works too.
-
At my previous job we had to complete an online security training exercise. It shows you how to behave securely in the workplace, to not open unknown links etc. The scary part was that the entire training thing was BUILT IN FUCKING FLASH. So I'm supposed to listen to some god damn virus shitting Flash application on how to do online security?! Get your shit together before teaching others.
-
So this PR company hired my firm to convert their client's Wix website to WordPress to have better control over content and SEO, not to mention get away from the piss-poor "absolute position everything" setup of Wix. This is a single page design. 2 days later, we deliver it, performing faster than Wix and with a few extra goodies on the UI.
The client's director of IT wants to stay on Wix, because it's "the most secure provider", and will only move their ONE PAGE INFORMATIONAL WEBSITE to another platform and host if they answer a 133-item "security questionnaire". Short of SSNs, they want to basically know everything, including our proprietary and confidential security practices. You aren't Google...stop acting like you are...
How are people this stupid a "director" of anything?
-
I requested VPN credentials to access a big Italian company's network.
They asked me for the email to send the new credentials to.
I replied sviluppo@mycompany.it
They said it's not good, it's not associated only with me.
I said I'm the only developer (sviluppo) in my company.
They replied that my private Gmail account is more secure.
They sent the credentials to my Gmail account.
-
The company I work for is requiring customers to submit credit card info in an online form which then gets stored into our "secure database". Which employees then pull and charge the card later on. They're also telling customers that the form is "encrypted". This is all because they're too fucking lazy and not patient enough to wait for someone to integrate a payment gateway. This is a lawsuit waiting to happen.
-
A friend of mine and I decided we wanted to fork linux and port it to C++.
Sounds crazy yea, but there are many benefits:
1) More secure due to ability to use references
2) More sustainable due to the extensive standard lib
Not only would we port linux to C++, we would improve it as far as possible.
So now for the part of the rant where I misuse devRant as an advertisement platform. To those interested in helping, here is the poll where you can get included into the mailing list:
https://docs.google.com/forms/d/...
-
I finally moved to Fedora Silverblue 30 which is a really awesome OS.
Silverblue Edition, unlike the standard version, runs an immutable core. That means the entire FS is not writable except for certain parts that are mounted to /var. While this is limiting, this allows for atomic updates, which is the whole point of Silverblue.
Now this also might throw off even myself, because I might need to run VSCode in the host and I might need C++ libs. Fortunately there's a tool named toolbox that allows you to use standard DNF inside an OCI container. Now the thing is, you need to tell your IDE to use it after installing it.
I wrote a little helper script to do just that. I wrote it primarily for VSCode but it should also work for your IDE if you happen to want to try to use Silverblue.
Helper script: https://t.co/sXYOgcwLBg?amp=1
Also if you wanna try Silverblue for yourself, here's some notes:
* To install apps, you need to run flatpak. Make sure you also have the flathub repo listed.
* don't use the Flatpak version of the IDEs. If possible, use the RPM versions. Silverblue allows you to install traditional packages (to some degree, not everything works in this thing because of the immutable design) in the host. So as much as possible if you need dev libs, use toolbox for those.
* Silverblue also comes with podman and buildah installed (aka what if Docker had no daemon and was more secure?)
* Do your updates via rpm-ostree upgrade, or turn the auto updater on if you're lazy
All in all I like this environment, I've used this kind of workspace before (Chrome OS), so it's pretty easy for me to get used to.
What do you think guys, think you'll give it a shot?
-
Earlier I ranted about how someone hacked our site and he had our source code.
Now finally we found how our site code was stolen, thanks to @dfox: he mentioned how you can pull code from a git server. At that time I checked, trying commands to download the git folder, but it was secure. But later we found that we had another subdomain running for our project and its git folder was not secured
-
To this day I can't figure out why people still drink the windows koolaid.
It's less secure, slower, bloatier (is that a word?), Comes with ads, intrudes on privacy, etc. People say it's easier to use than Linux, but 99% of what anyone does happens on a chrome based web browser which is the same on all systems!
When it comes to dev, it boggles the mind that people will virtualize a Linux kernel in Windows to use npm, docker, k8s, pip, composer, git, vim, etc. What is Windows doing for you but making your life more complicated? All your favorite browsers and IDEs work on Linux, and so will your commands out of the box.
Maybe an argument can be made for gaming, but that's a chicken-and-egg scenario. Games aren't built for Linux because the Linux market is too small to be worth supporting, not that the games won't work on it...
-
Situation: My lead dev (read as in, my employee that has the lead developer position, not my superior) is complaining about certain decisions being made in regards to a rather large project that has been stagnated by executive political bullshit.
Me: let them fuck themselves over, it is their decision to have a voice on this and we are not the ones developing it, merely managing the resources.
Him: Well they do not know what they are asking! everyone is wanting to have an opinion! a voice!!!
Me: and by their own volition they will fuck themselves over and I have the proper documentation to show everyone that if the project is delayed, it will be by popular vote. I have already spoken to our VP to let him know that we are not taking part in their decision planning process, that we provide the necessary feedback, they get to do with it what they want regarding their decisions.
Him: they are being really stupid and inconsiderate
Me: they are indeed, but as long as I show that you, me, and the rest of the team provided input, they disregarded it and went with their decision, then the fault is on them, not you or our team. Let them fuck themselves over, I have the documentation needed to secure our asses, I record every conversation and I have every email saved. Really, if they don't want to listen to you they will not be able to point the issues that will inevitably rise back to you or us.
Him: .... you are evil
Me: fuck with my team, see what happens. Their face and reaction is what makes me get a hard on after the fact.
Ain't no one touching my team.
-
About browsers and whole SSL CERT thing...
Most likely everyone here noticed, that https site with broken certificate will throw these big red warnings, in your face and there is so much wording like "ITS NOT SECUREEEE" or "ITS HACKEDDD" almost like it was written by passionate fanatic.
But when you are on plaintext http, browsers' reaction is like ¯\_(ツ)_/¯
Even if you have plaintext with password, it will for example in chromium put small little red thingy that almost no one notices.
I believe that broken cert with some error like invalid date is MORE secure than plaintext password, yet still there is this hypocrisy with browsers...
I don't say that broken SSL cert is good, or something, I'm just pointing out contrast of "broken" https vs plain http.... One looks for casual Joe like end of the world is coming and second is barely noticeable. Da fuck?
I disagree with this approach
-
Massive payment gateway (not gonna say names) with more than 10k transactions / hour telling md5 is one of most secure encryptions they have. Only to be made worse by the fact that they send the key and hashed key in the same request.
I am advising all our clients to change payment gateway asap if they use this one.
-
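Why "key and hashed key in the same request", as described in the payment-gateway rant above, verifies nothing, as an added example (constructed callback fields and secret; not the gateway's or the poster's code): the weak scheme below can be re-signed from the request's own contents after changing the amount, whereas an HMAC keyed with a secret that never leaves the merchant side rejects the tampered message. Both verifiers use a constant-time comparison.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Constructed sample callback. Field names are assumptions for illustration,
# not any real gateway's API.
SAMPLE_CALLBACK = {"order_id": "ORD-1001", "amount": "499.00",
                   "currency": "EUR", "status": "PAID"}
MERCHANT_SECRET = "constructed-merchant-secret"  # known only to gateway and merchant


def canonical(params):
    """Deterministic serialisation of every field except the signature."""
    return urlencode(sorted((k, str(v)) for k, v in params.items() if k != "signature"))


def sign_weak(params, key):
    """The pattern the rant describes: md5 over key + data, with the key itself
    shipped in the same request. The 'secret' is therefore public."""
    body = dict(params, key=key)
    body["signature"] = hashlib.md5((key + canonical(body)).encode()).hexdigest()
    return body


def verify_weak(request):
    """Recomputes the md5 with the key taken from the request it is checking."""
    key = request["key"]
    expected = hashlib.md5((key + canonical(request)).encode()).hexdigest()
    return hmac.compare_digest(expected, request.get("signature", ""))


def resign_from_request_only(request):
    """Rebuild the weak signature using nothing but the request's own contents,
    which is exactly why the scheme gives no integrity guarantee."""
    fields = {k: v for k, v in request.items() if k not in ("key", "signature")}
    return sign_weak(fields, request["key"])


def sign_strong(params, secret):
    """HMAC-SHA256 keyed with a secret that never travels in the request."""
    body = dict(params)
    mac = hmac.new(secret.encode(), canonical(body).encode(), hashlib.sha256)
    body["signature"] = mac.hexdigest()
    return body


def verify_strong(request, secret):
    """Merchant-side check: only a holder of `secret` can produce a valid tag."""
    mac = hmac.new(secret.encode(), canonical(request).encode(), hashlib.sha256)
    return hmac.compare_digest(mac.hexdigest(), request.get("signature", ""))


def tampered(request, **changes):
    """Copy of a request with some fields altered in transit."""
    return dict(request, **changes)
```

A real callback verifier should also bind the message to a nonce or timestamp and to the order id it expects, so that a genuine signed callback cannot simply be replayed.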
Rant:
Why in the freezing cold do all people think that linux = secure. Ransomware... Bla bla not happening on linux bla bla... Linux is secure.
If Linux had been the most popular one, people would pretty much run everything as root and install every stupid package available and never run: apt-get update.
Users were so dumb they got scammed by a phishing mail... In freaking 2017... This is user stupidity not OS fault...
God it's stupidly annoying seeing the same stuff : Linux secure...
Everything can be secure if you paid attention to the same stuff in freaking 2000.
-
I'm getting a bit tired of programming.
I have been struggling for years regarding programming. I did have some moments of perceived success, but most of the time it has been depressing.
I’m not sure if I dislike programming. But there are some aspects of it that make me feel not as passionate about it.
First off, programs are invisible. No one sees your program or you (assuming we're talking about a non artistic dev job).
People can’t see lines of code executing, but even if they did it would be gibberish to them.
Users can only become aware of bad software and that kind of breaks my heart a bit.
You could write fast, stable, secure, easy to read, easy to update software. People won’t notice. Hell, even your boss/coworkers might not notice.
In fact, sometimes you try to do the good thing, you try to become a better dev, you try to write tests first, you try to i18n, and what do you get? “Uhh, that’s taking too much time and I don’t see the benefit”.
I know some people will say that people noticing bad service happens on every job.
But programming is the ultimate isolation job. No client has ever told me “hey that code you wrote was pretty good”. They can’t even read code.
I don’t know the users, the users don’t know me, and the users can only judge my program by the result, they can only judge the visual interface.
Let’s say you write a cool project at github. The code is great. Guess what, every language’s ecosystem out there is saturated. Everything is already written. GitHub is saturated. Your best project ends up being a just for yourself enjoyment.
I’m not saying you shouldn’t enjoy code for yourself. That’s how I bet most prolific coders start. I’ve been doing that for many years now. But at some point you want to be part of something with humans.
Imagine I’m stranded on an island with nothing no humans, just food, water and a computer. Would I write code just for myself, just for fun? I think I would off myself 3 months in.
Maybe I should do develop a more social talent...14 -
One of the more memorable computer problems I solved was when I added some Lego blocks to solve a recurring Windows bluescreen
A friend had a Pentium 3 (slot 1) that kept throwing him several bluescreens per day so I decided to help
I opened up the computer and saw that the processor was not properly secured in its place and the plastic pieces that should have been holding it in place were gone, so I improvised, pressing in some Lego pieces that I found somewhere to secure the processor so it didn't move if someone was walking close to the computer, and after that he didn't have any more bluescreens than the rest of us
-
!rant
In July Chrome will mark all http pages as not secure and Firefox will follow.
Worst of all, those insecure pages won't be allowed to access the microphone and other features any more. What will I do in cafes now?
-
TL; DR: Bringing up quantum computing is going to be the next catchall for everything and I'm already fucking sick of it.
Actual convo i had:
"You should really secure your AWS instance."
"Isn't my SSH key alone a good enough barrier?"
"There are hundreds of thousands of incidents where people either get hacked or commit it to GitHub."
"Well I won't"
"Just start using IP/CIDR based filtering, or I will take your instance down."
"But SSH keys are going to be useless in a couple years due to QUANTUM FUCKING COMPUTING, so why wouldn't IP spoofing get even better?"
"Listen motherfucker, I may actually kill you, because today I don't have time for this. The whole point of IP-based security is that you can't look on Shodan for machines with open SSH ports. You want to talk about quantum computing??!! Let's fucking roll motherfucker. I don't think it will be in the next thousand years that we will even come close to fault-tolerant quantum computing.
And even if it did, there have been vulnerabilities in SSH before. How often do you update your instance? I can see the uptime is 395 days, so probably not fucking often! I bet you "don't have anything important anyways" on there! No stored passwords, no stored keys, no nothing, right (she absolutely did)? If you actually think I'm going to back down on this when I sit in the same room as the dude with the root keys to our account, you can kindly take your keyboard and shove it up your ass.
Christ, I bet that the reason you like quantum computing so much is because then you'll be able to get your deepfakes of Miley Cyrus easier you perv."
-
I'm sick of the tyranny of websites who say your password must include at least one shady character, one special agent, and a number of other filthy things. Only makes your passwords impossible to remember, hard to type, and not a bit more secure.
"mynameisronalddumpandimanorangehairedorangutan" is a million times more secure than "P4$$word".
-
I think most people are annoyed by the new design of Chrome, for all the wrong reasons - I just noticed the TLS indicator lock is now gray when encrypted, giving you the idea of a website being not fully secure imho
-
Hey! You there!
Are you sick of windows 10 sending you intrusive reminders about updates? Are you tired of random unscheduled restarts? Tired of feeling like you have no control over your own computer?
Take back control!
DO THE FUCKING UPDATE, YOU FUCKING INCOMPETENT, USELESS, LAZY, PIECE OF DRY WANK!
Seriously guys: pick a time convenient to you, and take 5 or 10 minutes (when you're likely spending hours at your computer), and do them. Not only will you get rid of the annoying notifications, but you'll also keep your pc safe and secure by keeping up with security patches. C'mon people, it's really not that difficult.
And can we please, for the love of all things holy, stop the circlejerking? You're developers, you are the computer proficient. The only things a PC will do are the things you tell it to do. Dig deep, dig into the registry, dig into the services manager, dig into the fucking settings cos a good number of the most common complaints can be fixed in the basic options menu. Tell your computer to stop doing the things you don't like and it will stop.
It's really not hard!
-
Being a programmer for a while now it always irritates me to try to explain what I'm working on to friends and family. I forget what I knew before I developed. I'm always like "I made the strings in the database- oh I mean the words...well they're actually more like strings of letters- well anyway I made a code to sanitize the user input- I mean make it so it is secure before uhhh saving." I spend so much time watering what I'm saying down I forget what I'm talking about
It's not even funny. It'd be funny if one single person in my family or friend group understood what I meant to some degree.
-
One thing every junior web developer learns is how to implement a login system.
They may not make it the most secure, but it works.
It boggles my mind how Microsoft still don't know how to make a login that works consistently.
Every Microsoft login page requires like 30 redirections to work.
The Teams app on my PC fails to login at least once a week, just because another Microsoft app is logged in using the same account (usually office), but Windows is not.
Microsoft needs to take its head out of its ass and BEG Google to teach them how to make a decent login system.
-
When you spend 5+ minutes creating a secure password for your new bank account and you get a message saying the password must be between 6 and 12 characters long.
Not sure I want to open this account any more.
Fuck me.
-
watching the online course for CEH... dude used the Death Star as a tangible example of how exploits work.
IDK if I should love it for the nerdiness, or be slightly sad that someone needs that type of example of what a vulnerability vs an exploit is, when they're going for the Certified Ethical Hacker certification...
Might be better in an introduction to Network Security class?
Also, while discussing the security, usability, and functionality triangle, he referenced the Staples "Easy Button" - does one thing, not very secure, and not very functional (in that it has more than one function)...
-
Security lifehacks 101
Why pay for password managers? Just use one secure password for every service you use! Password managers are really designed for fools who don’t know that you can just use one password for every service and who are ready to pay for that shit.
The best practice is to use your name starting with a capital letter + your main credit card number + CVC code from the back of that card as your go-to password. It's long and hard to bruteforce and you can remember everything that way! You just need to remember that one password and you'll always remember your payment info! No need for apple's bad Apple Pay which is not so secure after all like everything else that Apple offers.
-
I'm a game designer student in a Brazilian university. In my class I'm the only one who likes code and made the secure choice to be a future game programmer.
But recently some dudes on my class started to discourage me and telling me to give up that course and change to a computer science course.
I didn't feel that way... I think game programmers who know all the stuff and process of game development (modelling, concepts etc) are better professionals than the ones who just know the scripting process. But sometimes their opinion flows up my head and I feel so unknown if I'm staying in the right way or not.
(Sry if my English is still bad.. hope you all understand anyway)
-
Just went to book something online. About to click the "Pay" button and noticed the page wasn't secure. Who the hell, in 2017, captures credit card details via insecure 'http'??? And 'https' worked on the home page but not the payment page!! Backed out of that, messaged them and we'll see if anything comes of it.
-
!rant
For the second time in a row, one of our customers decided not to pay their server. The server, on which a lot of the work we did for them (online shop) was hosted. Shortly after completion, we specifically told them to backup their stuff on a daily basis, secure their server and regularly update it... Guess who did neither of those things, in addition to not paying their server after more than 5 reminders, and still complains about their shop being offline. Fucking idiots.
-
ESET Antivirus is a strange animal. On one hand, it seems reasonably well written, because unlike Norton or F-Secure, it doesn't subject your computer to death by constant disk access and 100% CPU load for 10 minutes when you start it.
On the other hand, when I clicked the link in the mail about renewing licenses and filled out the form, I was not redirected to a page where I could enter credit card details.
Instead, I got a message that some representative would get back to me in 1-2 work days. Eh, what? It's a digital product for f***'s sake. Now, I suppose they'll send me a hand written letter (written using a quill, no doubt), delivered by a bloke riding a horse and wearing a tricorn.
Well, at least ESET virus definition updates are pushed on the internet, and not sent out on 5.25" diskettes.
-
Clients r wankers. He wants to be able to send login details incl passwords in email to his clients when he adds them in the cms. The passwords are encrypted and generated on creation of a new user. I've told him that sending credentials in email is shit and not secure. The stubborn bastard won't budge, so instead I've put explicit instructions to reset password once logged in with the credentials they send. Any other suggestions?
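The usual replacement for mailing a password, added here as an example that is not the poster's code or their CMS: the email carries only a single-use, time-limited link, and the new user sets their own password on the page it opens, so no credential is ever in transit or in a mailbox. The base URL, the one-day lifetime and the in-memory table are assumptions; only a digest of the token is stored, so a leaked table yields no working links.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 24 * 3600  # assumption: a setup link is valid for one day
BASE_URL = "https://cms.example/set-password"  # constructed placeholder


class PasswordSetupTokens:
    """Single-use, time-limited password-setup links sent instead of passwords."""

    def __init__(self, ttl=TOKEN_TTL_SECONDS, now=time.time):
        self._rows = {}   # sha256(token) -> (user_id, expires_at)
        self._ttl = ttl
        self._now = now   # injectable clock so expiry can be tested

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id):
        """Mint a fresh token for user_id; any earlier token for that user is revoked."""
        self._rows = {d: row for d, row in self._rows.items() if row[0] != user_id}
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._rows[self._digest(token)] = (user_id, self._now() + self._ttl)
        return token  # exists in clear only inside the emailed link

    def link(self, user_id):
        """The URL that goes into the welcome email."""
        return f"{BASE_URL}?token={self.issue(user_id)}"

    def redeem(self, token):
        """Return the user_id for a valid token, else None.
        The row is removed on lookup, so each token works at most once."""
        row = self._rows.pop(self._digest(token), None)
        if row is None:
            return None
        user_id, expires_at = row
        return user_id if self._now() <= expires_at else None


if __name__ == "__main__":
    store = PasswordSetupTokens()
    url = store.link("user-42")
    print(url)
    print(store.redeem(url.split("token=", 1)[1]))  # "user-42" on first use only
```

On redeem, the page should require the new password to be typed twice and then invalidate every other session for that user; the token itself must never be logged, since the URL is the credential for the duration of its lifetime.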
-
We are required to use corporate SSO for any authenticated internal websites, and one of the features they require you to implement is a "logout" button.
They provide a whole slew of specifications, including size and placement/visibility, etc. They provide an SSO logout URL you must redirect to after you take care of your own application logout tasks.
Makes sense... except the logout URL they provide to serve the actual SSO logout function broke over 3 months ago, and remains non-functional to this day.
Apparently I'm the first person (and perhaps one of the only people) who reported it, and was told "just not to worry about it".
So, we have a standing feature request to provide a button... that doesn't actually work.
Corporate Security - Making your corporation _appear_ more secure every day...
-
why do I have an iphone?
well, let's start with the cons of android.
- it's less secure. this isn't even arguable. it took the fbi a month or something (i forget) to break into an ios device
- permissions, permissions, permissions. many of the android apps I use ask for the not obscure permissions.
· no, you don't need access to my contacts
· no, you don't need access to my camera to take notes
· no, you don't need access to my microphone to send messages
· no, you don't need access to my saved passwords to be a functioning calculator
- not being able to block some apps from an internet connection
- using an operating system created and maintained by an advertising company, aka no more privacy
- i like ios's cupertino more than material design, but that's just personal preference
pros of ios:
- being able to use imessage, at my school if you don't have an iphone you're just not allowed to be in the group chat
- the reliability. I've yet to have a data loss issue
- the design and feel. it just feels premium
- if I could afford it, ios seems like a lot of fun to develop for (running a hackintosh vm compiled a flutter app 2x as fast as it did on not-a-vm windows)
so that's why I like iphones
google sucks
-
My arguments about Apple:
- "iPhone 12 camera can be better than anything else because it's more advanced, it has LiDAR and 10-bit codecs"
- "I can copy on my iPhone and paste on my MacBook and vice versa out of the box"
- "My Beats can seamlessly switch from playing from my MacBook to my iPhone to my Apple Watch. I can be exercising with only my Apple Watch and my Beats, no need for iPhone"
- "2K screen with nice colors in a 900g laptop is rare if you consider the price. The Apple one is the cheapest with those characteristics"
- "Apple Pay is convenient"
- "Fingerprint scanners fail with wet fingers no matter if it's ultrasonic or optical, LiDAR Face ID is objectively more secure than any camera-based unlock mechanism"
- "Stainless steel frame feels better than aluminum one"
I'm not saying Apple is the best. I'm not saying that Google Pay doesn't exist or that Apple Pay is better. I'm not saying that Apple has no downsides.
However, these are responses I get:
"But Apple IS crapple, immutably"
"Why are you even looking at apple crap if you want something good"
If you want to bash Apple, bash it for something real like that butterfly keyboard fails, unconventional AirPods shape that makes most people's ears hurt, screen coating fails on MacBooks, App Store commissions.
-
My mom asked me to speed up her PC's startup process. I looked into it and probably found the problem: G Data.
I told her she has to delete it, there is windows defender anyways (and virus scanners are just snake oil). She refused and said: But I bought it from the local IT shop. They said it is the best.
I said: Yeah because they cannot sell windows defender...
She still argued that she paid for it and wants to keep it.
That was where I said: then enjoy your slow startups.
She also said she feels more secure with it. 🙄
I would not even be able to work with that PC! It's not old at all, but the permanent scanning comes at a high cost and probably does not help much.
But she trusts that local IT store guy more than me apparently.
-
Anything I (am able to) build myself.
Also, things that are reasonably standardized. So you probably won't see me using a commercial NAS (needing a web browser to navigate and up-/download my files, say what?) nor would I use something like Mega, despite being encrypted. I don't like lock-in into certain clients to speak some proprietary "secure protocol". Same reason why I don't use ProtonMail or that other one.. Tutanota. As a service, use the standards that already exist, implement those well and then come offer it to me.
But yeah. Self-hosted DNS, email (modified iRedMail), Samba file server, a blog where I have unlimited editing capabilities (God I miss that feature here on devRant), ... Don't trust the machines nor the services you don't truly own, or at least make an informed decision about them. That is not to say that any compute task should be kept local such as search engines or AI or whatever that's best suited for centralized use.. but ideally, I do most of my computing locally, in a standardized way, and in a way that I completely control. Most commercial cloud services unfortunately do not offer that.
Edit: Except mail servers. Fuck mail servers. Nastiest things I've ever built, to the point where I'd argue that it was wrong to ever make email in the first place. Such a broken clusterfuck of protocols, add-ons (SPF, DKIM, DMARC etc), reputation to maintain... Fuck mail servers. Bloody soulsuckers those are. If you don't do system administration for a living, by all means do use the likes of ProtonMail and Tutanota, their security features are nonstandard but at least they (claim to) actually respect your privacy.
-
So a few weeks ago I wiped my MacBook Pro to regain some space and speed, it wasn't really that slow I just had the disk partitioned into two installments of MacOS. When I erased the disk I thought the secure thing to do would be to set the format to journaled, encrypted rather than just journaled. Everything was working fine, there seemed to be this weird step of login when I restarted but whatever, except iCloud Drive. On my iMac it works fine but for whatever reason my MacBook Pro doesn't want to download custom folders (ones that aren't created by an app and don't have an app icon on folder icon) from my account despite them being clearly available in iCloud.com. So after this much time of messing with it I'm wiping my MacBook Pro again and formatting it as journaled (not encrypted). Wish me luck...
-
!dev && rant
Can we talk about banks? Those fuckers! Supposed to keep our money safe and be competent... Today they gave me the biggest scare of my life, and I've run an update query on a prod db without a where clause! (Okay I knew we had a backup but still pretty scary moment!)
As a few know, besides being a dev I help to organize a small openair music festival here in Switzerland. The openair was this weekend. Everything went well, until I checked our ebanking account today. There was only 2/3 of the money that should be there. A quick call to the bank and they told me, nope they never received it. As we've thrown it in a secure locker during the night, we didn't receive any receipt or something like that. It took those fuckers 3.5 hours to actually go and check the locker, just to find the remaining money in the corner of it. What the fuck people, can't you open your fucking eyes and not give me a fucking heart attack? I thought you guys are professionals!
Note locker: we get a key to open it from the outside, place our payment during the night, as soon as we close it, it falls inside a vault, so there it's a pay in only system, for lack of a better word, I called it locker.
My heart is still beating like mad, because of them.
-
Despite common sense, I think technology is not making our lives easier. It just builds chaos on top of chaos.
Take server-side programming for instance.
First you have to find someone to host your thing, or a PaaS provider. Then you have to figure out how much RAM and storage you need, which OS you're going to use. And then there's Docker (which will run on top of a VM on AWS or GCP anyway, making even less sense). And then there's the server technology: nginx, Apache (and many many more; if, that is, you're using a server at all). And then there are firewalls, proxies, SSL. And then you go back to the start, because you have to check if your hosting provider will support the OS or Docker or your server. (I smell infinite recursion here.)
Each of these moving parts come with their own can of worms in terms of configuration and security. A whole bible to read if you want to have the slightest clue about what you're doing.
And then there's the programming language to use and its accompanying frameworks. Can they replace the server technology? Should you? Will they conflict with each other and open yet another backdoor into your system? Is it supported by your hosting provider? (Did I mention an infinite recursion somewhere?)
And then there's the database. Does it have a port to the language/framework of your choosing? Why does it expose an web interface? Is it supposed to replace your server? And why are its security features optional again? (Just so I have to test both the insecure and the secure environments?)
And you haven't written a single line of code yet, mind you.
-
I rarely tell this story because it's hard to believe and would show me in a bad light if people don't believe its details. I know there have been foolish moves from my part, and more stuff should have been agreed to in writing, and I did step into a legal grey area. However I am pleased with what I did and how it all turned out, and this is as close to the truth as possible without needing to explain too many details.
I was once a team lead in an outsourcing company. We had a flexible payment plan depending on results. That helped me motivate myself and my team. Things worked great.
But then the boss started acting like shit:
1. Flexible payment means minimum, right?
2. Promises are made to be broken, as long as your employees have hope and work overtime for a whole month just to finish an important project before schedule, right?
3. Who needs a good, comfortable, SAFE work environment when you can save 30$ on not buying a new crappy chair in place of the old broken crappy chair, if it can be maintained standing by just a bit of duct tape and careful balancing on it? It's not like that developer who earns 30$ per hour has anything else to think about than balancing on a broken chair, right?
I'm a very calm person at work. I never ever raised my voice at anyone for 10 years of my career. Except this situation. I pulled the boss out of the office so his secretary wouldn't hear what I had to say. I threw all of this in his face.
A guy from sales got out of the office to go to the bathroom, and when he heard me, he carefully snuck back into the office (I didn't see him. He told me this over a beer after he left).
Of course I quit on the spot, convinced most of my team members to leave (wasn't hard, I just had to offer a secure plan, which I did), and helped my team members to get good positions elsewhere, and assisted others in starting their own business, by stealing customers from this company (the asshole did not foresee this when he prepared the labour contracts), after he accused me of plagiarism (that I stole code from somewhere else) and used that excuse to not pay me what we agreed upon.
I didn't want litigation. I just used karma, while remaining in the legal realm.
Within a month after this, more than half of his company was gone, and he was left with only a fraction of the revenue he was making before, since the only ones left were people that did not produce value (sales that had nothing to sell, accounting that had nothing to account, etc.), and just one person maintaining one remaining contract that was bringing barely enough money to sustain half of these people.
Now I want to congratulate you for actually finishing reading this :)1 -
Guys what I want to know is how do you secure your code so that they pay you after you deliver the code to them?
So recently I was in this internship that I secured with an over-the-phone interview and the guy who was contacting me was the CEO of the company (I'm going to refer to him as "the fucking cunt" from now on). He asked me to do some OCR and translations and I managed to write a few scripts that automate the entire process. The fucking cunt made me login remotely to his desktop which was connected to the server (who the fuck does that) and I had to operate on the server from his system. I helped him with the installation and taught him how to use the scripts by altering the parameters and stuff, and you know what the fucking cunt did from the next day onward? Dropped contact. Like completely. I kept bombing emails upon emails and tried calling him day after day, the fucking cunt either picked up and cut the call immediately on recognising it's me or didn't pick up at all. And the reason he wasn't able to pay me was, and I quote, "I am in US right now, will pay you when I get back to India." I was like "The fuck was PayPal invented for?" Being the naive fool that I was, I believed him (it was my first time) and waited patiently till the date he mentioned and then lodged a complaint in the portal itself where he had posted the job initially. They raised a concern with the employer and you know what the fucking cunt replied? "He has not been able to achieve enough accuracy on the translations". Doesn't even know good translation systems don't exist till date (BTW I used a client for the google translate API). It has been weeks now and still the bitch has not yet resolved the issue. And the worst part of it was I got a signed contract and gave him a copy of my ID for verification purposes.
I'm thinking of making a mail bomb and nagging him every single day for the rest of his life. What do you guys think?7 -
Managed to land 2 interviews:
The first one was for a startup that was looking for a react programmer (I've never used react before).
The latter was a php job at a big company. They told me they used cakephp which is a framework I had not used before either.
Still, I'm more familiar with php than react so I felt more confident with the second interview. However, I felt there was a lot of good chemistry going on in the first interview.
The interviewer was incredibly nice (he was the lead dev, not an HR person as opposed to the second interviewer)
He gave me a small react test to be completed within a week. I barely managed to do it in time but I felt good about the solution.
Just as I was sending it, I get a call from the second interviewer saying I landed the php job.
I wasn't sure if my novice react skills would be impressive enough to secure me the react job (and I really needed a job) so I accepted.
After explaining everything to the guy who was interviewing me for the react job, he understood and was kind enough to schedule a code review where he walked through my novice code explaining what could be improved, helping me learn more in the process.
I regret not accepting the react position. The PHP they got me working with is fucking PHP5 with Cake2 :/
Don't get me wrong, I like the salary and the people are nice but the tech stack they're using (lacking source control by the way!), as well as all the lengthy meetings are soul-draining.6 -
I'd never do anything "risky" in a prod environment if I considered it so at the time, but in retrospect there's *lots* of things considered risky now (both from a security and good practice viewpoint) that were standard practice not long ago:
- Not using any form of version control
- No tests (including no unit tests)
- Not considering XSS vulnerabilities
- Completely ignoring CSRF vulnerabilities
- Storing passwords as unsalted MD5 hashes (heck that was considered very *secure* in the days of plaintext password storage.)
...etc. I'm guilty of all of those previously. I daresay in the future there will be yet more things that may be standard practice now, but become taboos we look back on with similar disdain.2 -
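On the "unsalted MD5" item from the list above: an added example (not from the post) showing why identical passwords give identical stored hashes under that scheme, next to a per-user salted, iterated hash that does not. User names and passwords are constructed sample data.

```python
"""Unsalted MD5 versus a salted, iterated password hash (added example)."""
from __future__ import annotations

import hashlib
import hmac
import os
from typing import Optional

# Constructed sample user table: two users happened to pick the same password.
USERS = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse"}


def md5_unsalted(password: str) -> str:
    """Legacy scheme: same password -> same hash, for every user and every site,
    so one precomputed table of common passwords matches all of them at once."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_salted(password: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> str:
    """Per-user random salt plus a deliberately slow key derivation.
    Stored form: 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash format: {algo}")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def has_duplicate_hashes(table: dict) -> bool:
    """Quick audit check over a stored table: two identical hashes is a
    tell-tale sign that no per-user salt was used."""
    hashes = list(table.values())
    return len(hashes) != len(set(hashes))


def build_tables(iterations: int = 600_000) -> tuple:
    """Return (legacy_table, salted_table) built from the constructed users."""
    legacy = {user: md5_unsalted(pw) for user, pw in USERS.items()}
    modern = {user: pbkdf2_salted(pw, iterations=iterations) for user, pw in USERS.items()}
    return legacy, modern


if __name__ == "__main__":
    legacy, modern = build_tables()
    print("legacy table has duplicate hashes:", has_duplicate_hashes(legacy))  # True
    print("salted table has duplicate hashes:", has_duplicate_hashes(modern))  # False
    print("alice logs in:", verify_pbkdf2("hunter2", modern["alice"]))         # True
```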
After a court ruling, the privacy focused email provider Tutanota has been forced to create plaintext copies of emails.
In the future, a court can order copies of emails, before they are saved encrypted on the email servers. Tutanota says end-to-end encrypted emails would remain secure and they would "rather want to implement extended privacy enhancements for customers instead of extended access for government entities", but they would follow the law.
A few months ago, in a similar case, the constitutional court ordered another mail provider - Posteo - to save IP addresses on court request, even if they do not save them regularly.
Interestingly, the law the court based its decision on might no longer be relevant for mail services.
Source (German): https://sueddeutsche.de/digital/...9 -
Providing a web site to pay electricity and other services, but guess what? THE CONNECTION IS NOT SeCuRe !! (What can possibly go wRoNg).
This retarded country has a lot of skilled people, but the dinosaurs who are in charge are literally afraid of new technology.
Wake up bitches, it's almost 2020 -
A classmate saw me using Firefox today and laughed at me saying Chrome is more secure. I'm not very knowledgeable about the security; I use Firefox because it uses less memory and it's more stable on my machine.
I doubt that info of his is current so can someone who actually knows about the security give me some counter-arguments for him? The more facts the better :D14 -
I don't understand privacy advocators.
Am I the only one who wouldn't give up practicality in exchange for "potentially more secure"?
I don't understand so much what the deal is with people who avoid Facebook, or don't trust Google or Microsoft, just on the basis of "privacy" or "security".
Websites tracking you to serve ads? Well, it's pointless because I very rarely buy something from the internet or let myself be influenced, ads are a waste of time, just use an adblocker.
I can pretty much upload my whole life or documents on Google drive, even if I made it public no one would really care or read it all. It's like that GitHub project you uploaded but never documented, so no one cares. I usually use alternative software not because of "privacy" but because it has features other software doesn't have.
In reality you realize people aren't that interested in your life more than their own life.24 -
Security fail here. I've just started a PPI claim and have been provided a link to a so called "very secure" client area.
There are no username or passwords and the screenshot is not a first time sign up screen.
All I need to login is a surname, postcode and DOB - all information easy enough to find online.
Pretty bad IMO, esp. so considering the effort required to add a proper login using a username/password combination.
I mean I'm logged in now and have no option to set an account password :|3 -
Boss: We don't want to use PHP because it's open source; we want to keep all the applications secure and want Microsoft to support us whenever something happens to ASP.NET applications.
Me: But we will be using PHP on intranet applications and it won't be for public. ASP.NET is also open source.
Boss: No, we can't take that risk.
I'm not sure who's right over here. PS: All the applications we built are for internal purpose only.15 -
The worst thing I have seen a dev do?
- Have all the APIs work without an access token for our main product which handles ~10k requests a day.
- Calling our architecture secure in the crucial investor meeting and being 'confident' that our database can not be compromised. No wonder we did not get funded.3 -
In my school, eleventh grade (so nearly "Abitur", A levels), we got the task to create a program which will be running on every computer here which should replace the Classbook (like a book where homework and lessons and stuff is written down).
Now, the class before mine already did a part of that, a program to share who is ill/not at school, with a mark whether it is excused or not.
So far so good. They all seemed not that bad when they were presenting it to us. Then, the first thing: they didn't know what git is. Well, okay I thought.
Next, there was this password field to access the program. One of them entered the password and clicked enter. That seemed suspiciously fast for an actual secure login. So fast, the password could have been in the code...
Yesterday I copied that program and put it into a decompiler.
And... I was right.
There were the login credentials in plain text. Also, haven't thought of it but, IP address + username + password + database name were there in plain text, too.
Guess I am going to rewrite this program down to the core2 -
Suck my hairy asshole, devs who disable paste for web forms. Or more likely, management softs who read in a trade magazine that paste is bad.1
-
Hello fellas! 👋
I recently told you that I’m planning to pull out Chaaat – a fully open source messenger that doesn’t track you and doesn’t share your data: https://devrant.com/rants/1549251/....
The project is also mentioned here: https://devrant.com/rants/1570178/...
So, I’m here to tell you good news – a great developer, @not-a-muggle, decided to join me, and now we are a team!
I also had some conversations and acquired the “chaaat” name from another team on Heroku, so now we have a consistent domain name on both Heroku and GitHub Pages.
We have Trello board with very well described tasks almost anyone can do. We also have Slack to have both business and free conversations.
If you’re seeking a place to contribute and gain some NodeJS / React / PWA / WebRTC experience with detailed code review from an experienced developer, just mention me here or shoot me an email on hello@miloslav.website. Provide your email so I’ll be able to contact you.
Our main goals are:
1. Have fun and some experience
2. Make it to Chrome Experiments mention
Marketing/advertising help is much appreciated.
Feel free to email me anytime!8 -
When I was younger, less experienced and more naive than now, I got away with a lot of things. By a lot of things I mean security flaws in my applications and overall architecture. I realise now I could've so easily been pwned.
Not that i claim to be totally secure even now, or would ever. It is a process, slow and painful one - Learning.
What I wish to point out is the role of favorable probability (non-believers would call it luck). Security is so much about it. You get away with so many things for so long. And bang, one day the roll of dice is unfavorable. On such rare occasions, just look back and wonder - damn, I should've been breached long ago.2 -
My grandfather is 72 & doesn't know much about technology. He forwarded me this message on WhatsApp because I'm a software engineer. He made my day...
What is the difference between http and https ?
Time to know this with 32 lakh debit cards compromised in India.
Many of you may be aware of this difference, but it is worth sharing for any that are not.....
The main difference between http:// and https:// is all about keeping you secure.
HTTP stands for Hyper Text Transfer Protocol
The S (big surprise) stands for "Secure". If you visit a website or web page, and look at the address in the web browser, it is likely to begin with the following: http://.
This means that the website is talking to your browser using the regular unsecured language. In other words, it is possible for someone to "eavesdrop" on your computer's conversation with the website. If you fill out a form on the website, someone might see the information you send to that site.
This is why you never ever enter your credit card number in an http website! But if the web address begins with https://, that means your computer is talking to the website in a secure code that no one can eavesdrop on.
You understand why this is so important, right?
If a website ever asks you to enter your credit/debit card information, you should automatically look to see if the web address begins with https://.
If it doesn't, you should NEVER enter sensitive information... such as a credit/debit card number.
PASS IT ON (You may save someone a lot of grief).
GK:
While checking the name of any website, first look for the domain extension (.com or .org, .co.in, .net etc). The name just before this is the domain name of the website. E.g., in the above example, http://amazon.diwali-festivals.com, the word before .com is "diwali-festivals" (and NOT "amazon"). So, this webpage does not belong to amazon.com but belongs to "diwali-festivals.com", which none of us have heard of before.
You can similarly check for bank frauds.
Before your ebanking logins, make sure that the name just before ".com" is the name of your bank. "Something.icicibank.com" belongs to icici, but icicibank.some1else.com belongs to "some1else".
👆 *Simple but good knowledge to have at times like these* 👆3 -
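The two checks the forwarded message asks readers to do by eye (is the address https, and which domain really owns the page) written as code. This is an added example, not part of the message; the short suffix set standing in for the Public Suffix List is an assumption of the example, and the sample URLs are the message's own plus constructed ones.

```python
"""Scheme and owner-domain check for a URL (added example)."""
from __future__ import annotations

from urllib.parse import urlsplit

# Constructed, deliberately short stand-in for the Public Suffix List, so that a
# two-label suffix such as ".co.in" from the message is treated like ".com".
# A real check would load the full list; this set is an assumption of the example.
TWO_LABEL_SUFFIXES = {"co.in", "co.uk", "com.au"}


def registrable_domain(host: str) -> str:
    """The label just before the public suffix, plus the suffix: the part that
    was actually registered. 'amazon.diwali-festivals.com' -> 'diwali-festivals.com'."""
    labels = host.lower().rstrip(".").split(".")
    suffix_len = 2 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 1
    if len(labels) <= suffix_len:
        return ".".join(labels)  # bare suffix, nothing registered under it
    return ".".join(labels[-(suffix_len + 1):])


def check_url(url: str, expected_domain: str) -> tuple:
    """Return (owner_domain, list_of_problems). urlsplit().hostname already drops
    the port and any 'user@' part, so 'https://mybank.com@other.example/' is
    attributed to other.example, which is the honest answer."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    problems = []
    if parts.scheme != "https":
        problems.append(f"not https: scheme is {parts.scheme!r}, so the page can be eavesdropped on")
    owner = registrable_domain(host) if host else ""
    if owner != expected_domain.lower():
        problems.append(f"page belongs to {owner!r}, not {expected_domain!r}")
    return owner, problems


if __name__ == "__main__":
    samples = [
        ("http://amazon.diwali-festivals.com", "amazon.com"),        # example from the message
        ("https://something.icicibank.com/login", "icicibank.com"),  # legitimate sub-domain
        ("https://icicibank.some1else.com/login", "icicibank.com"),  # bank name used as a label
    ]
    for url, bank in samples:
        owner, problems = check_url(url, bank)
        print(url, "->", owner, problems or "OK")
```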
With the movement of people recently deleting their facebook accounts, this actually covers a valid concern I didn't even think of, since I personally don't use that feature at all, nor have I ever used it.
People that used the "login with facebook" a lot, especially with websites that exclusively use it, will flush not only their facebook account doing that, but also all accounts they have ever used to log in with facebook, if not actually thought as far as checking the apps section of facebook and trying to migrate your account, which is also rarely possible.
So basically many people that do use it, simply won't delete their facebook account, because it has this backup parachute attached with its strings, that does not allow for an easy exit, except for literally ripping it all out and losing every account it seems.
Ignore Dashlane's self-advertisement bullshit at the bottom, the blog itself is still highly valuable in itself.
Source: https://blog.dashlane.com/delete-fa...12 -
Hmm... recently I've seen an increase in the idea of raising security awareness at a user level... but really now, it gets me thinking, why not raise security awareness at a coding level? Just having one guy do encryption and encoding most certainly isn't enough for an app to be considered secure. In this day and age where most apps are web based and even open source some of them, I think that first of all it should be our duty to protect the customer/consumer rather than make him protect himself. Most of everyone knows how to get user input from the UI but how many out here actually think that the normal dummy user might actually type unintentional malicious code which would break the app or give him access to something he shouldn't be allowed into? I've seen very few developers/software architects/engineers actually take the blame for insecure code. I've seen people build apps starting on an unacceptable idea security wise and then in the end thinking of patching in filters, encryptions, encodings, tokens and days before release realise that their app is half broken because they didn't start the whole project in a more secure way for the user.
Just my two cents... we as devs should be more aware of coding in a way that makes apps more secure from and for the user rather than saying that we had some epic mythical hackers pull all the user tables that also contained unhashed unencrypted passwords by using magix. It certainly isn't magic, it's just our bad coding that lets outside code interact with our own code. -
My boss did not care about making things secure in our early development stage, even though I told him several times.
After 1 day our elastic search cluster was filled with random crappy data.
Fix: Apply security schemes provided by AWS1 -
My best prank: A year ago I was at my friend's flat, which he finally rented with his new girlfriend. He is the kind of person who has like constantly opened 110 tabs in chrome, three or four instances of chrome running, torrenting at full speed and in the meanwhile a few films having opened to "watch" later. He is very very secure about his computer and NEVER leaves me or anyone else alone with his computer. That day we were just talking in the same room, and he goes for some food. I was like yeah that's my chance to prank him. So I opened a new tab and came with an idea - what if I change his desktop background to some random chick, to prank both him and his gf. I knew she will not be mad but his reaction would be priceless (it was his first gf). So I started googling, found three pretty naked chicks. This was like soft porn, they were still "dressed" but not much. I did not want to use a porn for this.
So I was about to download image - right click - save as - little window opened and..
...what the hell, that guy had literally like terabytes of porn in download folder, all totally in one chaos, thousands of images, millions of downloaded videos, all categories just everything from gangbang to milfs or old/ young, what the fuck that computer was like cursed station of porn.
In that point I was like fuck that. This prank has no sense then. So I just closed that little window and did nothing. Prank failed.
Nowadays, he still does not know what I know about his "hobbies". And I will never tell him lol. About a month after he broke up with his gf and moved to a different house. He has now three monitors attached to his computer and 4tb of space. He is still complaining about "lack of space" and "too big downloaded movies" but we all know what is going on lol. We call his "working deck" a sacred porn station.1 -
Whelp. I started making a very simple website with a single-page design, which I intended to use for managing my own personal knowledge on a particular subject matter, with some basic categorization features and a simple rich text editor for entering data. Partly as an exercise in web development, and partly due to not being happy with existing options out there. All was going well...
...and then feature creep happened. Now I have implemented support for multiple users with different access levels; user profiles; encrypted login system (and encrypted cookies that contain no sensitive data lol) and session handling according to (perceived) best practices; secure password recovery; user-management interface for admins; public, private and group-based sections with multiple categories and posts in each category that can be sorted by sort order value or drag and drop; custom user-created groups where they can give other users access to their sections; notifications; context menus for everything; post & user flagging system, moderation queue and support system; post revisions with comparison between different revisions; support for mobile devices and touch/swipe gestures to open/close menus or navigate between posts; easily extendible css themes with two different dark themes and one ugly as heck light theme; lazy loading of images in posts that won't load until you actually open them; auto-saving of posts in case of browser crash or accidental navigation away from page; plus various other small stuff like syntax highlighting for code, internal post linking, favouriting of posts, free-text filter, no-javascript mode, invitation system, secure (yeah right) image uploading, post-locking...
On my TODO-list: Comment and/or upvote system, spoiler tag, GDPR compliance (if I ever launch it haha), data-limits, a simple user action log for admins/moderators, overall improved security measures, refactor various controllers, clean up the code...
It STILL uses a single-page design, and the amount of feature requests (and bugs) added to my Trello board increases exponentially with every passing week. No other living person has seen the website yet, and at the pace I'm going, humanity will have gone through at least one major extinction event before I consider it "done" enough to show anyone.
help4 -
API Documentation: All API requests should be made over https connections.
Me: Ok, (sees url bar), SECURE, good!
(sees curl code)
curl -X GET 'http://shittyapi.com/api/v2/users'
Me: (gasps) huh?
(heads to http://shittyapi.com/api/v2)
Me: Ok, (sees address bar) NOT SECURE
.
.
.
.
.
(long silence)5 -
I need some advice here... This will be a long one, please bear with me.
First, some background:
I'm a senior level developer working in a company that primarily doesn't produce software like most fast paced companies. Lots of legacy code, old processes, etc. It's very slow and bureaucratic to say the least, and much of the management and lead engineering talent subscribes to the very old school way of managing projects (commit up front, fixed budget, deliver or else...), but they let us use agile to run our team, so long as we meet our commitments (!!). We are also largely populated by people who aren't really software engineers but who do software work, so being one myself I'm actually a fish out of water... Our lead engineer is one of these people who doesn't understand software engineering and is very types when it comes to managing a project.
That being said, we have this project we've been working for a while and we've been churning on it for the better part of two years - with multiple changes in mediocre contribution to development along the way (mainly due to development talent being hard to secure from other projects). The application hasn't really been given the chance to have its core architecture developed to be really robust and elegant, in favor of "just making things work" in order to satisfy fake deliverables to give the customer.
This has led us to have to settle for a rickety architecture and sloppy technical debt that we can't take the time to properly fix because it doesn't (in the mind of the lead engineer - who isn't a software engineer mind you) deliver visible value. He's constantly changing his mind on what he wants to see working and functional, he zones out during sprint planning, tries to work stories not on the sprint backlog on the side, and doesn't let our product owner do her job. He's holding us to commitments we made in January and he's not listening when the team says we don't think we can deliver on what's left by the end of the year. He thinks it's reasonable to expect us to deliver and he's brushing us off.
We have a functional product now, but it's not very useful yet and still has some usability issues. It's still missing features, which we're being put under pressure to get implemented (even half-assed) by the end of the year.
TL;DR
Should I stand up for what I know is the right way to write software and push for something more stable sometime next year or settle for a "patch job" that we *might* deliver that will most definitely be buggy and be harder to maintain going forward? I feel like I'm fighting an uphill battle in trying to write good quality code in lieu of faster results and I just can't get behind settling for crap just because.9 -
Webmin because why not ✓
Lamp stack ✓
Dynamic DNS client ✓
PhpMyAdmin X
Dear DigitalOcean. SINCE WHEN do you consider a PMA installation
without Https SECURE?
And why the fuck do you make me install an aptitude package that skips both file system AND Apache config cleanup on purging?
It's just a raspberry, but if it runs lamp I want PMA, and if it runs anything, I want Https. Is that too much to ask for from a tutorial source otherwise so reliable that I do anything you say without a questioning thought?8 -
Anyone wanting to improve OpenSSL fulltime?
Understanding of Cryptography or ability to write secure code are not required...
https://openssl.org/blog/blog/...4 -
Colleagues cannot seem to grasp that allowing a user to manually update a field via an API, that only a business process should update, is a bad idea.
The entire team of around 10 'software developers' cannot grasp that just because the frontend website won't set it doesn't mean it's secure. I have tried many times now...
Just an example honestly... Our project follows a concrete repository pattern using no interfaces or inheritance, returning anaemic domain models (they are just POCOs) that then get mapped into 'view models' (it's an API). The domain models exist to map to 'view models' and have no methods on them. This is in response to my comments over the last 2 years about returning database models as domain transfer objects and blindly trusting all Posts of those models being a bad idea due to virtual fields in EF.
Every comment on a pull request triggers hours of conversation about why we should make a change vs its already done so just leave it. Even if its a 5 minute change.
After 2 years the entire team still can't grasp restful design, or what the point is.
Just a tiny selection of constant incompetence that over the years has slowly worn me down to not really caring.
I can't really understand anymore if this is normal.3 -
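The point the rant keeps making, that the front end not sending a field is no protection, shown as code: an added example (not from the poster's project, which is C#/EF) with a constructed Order model, a bind-everything update beside an allow-listed one.

```python
"""Bind-all model update versus an allow-listed client update (added example)."""
from __future__ import annotations

from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Order:
    id: int
    shipping_address: str
    status: str = "pending"   # owned by the business process (payment, fulfilment)
    total_cents: int = 0      # computed server-side, never taken from a client


# Allow-list of fields a client may set through the update endpoint.
# Everything else on the model belongs to the business process, whatever the
# front end happens to send.
CLIENT_WRITABLE = frozenset({"shipping_address"})


class ForbiddenField(ValueError):
    """Raised when a client payload tries to write a business-owned field."""


def bind_everything(order: Order, payload: dict) -> Order:
    """The pattern the rant describes: copy whatever keys arrive onto the model,
    on the assumption that 'the website never sets status'. Any client can."""
    return replace(order, **{k: v for k, v in payload.items() if hasattr(order, k)})


def apply_client_update(order: Order, payload: dict, strict: bool = True) -> Order:
    """Copy only allow-listed fields. strict=True rejects the request outright,
    which also gives you a log line when someone probes the API; strict=False
    silently drops the unexpected keys."""
    unexpected = sorted(set(payload) - CLIENT_WRITABLE)
    if unexpected and strict:
        raise ForbiddenField(f"client may not set: {unexpected}")
    return replace(order, **{k: v for k, v in payload.items() if k in CLIENT_WRITABLE})


def mark_paid(order: Order, amount_cents: int) -> Order:
    """The only legitimate path to status='paid': the business process itself."""
    return replace(order, status="paid", total_cents=amount_cents)


if __name__ == "__main__":
    order = Order(id=42, shipping_address="1 Old Street")
    # Constructed request body: a valid address change plus a smuggled status field.
    body = {"shipping_address": "2 New Street", "status": "paid"}
    print("bind everything  ->", bind_everything(order, body).status)                    # paid (bug)
    print("allow-list, lenient ->", apply_client_update(order, body, strict=False).status)  # pending
    try:
        apply_client_update(order, body)
    except ForbiddenField as err:
        print("allow-list, strict  ->", err)
```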
Tried to dual boot Arch with Windows yesterday.
Everything was going smoothly. Shrunk the C: partition, ran the installer, installed the OS fine. But it was still booting straight to Windows.
So I edited the BCD to point to Grub instead of Windows. Then the plan was to boot into Arch, find Windows, and add it to Grub, problem solved.
Wrong. I had forgotten to disable secure boot. Arch and Grub were booting in BIOS mode, but Windows was UEFI. Grub couldn't boot or even see Windows.
So now I was stuck with just Arch. So I flashed a Windows drive, booted from that, automatic startup repair failed. Opened up the command prompt, tried to rebuild the BCD from there. Surely I can just rebuild it and forget about trying to dual boot right? I just want to get back to being able to use my PC.
Wrong again. Didn't find Windows. Had to get rid of the BCD file before I could rebuild it, but couldn't find it. Found out that I could use diskpart to mount the system partition and assign it a drive letter, renamed the BCD, rebuilt it, and finally was able to reboot into Windows.
Learn from my arrogance. First time Linux users should not attempt to install Arch, let alone do it alongside Windows on the same disk.4 -
I had a wonderful run-in with corporate security at a credit card processing company last year (I won't name them this time).
I was asked to design an application that allowed users in a secure room to receive instructions for putting gift cards into envelopes, print labels and send the envelopes to the post. There were all sorts of rules about what combinations of cards could go in which envelopes etc etc, but that wasn't the hard part.
These folks had a dedicated label printer for printing the address labels, in their secure room.
The address data was in a database in the server room.
On separate networks.
And there was absolutely no way that the corporate security folks would let an application that had access to a printer that was on a different network also have access to the address data.
So I took a look at the legacy application to see what they did, to hopefully use as a precedent.
They had an unsecured web page (no, not an API, a web page) that listed the addresses to be printed. And a Windows application running on the users' PC that was quietly scraping that page to print the labels.
Luckily, it ceased to be an issue for me, as the whole IT department suddenly got outsourced to India, so it became some Indian's problem to solve.2 -
A "secure" IoT framework, that integrates with the current system and helps in future implementations as well.
More importantly it would be universally adopted, open source and not proprietary .
Kinda working on something like it for a side project but really dunno where it'll end up! :/2 -
For all the hate against windows I built over the now 8 years using linux as my main os. Now I feel windows 10 is quite good.
I got a little beefier desktop lately, been using just laptops from the last 8 years(8D) so I got this urge to get a desktop for gaming, I bought an entry level machine. ryzen 5 2400g, put my lovely linux mint and... the fucking machine was hanging up when the load was too high, and the load was too high too often because react/node etc.
I gave up in less than a day, I just did a quick search and some people said about secure boot or whatnot, some other claimed that ryzen cpus had no problem with mint, I got fed up quickly and did not try any solution with linux. Then I installed windows 10, installed the godamned drivers from the provided dvd ... since then it was a breeze.
The dark mode is gorgeous and no hanging up at all... I'm just sad that mint did not work so well. I wanted to have consistency between my laptop/desktop and I loved mint above everything. But well, some things improve while you're not looking at them, win 10 is quite good, I'll keep my desktop as gaming/programming pc with win 10, and well, the laptop will be auxiliar programming machine.
¯\_(ツ)_/¯5 -
So... I finally decided to secure my VPS, so I started with sudo less /var/log/auth.log ...
Short story, not even gonna read every line, just gonna reset my VPS lol10 -
Do you know what angers me more than anything else ?
Wasted potential. That's what. That there are people out there that look at their bank account and see a large number and spend large amounts of time finding ways to push people down during sensitive times where they could be learning and growing and have the right attitude and energy to do so, just because it makes their horrible selves feel secure knowing how 'superior' daddy made them, not to mention likely factories filled with half naked Chinese kids sewing shoes and soccer balls and separating out precious metals with blow torches.
I cannot help but think about this again as I'm frustrated that I had to relearn something just now which created more questions which I once everything is dashed to pieces again I won't think to or know to look into, if the information even exists, all so some easily duped younger people can form the next generation of well... us, and fall for the same tricks while I feel like I'm falling behind.4 -
I was once asked to create a fully secure chat system prototype (the ui didn't matter) in 2 days. We ended up building a client in python (which I wrote) and it kinda worked and a c# backend that didn't really work.
1 hour before we had to present the project to some high up management we decided that we couldn't fix the bugs in the system.
So I came up with a cool idea. Why not use ssh?
So I set up a bash script that writes to a file and tail -f that reads from the file. That way you could chat securely with another person.
I made it 15 minutes before the presentation with no Internet working :) they said it was hacky but a cool solution they saw that day :p I felt happy and that I had to thank Linux for being there for me2 -
Workarounds are great. I remember one time, I had a server that let anyone access any file as long as they knew the right path. I wanted to store data in a .txt (it wasn't secure passwords or anything, so calmyourtities), but then anyone had access to it. Now, this server wasn't running anything except PHP, so I created a database.php, and within was just some php tags. I ended up modifying the database.php from other PHP scripts and storing all the data as PHP comments, then parsing through it as I needed, so loading mydomain.biz/database.php wouldn't show the data. Example of my database.php (to all that might not understand because I'm bad at explaining):
<?php
//USER1:DATA1
//USER2:DATA2
?>
2 -
Decrypting API responses in an iOS app because my “senior” dev thinks it is more secure to encrypt responses instead of setting up a proper SSL cert (they use plain HTTP to save money 🙄)
They disabled the encryption since it did not function as we wanted and set up SSL instead 🙄4 -
# Retrospective as Backend engineer
Once upon a time, I was rejected by a startup who tries to snag me from another company that I was working with.
They are looking for Senior / Supervisor level backend engineer and my profile looks like a fit for them.
So they contacted me, arranged a technical test, system design test, and interview with their lead backend engineer who also happens to be co-founder of the startup.
## The Interview
As usual, they asked me what are my contribution to previous workplace.
I answered them with achievements that I think are the best for each company that I worked with, and how to technologically achieve them.
One of it includes designing and implementing a `CQRS+ES` system in the backend.
With complete capability of what I `brag` as `Time Machine` through replaying event.
## The Rejection
And of course I was rejected by the startup, maybe specifically by the co-founder. As I asked around on the reason of rejection from an insider.
They insisted I am a guy who over-engineers things that are not needed, by doing `CQRS+ES`, which is only suitable for R&D, non-production stuff.
Nobody needs that kind of `Time Machine`.
## Ironically
After switching jobs (to another company), becoming fullstack developer, learning about react and redux.
I can reflect back on this past experience and say this:
The same company that says `CQRS+ES` is over-engineering also uses `React+Redux`.
Never did they realize the concept behind `React+Redux` is very similar to `CQRS+ES`:
- Separation of concern
  - CQRS: `Command` is separated from `Query`
  - Redux: Side effect / `Action` in `Thunk` separated from the presentation
- Managing State of Application
  - ES: Through a sequence of `Event`s produced by `Command`s
  - Redux: Through action data produced / dispatched by `Action`s
- Replayability
  - ES: Through replaying `Event`s into the `Applier`
  - Redux: Through replaying `Action`s, which trigger dispatch to the `Reducer`
---
The same company that says `CQRS` is over-engineering also uses `ElasticSearch+MySQL`.
Never did they realize that separating the `WRITE` database (`MySQL`, their `Single Source Of Truth`) from the `READ` database (`ElasticSearch`) is also in line with the `CQRS` principle.
## Value as Backend Engineer
These are sad days for Backend Engineers. At least in the country I live in.
It seems being a backend engineer is often under-appreciated.
Companies (or people) seem to think of the backend engineer as the guy who ONLY makes `CRUD` API endpoints to the database.
- I've heard a Fullstack engineer who comes from a React background complain that Backend engineers have it easy by only doing CRUD without having to worry about the application.
- The same guy fails when given a task in the Backend to make a simple round-robin ticketing system.
- I've seen a company that only hires Fullstack engineers with strong Frontend experience fail to have a basic understanding of how SQL Transactions and Connection Pools work.
- I've seen a company's Fullstack engineer rely on the ORM to do super complex queries instead of writing proper SQL, and prefer to translate SQL into the ORM query language.
- I've seen a company's Fullstack engineer with a strong React background brag about Uncle Bob clean code but fail to know how to do basic dependency injection.
- I've heard a company that made a webapp criticize my way of handling `session` through an http secure cookie, saying it's a bad practice and better to use local storage, despite my argument of `secure` in the cookie and the ability to control the cookie via the backend.18 -
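The cookie flags the last point above is arguing about, as an added example (not code from the post): the backend mints the session id from the OS CSPRNG, sets `Secure`, `HttpOnly` and `SameSite` on it, and a small audit function reports which of those are missing from any `Set-Cookie` value. The cookie name `sid`, the one-hour lifetime and the `Lax` policy are assumptions.

```python
"""Session cookie with Secure/HttpOnly/SameSite, plus an audit of a Set-Cookie value.
Added example, not code from the post; cookie name 'sid' and the Lax policy are assumptions.
"""
import secrets
from http.cookies import SimpleCookie


def new_session_id() -> str:
    # 256 bits from the OS CSPRNG; never derive session ids from user data or time
    return secrets.token_urlsafe(32)


def make_session_cookie(session_id: str, max_age: int = 3600) -> str:
    """Build the Set-Cookie value the backend sends for the session cookie."""
    jar = SimpleCookie()
    jar["sid"] = session_id
    morsel = jar["sid"]
    morsel["secure"] = True       # only ever sent over TLS
    morsel["httponly"] = True     # document.cookie cannot read it, unlike localStorage
    morsel["samesite"] = "Lax"    # not attached to cross-site POSTs (CSRF mitigation)
    morsel["path"] = "/"
    morsel["max-age"] = max_age   # server-controlled lifetime
    return morsel.OutputString()


def audit_set_cookie(header_value: str) -> list:
    """Return the protections missing from a Set-Cookie value (empty list = fine)."""
    parts = [p.strip() for p in header_value.split(";")]
    attrs = {}
    for part in parts[1:]:                       # parts[0] is name=value
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    missing = []
    if "secure" not in attrs:
        missing.append("Secure")
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        missing.append("SameSite=Lax or Strict")
    return missing


if __name__ == "__main__":
    header = make_session_cookie(new_session_id())
    print("Set-Cookie:", header)
    print("missing on hardened cookie:", audit_set_cookie(header))
    print("missing on weak cookie:", audit_set_cookie("sid=abc; Path=/"))
```

The `HttpOnly` flag is the whole argument against localStorage: a token in localStorage is readable by any script that runs in the page, while the browser never exposes an `HttpOnly` cookie to JavaScript at all.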
Dev Diary Entry #56
Dear diary, the part of the website that allows users to post their own articles - based on a robust rights system - through a rich text editor, is done! It has a revision system and everything. Now to work on a secure way for them to upload images and use these in their articles, as I don't allow links to external images on the site.
Dev Diary Entry #57
Dear diary, today I finally finished the image uploading feature for my website, and I have secured it as well as I can.
First, I check filesize and filetype client-side (for user convenience), then I check the same things serverside, and only allow images in certain formats to be uploaded.
Next, I completely disregard the original filename (and extension) of the image and generate UUIDs for them instead, and use fileinfo/mimetype to determine extension. I then recreate the image serverside, either in original dimensions or downsized if too large, and store the new image (and its thumbnail) in a non-shared, private folder outside the webpage root, inaccessible to other users, and add an image entry in my database that contains the file path, user who uploaded it, all that jazz.
I then serve the image to the users through a server-side script instead of allowing them direct access to the image. Great success. What could possibly go horribly wrong?
Dev Diary Entry #58
Dear diary, I am contemplating scrapping the idea of allowing users to upload images, text, comments or any other contents to the website, since I do not have the capacity to implement the copyright-filter that will probably soon become a requirement in the EU... :(
Wat to do, wat to do...1 -
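The server-side half of the upload scheme in entry #57, as an added example that is not the diary author's code: the real type is sniffed from the file's leading bytes, the client's name and extension are discarded in favour of a UUID name, and the serving script refuses any id that resolves outside the private store. The size limit, store directory and allowed formats are assumptions, and the re-encode step (which needs an image library such as Pillow) is left out.

```python
"""Server side of the upload scheme: sniff the real type, assign a UUID name, confine lookups.
Added example, not the diary author's code; limits, paths and formats are assumptions."""
import os
import uuid

MAX_BYTES = 2 * 1024 * 1024               # assumed upload limit
STORE_DIR = "/var/www/private/uploads"    # assumed: outside the web root

# leading bytes -> (mime type, extension the server assigns); the client's extension is ignored
MAGIC = {
    b"\x89PNG\r\n\x1a\n": ("image/png", "png"),
    b"\xff\xd8\xff": ("image/jpeg", "jpg"),
    b"GIF87a": ("image/gif", "gif"),
    b"GIF89a": ("image/gif", "gif"),
}


class UploadRejected(ValueError):
    pass


def sniff_image(data: bytes):
    """(mime, ext) from the signature, or None when it is not an allowed image."""
    for signature, kind in MAGIC.items():
        if data.startswith(signature):
            return kind
    return None


def rejection_reason(data: bytes):
    """None if the bytes pass the server-side checks, otherwise why they were rejected."""
    if len(data) > MAX_BYTES:
        return "file too large"
    if sniff_image(data) is None:
        return "not an allowed image format"
    return None


def validate_upload(data: bytes) -> dict:
    reason = rejection_reason(data)
    if reason:
        raise UploadRejected(reason)
    mime, ext = sniff_image(data)
    # fresh random name: nothing from the original filename survives
    return {"id": "%s.%s" % (uuid.uuid4().hex, ext), "mime": mime, "size": len(data)}


def is_inside_store(image_id: str, store_dir: str = STORE_DIR) -> bool:
    """True only if the id resolves to a file under the store (blocks ../ escapes)."""
    root = os.path.realpath(store_dir)
    full = os.path.realpath(os.path.join(root, image_id))
    return full != root and os.path.commonpath([root, full]) == root


def store_upload(data: bytes, owner: str, store_dir: str = STORE_DIR) -> dict:
    """Write the image under its new name and return the row to record in the DB."""
    meta = validate_upload(data)
    os.makedirs(store_dir, mode=0o700, exist_ok=True)
    with open(os.path.join(store_dir, meta["id"]), "wb") as fh:
        fh.write(data)      # a real deployment writes the re-encoded image here, not the upload
    meta.update(owner=owner, path=os.path.join(store_dir, meta["id"]))
    return meta


def serve_path(image_id: str, store_dir: str = STORE_DIR) -> str:
    """Path the serving script streams from, after the DB row's ownership check passed."""
    if not is_inside_store(image_id, store_dir):
        raise UploadRejected("id escapes the upload store")
    return os.path.join(os.path.realpath(store_dir), image_id)
```

Signature sniffing only answers "does this start like a PNG"; a polyglot file (a valid GIF that is also a script, a PNG with a payload in a text chunk) passes it. That is why the diary's re-encode step matters: decoding the pixels and writing a fresh file is what strips anything that was smuggled in, so it must not be dropped when copying this pattern.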
Wanted to make an account on Payoneer to get paid from 99designs for the stuff I make there.
Entered my password, got error.
"Please use only the latin alphabet, a-z and 0-9"
SERIOUSLY, it's banking stuff. How can they not allow secure passwords? *sitting here, crying*6 -
I absolutely hate software to the point where I started converting from sysadmin to becoming more like a dev. That way I could just write my own implementations at will. Easier said than done, that's for sure. And it goes both ways.
I think that in order to be a good dev, you need these skills the most:
- Problem solving skills
- Creativity, you're making stuff
- Logical reasoning
- Connecting the dots
- Reading complex documentation
- Breaking down said documentation
- A strong desire to create order and patterns
- ...
If you don't have the above, you may still be able to become a dev.. but it would be harder for sure, and in some cases acceptance will be lower (seriously, learn to Google!)
One thing I don't think you need in development is mathematics. Sure there's a correlation between it and logic reasoning, but you're not solving big mathematical monsters here. At most you'd probably be dealing with arrays and loops (well.. program logic).
Also, written and spoken English! The language of the internet must be known. If it's not your first language, learn it. All the good (and crucial) documentation out there is in English after all.
One final thing would be security in my opinion, since you're releasing your application to the internet and may even run certain services, and deal with a lot of user data. Making those things secure takes some effort and knowledge on security, but it's so worth it. At the most basic level, it requires a certain mindset: "how would I break this thing I just made?"4 -
Screw all the people who think standard email is "secure". It is not suitable for sending passwords and SSN numbers.
How can something like the Equifax or Marriott hacks have happened and people are still OK sending out information like this in plain text?!
I know their hacks weren't email related but still..... should be a good time to up some security standards. Right?5 -
RANT!
I still struggle to find suitable address book software for our company. It's supposed to be secure and inexpensive. But how so? It's flipping not possible to have both!
My boss's answer to almost everything I say: Just do it! - in German: einfach machen! Please hulp!10 -
I'm currently planning to set myself up with some VPS/dedicated servers for a project. What I plan to do to secure these servers is:
* Use CentOS 7
* Set up WireGuard and join all of the servers + 1 client (my PC) to that network
* Disable SSH access from outside that VPN
* Only allow RSA key login to the servers
* Install Cockpit for monitoring
* Install Docker/Kubernetes for the applications I plan to run
What do you guys think of that as a baseline? I'm not sure if my lower-powered VPS (VPS M SSD from Contabo) will work as Kubernetes nodes, does anyone have experience with that?
In general these servers will be used for my projects and other fooling around.
If you guys have other suggestions for securing/monitoring or other software I could put on to have more control without eating up too much of the servers' power, let me know :D13 -
Do you, guys, have any VPN suggestions? I'm mostly looking for a VPN that doesn't throttle your speed, allows and encrypts P2P connections and is secure and reliable. I'm not quite sure what other more specific requirements I'm looking for, since I'm not too knowledgeable in this domain, but I'm nonetheless thanking you in advance :D7
-
A peeve of mine is when someone in the software industry denigrates a technology/tool/framework outside of his role, e.g. webdevs on sysadmin stuff or vice versa.
I'm not trying to shame anyone for having subjective experiences, I just think that if you're gonna talk about tools that are not on your domain, then you need to be twice as humble as usual.
I'm a webdev and I don't post around how I KNOW how to make ssh secure, while other people devote their entire careers to that and all related matters.
What prompted me is seeing some not webdevs do this here that seem to be sysadmins/devops (can't tell for sure since I don't know them), but in real life, I've seen people from any role do this, webdevs too, even testers!
Imagine you had cancer, and you had a tumor extraction, and the oncologist said to the surgeon "step aside son, let me show you how to deal with cancer".5 -
I got notified that tomorrow I'm gonna start a porting project from a FileNet ecosystem.
Well, I don't know what is FileNet, but at least I've enough time to study its architecture. Let's start from the official IBM page:
The FileNet® P8 platform offers enterprise-level scalability and flexibility to handle the most demanding content challenges, the most complex business processes, and integration to all your existing systems. FileNet P8 is a reliable, scalable, and highly available enterprise platform that enables you to capture, store, manage, secure, and process information to increase operational efficiency and lower total cost of ownership.
Thank you IBM, now I surely know how to use FileNet. Well, I hope that wikipedia explains me what it is:
FileNet is a company acquired by IBM, developed software to help enterprises manage their content and business processes.
Oh my god. I tried searching half an hour so far and everything I found was just advertisements and not a clue about what it is.
Then they wonder why I hate IBM so much4 -
Am I the only one worried with the OS wars lately? Microsoft and Apple trying to gain even more control on everything and Linux remaining at less than 2% on the desktop. People are oblivious to the fact that their personal freedom is at risk, and don't you dare tell me otherwise. Companies knowing what we search or what files we have on our computer, having the ability to control us and force us to follow their rules. We have a choice, and I'm not talking about destroying the economical system a la Mr. Robot, but moving to the Open Source world, not because it's more secure, faster or some such shit, but because it's the only way to ensure freedom on one of the biggest part of our lifes, the digital part. My concerns may be exceeding the normal, and I'll hate it to be right, but I'm afraid that if this goes on, in a few years, we'll understand that we made a big mistake...21
-
Sometimes life takes unexpected turns:
I studied mechanical engineering and did some "computer stuff" in my free time, you know, "programming" with Java, toyed around with HTML/CSS/PHP a few years ago, some local server stuff with a raspberry pi, nothing fancy.
Half a year ago i got hired as engineer first but they said they needed an "IT Guy" also.
What I did since then:
* Researching, testing and planning the introduction of an ERP software
* Planning, coordinating and (partially) setting up a new server for the company (actually two, because redundancy; the heavy lifting got done by our IT partner, it's not like I suddenly know how to do the entire Windows Server administration)
* Writing 3 minor tools for some guys in the company in Java
* Creating numerous Excel VBA scripts that make work a lot easier
* Doing all the day-to-day business that comes up when absolutely no one knows how to use a PC in the company
* Consulting the boss about webshops and websites in general and finding a decent partner
* And some engineering
Did I mention that I studied mechanical engineering? I know nothing about all this, or rather, I know enough to know that I know not enough.
My current side project is creating a small intranet, so creating a new VM in Hyper-V, setting up some OS (probably slim CentOS), getting a webserver running and making it somewhat secure. Then I need to create some content; I am very close to just installing a MediaWiki and calling it a day. If I write anything in PHP I fear that I'll make way too many errors or just reinvent the wheel; on the other hand, I couldn't find anything resembling what I need. I also had to create the front-end side; I knew CSS around 2010, there is probably tons of stuff I don't know and I will make so many errors.
This is frustrating, everything I touch feels like I am venturing the beaten path but no one ever showed me the ropes, so everything I do feels like child's play. I need an adult. Also the biggest question remains: what am I?1 -
THREE DAYS of debugging, reading all the logs I could find, creating tens of new logs in our application, and SUDDENLY an email from your IT admin:
"Hey your CURL requests are being rejected by my !oh so secure! firewall rule".
Not that I hadn't said at the beginning that THIS IS YOUR F...G NETWORK PROBLEM, because we get "connection reset by peer" errors, and you ASSURED that everything was CHECKED and OK!5 -
The dev industry develops so fast. This is because information is available anywhere on the internet and people try to learn any programming language they want. But only a few know whether they are following secure coding practices or not.
But the thing is most dev people don't care about security. They focus just on developing an application but not on securing it?2 -
Gotta love the IoT.
They set up a new surveillance camera in the company that can stream live footage over the network, and that little shit picked the IP address of a coworker one day AFTER being set up.
Hurray for static routing. Hurray to the person who didn't disable DHCP on the router (should probably configure my PC to use a static IP as well, lel)
Anyways, this happened outta nowhere when I, the only guy who knows shit about IT and is usually present at the office, wasn't there and could not connect remotely.
The other, remote programmer, who set up the network, could guide the coworker to get a new IP, but he was worried that we had got ourselves an intruder.
Since nobody had told me yet that we (should) have static routing, I thought there was a mastermind at work who could get into a network without a wifi access point and spoof the coworker in order to access some documents.
The adrenaline rush was real 😨
Scanning the network with nmap solved the mystery rather quickly but taught me that I need to set up a secure way to get remote access on the network.
I would appreciate some input on the set up I thought of:
A raspberry Pi connected to a vpn that runs ssh with pw auth disabled and the ssh port moved.
Would set up the vpn in a similar fashion. -
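Both the VPS baseline a few posts up (WireGuard, SSH only from inside the VPN, key-only login) and the Raspberry Pi proposal just above come down to a handful of sshd_config keywords. As an added example that is not either poster's setup, here is an audit of the global section of an sshd_config against that baseline, with a constructed weak file beside a constructed hardened one. The WireGuard address 10.66.0.1 is an assumption and the parser handles IPv4 addresses only.

```python
"""Audit an sshd_config's global section: key-only login, no root password, VPN-only bind.
Added example, not either poster's setup; the VPN address and sample files are constructed."""

VPN_ADDRESS = "10.66.0.1"   # assumed: the server's address inside the WireGuard network

# what OpenSSH uses when the keyword is absent from the file
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "listenaddress": ["0.0.0.0"],
}


def parse_sshd_config(text: str) -> dict:
    """Keyword (lower-cased) -> value for the global section; stops at the first Match block.
    sshd honours the first occurrence of a keyword, except ListenAddress, which accumulates."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)   # 'Key value' or 'Key=value'
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        if key == "listenaddress":
            settings.setdefault(key, []).append(value.split(":")[0])   # drop an optional :port
        else:
            settings.setdefault(key, value.lower())
    return settings


def audit_sshd_config(text: str, vpn_address: str = VPN_ADDRESS) -> list:
    """Return human-readable findings; an empty list means the baseline is met."""
    cfg = {**DEFAULTS, **parse_sshd_config(text)}
    findings = []
    if cfg["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is not 'no': password guessing is possible")
    if cfg["kbdinteractiveauthentication"] != "no":
        findings.append("KbdInteractiveAuthentication is not 'no': PAM password prompts still reachable")
    if cfg["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is disabled")
    if cfg["permitrootlogin"] not in ("no", "prohibit-password"):
        findings.append("PermitRootLogin lets root in with a password")
    if set(cfg["listenaddress"]) != {vpn_address}:
        findings.append("sshd listens on %s, not only on the VPN address %s"
                        % (", ".join(cfg["listenaddress"]), vpn_address))
    return findings


WEAK_CONFIG = """\
# constructed: distro default with the port moved, nothing else changed
Port 2222
PermitRootLogin yes
#PasswordAuthentication no
"""

HARDENED_CONFIG = """\
# constructed: reachable only inside the WireGuard network, keys only
ListenAddress 10.66.0.1
Port 22
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
AuthenticationMethods publickey
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name + ":", audit_sshd_config(cfg) or "ok")
```

Moving the port, which both posts mention, only cuts scanner noise; the `ListenAddress` bound to the WireGuard address (plus a firewall rule on the public interface) is what actually enforces "no SSH from outside the VPN". On OpenSSH older than 8.7 the keyword is `ChallengeResponseAuthentication` rather than `KbdInteractiveAuthentication`, and whatever file you end up with, `sshd -T` prints the effective configuration before you restart and risk locking yourself out.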
-Rant-
How do you (not) secure your Rest based web service?
1. Chain it to a shady organic authentication system built by a horde of monkeys high on Tequila.
2. have secret keys that get copy pasted into config flat files, and index them on your code search engine.
3. make the onboarding extremely platform specific that you need 500 environment variables, 50 scripts, 5 fancy device presses and a tap dance to make a GET call to the service.
4. fish through 500 rotating log files that the authentication system generates for each API call made.
5. Leave traces all over the host so if you have to start over, you should sudo rm -rf / and set fire to your computer. -
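Point 2 of the list above is the one that gets found: a secret pasted into a flat config file ends up in the code-search index within the hour. As an added example that is not the poster's setup, here is the check a pre-commit hook or indexer filter can run over such a file: flag a literal value under a sensitive-looking key, skip placeholders and environment references, and catch long high-entropy literals whatever the key is called. The sample file is constructed and every value in it is fake.

```python
"""Find hard-coded secrets in flat config files before a code-search indexer does.
Added example, not the poster's setup; the sample config is constructed with fake values."""
import math
import re
from collections import Counter

# key names that should hold a reference to a secret store, never the secret itself
SENSITIVE_KEY = re.compile(r"(secret|passw(or)?d|token|api[_-]?key|private[_-]?key)", re.I)
# values that are fine: empty, ${ENV_REF}, <to be filled in>, obvious dummies
PLACEHOLDER = re.compile(r"^(\$\{?[A-Z_]+\}?|<[^>]*>|changeme|xxx+|)$", re.I)
ENTROPY_BITS = 3.5    # bits per character; random tokens sit well above, prose below
MIN_LENGTH = 32       # only long literals are judged on entropy alone


def shannon_entropy(value: str) -> float:
    """Bits per character of the value's own symbol distribution."""
    if not value:
        return 0.0
    counts = Counter(value)
    total = len(value)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def scan_config(text: str) -> list:
    """Return (line number, key, reason) for every line that looks like a hard-coded secret."""
    hits = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        key, sep, value = line.partition("=")          # key = value
        if not sep:
            key, sep, value = line.partition(":")      # key: value
        if not sep:
            continue
        key, value = key.strip(), value.strip().strip("\"'")
        if PLACEHOLDER.match(value):
            continue
        if SENSITIVE_KEY.search(key):
            hits.append((lineno, key, "sensitive key name with literal value"))
        elif len(value) >= MIN_LENGTH and shannon_entropy(value) >= ENTROPY_BITS:
            hits.append((lineno, key, "high-entropy literal"))
    return hits


SAMPLE_CONFIG = """\
# constructed sample, every value here is fake
db_host = db.internal
db_user = app
db_password = hunter2
api_key = ${API_KEY}
smtp_token = ""
signing_salt = "abcdefghijklmnopqrstuvwxyz012345"
timeout = 30
"""

if __name__ == "__main__":
    for lineno, key, reason in scan_config(SAMPLE_CONFIG):
        print("line %d: %s (%s)" % (lineno, key, reason))
```

The two heuristics cover each other's blind spot: `db_password = hunter2` is caught by the key name although the value is low-entropy, and `signing_salt` is caught by entropy although the key name is innocent. Dedicated scanners such as gitleaks or trufflehog add provider-specific patterns on top of this, but the placement is the same: run it before the commit, not after the index has served the key to everyone with search access.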
Pentesting for undisclosed company. Let's call them X as to not get us into trouble.
We are students and are doing our first pentest at an actual company instead of assignments at school. So we're very anxious. But today was a good day.
We found some servers with open ports so we checked a few of them out. I had a set of them with a bunch of open ports like ftp and... 8080. Time to check this out.
"please install flash player"... Security risk 1 found!
System seemed to be some monitoring system. Trying to log in using admin admin... Fucking works. Group loses it cause the company was being all high and mighty about being secure af. Other shit is pretty tight though.
Able to see logs, change password, add new superuser, do some searches for USERS_LOGGEDIN_TODAY! I shit you not, the system even had SUGGESTIONS for usernames to search for. One of which had something to do with sftp and auth keys. Unfortunately every search gave a SQL syntax error. Used sniffing tools to maybe intercept messages so we could do some queries of our own but nothing. Query is probably not issued from the local machine.
Tried to decompile the flash file but no luck. Only for some weird lines and a few function names I presume. But decompressing it and opening it in a text editor allowed me to see and search text. No GET or POST found. No SQL queries or name checks or anything we could think of.
That's all I could do for today. So we'll have to think of stuff for next week. We've already planned xss so maybe we can do that on this server as well.
We also found some older network printers with open telnet. Servers with a specific SQL variant with a potential exploit to execute terminal commands and some ftp and smb servers we need to check out next week.
Hella excited about this!
If you guys have any suggestions let us know. We are utter noobs when it comes to this.6 -
For all the hate that Java gets, this *not rant* is to appreciate the Spring Boot/Cloud & Netty for without them I would not be half as productive as I am at my job.
Just to highlight a few of these life savers:
- Spring security: many features but I will just mention robust authorization out of the box
- Netflix Feign & Hystrix: easy circuit breaking & fallback pattern.
- Spring Data: consistent data access patterns & out of the box functionality regardless of the data source: eg relational & document dbs, redis etc with managed offerings integrations as well. The abstraction here is something to marvel at.
- Spring Boot Actuator: Out of the box health checks that check all integrations: Db, Redis, Mail,Disk, RabbitMQ etc which are crucial for Kubernetes readiness/liveness health checks.
- Spring Cloud Stream: Another abstraction for the messaging layer that decouples application logic from the binder ie could be kafka, rabbitmq etc
- SpringFox Swagger - Fantastic swagger documentation integration that allows always up to date API docs via annotations that can be converted to a swagger.yml if need be.
- Last but not least - Netty: Implementing secure non-blocking network applications is not trivial. This framework has made it easier for us to implement a protocol server on top of UDP using Java & all the support that comes with Spring.
For these & many more I am grateful for Java & the big big community of devs that love & support it. -
I wanna go back to the age where a C program was considered secure and isolated based on its system interface rather than its speed. I want a future where safety does not imply inefficiency. I hate spectre and I hate that an abstraction as simple and robust as assembly is so leaky that just by exposing it you've pretty much forfeited all your secrets.
And I especially hate that we chose to solve this by locking down everything rather than inventing an abstraction that's a similarly good compile target but better represents CPUs and therefore does not leak.31 -
Oh god where do I start!?
In my current role I've had horrific experiences with management and higher ups.
The first time I knew it would be a problem: I was on a Java project that was due to go live within the month. The devs and PM on the project were all due to move on at the end. I was sitting next to the PM, and overheard him saying "we'll implement [important key feature] in hypercare"... I blew my top at him, then had my managers come and see if I was OK.
That particular project overran with me and the permanent devs having to implement the core features of the app for 6mo after everyone else had left.
I've had to be the bearer of bad news a lot.
I work now and then with the CTO, my worst with her:
We had implemented a prototype for the CEO of a sister company, he was chuffed with it. She said something like "why is it not on brand" - there was no brand, so I winged it and used a common design pattern that the CEO had suggested he would like with the sister company's colours and logo. The CTO said something like "the problem is we have wilful amateurs designing..." wilful amateurs. Having worked in web design since I was 12 I'm better than a wilful amateur, that one cut deep.
I've had loads with PMs recently, they basically go:
PM: we need this obscure set up.
Me & team: why not use common sense set up.
PM: I don't care, just do obscure set up.
The most recent was they wanted £250k infrastructure for something that was being done on an AWS TC2.small.
Also recently, and in another direction:
PM: we want this mobile app deploying to our internal MDM.
Us: we don't know what the hell it is, what is it!?
PM: it's [megacorp]'s survey filler app that adds survey results into their core cloud platform
Us: fair enough, we don't like writing form fillers, let us have a look at it.
*cue MITM plain text login, private company data being stored in plain text at /sdcard/ on android.
Us: really sorry guys, this is in no way secure.
Pm: *in a huff now because I took a dump on his doorstep*
I'll think of more when I can. -
Who would be interested in reviewing an old piece of Python code I wrote..? It's a few years old, and it uses basic procedural generation to cipher text (entry, or ASCII files) using a hashed password. It's a command line tool.
I used to brag about how "secure" it was, and now I'm curious if it is secure or not.
I plan on picking it back up and open-sourcing it, but I want to know what problems might be wrong with it now.9 -
Had to do a change tonight - not once but twice my server secure login account was locked. And server security don't answer their pages. I couldn't even reverse my changes if my changes break something else.
My account has not been locked in over a year but happens twice in a 90 minute window. What are the chances? -
Is it legal to destroy other company's site or app. because they didn't pay your money in the past?
and also app they created is not secure.
The company is in another country.
.
.
.
If "No"
I'll still do that. I don't care.4 -
I never understood how people have any problems with getting paid for freelancing work, when middleman/escrow platforms like upwork exist, just don't be retarded when applying for a job. I am so sick of those shit ass stories from people telling me "my client didnt pay meeee 😭😭😭" ITS YOUR FAULT. I never had any client not paying, if you don't have the option of escrow, then just fucking put remote execution via "update" system in for fucks sake or give remote control to the client while monitoring it, there is so much fucking ways to secure yourself, just don't be retarded and many clients instantly show their character when talking budget and turnaround time.15
-
Officially faster bruteforcing:
https://pastebin.com/uBFwkwTj
Provided toy values for others to try. Haven't tested if it works with cryptographically secure prime pairs (gcf(p, q) == 1)
It's a 50% reduction in time to bruteforce a semiprime. But I also have some inroads to a/30.
It's not "broke prime factorization for good!" levels of fast, but its still pretty nifty.
Could use decimal support with higher precision so I don't cause massive overflows on larger numbers, but this is just a demonstration after all.13 -
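The candidate-skipping idea in the post, as an added example that is not the pastebin code and does not reproduce its method: trial division that tests only candidates coprime to 30 (the residues 1, 7, 11, 13, 17, 19, 23, 29) tries 8 of every 30 integers, about 27%, against 50% for odd-only and 100% for the naive loop. Both functions return how many divisions they spent so the saving can be measured on toy semiprimes.

```python
"""Trial division with a 2-3-5 wheel versus the naive loop, counting divisions tried.
Added example to illustrate candidate skipping; not the pastebin code."""
import math

WHEEL = (1, 7, 11, 13, 17, 19, 23, 29)   # residues mod 30 that are coprime to 30


def naive_factor(n: int):
    """Baseline: try every integer from 2 up to sqrt(n). Returns (p, q, divisions_tried)."""
    tried = 0
    for c in range(2, math.isqrt(n) + 1):
        tried += 1
        if n % c == 0:
            return (c, n // c, tried)
    return (1, n, tried)          # no divisor found: n is prime (or 1)


def wheel_factor(n: int):
    """Same search, but after 2, 3 and 5 only candidates coprime to 30 are divided."""
    tried = 0
    for small in (2, 3, 5):
        tried += 1
        if n % small == 0:
            return (small, n // small, tried)
    limit = math.isqrt(n)
    base = 0
    while True:
        for r in WHEEL:
            c = base + r
            if c < 7:             # skip residue 1 on the first turn of the wheel
                continue
            if c > limit:
                return (1, n, tried)
            tried += 1
            if n % c == 0:
                return (c, n // c, tried)
        base += 30


if __name__ == "__main__":
    for n in (3233, 10403):       # 53*61 and 101*103, toy semiprimes
        print(n, "naive:", naive_factor(n), "wheel:", wheel_factor(n))
```

The wheel still divides by composites such as 49 and 91, so it is a constant-factor saving, not a change in complexity: a 2048-bit RSA modulus has a smallest factor near 2^1024, and 27% of 2^1024 candidates is as unreachable as all of them. The same bound applies to any scheme that only thins the candidate list.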
Firefox developers fucked up my development this morning after the update -_-
The fucking "Enhanced Tracking Protection" was on a local Wi-Fi IP address (192.168...) which automatically redirected to the HTTPS of that IP, but I did set up Kestrel to listen on HTTP, which resulted in a nice "Cannot establish a secure connection (and suck it up because ¯\_(ツ)_/¯)"
Fortunately it's easy to get rid of this cunt: just go on the shield near the address and disable that motherfucker.
ps: sorry for the lil rage, my morning train trip development brain cells should not be bothered by this automatic technical troubles
Further question to the Firefox developers:
WHAT THE FUCK are you thinking when you force developers to automatic HTTPS redirection when you should know more than anyone that development is 360deg(and not 90 like your mom)1 -
Question for people familiar/knowledgeable about hardware keys;
Do you know if the OnlyKey could be considered safe/secure and if not, any idea as for alternatives?
My requirements would be nearly all the features that OnlyKey has, water/shockproof and the system should at least be open source.6 -
Thoughts on Session as a secure messenger? It looks fine at a glance, especially not using PII like a phone number, but I haven’t delved into it — and honestly don’t have the mental energy to.
What’s everyone’s thoughts on it?7 -
I can be manipulated. Yes, I’m now more resilient to manipulation than ever because I’m autistically good at recognising patterns, yet I’m not perfect.
For a manipulator, there is just one problem — now and then, my disorder obliterates my entire worldview, together with the foreign manipulative framework, so I can start with a blank slate. It protects me. Yes, this protection is akin to our body’s “we’ll boil all the germs in our own blood” tactic that instead of defining winners and losers only leave survivors, yet the force is unstoppable. You cannot secure the land that is hit by a tornado every three months.
That inner Nemesis is so strong that it even defeated a complex, almost fractal-like manipulation of my own mother that I lived in since birth, leaving her with a wound that will never heal. Wannabe manipulator exes didn’t even stand a chance. I don’t care if that force destroys me or not, as during that time, there is no “me”.
About my mom, long story short, she told me “I want to stop treating my cancer to die as soon as possible just to not see you anymore” after my coming-out. Full story is here:
- part 1: https://devrant.com/rants/4923052/...
- part 2: https://devrant.com/rants/4924040/...7 -
I seriously love rsync. Whoever made that utility is my hero. Not only that its CLI client is amazing and full of features, but rsync in daemon mode makes secure file synchronization a breeze! <38
-
How do you guys fight the urge to just screw it and implement a not so secure way of doing things, when you've been fighting with a bug for weeks?
No one would know!! 😂1 -
TL;DR, I am not performing as I used to in my job since I started my side hustle and idk if I should do anything about it.
Ever since COVID started and companies started laying off people, I started realizing I'm in danger when no company was able to match my current salary, and the ones that do would make me do a Hunger Games HackerRank competition with thousands of other people, which I don't really want to take part in.
My company even laid off a lot of people due to budget cuts a while back and I didn't feel secure at all, and knowing that I might end up with a lower salary should I get fired and settle for the next company that accepts me kinda made me lose any trust I had in the whole being-an-employee thing... I have financial goals I want to meet and depending on this one company not firing me is scary...
I registered a tech company and hoped I could take on some high-budget projects. I got nothing the first year, but slowly I started getting some projects and now I'm hiring contractors to help with projects, and it's going great and I'm really happy and excited about it.
But I often need to manage said contractors, have calls with clients and even do some coding myself. Some of that I end up having to do in secret on company time... we work in a big co-working space so I get to sneak into a meeting booth and do all that.
My manager lives in another country and basically I'm in a situation where I can get away with it without anyone noticing.
However, I used to be one of the top contributors in the company. I used to finish a buttload of tasks every day and I ended up being promoted to manager, but I still get some coding tasks. Generally, if it weren't for my side hustle I would still be a top contributor and shine like I used to, but now I mostly do what is expected of me, and I'm afraid someone will ask me at some point why I'm not as productive as I used to be.
Nobody asked me anything but I just feel kinda guilty and miss having the one job to focus on, taking credit for a lot of things and helping everyone, but at the same time I don't trust that the company cares about me enough to give me any guarantees or stocks or bonuses, so I feel I need to keep growing my side hustle to have a safety net...
Thank you for reading my rant1 -
What makes free ssl "Unsuitable for e-commerce websites", Please read to end to see my view point.
From Namecheap:
Free Certificates are domain validation only which means they don't certify the identity of the website owner, they simply ensure a secure connection. Customers can't be sure of the integrity and trustworthiness of the website owner. If you need to secure credit card and personal information on e-commerce websites, free certificates aren't the answer. It's important your customers trust your business is safe enough to hand over these details. To gain this trust, you need a certification of your authenticity, which you can only get with a (paid) Business Validation or Extended Validation SSL Certificates.
https://namecheap.com/security/...
* "To gain this trust, you need a certification of your authenticity"
~ But isn't that just domain verification and other extras? What justifies somebody's or a business's authenticity? Tax ID, valid address? Nobody is going to study the SSL cert to make sure that amazon.com is a valid business and has a tax ID.
* "domain validation only which means they don't certify the identity of the website owner,"
~ Wouldn't this just be the domain validation test that is required when using services like LetsEncrypt with Certbot etc., or are we referring back to this idea that they look for a valid tax ID sort of thing?
* "If you need to secure credit card and personal information on e-commerce websites, free certificates aren't the answer"
~ Why? Is the paid version going to do double encryption? Is the CA going to run a monitoring tool to scan for intrusions like an IDS or IPS? (disregard the use of DNS validation being in the picture)
Am I missing something? This just seems like well crafted text to get people to buy a cert. I could understand if the encryption was handled differently, maybe if they checked the site for HSTS or HTTPS redirect, or even if they blocked wildcard SSL before and now with the paid one it's included, but overall it doesn't sound like anything special. Now I'm not just picking on Namecheap, because domain.com does the same.
-
I discovered a commit message from one of my (senior) colleagues today. It made me shudder. It read, 'Just adding some changes made outside of source control and deployed (over last 12 months)'.
I genuinely think he can't follow any processes he didn't design. He controls the servers too, so it's not like any pipeline would prevent him from just doing what he wants. It's a bit scary to be honest, he thinks MD5 is a secure password hash! -
My very first time was when I first saw a Web page, I really wanted to know how they did it. Two weeks later I built an intranet at home and I thought I was so cool I was shitting out ice cubes.
The very first programme I ever wrote was a secret diary application (C#) for myself. I thought it was really secure because I had my own file extension. Not one of my finer moments.
-
Not much of a SQL dev, still an apprentice and had a basic run-through. Client needed a migration script to run, which I was assigned. Took me a good 6/7 days to make; transfer over a secure (and VERY slow) network took 2 hours. Infrastructure 3rd party took 2 days to clear and run. After all that process, I then realise I left the fucking rollback in
-
My university has "Economics and Technic" in its name and it straight up fails on the technical side.
We don't have proper wifi because nobody from the management wants to be responsible for whatever the fuck students do, so they borrow the public (not secure/shitty) wifi from the state for us. Great. We could also use Eduroam, except it only works OUTSIDE of the university for some fujing reason.
Also, our classrooms don't have plugs to charge our notebooks so that's not an option, I guess they just think: "well if they can't use their notebooks they might as well not use any internet at all".
With the heatwave in Europe the servers almost fried because management was not sure if they should turn them off or not. We had no server for a day.
To top it off, for some reason, every time I access the Intranet from the university it won't login and it literally blocks my dns requests. FANTASTICAL. I even tried restoring my computer and it does the same shit, so I just gave up on it entirely.
TL;DR: My university has shitty IT-Infrastructure and I need to rant about it.
Thank you for sharing ze pain™
-
Project with a partner company; during the meeting I asked them how we could secure the communication between the two services. I suggested API keys, tokens. They were like nope, no need. But I asked them for their IPs to do whitelisting on our side in Nginx.
But on their side, nah, not even whitelisting, no tokens, no validations. If one has the address, one can send anything from anywhere.
How hard would it be to do at least, AT LEAST, simple token validation? And they are using the very old IIS server. I think for them, as long as data flows in as expected, it is fine.
-
So, WPA2 was proven not fully secure. Wonder how much time it will take for most devices to be patched...
-
Someone mentioned that a client wants to use WordPress instead of their current website because it is cheaper! OK, let's see how cheap it is... each time WP releases an update, after updating you need to go through the whole website and check that nothing is broken... plugins will need updates as well because usually they run on a specific WP version. Fixing themes and plugins requires dev time... despite all those things... have common sense. Maybe it is good for some types of business to host a few pages without any business logic, or to use as a blog without fear of losing everything, and not to store user data... someone mentioned that it is secure to run anything because updates are the best security to avoid security breaches. So why aren't banks running on WP? Why isn't the health service using WP?
-
I am trying to "invent" secure client-side authentication where all data are stored in the browser, encrypted and only accessible with the correct password. My question is, what is your opinion about my idea? If you think it is not secure or there is a possible backdoor, let me know.
// INPUT:
- test string (hidden, random, random length)
- password
- password again
// THEN:
- hash test string with sha-512
- encrypt test string with password
- save hash of test string
// AUTH:
- decrypt test string
- hash decrypted string with sha-512
- compare hashes
- create password hash sha-512 (and delete password from memory, so you cannot get it somehow - possible hole here because hash is reversible with brute force)
// DATA PROCESSING
- encrypt/decrypt with password hash as secret (AES-256)
Thanks!
EDIT: Maybe some salt for the test string would be nice
-
Plz help...
I'm a student and developer, working my butt off every night for the last 2 years, not going to sleep till 2, 3, 4, 5am, and taking tablets to keep my brain running and not fall asleep. Getting clients and about to sell my programming company in 2 months...
My programming teacher teaches the class such basic shit; she explains the topic very well, but for me she's explaining how to do 2+2... last time I stared off out the window and almost started crying...
I'm very passionate about programming. Work sucks cause I need to make secure smart systems with math that take forever; I want to at least enjoy it in class, but it's torture, fucking torture...
What should I do?
-
Under the guise of being security conscious, our section had an informal "doughnut charter" whereby if you left your computer unlocked and someone managed to send an email to the section (cc'ing you) shouting everyone doughnuts, then you had to comply with the "promise". I was referred to at the time as the "god of email" and everyone knew not to do it to me or I would retaliate. This is because it happened once before. In that case, I set up a secure hidden rule in the person's email so that if they received a doughnut email they would automatically send a doughnut email from their account... this also meant it was possible to trigger it at any time. They quickly begged for it to be removed. From then on, no one dared touch my unlocked computer. When we got a new boss he was informed of the charter and was repeatedly warned not to 'doughnut' me, but one day he ignored the warnings. In his case I set up a rule so that if he sent any email, he also sent out a doughnut email as well. Over the next four days he sent sooo many doughnut emails... He went from happy, to frustrated, to angry and then simply desperate. No one dared tell him it was my doing... He eventually came out of his office and begged for it to stop... Seeing his desperation, I stopped it. He was very appreciative but never put two-and-two together (that his actions caused it). He didn't find out till three months later that I was the one who did it to him. That was the second and last time I was ever doughnut'd.
-
I just got my third 128GB MicroSD card off Amazon, this time SanDisk. Yet again, trying to do anything not involving the OEM full-disk exFAT partition staying intact (which, fuck that, all that uses that is Windows and Linux; I'm looking to split this thicc bih up) shifts EVERYTHING, including MBR+PT/GPT, down the disk by 16MB exactly, inserting data from... the atmosphere? whatever's using it? ...do SD cards still have that secure key/DRM store space thing?
(EDIT: I do verify that they ARE genuinely the right size after purchasing before reformatting or repartitioning, by the way.)
First it was a Silicon Power card, then a Samsung card, now a SanDisk.
(Also, why all S?)
Luckily, this time it wasn't a pain in the ass to get it to read as anything but "Bad Card" or a 0-byte/empty/non-existent device in Windows/Linux (respectively), so I was able to see that it was indeed the same issue without taking 3 days to jump through device hoops to finally get it to do it again, but in such a way that it shifts out and back in all zeroes.
-
Sus!
Yesterday I bought a cool domain on Namecheap; I was very lucky to find a short and good one for my case.
Today (at the weekend!!!!) I receive a letter:
>Hello **redacted name**,
>
>We are contacting you from the Namecheap Risk Management Team regarding your '**redacted name account**' account.
>
>Unfortunately, your Namecheap account was flagged by our fraud screening system as requiring verification and was locked.
>
>Please follow the instructions below to get your account verified:
>
>- take a color photo of the credit card used for the payment at **redacted link**
>
>Please make sure all of the edges of the credit card are visible, and that we can clearly see the card holder's name, expiration, and last four digits of the card number. The screenshots or images of the card cannot be accepted for verification. If the submission does not meet these requirements, we can either request to submit the details again or permanently suspend your account.
>
>- provide a valid phone number and the best time to call you (within normal business hours, US Pacific time).
>
>If we do not hear back from you within 24 hours, we will be forced to cancel your orders.
>
>We apologize for any inconvenience that may result from this process. This extra verification is done for your security and to ensure that orders are legitimate. This industry, unfortunately, has a high rate of fraudulent orders, and this sort of verification helps us drastically reduce fraud and ensure our customers remain secure. Such documents are used for verification only and are not provided to third parties in any way. Account verification is a one-time procedure, after your account is verified, you will never face this issue again.
>
>Looking forward to your reply.
>
>---------------
>Dmitriy K.
>Risk Management
> Namecheap, Inc.
What if I did not notice it within 24 hours? It is the weekend for god's sake! People usually rest until Monday.
They would what, cancel the order and scalp it at a super high price?!
I have some doubts whether the request truly has anti-fraud origins.
What if I used a digital Visa card? How was I supposed to photograph it?
And the service they provided for photographing accepts only photos from a web camera. I was lucky that I recently bought a web camera with a high enough amount of pixel power and manual focus. What if I hadn't?
That's all really SUS!
A person could not notice the letter within the 24 hour time frame until the morning, when it would already be too late.
-
Why do some people feel the need to prove their stupidity and utter lack of skill in the face of the world?!?!
Yesterday I learned that a sister company is hiring an intern civil engineer to code some application plugins connected to our IS?!?!? How the fuck do you think he can even understand what the fuck we do?
To put it in context, I'm kind of the CDO of a French medium-sized group (a little cluster of companies); as the group is in the construction industry, I'm the CTO for all computer things. Inside the group, I'm the CTO of the digital factory. So the group IS is a microservice, decentralized, REST API-based architecture.
Next Monday we'll have a meeting, so I can explain to them why it's a FUCKING STUPID IDEA!!!! The only good thing is that any application programming done outside of the Digital Factory will be handled as an External Company Application, so it's not my problem to secure it, debug it, or simply make it work. And they already know that I'll enforce this ruling!!!
But WHY the fuck do they still think any motherfucker can program professionally!!!!!! Every time I have to deal with them it's horrendous!!!! I had to prove to them why using an unencrypted external drive for a high security mission is stupid!!!, and why having the same password for every account is FUCKING STUPID!!!
The most ridiculous part is they have a guy who really believes he has some IT skills!! Saying things like "SVN" is a modern tool (WTF), firewalls are useless, etc....
WHY!!!! WHY!!!!
-
So yesterday I installed Arch. Well, sort of. So far the GUI isn't configured, so it's literally less convenient than an equally unconfigured TTY. But I'm getting there; today I connected to a secure Wi-Fi network. Tomorrow I expect to install something for power efficiency and start configuring stuff/creating a proper DE. Last time, when I stripped down Ubuntu and installed i3wm there, the first thing that bothered me was the lack of a wallpaper, so I never got to issues like the keyring not unlocking, the x11 default font being two physical pixels tall, or added peripherals not being handled. This time my plan is to solve every issue as soon as I get there. For this reason I'll use a queue for managing my tasks rather than a stack like Google Keep.
-
Not promoting any app, but people should care more about what they use. The most used services are the least secure
-
Creating a secure authentication system is not that easy...
Especially if you create it for a community full of devs.
But I think I've found a secure solution.
Maybe some security experts on here could review the code after I'm finished.
Here's the GitHub repo but the auth system is not up yet:
https://github.com/DevRant-Docs/... -
Guys, please use caddyserver as your webserver! It creates official TLS certs for you without you having to do anything. Help make the web secure. There are too many websites that do not have any security.
-
I’m back on this platform after an awesome year of progress in my dev career. Here is the back story:
1. I was a junior dev at a financial technologies company for a little over a year.
2. The company was looking to hire an Integration Manager for its software with both our vendors and customers.
3. The pay was good and I was offered that position as a promotion.
4. I accepted it and said to myself that this is temporary. It will help me pay the bills and secure a better life, which it did.
5. Lost two years of my dev career in that position doing nothing but basic integrations (REST APIs, web and mobile SDKs, and workarounds for what does not work). Zero challenge. This is when I started to use devRant often.
6. On the bright side, the bills were paid and lifestyle got better.
7. Two years in, any way out of the integration department was something I was willing to accept. So I approached everyone and worked extra hard as an Application Support Engineer for every product in the firm for free, in the hope of making good connections and eventually being snatched by someone. This lasted six months.
8. Finally! Got an offer to become the Product Manager for one of the applications that I supported.
9. Accepted the offer, left the department, and started working with the new team in an Agile fashion. This is when I stopped using devRant because the time was full of work.
10. Five months in, I was leading a team of developers to deliver features and provide the solutions we market. That was an awesome experience and everything could not have been better.
Except…
Every developer was far better than me, which made me realize that I need to go back on that track, build solutions myself, and become a knowledgeable engineer before moving into leading positions.
11. After about 100 job applications online, I'm back as a junior developer in another company building both Web and Voice Applications. Very, very happy.
Finally, lessons learned:
1. The path that pays more now is not necessarily the one you wanna take. Plan ahead.
2. There is always a way out. Working for free can get you connections, which can then make you money.
3. Become a knowledgeable and experienced engineer before leading other engineers. The difference will show.
4. Love what you do and have fun doing it.
Two cents.
-
A long time ago you sent me an email with the subject 'I love you'; I then got so excited that I forwarded the letter to all my contacts, and they forwarded it too.. I can't find the words for the feelings I had back then for you. I fell in love with you, really. But there were always troubling moments for me.
For example when 'Code Red' showed up and found your backdoor. Man I was pissed at that time. I didn't know what to do next. But things settled, and we found each other again.
And then that other time when this girl named 'Melissa' was sending me some passwords to pr0n sites, I couldn't resist. She was really awesome, but you know, deep in my heart that was not what I wanted. I somehow managed to go back to you and say sorry. We even moved together in our first flat, and later in our own house. That was a really good time, I love to think back at those moments.
Then my friend 'Sasser' came over to us one night; do you remember how he claimed that big shelf in our living room, and overflooded it with his own stuff, so that we no longer had a clue what we were reading off the shelf? Wow, that was a disturbing experience.
But a really hard time came when our dog 'Zeus' got kicked by this ugly trojan horse. I really don't want to go into details of what the mess looked like after we discovered him on our floor. Still, I am very sorry for him that he didn't survive it :(
Some months later this guy named 'Conficker' showed up one day. I shitted my pants when I discovered that he had guessed my password on my computer and got access to all my private stuff on it. He even tried to find some network shares of ours with our photos on them. God, I was happy that he didn't get access to the pics we stored there. Never thought that our homemade photos were not secure there.
We lived our lives together; we were happy until that day when you started the war. 'Stuxnet..!' you cried directly in my face, 'you are gonna blow up the centrifuges of our life', and yeah, she was right. I was in a really bad mood those days back then. I didn't even try to hide my anger. But really, I don't know why all this could happen. All I know is that it started with that cool USB stick I found on the stairs of our house. After that I don't remember anything, as it is just erased from my memory.
The years were passing. And I say the truth here, we were not able to manage the mess of our relationship. But I still loved you when you told me that you would leave. My 'Heartbleed' started immediately; you stabbed it where it causes the most pain, where I thought that my keys to your heart were secured. But no, you stabbed even harder.
Because not long after that you even encrypted our private photos on our NAS, and now I am really finished, no memory which can be refreshed with a look at our pictures, and you even want my money. I really 'WannaCry' now...
-
I am looking for a new programming language to learn and I found the D language. It looks interesting, but I think that the community is weak and there is a lack of some useful libraries.
For example, I cannot find a secure PRNG.
So my questions are:
> Have you any experience with this language?
> Is it worth learning?
-
This is not a rant. Not really. It's more expressing my own insecurity with a certain topic, which somehow upsets me sometimes (the insecurity, not the topic though).
I have nearly no knowledge about security/privacy stuff. I mean, yeah, I know how to choose secure passwords and don't make stupid DAU mistakes. The very basics you would expect someone to have after a CS bachelor's degree.
But other than that... Nothing. And I would like to get a bit into that stuff, but I have no clue where to start. First getting my head wrapped around low-level stuff like network layers? Or something completely different?
This topic is so intimidating to me as it seems huge, I have no idea where to start, and I feel that if you don't have "full" knowledge, you are going to make mistakes which you might not even notice.
I sometimes get really scared about having an account hijacked or similar. Also in our job it seems to become more and more of a topic we should know about.
Anybody got any advice?
I am looking for a way to improve my knowledge in security in general for professional reasons and my knowledge about privacy for private reasons.
It's just, every time I start reading something related it seems that I am lacking some other knowledge etc...
-
So tired of explaining to other stupid developers that POST is not more secure than GET in a REST API. I have heard many times that if you use GET you will be hacked :|
-
I'm 22 years old and 1.5 years into my first Startup Job. (and second Dev job)
I feel kind of uncomfortable now and I would like to ask your opinions.
I'll start with the work related description of my situation and later add a bit of my life situation.
I develop as hobby since I can think. I'm pretty engaged and love to do things right. So I quickly found myself in the position of the de-facto lead fullstack Developer.
Although, to be clear, we're only a few devs - which are now replaced by not so many other devs. I often feel like the only person able to design and decide and implement in a way that won't kill us later (and I spend half of my time fixing technical debt).
I mostly like what I do , because it's a challenge and I feel needed. I learn new things and I am pretty flexible in work time. (but I also often work till late in the night, sacrificing friendship time)
But there are so many things I would love to do and used to do, but now I have no motivation to develop outside of my job.
I don't really feel that what my company is doing is something I find valuable. (Image rights management)
I earn pretty well - in comparison to what I'm used to: 20€/hour, Brutto 2.800 / month for 32 hours a week. In Berlin. (Minus tax and stuff it's 1.800€). It's more than enough for what I need.
But when I see what others in similar positions earn (~4.000), I feel weird. I was promised a raise nearly a year ago now. I don't feel I could demand it. I also got the hint that I could get virtual shares. But nothing happened.
Now what further complicates the situation is that I will go to Portugal in April for at least half a year, for joining a social project I love. My plan used to be that I work from there for a few hours a week - but I'm starting to hesitate as I fear that I will actually work more and it will keep me from fully being there.
So, I kind of feel emotionally attached - I like (some of) the people, I know (or at least believe) that the company will have a big problem without me. (I hold a lot of the knowledge for legacy applications) .
But I also feel like I'm putting too much of myself into the company and it is not really giving me back. And it's also not so much worth it... Or is it?
Should I stick to the company and keep my pretty secure position and be financially supported during my time in Portugal, while possibly sacrificing my time there?
Should I ask for a raise (possibly even retroactively) and then still quit later? (They will probably try to get my 1 month cancellation period upped to 3.)
Also, is this a risk for my "career"?
-
Asking for a friend: well, actually a friend asked me (since "I'm good with computers", you know it ;)) and no real solution came to my mind, so I thought, why not ask the internet.
Anyway. She's an artist and does a project (kind of a documentation) about the Egyptian revolution. She currently lives in Europe but still has her Egyptian passport. As an Egyptian national, she fears that she could be held back for a while and have her laptop/external HD with all the photos/videos/interviews confiscated and/or searched. She asked me for help to have a "backup solution".
The requirements: a way to backup work (from a mac) to a secure location (I would offer my server running linux for it).
The upload would have to be encrypted (if possible, I suggested to use a VPN, is this enough?)
Access to the files should only be granted if you have the proper password (in my opinion the VPN tunnel should work here too, as when it's down, you can't just reopen it without a password).
What are your thoughts on this?
-
SCW (Secure Code Warrior) IS TOTAL, COMPLETE AND UTTER SHIT!
I keep finding outright and definite mistakes... for example: two solutions that are 100% identical - I copied and diff'd them to be sure I wasn't stoned... the code they show has ZERO comments, so you have ZERO context for anything (and it's written like shit on top of it - I'd fire a motherfucker if they turned in ridiculous crap like this regularly)... I've found answers where one is a subset of another so the "superset" answer should be considered correct as well, so you effectively have two right answers (in other words: this is one of those "you better pick the EXACT answer we WANT you to pick, even if another is TECHNICALLY correct too, doesn't matter, you gotta divine which WE say is right" situations)... there's not enough information given in some cases to even realistically attack the problem... and so on.
It's just fucking garbage, but now I HAVE to get a passing score on the fucking thing to meet a work requirement and you think anyone is going to give two shits if I point out the problems? Of COURSE not! Just need to check the box, so now I have to waste hours of my day fighting through this horseshit just to say I did it.
Is there any value in it? FUCK NO! It's actually NEGATIVE value since now I'm not doing what I'm actually paid to do.
And the worst part is I absolutely, 100% know all this shit! It's not like it's a problem because I fundamentally don't know the concepts. But because your platform is a joke it's making it a nightmare for me.
FUCK THIS SHIT! Friday is over early because of this; I'll bash my head against the wall again on Monday.
-
My school is awesome, their network infrastructure is so secure (not),
that you can easily control other people's desktops with Windows' basic tools. -
FUCK you "WP iThemes Security Pro".
First of all, your FUCKing service isn't really secure, more like security by obscurity.
Don't get me started on how you probably don't have a dedicated team of security experts.
But oh well, the customer insisted I must install you, despite my advice.
Second of all, don't FUCKing send me emails regarding "Scheduled malware scan failed" without them containing the FUCKing error message, not some generic "http_request_failed" error; why did it FUCKing fail?
Last but not least: don't FUCKing clutter it with your giant ass logo that takes up half my screen or FUCKing spam such as your upcoming events, newly published books/articles, incorrect "documentation"
-
when you spend all day making the app secure & the client shouts about not seeing any visible changes....
-
I'm having a sort of dilemma. I recently started taking freelance work for web development (and design, ack) and I'm uncomfortable with the state of the industry. I'll explain: say I bid a client for a simple 1-3 page site with a contact form (a new page, not a migration). My suggestion is to use djangocms, django, or just static html/css/js (i.e. bootstrap), which produces clean, fairly secure, and fast sites. Of course I can throw a templated, unoriginal WordPress site together in a few hours, 2 days latest, so I offer that option as a side note on the bid, charging almost 2x more. For some reason I don't understand, they choose the WP shitshow. I explain all the reasons that's not the way to go (which I won't list; if you don't know, you never used it, google it up) but they don't care about the details, they'd rather pay more for a shit job. Of course I reluctantly deliver what they want, but as a result my portfolio is full of unoriginal shit I'm not happy showing off. I have a few sites I've done on the side my preferred way, but they're not deployed and sit in my GitHub, for all intents and purposes unviewable to potential clients.
I want to be proud of my portfolio, and for it to be a representation of what I'm capable of. BUT, I gotta eat, and work is better than no work.
There are so many "WordPress designers" oversaturating the field and it's lowering the overall standard of what we are capable of. I'm just beginning my dev journey, but if I can't have a body of work I'm proud of, there's no way I can see doing this the rest of my life, and that makes me really sad. My love of developing, coding, and IT/computers in general drove me to change careers from audio engineering to web development, and the fact that this fucking Mr. Potato Head of a CMS is slowly turning that love into hate really pisses me off. So I'm ending this !rant looking for hope.
Your thoughts?
-
I know someone that’s constantly paranoid about being spied on by the government and fears companies stealing his code e.g. github, Microsoft etc.
His solution:
do nothing until we find a secure platform to write code on so that our ‘billion dollar ideas don’t get stolen’
Suffice to say that he's a very bad coder; not that I'm really that good, but compared to him I'm light years ahead.
-
While attempting to quit smoking, and after spending a full day trying to understand why the previous devs took this approach to encrypting a string, and my lack-of-nicotine addled brain not allowing me to see that this was a "Secure"String and so uses a machine specific key (that's why the code that worked locally wouldn't run on production 😑), this is my rant in the comments added to the helper I had to write
/// <summary>
/// If you are using this class and it's not for backward compatibility - then you probably shouldn't be using it
/// Nothing good comes from "Secure" strings
/// Further to this Secure strings are only "useful" for single user crypto as the encryption uses the login creds, transferring
/// this data to another client will result in them never being able to decrypt it
///
/// Windows uses the user's login password to generate a master key.
/// This master key is protected using the user's password and then stored along with the user's profile.
/// This master key then gets used to derive a number of other keys and it's these other keys that are used to protect the data.
///
/// This is also a broken crypto method via injection (see Hawkeye http://hawkeye.codeplex.com/) plus the string is stored in plain
/// text in memory, along with numerous other reasons not to use it.
/// </summary>
public class SecureStringHelper
{
-
Anti-features need to be fought with fire (metaphorically speaking).
This means they must be eliminated, not just made optional.
Why? Because an optional anti-feature is just one step away from a mandatory anti-feature.
For example, "secure" booting: https://youtu.be/vvaWrmS3Vg4?t=750 (Jody Bruchon)
Another example are disguised remote kill switches, such as add-on signing ( https://digdeeper.club/articles/... ). It started as optional and people were able to opt out, and everyone accepted it because no one expected what would come next.
All that was left was removing the ability to opt out, and then Mozilla has control over which extensions users are allowed to use.
For years, this feature sat dormant and users did not know of its existence. But in early May 2019, the metaphorical thread snapped and an expired certificate remotely disabled all extensions, wasting millions of man-hours of productivity.
From the digdeeper.club article:
"The funny thing is, the whole point of the extension prison was allegedly to increase security - and yet today, all security addons got disabled because of it! Shows how freedom always has to trump over security or it ends up in a disaster like this."
Evil needs to be nipped in the bud before it can flourish.
-
Okay this is my first time posting on this site. I've browsed it (definitely not in class) and the community looks beautiful, so I'm going to just kind of slide in here. Anyways this is the part where I use my caps lock button and type lots of naughty words I guess...
<rant type = 'school'>
Our programming classes are fucking DISMAL uuugh... Okay so we have four technology classes: Tech Exploration, Coding 1, Coding 2, and Intro to CS (a 'high school' level class)... So this means a fuck ton of kids in programming classes, mostly because I WANNA MAKE MINCERAFT AND BE A KEWL BOI LIKE GAME DEV BUT I'M ALSO A FUCKING IDIOT AND WILL NOT LEARN ANYTHING YAAAAAAY but that's a mood and so there's a fucking tidal wave of dumb kids in these classes. So right we're dealing with like 80 kids per class period. Sorry if I'm repeating myself but there are a FUCKTON of students. Now, we have... wait for it... ONE FUCKING TEACHER. ONE. I fucking swear this district does not give a SINGLE SHIT about possibly THE SINGLE FUCKING MOST IMPORTANT SUBJECT WHYYYYYY... Okay so the teacher is kinda overworked as fuck lol. She can't really teach eighty kids at once so she mostly gives us exercises from websites but when she can she teaches us shit herself and actually knows a good bit about her field of study. She's usually pretty grumpy, understandably, but if you ask her a good question that makes her think you can see the passion there lol. So anyways that's a mood. Now at the other school it's even worse. They have this new asshole as a teacher that knows NOTHING about ANYTHING IT IS SO FUCKING RIDICULOUS OH MY UUUUUGH... THEY STILL DON'T EVEN KNOW WHAT A FUCKING LOOP IS LIKE OKAY YOU'VE BEEN TEACHING PROGRAMMING FOR A YEAR AND YOU'RE THE ONLY ONE TEACHING IT AT THAT DISTRICT SO MAYBE YOU SHOULD AT LEAST FUCKING TRY WHAT IS WRONG WITH YOU... so he just makes them do shit from a website and obviously can't do half of the shit he assigns it's so fucking sad... I swear this district is supposed to be good but maybe not for the ONE THING I WANT IT TO BE GOOD FOR.
Funny story: in elementary school once I wrote down school usernames for people I didn't really know and shared with them a Google doc that said "you have been hacked make a more secure password buddy" etc etc and made them the owner and these dull shits report it to the principal... So I'm in the principal's office... Just a fucking dumb elementary school kid lol and the principal is like hAcKiNg Is BaD yOu ShOuLd NoT dO iT and I'm like how did you know it was me... so he goes on to say some bullshit about 'digital footprint' and 'tracing' me to it... he obviously has no clue what he's saying but anyways afterwards he points to where it says last change made by MY SCHOOL ACCOUNT... HOW DULL CAN YOU FUCKING POSSIBLY BE IT WAS FROM MY ACCOUNT THAT LITERALLY PROVED THAT I DID --NOT-- 'HACK' INTO THEIR ACCOUNT YOU DUMB FUCK. Okay so basically my school is a burning pile of garbage but it's better than most apparently but it's GARBAGE MY GOD... Please fucking tell me it gets better...
okay lol that was longer than I thought it would be guess I just needed to vent... later I guess
</rant>
-
Our ISP asked if I was satisfied with their service. I told them that it's okay, but some of our computers don't have a powerful enough network card, and they can't use the internet at maximum speed, and they said that they could see it, too. WTF? I knew that the ISP's router is not the most secure thing, but it has a remote mode, which is of course OFF, and they still can see this, and maybe even more. Monitoring your traffic is a thing, but a home network should be private...
-
While trying to fall asleep, I came to the conclusion that a solution to privacy would be an encrypted p2p messenger. You'd need a DNS-like system that can tell the peers how to contact their communication partners. Then I searched for one, and there was a good looking one, but it wasn't open source. Looks secure otherwise, but perfection looks different.
Can anyone recommend something similar to kripter / tell me why it would be secure/insecure to use their service instead of, say, Signal? Not that I truly NEED this, but I at least want to try it :)
-
BT "We'll give you BT Virus Protect, which protects against viruses, phishing and other online attacks."
Or... For a start, let your users provide a good secure password when signing up? "More than 8 characters" is a bit ambiguous. 20 minutes later and several attempts to find out it can't be longer than 20 characters, only upper and lower case letters and numbers, aaaand must start with a letter, is a bit s**t. Not to mention LastPass doesn't like it as you can't copy and paste.
-
If you do not push something (language, education, people, cars, design, medicine... etc. etc.) how the hell do you expect it to mature, surpass expectations and become better? Java didn't start off as good or as bad as it is today. It was through testing, abuse, use and pushing it harder to do more and more amazing things that it wasn't built for. PHP has changed a lot since I started using it and it's through people's efforts that it gets better. Before the JavaScript wave came it was a nuisance to use and sucked as most browsers had it switched off by default, but it's become more secure, fluent and able to do more amazing things and people are loving it right now.
I really wish people would stop with half-arsed and uneducated comments.
-
This is the story of probably the least secure CMS ever, at least for the size of its consumer base. I ran into this many years ago, before I knew anything about how websites work, and the CMS doesn't exist anymore, so I can't really investigate why everything behaved so strangely, but it was strange.
This CMS was a kind of blog platform, except only specially authorised users could view it. It also included hosting. I was helping my friend set it up, and it basically involved sending everybody who was authorized an email with a link to create an account.
The first thing my friend got complaints about was the strange password system. The website had two password boxes, with a limit of (I think) 5 characters each. So when creating an account we recommended people simply insert the first 5 characters in the first box, and the rest in the second. I can not really think of a good explanation for this system, except maybe a shitty way to make sure passwords are at least 5 characters? Anyway, since this website was insecure the password was emailed to you after the account was created. This is not yet the WTF part.
The CMS forced a sidebar with navigation; it also showed the currently logged in users. Apart from being unreadable due to a colorful background image, there were many strange behaviors. The sidebar would generally stay even when navigating to external websites. Some internal links would open a second identical sidebar right next to the first. Now, I think that the issue was the main content was in an iframe with the sidebar outside it, but I didn't know about iframes back then.
So far, we had mostly tested on my friend's computer, which was logged in as the blog administrator. At some point, we tried testing with a different account. However, the behavior of sidebars was even stranger now. Now internal links that had previously opened a second, identical sidebar opened a sidebar slightly different from the first: one where the administrator was logged in.
We experimented somewhat, and found that by clicking links in the second sidebar, we could, with only the login of a random user, change and edit all the settings of the site. Further investigation revealed these URLs had an ending like ?user=administrator2J8KZV98YT where administrator was my friend's username. We weren't sure of the exact meaning of the random digits at the end, maybe a hash of the password?
Despite my advice, my friend decided to keep using this CMS. There was also a proper way to do internal links instead of copying the address bar, and he put up a warning on the homepage not to copy links. Only when the CMS shut down did he finally switch to a system where formatting a link wrong could give anybody admin access.
-
Gaining root in Macs by not using a password, a vulnerability in HomeKit devices allowing unauthorized remote access.
https://9to5mac.com/2017/12/...
Next you tell me FaceID isn't as secure as you want me to believe.
Oh, wait...
-
Finally decided to get myself some remote server on DO, faffing around and setting things up, and suddenly I decide to look at my access logs: someone was trying to figure out how to connect to mysql, phpMyAdmin and whatnot... Too bad for him I won't have any of those installed until I know how to properly secure all this :)
Heh... Welcome to the real world I guess?
-
TL;DR Is Telegram really secure?
Some people say Telegram is the most secure and safe messenger, some say it's not. If you're familiar with it you may know from the news that Telegram did not give its clients' info to the government, you may have heard that Telegram's encryption is not the best one, BUT my question is: does it store people's private chats' keys? Actually it does with normal chats, because if you reinstall Telegram you can easily get normal chats' messages. Also my friend said that any application in mobile stores like the App Store signs an agreement with the store's owner company that if some points are met, the application owner has to share info on its clients. So dear friend, what do you think, should I continue using Telegram)?
P.S. sorry for my not the best English
-
"Your connection is not secure". It is too! The certificate is valid to 2019, and in Chrome it's no problem. Stupid Firefox!3
-
Going back and forth with Microsoft technical support right now over a SharePoint issue. Good Lord I want to reach across the wire and smack them in the face with a sea bass. Not enough to hurt, but get their attention and smell like fish for a while.
No genius, the warning on the PowerPivot Data Refresh page 'Warning: this page is not encrypted for secure communication ..' IS NOT the problem. The error messages I sent *three times* from the ULS logs are the symptoms you need to be researching. Stop guessing and trying to blame any random message you see on our configuration.
-
The importance of not using static salt / IVs.
I've been working on a project that encrypts files using a user-provided password as key. This is done on the local machine which presents some challenges which aren't present on a hosted environment. I can't generate random salt / IVs and store them securely in my database. There's no secure way to store them - they would always end up on the client machine in plain text.
A naive approach would be to use static data as salt and IV. This is horrendously harmful to your security for the reason of rainbow tables.
If your encryption system is deterministic in the sense that encrypting / hashing the same string results in the same output each time, you can just compile a massive data set of input -> output and search it in no time flat, making it trivial to reverse engineer whatever password the user input so long as it's in the table.
For this reason, the IVs and salt are paramount. Because even if you generate and store the IVs and salt on the user's computer in plaintext, it doesn't reveal your key, but *does* make sure that your hashing / encryption isn't able to be looked up in a table.
-
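An added example (not the rant author's project code) that runs the argument above: with a fixed salt and IV, encrypting a predictable first chunk of a file under a wordlist of passwords gives a table that recovers the password by a single lookup; with a fresh random salt and IV stored in the clear in front of each file, the same table finds nothing and decryption still works. The wordlist, the file header and the HMAC-based XOR keystream are constructed stand-ins (a real design would use an AEAD such as AES-GCM); only the standard library is used so the script runs offline.

```python
"""Why per-file random salt and IV matter when the key is derived from a user
password and nothing on the client can be kept secret.  Added example; the
XOR keystream below stands in for a real AEAD cipher so the script runs
offline with only the standard library."""
import hashlib
import hmac
import os

SALT_LEN = 16
IV_LEN = 16
PBKDF2_ROUNDS = 100_000

# Constructed wordlist standing in for a precomputed table of common passwords.
WORDLIST = ["password", "letmein", "hunter2", "qwerty", "123456"]


def derive_key(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256: slow, salted password -> 32-byte key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def keystream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Counter-mode keystream HMAC(key, iv || counter) XORed over data.
    The same key and IV always give the same keystream, which is exactly why
    the IV must never repeat under one key.  Stand-in for a real cipher."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(4, "big")
        block = hmac.new(key, iv + counter, hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def encrypt_static(password: str, plaintext: bytes) -> bytes:
    """The naive design from the rant: fixed salt and IV, so the output is
    deterministic and can be tabulated in advance."""
    salt = b"\x00" * SALT_LEN
    iv = b"\x00" * IV_LEN
    return keystream_xor(derive_key(password, salt), iv, plaintext)


def encrypt(password: str, plaintext: bytes) -> bytes:
    """Fresh random salt and IV per file, stored in the clear in front of the
    ciphertext as salt || iv || ct.  Neither value needs to be secret."""
    salt = os.urandom(SALT_LEN)
    iv = os.urandom(IV_LEN)
    return salt + iv + keystream_xor(derive_key(password, salt), iv, plaintext)


def decrypt(password: str, blob: bytes) -> bytes:
    """Read salt and IV back from the blob, re-derive the key, undo the XOR."""
    salt = blob[:SALT_LEN]
    iv = blob[SALT_LEN:SALT_LEN + IV_LEN]
    ct = blob[SALT_LEN + IV_LEN:]
    return keystream_xor(derive_key(password, salt), iv, ct)


def precomputed_table(known_plaintext: bytes) -> dict:
    """What can be built once, offline, against the static design: ciphertext
    of a known plaintext -> password, for every wordlist entry."""
    return {encrypt_static(pw, known_plaintext): pw for pw in WORDLIST}


def lookup_password(table: dict, ciphertext: bytes):
    """A table hit recovers the password without ever touching the key."""
    return table.get(ciphertext)


if __name__ == "__main__":
    header = b"%PDF-1.4\n"  # constructed: a predictable first chunk of a file
    table = precomputed_table(header)
    print("static salt/IV, table hit:",
          lookup_password(table, encrypt_static("hunter2", header)))
    blob = encrypt("hunter2", header)
    print("random salt/IV, table hit:",
          lookup_password(table, blob[SALT_LEN + IV_LEN:]))
    print("round trip ok:", decrypt("hunter2", blob) == header)
```

The cost of the random design is that PBKDF2 runs once per file rather than once per password, which is the price of the table being useless.
-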
client: "can you build out a staging server for us? here's all the code, everything you need"
me: "awesome, looking good, i have almost everything i need, just give me the credentials for the server, and I'll get started installing all the infrastructure"
client: "ok, try these!"
me: "doesn't work"
client: "this one?"
me: "doesn't work..."
client: "how about this one?"
me: "STILL NOT WORKING!!!"
imagine you want someone to do stuff on your server and you don't even know the root SSH password.... smh
why is this always a problem, use fucking 1Password or something, it's 40 bucks a year, secure, and you can organize alllll your passwords. don't be a fucking boomer and write them on a piece of paper, or worse, apparently like my client, never know it or have it in the first place.
-
I made a WordPress website for one of my friends a long time back as he wants to teach online and sell his videos. (he is studying MBBS)
Yesterday suddenly he calls me and says our site has been compromised and it's no longer secure.
Me: After seeing the screenshot: no, actually the site doesn't have SSL and in recent Chrome updates HTTP sites are being flagged.
He: Okay, I saw a video on YouTube on how to buy SSL.
Me: It's not just installing the certs, all the links and images have to be on https so it will take some time for me.
He: Today, the website is no longer opening, please help, after putting SSL as per the video...
Me: What the hell? Who asked you to do that? Are you nuts?
He:................. Sorry, 😐
-
Alright guys, I need some advice now from you..
My employer is super impressed with my work and they are willing to relocate me to the US (Seattle).
As you all are aware, I am actively trying to move out of my country but lately have realised that no matter what, it's home.
Also, I am way too close to my mother and don't want to leave her alone for an extended period of time as both my parents are ageing and I cannot be a selfish fuck to ignore them during their last phase of life.
I want to make the most to spend time with them.
Some key points that I need help with
- I am more inclined towards the UK/EU than US
- Need to spend time with parents/family
- Need to secure some cash for some key life moments
Some challenges:
- Cannot take parents along because they'd not be able to settle for more than 1.5 month outside for various reasons
- If I am moving out, why shouldn't I go to a place I love than a place I don't?
Some plans:
Plan A: Move to Seattle (6 months) > FAANG > Get a high paying job in India (all this in 2 year duration) > Settle down > Periodically travel Europe and explore hobbies
Plan B: Move to Seattle (6 months) > FAANG (optional) > Find a job in the UK/EU (4.5 year duration) > Fulfill EU dreams > Get a high paying job in India > Settle > Continue exploring hobbies
Plan C: Stay in India with current company (6 months) > IJP or EJP to the UK/EU (5 year duration) > Fulfill EU dreams > Get a high paying job in India > Settle > Continue exploring hobbies
I need to pick one while keeping in mind that I can spend more time with parents and fulfill my dreams as well. I am confident that money will follow and I'll save enough for my retirement. Willing to trade off some extremely high paying jobs for a happier lifestyle.
-
Disclaimer: This is all theoretical. Neither me nor my friend (with whom I discussed this) are stupid enough to even try to pursue this, but as an idea, i believe it might generate cool/new ideas/ways for handling secure communications across social groups.
Let's do some role play. Let's design a delivery app for drug dealers, think Seamless or Uber Eats, but for drugs. Not for big deliveries, like kilograms of coke, but smaller stuff. Maybe a few grams of it or something. The clients could rate dealers, and vice-versa. This would build a level of trust within the system. There would be no names, just anonymous reviews, ratings, and prices. Only the info you'd need to know.
The biggest (only?) problem we found (besides legality) was that, how would you prove that you're a client and not a snitch (or cop). This would have to somehow be handled both on signup, as well as when ordering (let's imagine that all who are clients are pure and won't ever snitch).
One of the ways we found to combat this was to have the app invite-only. This would, in theory, do away with the problem of having snitches signing up. However, what if the phone got stolen/breached by a snitch, and they also got full access to the account. One way we thought we could combat this would be with a "dispose number" or something similar. Basically, you call a number, or send a text, or message a Signal bot etc, which would lead to the account's instant termination, no traces of that user left. Hence, a dispose number.
The flow of the app would be as follows:
A client wants some amount of heroin. He opens the app, searches for a dealer, sends him the desired amount, and in return gets back a price from the dealer. If both parties agree on the amount and price, the deal would start.
The app would then select a random time (taken from the client's selected timeframe and the dealer's "open" time) and a location (within a certain radius of both them, somewhere in between them both for convenience). If both of them accept the time and place, they'll have to meet up at said time and place.
The actual delivery could also be done using two dead drops - the client drops the money at one of them, the dealer drops the goods at the other one. Yes, this might be subject to abuse, but it wouldn't be that bad. I doubt that clients would make huge orders to unknown/badly rated dealers, as well as dealers accepting offers from badly rated clients. My idea is that they would start small, just so if they do lose their money/goods, the actual loss wouldn't be as big for them, but for the other party, having bad ratings would mean less clients willing to buy or dealers willing to sell.
A third way would be to use crypto, but the reason I left this as the last one is because it's not that widespread yet, at least not in local drug dealing. With this method, the client would initiate the order, the crypto would be sent to either the dealer or an escrow account, the dealer would then drop the goods at a random place and let the client know where to go to get them. After the client has gotten the goods, they could both review/rate the quality as well as the overall experience with that dealer, which would either make or break the dealer's upcoming deals. This would be pretty much like other DNMs, but on a local scale, making deliveries faster.
So far, this would seem like something that would work. Are there any ideas that might improve this? Anything that might make things more secure/anonymous?
My reason for this post is to spark a conversation about security and anonymity, not to endorse drugs or other illegal stuff.
Cheers!
PS. Really loving the new PC design of devRant
-
Area of focus: security and automation
Why: before I turned 18 I was a hacker for 5 years and I saw the kind of crap security most websites and programs had, and even if the site was secure you could usually email somebody with a spoofed email and get in. And when I say hacker I mean I wrote my own stuff, not skiddy.
-
!rant, but funny
tl;dr I made something that was to protect me in case the customer doesn't pay, wanted to check if it's still there, messed up a little :D
>do an Android app project for almost 6 months
>issues with payment for it
> =.=
>firebase
>"Add new application"
>Remote Config
>add single integer variable
>back to app code
>if (integerFromFirebase != 0) navigateTo(new Fragment())
>mwahahahaha
>but they ended up paying me in the end
>huh...
>see another post on how to secure yourself if customer doesn't want to pay
>well, consider yours as more sophisticated
>hmm... wonder if they removed it
>firebaseconsole.exe
>change "enableJavaScript" (needed a legit name, so it can't be easily backtracked) to 1
>publish changes
>app still works fine
>mhhh... they removed it? really?
>can't fking believe it
>apkpure.com
>search for the app
>download apk
>unzip
>decompile dex file
>find the fragment
>can't find the code that navigates to blank fragment, but the config fetch is still there
>wtf
>look at the app
>restart it
>SHIT ITS NOT WORKING NOW XDDDDD
>changed the variable back to 0
>found out that the lambda in which I navigate to the blank fragment is in other .java file. New thing learned :v
>idk if I'm in trouble but I highly doubt it (console shows max 10 active users atm)
Was fun tho :v
-
Not dev per se but annoys the hell out of me on a monthly basis... 30 day password expiration, how does that make things more secure?! The thing that makes it worse is that I can't use any of the previous 28 passwords or anything too similar... Now I'm stuck with a 36 character password which I have to put in every time my work machine decides to lock out... Which is less than a minute of not touching it.
What's that? No I can't turn around and answer a question because if I do I'll be taking 20 mins off of my future career prospects as I'm working on leveling up my inevitable arthritis
-
1) Simple, secure and powerful technology for website user interface design which will replace HTML, CSS and JS.
2) Simple and practical technology to be able to utilize HTML for all kinds of documents which will replace paper page based document formats like PDF and Word.
3) One technology for native mobile app development to rule them all. So that it's not necessary to use HTML and JS.
-
Colleague: "My client says asp.net is more secure and has a better performance compared to php"
Me: "Hmm ok. But it all comes down the implementati..."
Him: "hE waNtS AsP.neT nOt PhP"1 -
One of the biggest dev insecurities, I think, is the poor quality of user passwords. Users have not yet understood how to create secure passwords.
-
I’m having this issue for the online marketplace I’m working on the side. It’s blockchain tech where you can purchase normal goods and services(no, not like Amazon or Fiverr, eww, this one’s more inclined with promoting organic growth for small businesses and freelancers).
I’m stuck with what solution is in the best interest of the user and the business for the long-term.
The dilemma about anonymity, online freedom and privacy is yes, it protects users from predators and attackers, but then, it's harder for authorities to hunt down people who use platforms for malicious intent, and also, a digital footprint is helpful during litigation as evidence.
You don’t know who to trust.
-There is nothing to differentiate normal users with spammers, scammers, etc.
-There is no accountability for if they break the rules. They can easily delete and create a new account.
Platforms, communities big or small are plagued with these.
There are a lot of people out there who would rather project their insecurities on other people than to seek therapy.
Also, with how platforms use psychology tricks to make themselves addicting, it's safe to assume that it's bound to get toxic. Fixation on these platforms leads to other needs being neglected, or people forget to stay present.
Another thing, automated moderation is not that effective as there are still biases in data and human verification is still required. But then, human moderators get exposed to extreme violence, gore, etc that leads to poor mental health. (see Facebook got sued by moderators)
Also, I’ve had a recent experience where some unstable dev was stalking and harassing me. During that turmoil, I’ve found the many loopholes in every platform out there and how crappy their support is. Like they’ll just say, “make your account more secure”, bitch it’s your platform not providing enough security, your blocking feature means nothing coz anyone can still create accounts and message anyone.
It happened like February-August (it ended coz I quit going online and made private all my accounts). UGH I MISS ALL MY FRIENDS THO. FUCK THAT DUDE. He deserves to be in jail TBH
Lol if this product booms, now u know the back story lololol
-
So, I’ve been given the task of sorting the security out in an application plugging the holes and whatnot as to be honest it’s shocking haha. It doesn’t help that we automate security audits but that’s a different rant for another day.
We’re using devise for authentication (rails standard, ♥️ devise), we have no password resets through the login page, it has to be manually reset by ringing support, why who knows, even though it’s built into the gem and we allow the user to login using an username instead of an email because for whatever reason someone thought it was a bright idea to not have the email field mandatory.
So I hop onto a call with the BAs, basically I go that we need to implement password resets into the login page so the user can do it themselves and also to cut down support calls a ticket is already in place for it. So I go through the standardised workflow for resetting a password. My manager goes.
“I don’t think this will be very secure”
Wait.. what. Have you never reset a password before? It’s following the same protocol as every other app.
We go back and forth and I said I'll get it checked with security just to keep him happy.
The issue mainly is, well, we can't implement password resets due to 100s of users not having an email on their account.. 🙃 so before we push this change we need to try and notify all users to set a unique email.
Updated the tickets. All dandy.
Looking at the PRs to see what security things have been done if any and turns out one of the devs in India has just written a migration to add the same default email to every user that doesn’t have an email present and yep it got merged. So I go revert the change but talk about taking a “we don’t care about security approach”.
Eventually we want to have the user reset their passwords and login using their email and someone goes ahead and does that. Not to mention the security risk.
Jesus Christ I wonder why I bother sometimes.
-
My answer to their survey -->
What, if anything, do you most _dislike_ about Firebase In-App Messaging?
Come on, have you sat a normal dev, completely new to this push notification thing, down and asked him to make run a simple app like the flutter firebase_messaging plugin example? For sure you did not, oh dear brain dead moron that found his college degree in a Linux magazine 'Ruby special edition'.
Every f**kin thing about that Firebase is loose ends. I read all Medium articles, your utterly soporific documentation that never ends, I am actually running the flutter plugin example firebase_messaging. Nothing works or is referenced correctly: nothing. You really go blind eyes in life... you guys; right? Oh, there is a flimsy workaround in the 100th post under the Github issue number 10 thousand... let's close the crash report. If I did not change 50 meaningless lines in gradle-what-not files to make your brick-of-puke work, I did not change a single one.
I dream of you, looking at all those nonsense config files, with cross side eyes and some small but constant sweat, sweat that stinks piss btw, leaving your eyes because you see the end, the absolute total fuckup coming. The day where all that thick stinky shit will become beyond salvation; blurred by infinite uncontrolled and skewed complexity; your creation, your pathetic brain exposed for us all.
For sure I am not the first one to complain... your whole thing, from the first to last quark that constitutes it, is irrelevant; a never ending pile of nonsense. Someone with all the world's contained sabotage determination would not have done lower. Thank you for making me lose hours deep down your shit show. So appreciated.
The setup is: servers, your crap-as-a-service and some mobile devices. For Christ sake, sending 100 bytes as a little [ beep beep + 'hello kitty' ] is not fucking rocket science. Yet you fuckin push it to be a grinding task ... for eternity!!!
You know what, you should invent and require another, new, useless key-value called 'Registration API Key Plugin ID Service' that we have to generate and sync on two machines, every day, using something obscure like a 'Gradle terminal'. Maybe also you could deprecate another key, rename another one to make things worse and I propose to choose a new hash function that we have to compile ourselves. A good candidate would be some buggy C source code from some random Github hacker... who has injected some platform dependent SIMD code (he works on PowerPC and has not tested on x64); you know, the guy you admire because he is so much more lowlife than you and has all the Pokemon on his desk. Well that guy just finished a really really rapid hash function... over GPU in a serverless fashion... we have an API for it. Every new user will gain 3ms for every new key. WOW, imagine the gain over millions of users!!! Push that in the official pipe fucktard!.. What are you waiting for? Wait, no, change the whole service name and infrastructure. Move everything to CLSG (cloud lambda service ... by Google); that is it, brilliant!
And Oh, yeah, to secure the whole void, bury the doc for the new hash under 3000 words, lost between v2, v1 and some other deprecated doc that also have 3000 and are still first result on Google. Finally I think about it, let go the doc, fuck it... a tutorial, for 'weak ass' right.
One last thing, rewrite all your tech in the latest new in-house language, split everything into 'femto services' => ( one assembly operation per OS process ) and finally cram all those into containers... Agile, for sure it has to be Agile. Users will really appreciate the improvements of your mandatory service.
-
Is it so much to ask to feel appreciated and secure at a job if you make sacrifices and endure ridiculous stress of ownership and responsibility?
Why do I have to constantly go through life wondering if my name is going to be a top level item on a budget sheet ready for the cut ? And then I’m not supposed to be upset
Just work to the end like a good little monkey and HOPE I have another job on its way
-
Apparently, some universities don’t understand it’s not a good idea to send passwords over an unencrypted connection. And btw, POST requests work the same as GET ones, it’s not more secure.
Not going to put the website for privacy reasons, but 🖕 this university!🖕🖕
-
It has to be Keybase.
It is exactly what I need - A secure yet practical cloud storage, where only you own the crypto key, with the added bonus of maintaining a blockchain-based identity online, with proof system and all.
Also has a secure PKI-Based E2E chat when I want to talk to someone about something I don't want the general government to necessarily know.
Definitely recommend the service! Even with the odd decision to include an option of a Lumen crypto wallet or whatever, you can just ignore that feature if you're not into it and it doesn't slow you down.
-
I love it when I see posts on any social media site or app where it's like
"Looking for someone to hack a <insert social site> account"
Do they not know how secure those sites tend to be?
Do they think it's as easy as CSI makes it out to be?
or
Maybe they're the police trying to trick us
-
I just finished posting this but think it deserves its own post.
If you're creating a business or "startup" (as people like to call it these days) don't assume the idea is novel or investors will just jump on board. Focus on the business fundamentals, money and cash flow, even before launch, unless you can afford not to. But really you can't afford not to. Selling before launch means that you're effectively doing two things: 1 you're collecting new customers and income for the business and 2 you're raising awareness at the same time. Obscurity is death and failure.
Get you a good sales team and marketer when the time is right.
Have a year of runway.
Identify the sites and groups your target audience and investors frequent. Start conversations now, buzz is the hardest thing to generate.
Start building relations with customers and potential clients now. Discuss launch, ask them if they'd be willing to pay up front before launch, in order to secure a "lifetime membership", offer it as an early opportunity and charge extra. Giving a discount out of the gate is a mistake B/c it says to potential investors that you don't think it's ready or worth it yet. Of course if it's between making 1. Some money or 2. No money, don't let it be a deal breaker, offer a discount. Going from no clients to any clients is a BIG deal. If you can do 1 you can make it to 10, if 10, you can reach 100, etc.
No one likes asking for money and yet it is as important if not more important than development. -
!rant
I see a lot of people complain about uni degrees and stuff because they don't learn how to code etc. Is this really the standard?
I mean I'm only in fourth semester bachelor and had coding knowledge before starting uni. But we had basic to intermediate Java in the first two semesters, now learning how to write secure code and OS-level stuff in C++, we had a module with practical Assembly coding all while still learning all the theory.
At the end of the first semester we had to write a terminal game in Java. I mean of course that's not "real experience" but if you dive in you definitely learn the basics you need to get started in real life.
Or am I wrong completely / just in a weird uni?6 -
Currently trying to make a multi boot machine, with a lot of linux distros inside, like debian, fedora, gentoo and arch.
I know I will have to format everything a lot of times, because of stupid mistakes. I want to try to put /home in common, play with some more SSDs, and put a preempt_rt patched kernel somewhere.
I am starting from debian,
Format counter: 3
Reason 0: because i need to install at least once...
Reason 1: I am stupid
Reason 2: I disconnected the SSD, to connect a disk with Windows. Now the bootloader doesn't find any OS on the SSD anymore... still no clue, and in case of doubt: blame Windows 😠😠😠
DAMN YOU WINDOWS, how did you find that I want to use debian? What did you do to break it?? (Despite it wasn't even connected?!?)
I have checked everything about secure boot, and I am sure it is disabled...
And every search online gives results about dual boot, but it is not my case... :/ -
Everything I know is self taught... From a time I dunno when I'm 20, so likely just after the year 2000
From my perspective I think differently from most more formally trained devs, which can be to my advantage; the downside of this is I'm terrible with names, everything in computing has an anagram.
I'm bad with names anyway... Dyslexic 😉. But if explained to me I know what it is you're on about.
I consider myself a good dev, not experienced but otherwise good. But I want to be the best...
I'm also a hacker (nice one) which I think helps me build better, more secure programs knowing common vulnerabilities
I'm proud of what I've achieved so far. Whilst I'm not perfect nor is my work that's what I work towards ... As should every dev -
Jeesh! In the last 12 months I've had a lot of emails from the different services I've used that they've been compromised and a database of emails and hashed passwords have been exposed 😒1
-
Yeah, so when you create an account just about anywhere nowadays, you need to choose a strong password. Fair enough. But then, some sites/services/systems require a second password, sort of a password hint as an extra security for retrieving your first password in case you forget it. Well OK... That hint question just becomes very *in*secure when you must choose from some extremely stupid presets like "In which town were you born?" or "What was your mother's maiden name?", all of which are trivia that for most people can be easily googled, or looked up on facebook ffs. And these "in which town did this or that happen?" questions? As there is only one town in my country it's not a long shot that I was born in Mariehamn, met my partner in Mariehamn and had my first job in Mariehamn. Security questions for imbeciles.4
-
Trying to install Linux off of a USB drive when the motherboard flips out during boot mode and boots back into Windows saying that it is not secure. Even though I've tested this drive and installed Linux on other computers. ugh1
-
Why is it so difficult to tell people not to use the same passwords everywhere? I thought of a service which searches all leaked databases and predicts a password based on that as a warning for the user... Having the program tell the user that the password they are likely to enter would be XY, because the Adobe OR MySpace OR Dropbox password for the email OR username entered was that password, could be a bit more aggressive but useful to let users at least think of secure passwords.1
-
!rant
Why is everyone who claims to know a lot about web security and encryption not able to help me check if my system is secure :/
And some try to charge me afterwards -.-"
Edit:
If they expect payment they should state that at beginning and be able to actually do something...3 -
Pull request got declined by a peer because crc32 is apparently not "secure enough". It was used for integrity check of a small binary payload designed to be exchanged millions of times per minute between networked services.
Vetoed the living hell out of that. -
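The distinction behind that veto, as an added example that is not from the rant: a checksum answers "did the bytes arrive as they were sent", a MAC answers "were they sent by someone holding the key". CRC32 is the right tool for the first question and useless for the second, because nothing secret goes into it. The payload and key below are constructed for the demo; zlib.crc32 and hmac are Python's standard library.

```python
import hashlib
import hmac
import random
import zlib

# Constructed sample message and shared key for this example.
PAYLOAD = b"order_id=4711;qty=3;price_cents=1999"
KEY = b"example-shared-key-not-a-real-secret"


def crc32_tag(data: bytes) -> bytes:
    """CRC32 over the payload: catches accidental corruption, needs no key."""
    return zlib.crc32(data).to_bytes(4, "big")


def crc32_verify(data: bytes, tag: bytes) -> bool:
    return crc32_tag(data) == tag


def hmac_tag(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256: only holders of the key can produce a tag the receiver accepts."""
    return hmac.new(key, data, hashlib.sha256).digest()


def hmac_verify(key: bytes, data: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(hmac_tag(key, data), tag)


def flip_one_bit(data: bytes, seed: int) -> bytes:
    """Simulate a transmission error: flip a single pseudo-random bit."""
    rng = random.Random(seed)
    out = bytearray(data)
    out[rng.randrange(len(out))] ^= 1 << rng.randrange(8)
    return bytes(out)


def crc32_single_bit_detection_rate(trials: int = 1000) -> float:
    """Share of single-bit errors CRC32 catches. It catches every one of them,
    which is exactly what an integrity check against line noise needs."""
    tag = crc32_tag(PAYLOAD)
    caught = sum(not crc32_verify(flip_one_bit(PAYLOAD, s), tag) for s in range(trials))
    return caught / trials


def tamper_detected_by_crc32() -> bool:
    """A party on the network path that rewrites the message can recompute the
    CRC32 too, since no key is involved; the receiver sees a valid checksum.
    Returns False: the rewrite is not detected."""
    modified = PAYLOAD.replace(b"qty=3", b"qty=9")
    return not crc32_verify(modified, crc32_tag(modified))


def tamper_detected_by_hmac() -> bool:
    """The same rewrite against an HMAC: without KEY the rewriter can only tag
    the message under some other key, and verification fails. Returns True."""
    modified = PAYLOAD.replace(b"qty=3", b"qty=9")
    wrong_key_tag = hmac_tag(b"not-the-shared-key", modified)
    return not hmac_verify(KEY, modified, wrong_key_tag)


if __name__ == "__main__":
    print("CRC32 catches single-bit flips:", crc32_single_bit_detection_rate())
    print("CRC32 catches a deliberate rewrite:", tamper_detected_by_crc32())
    print("HMAC catches a deliberate rewrite:", tamper_detected_by_hmac())
```

Which answer matters depends on the threat model: if the services already talk over an authenticated channel (TLS, mTLS, a VPN) the transport provides the MAC and a CRC32 on the payload is a cheap corruption check with no security claim attached. If the channel is untrusted, a keyed MAC is needed no matter how many messages per minute flow.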
!dev (kinda)
Warning: Might contain (be) stupid rambling.
So I got my new toy and want to play around with it. Just in case I have to return it I first want to make a full disk backup, so I try to boot clonezilla. I press the power button and mash F2, F8, F9 - and it boots straight into the windows setup. Nope, not what I wanted. Try again. And again. Eventually I look it up and apparently I have to hammer the ESC key to get where I want to. Alright, now it works. Boot from USB. Failed. Try again. Failed. Check the BIOS, disable secure boot, reboot. I need to type 4 digits to confirm disabling secure boot. Alright. Reboot, try again, failed. Secure boot is on again. Wtf? After some more infuriating tries I see that NumLock is disabled. AAAARGH. BIOS: Enable NumLock on boot, disable secure boot, enable legacy boot. Input the 4 digits - works! Try to boot from USB: Failed! Grab another USB stick, did the clonezilla image, try again: Finally! It! Works!
Format disk, install Qubes OS. Success!2 -
Goes to my comment on one of the rants to "Why linux cannot EVER be used by a normal user"
I'm pretty good with tech, OS, dev etc.
But here you go, a random error message which tells me nothing (Absolutely nothing) and no way to fix it. No way to fix it, not even a hint where to look for a solution, outside Google. Sure, it took me around 5 minutes to find the problem googling and copy/pasting some bash commands, but next time it happens and I don't have internet? Well, fucked.
This shit never happens on Windows or MacOS :) And that's why these 2 will always be user friendly and linux will never be.
That's why linux will never be used by normal humans.
You 100% linux addicts will point out directly "Yeah your repo sources are fucked" or whatever, but it IS NOT up to the user to know how sources, packages etc work. I just want to update my system; if one source is not found, ignore it by default! How hard is that?
Error message in question :
E: The repository 'https://ppa.launchpadcontent.net/tr... jammy Release' does not have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
Thanks for attending my TED talk.19 -
I'm trying to improve my email setup once again and need your advice. My idea is as follows:
- 2-5 users
- 1 (sub)domain per user with a catchall
- users need to be able to also send from <any>@<subdomain>.<domain>
- costs up to 1€ per user (without domain)
- provider & server not hosted in five eyes and reasonably privacy friendly
- supports standard protocols (IMAP, SMTP)
- reliable
- does not depend on me to manage it daily/weekly
- Billing/Payment for all accounts/domains at once would be nice-to-have, but not necessary
I registered a domain with wint.global the other day and I actually managed to get this to work, but unfortunately their hosting has been very underwhelming.. the server was unreachable for a few minutes yesterday not only once, but roughly once an hour, and I'd really rather be able to actually receive (and retrieve) my mail. Also their Plesk is quite slow. To be fair for their price it's more like I pay for the domain and get the hosting for free, but I digress..
I am also considering self hosting, but realistically that means running it on a VPS and keeping it secure and patched, which I'd rather outsource to a company who can afford someone to regularly read CVEs and keep things running. I don't really want to worry about maintaining servers when I'm on holiday for example and while an unpatched game server is an acceptable risk, I'd rather keep my email server in good shape.
So in the end the question is: Which provider can fulfill my email dreams?
My research so far:
1. Tutanota doesn't offer standard protocols. I get their reasons but that also makes me dependent on their service/software, which I wouldn't like. Multiple domains only on the business plans.
2. With Migadu I could easily hit their limits on incoming mails if someone signs up for too many newsletters and I can't (and don't want to) micromanage that.
3. Strato: Unclear whether I can create mails for subdomains. Also I don't like the company for multiple reasons. However I can access a domain hosted there and could try...
4. united-domains: Unclear whether I can create mails for subdomains.
5. posteo: No custom domains allowed.
I'm getting tired.. *sigh*21 -
When did we decide managing Users through Cloud REST architecture was more secure than having them in an underlying DB?
Because I can't put my finger on exactly why... but I don't like it and I think it's probably less secure... and just spawned from the need to be able to make user management a subscription based service like fucking everything? When a simple MySQL or postgres and some bcrypt somewhere would be both more secure and infinitely cheaper?
I'm more used to consuming REST APIs than writing them. Can any of you REST peeps help me understand how a REST API could be made as secure as a SQL DB connection for user management?
What do you think the attack vectors are for a REST API User Management? Like... what's the SQL injection of REST API? Pack some extra JSON somewhere or something?
At least if I can have faith my shit's not gonna get hacked because I have to use a 3rd party REST service for User Management of Users to my own fucking app I can maybe sleep tonight.2 -
Okay I'm probably going to get flak for this but...
WhatsApp chats are apparently e2e secure. Except when you back them up, right? Why not, when you create a backup (iCloud, google drive, whatever), have the app generate a password protected key pair and use that to encrypt/decrypt the backup?
When restoring the backup, use the password you set for the key et voila! While at rest, that backup is still encrypted.
Or have I missed something completely?2 -
This is not a rant. Rather just a question or an ask for advice, as I have seen a lot of people talk about web development around here. I am planning to create a website for my search engine. I created a Rest API for my VPS so I can do http requests and retrieve some links for certain key words. But I need some good ideas to do this from a website. As I am not sure what would be the best way to do http requests. As far as I know it's possible with Js and PHP, but I am not sure what's better, more secure or convenient? So here I am to ask you guys, especially those who have experience with this, what I should consider to do.
Oh and please forgive me my limited knowledge about Js and PHP 😅😊3 -
Obviously credit card companies, banks, etc. do not use MySQL. So what database do they use to keep data secure?7
-
Work! Terrible doubt about our project 😭 I will leave this company if we do not come up with an adult solution 😔
We are working for another company, they asked us to add a web app to their project.
We made the frontend and backend, we do user auth against their API, then call their API (place order, get orders etc), passing their auth token to their services.
Which means that our endpoints are not really protected (I think) and if we add an endpoint that does not use their API, the only way to secure it is to take the token, validate it by calling for example GET /order of the API and if it fails just discard the request... too slow?
My colleagues do not want to put in a serious auth, they just want to use the company API and leave the rest open...
And the customer just asked to use some other API functionality, but that API has another auth... How do we put them together? The last API wants the id of the user to do machine to machine auth
It is my 6th month here, no one taught me anything, I think I'll just leave... or am I just experiencing the developer daily work?😔7 -
// Rant 1
---
Im literally laughing and crying rn
I tried to deploy a backend on aws Fargate for the first time. Never used Fargate until now
After several days of brainwreck of trial and error
After Fucking around to find out
After Multiple failures to deploy the backend app on AWS Fargate
After Multiple times of deleting the whole infrastructure and redoing everything again
After trying to create the infrastructure through terraform, where 60% of it has worked but the remaining parts have failed
After then scraping off terraform and doing everything manually via AWS ui dashboard because im that much desperate now and just want to see my fucking backend work on aws and i dont care how it will be done anymore
I have finally deployed the backend, successfully
I am yet unsure of what the fuck is going on. I followed an article. Basically i deployed the backend using:
- RDS
- ECS
- ECR
- VPC
- ALB
You may wonder am i fucking retarded to fail this hard for just deploying a backend to aws?
No. It's much deeper than you think. I deployed it on a real world production ready app way.
- VPC with 2 public and 2 private subnets. Private subnets used only for RDS. Public for ALB.
- Everything is very well done and secure. 3 security groups: 1 for ALB (port 80), 1 for Fargate (port 8080, the one the backend is running on), 1 for RDS postgres (port 5432). Each one stacked on top and chained
- custom domain name + SSL certificate so i can have a clean version of the fully working backend such as https://api.shitstain.com
- custom ECS cluster
- custom target groups
- task definitions
Etc.
Right now im unsure how all of this is glued together. I have no idea why this works and why my backend is secure and reachable. Well i do know to some extent but not everything.
To know everything, I'll now ask some dumbass questions:
1. What is ECS used for?
2. What is a task definition and why do i need it?
3. What does Fargate do exactly? As far as i understood its a on-demand use of a backend. Almost like serverless backend? Like i get billed only when the backend is used by someone?
4. What is a target group and why do i need it?
5. Ive read somewhere theres a difference between using Fargate and... ECS (or is it something else)? Whats the difference?
Everything else i understand well enough.
In the meantime I'll now start analyzing researching and understanding deeply what happened here and why this works. I'll also turn all of this in terraform. I'll also build a custom gitlab CI/CD to automate all of this shit and deploy to fargate prod app
// Rant 2
---
Im pissing and shitting a lot today. I piss so much and i only drink coffee. But the bigger problem is i can barely manage to hold my piss. It feels like i need to piss asap or im gonna piss myself. I used to be able to easily hold it for hours now i can barely do it for seconds. While i was sleeping with my gf @retoor i woke up by pissing on myself on her bed right next to her! the heavy warmness of my piss woke me up. It was so embarrassing. But she was hardcore sleeping and didnt notice. I immediately got out of bed to take a shower like a walking dead. I thought i was dreaming. I was half conscious and could barely see only to find out it wasnt a dream and i really did piss on myself in her bed! What the fuck! Whats next, to uncontrollably shit on her bed while sleeping?! Hopefully i didnt get some infection. I feel healthy. But maybe all of this is one giant dream im having and all of u are not real9 -
https://learnbchs.org - The web framework consisting of OpenBSD, C, httpd and SQLite.
What do you think? Not sure if I should call C-webdevs insane or genius (maybe both).
I think the code will either end up very secure or with more severe bugs than any PHP website ever had. Please talk me out of trying it.7 -
Could someone please tell me what model of router uses Https for their admin page? I went to the store and I noticed most of them had http. What is the point in making the right setting if in the first place the connection is not secure?! :S59
-
Though I’ve seen devices like the following I’ve only ever seen them used for horrible purposes.
I was envisioning facility control being made capable by the use of a larger tablet device or tablet computer. The device would have no internet connection. It would not attach to the outside world at all.
It would not receive non manual software updates
It could view all air flow, temperature, lights, locks, electrical outlets, power draw, water usage, heaters, air conditioners, computer stations etc
And control and report statistics on them all.
Impractical you people said last time. But I would say cool if the device is kept super secure . That being said who knows how to do that since everything sucks once someone who knows what they’re doing has physical access lol
Personally all I don’t know how to break into is smart phones
Comps I could always figure out even if they had disk encryption given enough time.
The only reason phones are hard is you’re limited to network attacks and the boot loader is on the chip page.
Cause in the end a computer is just it’s hard drive in terms of security lol1 -
Been wondering about something and can't figure out if I am a retard or a genius 😂.
If MD5 is so outdated and should not be used to store password hashes (let's say for whatever reason you cannot effectively switch to another algorithm) wouldn't it just be easier and more secure to just re-encrypt the hash again, so just MD5 the MD5 hash... in theory, wouldn't that make the hash virtually uncrackable because instead of trying to brute force actual real words, you now have a hash of essentially random characters which have no relation to the others, and even then, suppose you manage to crack the hash, you will get another hash to crack before getting to the password?5 -
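To the question above, as an added example that is not part of the rant: an unsalted chain of hashes is still one fixed, keyless function, so whoever is guessing simply runs every candidate through the same chain and needs exactly as many guesses as against plain MD5. What does change the picture is a per-user salt (one precomputed table no longer serves every account) and an expensive iterated KDF (each guess costs real work). The guess list and iteration count below are constructed for the demo; 50k iterations is far below what production should use.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional

# Constructed candidate list for the demonstration (not from the rant).
GUESSES = ["letmein", "qwerty", "hunter2", "dragon"]
PBKDF2_ITERATIONS = 50_000  # toy value so the demo is quick; real systems use far more

Scheme = Callable[[str, bytes], str]


def md5_scheme(password: str, salt: bytes) -> str:
    """Plain unsalted MD5; the salt argument is ignored on purpose."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def double_md5_scheme(password: str, salt: bytes) -> str:
    """The 'MD5 of the MD5' idea from the rant: still keyless and unsalted."""
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5(inner.encode("ascii")).hexdigest()


def pbkdf2_scheme(password: str, salt: bytes) -> str:
    """Salted, iterated KDF: each guess costs PBKDF2_ITERATIONS hash rounds."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS).hex()


def guesses_until_match(scheme: Scheme, stored: str, salt: bytes) -> Optional[int]:
    """Number of candidates a guesser has to push through the *same* scheme
    before the stored value matches. Chaining MD5 does not change this count."""
    for n, candidate in enumerate(GUESSES, start=1):
        if hmac.compare_digest(scheme(candidate, salt), stored):
            return n
    return None


def same_password_same_hash(scheme: Scheme) -> bool:
    """True for unsalted schemes: two users with the same password share one
    stored value, so a single precomputed table covers every account."""
    first = scheme("hunter2", os.urandom(16))
    second = scheme("hunter2", os.urandom(16))
    return first == second


if __name__ == "__main__":
    salt = os.urandom(16)
    for scheme in (md5_scheme, double_md5_scheme, pbkdf2_scheme):
        stored = scheme("hunter2", salt)
        print(scheme.__name__, "guesses:", guesses_until_match(scheme, stored, salt),
              "shared hash across users:", same_password_same_hash(scheme))
```

The per-guess cost of the double-MD5 scheme is two MD5 calls instead of one, which is a rounding error next to a KDF tuned to tens or hundreds of milliseconds; that is why the usual migration is to wrap the legacy MD5 value inside bcrypt/PBKDF2 on the server and re-hash properly at the user's next successful login.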
The fact that the Wordfence plugin exists kind of admits to everyone WordPress is not very secure in the first place...
-
So, need to secure some requests.
I decided on going passwordless on the website but I want to have an API too.
I am reviewing auth0.
I am also not sure if I can secure the same endpoints as private and public differently, so the private is used by the backend with no auth and the public with auth.
Would you guys help me with some reading material?2 -
{
-i won't follow logging practices
-i won't follow secure coding
-i won't leverage profiling n monitoring tools
-i won't reuse best practices
-i won't listen to thought leaders
-i will outsource writing UT
-i will outsource code quality checks
-i will outsource all testing
-i will ignore n override CTO team
But I still want high stability, security n 4 9s availability. Just want it done. My team is best. Am a fast-track leadership program leader who never has or ever needs to code. I just know ...
}
People I have to deal with every sprint. Site reliability is not easy ...
Teaching good code makes great products to morons, toughest ...
"Beginners mind needed"2 -
Guys I need to deploy a very simple authentication API service.
You register with a username (actually an ID with a determined format), a password and uuid. You login with your username and password and if credentials are correct you get back the uuid as a response (JSON or whatever the fuck).
If you forget your password, you can use your uuid (which is confidential, very long string) in some POST request to set a new password. If you forget your username, you use the uuid again in a GET request to get back your username.
I've been looking at a bunch of solutions online and I don't think they suit my purpose exactly and all require emails (Like Firebase, AUth0, etc.) So, let me get this straight: NO FUCKING EMAILS INVOLVED PLEASE.
The above are the EXACT requirements I need for my work (for a good cause too). I fucking hate 0-requirement exploratory research tasks and I'm plagued with those. Those requirements are the only way it should work. So again, NO EMAILS INVOLVED PLEASE.
Also, please note that I have never developed an API in my life. I feel like StackOverflow will be assholes about this so I am asking this here.
I know it is very easy to do and there are probably dozens of ways to do this. I just do not know how, documentations are vague and overwhelming (or I'm just a little stupid lately). Another thing is that I am not sure of how can I do this in the most secure way. Bonus if this can be dockerized.
I know I sound a little rude, so I am sorry. It is just my frustration and the depressing times I am going through that's preventing me from thinking straight.6 -
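One way to implement the three flows described above (register, login returning the uuid, reset and username recovery by uuid), as an added example that is not the poster's code and is not tied to any web framework: the storage and password handling a request handler would call, using only Python's standard library. The username format and the minimum uuid length are assumptions, since the rant does not state them.

```python
import hashlib
import hmac
import os
import re
import secrets
from typing import Optional

# Assumptions made for this example (the rant does not fix them):
#  - a username is two upper-case letters followed by six digits
#  - the client-supplied uuid is an opaque secret of at least 16 characters
USERNAME_FORMAT = re.compile(r"^[A-Z]{2}[0-9]{6}$")
MIN_UUID_LENGTH = 16
PBKDF2_ITERATIONS = 100_000   # kept modest so the demo runs quickly; raise in production
_DUMMY_SALT = os.urandom(16)  # hashed against for unknown users so timing does not reveal them


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def _uuid_key(user_uuid: str) -> str:
    # Recovery secrets are indexed by their hash, so the index is not a list of secrets.
    return hashlib.sha256(user_uuid.encode("utf-8")).hexdigest()


class AuthStore:
    """In-memory stand-in for the database behind the endpoints."""

    def __init__(self) -> None:
        self._users: dict = {}        # username -> {"salt", "hash", "uuid"}
        self._uuid_index: dict = {}   # sha256(uuid) -> username

    def register(self, username: str, password: str, user_uuid: str) -> bool:
        if not USERNAME_FORMAT.match(username) or len(user_uuid) < MIN_UUID_LENGTH:
            return False
        if username in self._users or _uuid_key(user_uuid) in self._uuid_index:
            return False
        salt = os.urandom(16)
        self._users[username] = {"salt": salt, "hash": _hash_password(password, salt),
                                 "uuid": user_uuid}
        self._uuid_index[_uuid_key(user_uuid)] = username
        return True

    def login(self, username: str, password: str) -> Optional[str]:
        """Returns the uuid on success, None otherwise; does the same work either way."""
        record = self._users.get(username)
        salt = record["salt"] if record else _DUMMY_SALT
        expected = record["hash"] if record else bytes(32)
        matched = hmac.compare_digest(_hash_password(password, salt), expected)
        return record["uuid"] if record and matched else None

    def reset_password(self, user_uuid: str, new_password: str) -> bool:
        username = self._uuid_index.get(_uuid_key(user_uuid))
        if username is None:
            return False
        salt = os.urandom(16)  # fresh salt on every change
        self._users[username].update(salt=salt, hash=_hash_password(new_password, salt))
        return True

    def recover_username(self, user_uuid: str) -> Optional[str]:
        return self._uuid_index.get(_uuid_key(user_uuid))


if __name__ == "__main__":
    store = AuthStore()
    uid = secrets.token_hex(16)  # a client would generate and keep this
    print("registered:", store.register("AB123456", "correct-horse", uid))
    print("login ->", store.login("AB123456", "correct-horse"))
    print("reset:", store.reset_password(uid, "new-passphrase"))
    print("username for uuid:", store.recover_username(uid))
```

Two caveats follow directly from the stated requirements rather than from this code: the uuid has to be stored in recoverable form because login must return it, so a database leak exposes the reset credential along with the password hashes, and both the login and the uuid-based endpoints need rate limiting, since the uuid is the only thing standing between a guesser and a password reset.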
Relatively often the OpenLDAP server (slapd) behaves a bit strangely.
While it is a little bit slow (I didn't do a benchmark, but Active Directory seemed to be a bit faster, though it has other quirks and is Windows only), with a small amount of users it's fine. slapd is the reference implementation of the LDAP protocol and I didn't expect it to be much better.
Some years ago slapd migrated to a different configuration style - instead of a configuration file and a required restart after every change made, it now uses an additional database for "live" configuration which also allows the deployment of multiple servers with the same configuration (I guess this is nice for larger setups). Much documentation online does not reflect the new configuration and so using the new configuration style requires some knowledge of LDAP itself.
It is possible to revert to the old file based method but the possibility might be removed by any future version - and restarts may take a little bit longer. So I guess, don't do that?
To access the configuration over the network (only using the command line on the server to edit the configuration is sometimes a bit... annoying) an additional internal user has to be created in the configuration database (while working on the local machine as root you are authenticated over a unix domain socket). I mean, I had to create an administration user during the installation of the service but apparently this was only for the main database...
The password in the configuration can be hashed as usual - but strangely it only accepts hashes of some passwords (a hashed version of "123456" is accepted but not hashes of different passwords, I mean what the...?) so I have to use a single plaintext password... (secure password hashing works for normal user and normal admin accounts).
But even worse are the default logging options: By default (at least on Debian) the log level is set to DEBUG. Additionally if slapd detects optimization opportunities it writes them to the logs - at least once per connection, if not per query. Together with an application that did a lot of connections and queries (this was not intended and got fixed later) THIS RESULTED IN 32 GB LOG FILES IN ≤ 24 HOURS! - enough to fill up the disk and to crash other services (lessons learned: add more monitoring, monitoring, and monitoring and /var/log should be an extra partition). I mean logging optimization hints is certainly nice - it runs faster now (again, I did not do any benchmarks) - but the verbosity was way too high.
The worst parts are the error messages: When entering a query string with a syntax error, slapd returns the error code 80 without any additional text - the documentation reveals the SO MUCH BETTER meaning: "other error", THIS IS SO HELPFUL... In the end I was able to find the reason why the input was rejected but in my experience most error messages are a little bit more precise.2 -
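For the logging problem in the rant above: with the cn=config style, the log level is changed by an LDIF modify over the local ldapi socket rather than by editing slapd.conf, and the change persists without a restart. This is an added example, not the poster's configuration; it assumes a Debian-style install where the local root user is mapped to the cn=config administrator over ldapi:///.

```ldif
# Added example (not from the rant): drop slapd's log level to "stats",
# which logs one summary line per connection and operation instead of debug output.
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats
```

Apply it as root with `ldapmodify -Y EXTERNAL -H ldapi:/// -f loglevel.ldif` and confirm with `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcLogLevel`. For the admin password on the configuration database, the normal route is to generate the hash with `slappasswd` and put its `{SSHA}...` output into `olcRootPW` on `olcDatabase={0}config` with the same kind of LDIF modify; combined with a size-capped and rotated /var/log, that keeps a chatty client from filling the disk again.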
So... there is a bank. And the website for example is using "https". Alright. But the login consists of your login ID (in most cases your account number) and a PIN number (only 5 chars). If I remember pentesting, crunch etc, a PIN or password with 5 chars (including special characters) is fast hackable or not? Or is it super secure cuz of the "https"?4
-
I'm reading online that after I buy bitcoins from Coinbase, I should transfer it to a private wallet that is kept offline.
What would be a private wallet? Does that mean I have to download and keep the entire blockchain on my PC?
Also how would I transfer?
And best way to keep the private wallet secure? and not lose the key, password, etc?
And I guess main reason I ask was bc I saw this. Actually does this basically act like Coinbase? But they keep my wallet?
https://try.blockfi.com/morningbrew...11 -
Bought two hp z230 and one hp z210 to setup as a kubernetes cluster at home.
The first two worked as expected to install Ubuntu 18.04 but the z210 just fails installation right at the end.
I've updated the BIOS, I've tried a different hard drive, (obviously I've turned off secure boot), I've downgraded the BIOS, I've cursed, spoken harsh language at it and sprinkled it with holy water, still it fails.
A Google search of the problem gave one hit similar to my problem but it did not help me.
Currently I'm on my 5th glass of wine, if not solved tomorrow I'm hiding it at work until the next "downsizing" and it will have an accident from the 9th floor.
I've spent 150$ on it but I have the economy to nurture my mental health... Not all the time but this time it feels worth it!!!3 -
the red haired girl and the blue haired girl.
there was this story about a programmer who spent years studying computer science before finally getting a job.
the dev studied only computer science and was put on blue team after a few days.
a few hours into one of the constant coding sessions, the boss told the devs that red team members and blue team members would be working in pairs.
the person from red team transferred the devs work to their data base without the dev knowing, then locked down the devs computer. the dev could not do anything. later, the dev got fired for not doing any work. after that, the company got millions of dollars, and the dev did not see any of it.
both the dev and the managers made a note not to hire any programmer who cannot secure their work.
it is not ethical to teach people programming without also teaching them cyber security.
computer networking, programming and security should all be the same major.
it is a bad idea to teach people how to build anything without telling them how to secure it.
the story above was just a scenario, but it probably happens way more often than people think.
Schools should teach both things in the same major.5 -
Approx. 24 hours ago I proceeded to use MEGA NZ to download a file. It's something I've done before. I have an account with them.
This is part of the email I received from MEGA NZ following the dowload: "
zemenwambuis2015@gmail.com
YOUR MEGA ACCOUNT HAS BEEN LOCKED FOR YOUR SAFETY; WE SUSPECT THAT YOU ARE USING THE SAME PASSWORD FOR YOUR MEGA ACCOUNT AS FOR OTHER SERVICES, AND THAT AT LEAST ONE OF THESE OTHER SERVICES HAS SUFFERED A DATA BREACH.
While MEGA remains secure, many big players have suffered a data breach (e.g. yahoo.com, dropbox.com, linkedin.com, adobe.com, myspace.com, tumblr.com, last.fm, snapchat.com, ashleymadison.com - check haveibeenpwned.com/PwnedWebsites for details), exposing millions of users who have used the same password on multiple services to credential stuffers (https://en.wikipedia.org/wiki/...). Your password leaked and is now being used by bad actors to log into your accounts, including, but not limited to, your MEGA account.
To unlock your MEGA account, please follow the link below. You will be required to change your account password - please use a strong password that you have not used anywhere else. We also recommend you change the passwords you have used on other services to strong, unique passwords. Do not ever reuse a password.
Verify my email
Didn’t work? Copy the link below into your web browser:
https://mega.nz//...
To prevent this from happening in the future, use a strong and unique password. Please also make sure you do not lose your password, otherwise you will lose access to your data; MEGA strongly recommends the use of a password manager. For more info on best security practices see: https://mega.nz/security
Best regards,
— Team MEGA
Mega Limited 2020."
Who in their right mind is going to believe something like that that's worded so poorly.
Can anybody shed some light on this latest bit of MEGA's fuckery?
Thank you very much.4 -
Hey. I'm still very new to CloudFlare and I have a question.
Let's say that I have 4 sub domains: a.test.com, b.test.com, c.test.com, d.test.com. They're all under the same domain (test.com).
I have a page rule setup specifically for a.test.com, where "Disable security" is set to On. I did this as a temporary solution so that I can figure out the problems that a.test.com has when the security is enabled (had users complaints regarding not being able to send requests with CF security On), so that it is still accessible while I try to fix it..
By disabling security for a.test.com, do I put the others (b, c, d) at risk? I had someone telling me that it is possible for attackers to make use of a.test.com (unprotected by CF) in order to attack the other sub-domains. "a.test.com has no protection so attackers can use it to send requests to other secured subdomains, cross-site attack" or something along that line.
I don't get this. I thought a page rule is supposed to be active only for the domain where it's being set up and the rest will still be secured, and that if an attacker manages to attack another subdomain it's due to the others not having secure applications inside of them.
Dunno if that person was telling the truth or tried to mess around with me with their joke!
Thanks!5 -
One of our partners sent me a Key Injection Tool to inject encryption keys into a PINPAD with. Looks like they were short on developers and had to hire Python typists who have made a mess of a simple AES encryption/decryption. When do these companies learn that writing a security related software in Python is not really secure? I had to read the rubbish in Python and read it from scratch in C++ to get it to work, and am now contemplating whether to provide that company with my version of their Key Injection Tool or not...2
-
I have the following scenario with a proposed solution, can anyone please confirm it is a secure choice:
- We have critical API keys that we do not want to ship with the app because de-compiling will give access to those keys, and the request is done before the user logs in, we are dealing with guests
Solution:
- Add a Lambda function which accepts requests from the app and returns the API keys
- Lambda will accept the following:
1. Android app signing key sha1
2. iOS signing certificate sha1
- If Lambda was able to validate them, the API keys are sent back.
My concerns:
- Can an attacker read the request from the original (non-tampered) apk and see what the actual sha1 value is on his local network?
- If the answer to the question above is yes, what is the recommended way to validate that the request received is actually from the app that we shipped and not from curl/postman/script/modified version of the app11 -
People who generalize any technology as 'bad' or "worthless" (or worse, proclaim it is not secure, doesn't work correctly, or has specific problems it doesn't have) when the technology is widely and obviously appropriately used in practice just make themselves look bad. It's like getting mad at a hammer. It's just a tool. If you don't like it, don't use it. If you think it needs improvement, contribute to improving it. Non-constructive criticism is a waste of your time as a software developer.
-
I'm kinda looking for a new phone, should be super cheap (so a used one would do), I wanna modify it to be secure (proper encryption, VPN, etc.), very good battery time and not very big (more like 4"). I have been looking at the Lenovo P2 a lot, but I'm afraid my current phone will die before I have enough money for that one (I'm a broke trainee yay).
So what do y'all have or can recommend?
-
so i've been working with a ux/graphic designer on a pretty large project that will likely have many services attached to it, it's been in "active" development for about a year now. something that concerns me however is how uncertain i feel about what i'm doing, constant questions like "am i doing this right", "is this secure", and many like them plague my mind while i'm coding and it's really discouraging. when i was just learning i didn't really take any heed from these questions, in fact i never even really thought about them so why am i now? i feel like if i'm able to just work and have fun i will be so much more productive and happy. my partner has been learning front end and has been doing great, me i'm working on front and back end. i have been making most of the decisions in regards to our stack but i feel like i'm making them arbitrarily and to attribute to this fact, i have switched things up several times, we went from react to an mvc framework and now i'm considering going back to react. i just can't seem to keep on track with my decisions, if any of you have experienced this before i would really like some advice on how i can be productive again and not fall into this never-ending abyss of doubt.
-
I deployed a website and hosted it today. Also used an SSL certificate but now when I'm opening it on another device with its own data connection, it is not loading and showing error "This site can’t provide a secure connection".
But if my device is connected to wifi, the website is functioning normally. Can anybody help me out? My website - https://covid-india.live/
-
🐟💩The image i fetch from s3 is of type byte array
I return it to angular as an ArrayBuffer
Which then needs to be somehow converted to an image so i can fucking show it
Then after research i had to convert ArrayBuffer to Blob
And from Blob to URL encoded object which returns a string that now shows the full image in img tag
Somehow, by sheer trial and error i have just accidentally made a very secure way of fetching a very sensitive piece of document (verification document with user's personal data on it) and now in browser this is shown as blob:shit-image/random-hash. Not even the file extension. This means nobody can download this image. You fucking can't. Its a Blob motherfucker! Like a Blob Fish. It saves either a .txt when you try to save it (no idea how) and if you try to open the image in new tab it shows gibberish text. This means you can read-only this highly sensitive document image and not manipulate it, not even download it. Perfect. I have just made a very secure software by accident.
(this blob fish looks like my shit)
-
hey, so i have recently started learning about node js and express based backend development.
can you suggest some good github repositories that showcase real life backend systems which i can use as inspiration to learn about the tech?
like for eg, i want to create a general case solution for authentication and profile management : a piece of db+api end points + models to :
- authenticate user : login/signup , session expire, o auth 2 based login/signup, multi account login, role based access, forgot password , reset password, otp login , etc
- authorise user : jwt token authentication, ip whitelisting, ssl pinning , cors, certificate based authentication , etc (
- manage user : update user profile, delete user, map services , subscriptions and transactions to user , dynamic meta properties ( which can be added/removed for a single user and not exactly part of main user profile) , etc
followed by deployment and the assoc concepts involved : deployment, clusters, load balancers, sharding ,... etc
----
these are all the buzzwords that i have heard that go into consideration when designing a secure authentication system for a particular large scale website like linkedin or youtube. am not even sure how many of these concepts would require actual codelines and how many would require something else.
so wanted inspiration from open source content to learn about it in depth, replicate and create new better stuff if possible .
apart from that, other backend architectures like video/images storage system, or just some server for movie, social media, blog website etc would also help.
-
EY and ConsenSys announced the formation of the Baseline Protocol with Microsoft which is an open source initiative that combines cryptography, messaging and blockchain to deliver secure and private business processes at low cost via the public Ethereum Mainnet. The protocol will enable confidential and complex collaboration between enterprises without leaving any sensitive data on-chain. The work will be governed by the Ethereum-Oasis Project.
Past approaches to blockchain technology have had difficulty meeting the highest standards of privacy, security and performance required by corporate IT departments. Overcoming these issues is the goal of the Baseline Protocol.
John Wolpert, ConsenSys’ Group Executive for Enterprise Mainnet added, “A lot of people think of blockchains as the place to record transactions. But what if we thought of the Mainnet as middleware? This approach takes advantage of what the Mainnet is good at while avoiding what it’s not good at.”
Source: ConsenSys
-
I need some clarity with the situation below.
I have my API ready.
Let's say I have a route /reset/token,
I want to be able to serve a html file with css and all that once I've processed the token internally.
I've not worked with the whole stack before so I've never really served files based on conditions, i.e. if the token is valid serve x else serve y.html
Also, I'm pretty sure node.js isn't the best for serving files.
So I'm taking another approach with nginx which is to implement /reset/token to serve the static file with its coupled js file to query the API. Seems standard to me but I have this feeling that a prefilled html would be more secure than one with exposed js.
Is this the right way? Should I worry about my API calls being exposed via the js file? Is obfuscation the only way to handle this? Is this the way everyone does it cause somehow I don't see the key js files in most sites. How are they hidden if so? Or are they?
I'm confused and also nginx won't let me rewrite /reset/token to something else without changing the browser url field. How do I prevent that?
-
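The JS file and the API routes it calls are public on every site, obfuscated or not; what keeps a reset flow safe is the server deciding, per request, whether the token in the URL is still valid, and the page it serves depending on that decision. The module below is an added example written for this thread, not the poster's API or nginx setup: it shows the server-side half (issue a random token, store only its hash, expire it, consume it once) and a `page_for` function that picks which HTML to return for a GET of /reset/token. The token store, the two HTML snippets and the function names are constructed stand-ins; the same logic fits behind any Node route or nginx `proxy_pass`.

```python
"""Added example: server-side decision of which page to serve for
/reset/<token>. The store, templates and route helpers are constructed
stand-ins; only hashlib/hmac/secrets from the standard library are used."""
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # reset links stop working after 15 minutes


class ResetTokenStore:
    """In-memory store mapping sha256(token) -> (user_id, expires_at).
    Only the digest is kept, so a leaked table yields no usable links."""

    def __init__(self):
        self._tokens = {}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id, now=None):
        """Create a fresh, unguessable token (256 random bits) for user_id."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._tokens[self._digest(token)] = (user_id, now + TOKEN_TTL_SECONDS)
        return token

    def _lookup(self, token, now):
        key = self._digest(token)
        entry = self._tokens.get(key)
        if entry is None:
            return None
        user_id, expires_at = entry
        if now >= expires_at:
            del self._tokens[key]        # garbage-collect expired entries
            return None
        return user_id

    def peek(self, token, now=None):
        """Validate without consuming (used when rendering the form)."""
        now = time.time() if now is None else now
        return self._lookup(token, now)

    def consume(self, token, now=None):
        """Validate and invalidate: the link works exactly once."""
        now = time.time() if now is None else now
        user_id = self._lookup(token, now)
        if user_id is not None:
            del self._tokens[self._digest(token)]
        return user_id


# Constructed stand-ins for the real templates (x.html / y.html in the post).
RESET_FORM = ("<form method='post' action='/reset/{token}'>"
              "<input type='password' name='new_password'>"
              "<button>Set password</button></form>")
INVALID_PAGE = "<p>This reset link is invalid or has expired.</p>"

# Headers every response in this flow should carry: the token lives in the
# URL, so keep it out of caches and out of Referer headers to third parties.
RESET_HEADERS = {"Cache-Control": "no-store", "Referrer-Policy": "no-referrer"}


def page_for(store, token, now=None):
    """GET /reset/<token>: (status, html) chosen by the server, not by JS."""
    if store.peek(token, now) is None:
        return 404, INVALID_PAGE
    return 200, RESET_FORM.format(token=token)


def finish_reset(store, token, now=None):
    """POST /reset/<token>: returns the user_id to update, or None.
    Consuming here (not on GET) means a preview or link scanner cannot
    burn the token before the user submits the form."""
    return store.consume(token, now)
```

Nothing in the browser-visible JS needs to be hidden under this design: the only secret is the token, it is bound to one user, it expires, and it dies on first successful use. Whether the form is served pre-rendered by the API or as a static file plus a script that calls the API makes no difference to that, so pick whichever is easier to maintain.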
Why in the fuck does everyone expose specific ports in Dockerfiles?
If I wanted to expose the port, I would fucking expose it.
Currently can't run my home infra platform because I'm running two separate instances of MariaDB on the same private internal network. These are two databases for two separate applications.
Why don't I run them on one? Because they're two separate fucking applications.
Why the fuck can I not do this when I used to be able to do it a week ago.
Stop exposing your fucking ports in your fucking Dockerfiles.
This shit is getting so bad, I'm just about to throw my towel in on all fucking containers and just install everything in multiple VM environments.
I am God damn appalled that after 8 years of using docker, core concepts like a port exposure is being leveraged as a way to somehow circumvent poor security practices.
You want a secure container environment? Expose your own goddamn ports.
Fuck you MariaDB, and fuck you docker.