Do all the things like ++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatarSign Up
Get a devDuck
Rubber duck debugging has never been so cute! Get your favorite coding language devDuckBuy Now
Search - "only a "backdoor""
Confessions of a Programmer
If a client is an unbearable asshole during the initial communication, I look for every excuse to pad on the hours for the estimate to get paid more. If a client goes above and beyond in their douchbaggery, I tack on an additional $40/hour.
Sometimes I will present an elaborate solution to a client, but really I'm just reading off the features of a plugin or library I'm going to download or buy after the call. Not because I can't build it myself, but because I'd rather spend more time on other/my own projects.
Clients assume because I know one language, I know them all. Rather than turning down the work, I take a crash course to work in that language, or outsource the work and clean it up afterwards, whichever is more practical at the time.
I use cPanel on a dedicated to manage our client websites. I'm not paid enough to bother with setting up everything manually.
Certain projects I build have a 3-day backdoor built into it. If the client doesn't pay upon completion, a unique hash triggered as a GET variable deletes a core file in my work, rendering the work useless. If it wasn't triggered by the 4th day, the file allowing me to trigger this backdoor is removed. This is only used for clients where the project must be launched on their servers, or if there has been a previous issue collecting payment.
I slip in the initial contract that all preceeding phone calls will be monitored and recorded, and that they acknowledge the recordings are admissable in court. This has saved me from losing money twice now.
I have never used an IDE. (I know, I know, it's really inefficient and dumb, but I'm just more comfortable with Sublime. Plus I often find myself mobile and without my computer, so I have to program from my phone.)
Each day resembles a betting spectacle of which work will be late, which will be rushed out and which will never see the light of day.
I have used "sick" and "family emergency" as an excuse to just sleep in far more than I can count.
When a client from hell crosses over the line in their conduct (such as getting very nasty and personal, or sending threats), I anonymously report them to the BBB and on RipOffReport.22
Today was my last day of work, tomorrow i have officially left that place. It's a weird feeling because i'm not certain about the future.
The job was certainly not bad, and after all i read on devrant i'm beginning to believe it was one of the better ones. A nice boss, always something to eat/drink nearby, a relaxed atmosphere, a tolerance for my occasionally odd behaviour and the chance to suggest frameworks. Why i would leave that place, you ask? Because of the thing not on the list, the code, that is the thing i work with all the time.
Most of the time i only had to make things work, testing/refactoring/etc. was cut because we had other things to do. You could argue that we had more time if we did refactor, and i suggested that, but the decision to do so was delayed because we didn't have enough time.
The first project i had to work on had around 100 files with nearly the same code, everything copy-pasted and changed slightly. Half of the files used format a and the other half used the newer format b. B used a function that concatenated strings to produce html. I made some suggestions on how to change this, but they got denied because they would take up too much time. Aat that point i started to understand the position my boss was in and how i had to word things in order to get my point across. This project never got changed and holds hundreds of sql- and xss-injection-vulnerabilities and misses access control up to today. But at least the new project is better, it's tomcat and hibernate on the backend and react in the frontend, communicating via rest. It took a few years to get there, but we made it.
To get back to code quality, it's not there. Some projects had 1000 LOC files that were only touched to add features, we wrote horrible hacks to work with the reactabular-module and duplicate code everywhere. I already ranted about my boss' use of ctrl-c&v and i think it is the biggest threat to code quality. That and the juniors who worked on a real project for the first time. And the fact that i was the only one who really knew git. At some point i had enough of working on those projects and quit.
I don't have much experience, but i'm certain my next job has a better workflow and i hope i don't have to fix that much bugs anymore.
In the end my experience was mostly positive though. I had nice coworkers, was often free to do things my way, got really into linux, all in all a good workplace if there wasn't work.
Now they dont have their js-expert anymore, with that i'm excited to see how the new project evolves. It's still a weird thing to know you won't go back to a place you've been for several years. But i still have my backdoor, but maybe not. :P16
So today (or a day ago or whatever), Pavel Durov attacked Signal by saying that he wouldn't be surprised if a backdoor would be discovered in Signal because it's partially funded by the US government (or, some part of the us govt).
Let's break down why this is utter bullshit.
First, he wouldn't be surprised if a backdoor would be discovered 'within 5 years from now'.
- Teeny tiny little detail: THE FUCKING APP IS OPEN SOURCE. So yeah sure, go look through the code! Good idea! You might actually learn something from it as your own crypto seems to be broken! (for the record, I never said anything about telegram not being open source as it is)
- The server side code is closed (of signal and telegram both). Well, if your app is open source, enrolled with one of the strongest cryptographic protocols in the world and has been audited, then even if the server gets compromised, the hackers are still nowhere.
- Metadata. Signal saves the following and ONLY the following: timestamp of registration, timestamp of the last connection with the server (both rounded to the day so not on the second), your phone number and your contact details (if you authorize it) (only phone numbers) in HASHED (BCrypt I thought?) format.
There have been multiple telegram metadata leaks and it's pretty known that it saves way more than neccesary.
So, before you start judging an app which is open, uses one of the best crypto protocols in the world while you use your own homegrown horribly insecure protocol AND actually tries its best to save the least possible, maybe try to fix your own shit!
*gets ready for heavy criticism*22
So as quite some people know on here, I am strongly against closed source software and have a very strong distrust in it as well.
So next to some principles (and believes etc etc etc) there is one specifc 'event' which triggered the distrust in CSS (No not Cascading Style sheet, I mean Closed Source Software :P). So hereby the story about what happened.
I think it was about 5 years ago when a guy joined my programming class (I wasn't in uni although I studied but for the sake of clarity, lets just call it uni for now (also, that makes me feel smarter so why the fuck not!)) in uni. He knew a shitload about programming for his age but he was convinced that he was always right. (that aside)
Anyways, at some point we had to work in groups on this project (groups for specific tasks) and he chose (he loved it, we hated it, he had the final say) Trello for 'project management'. He gave everyone (I was running Windows for a little bit at that moment because the project was in C# and the Snowden leaks had not arrived yet so I was not extremely uncomfortable with using Windows, just a lot) this addon program thingy he created for Trello which would make usage easier. I asked if it was open source, he replied with 'No, because this is my project.' and although I did understand that entirely, I didn't feel comfy using it because of it's closed source nature. Everyone declared me paranoid and he was annoyed as hell but I just kept refusing to use it and just used the web interface.
*skips to 2 years later*
I met that guy again at the train station at a random day! Had the usual 'how are you and what's up after a few years' talk with him and then he told me something that changed my view on closed source software for most probably the rest of my life.
"Hey by the way, do you remember that project of a few years back where you didn't want to use my software because of your 'closed-sourceness paranoia'? I just wanted to say that I actually had some kind of backdooring feature build in which (I am not going to say what) allowed me to (although I didn't use it) look at/do certain things with the 'infected' computers. I really wanted to say that I find it funny how you, the only one who didn't give in to my/the peer pressure, were the only one who wasn't affected by my 'backdoor' at that moment! Also your standards towards the use of closed source software probably played a big part probably. I find that pretty cool actually!"
Although I cannot confirm what he said, he was exactly the type of guy who would do this IMO (and not only IMO I think).
So yeah, that's one of the reasons AND the story behind a big part of why I don't trust closed source software :).8
Recently I got an E-Mail from PayPal.de with the headline "Your account gets limited". Fun Fact: I don't have a PayPal account.
This Mail got me curious though, as it couldn't be a phishing mail, since I don't have a PayPal account in the first place, so I opened the e-mail just to get greeted by pure emptiness. It was completely empty. I thought to myself "oh no, is this some sort of new trick? Did I get infected by some sort of a weird hacky backdoor trojan already?!"
Original E-mail Address: NULL (never seen this before)
I then realized, that Thunderbird blocked the only content from this mail: a clickable image.
This is getting even more confusing the longer I examine this unique mail. The image is showing me a domain from a site completely unrelated from PayPal, so it was obviously no phishing, but I didn't trust this clickable image, so I looked up its hidden link to find an even more confusing redirection to not a picture upload site like the image suggests, but to a game key reselling site instead, like wtf? What was the whole point of this whole e-mail? Was this a weird try to make advertisements for more than one website? It wasn't even a ref-link or something like that. It was just weird, iunno.11
Wordpress. The only backdoor with a plugin system and CMS included.
I have to clean ANOTHER. Hacked WordPress site. One wrong decision and you have to support it for the life time :'(9
!rant Scary Stuff...
Not sure what are the rules on sharing external content, but this story freaked me out and I wanted to share with you.
Pretty scary stuff, maybe something like this is already in the wild? Especially with the NSA and other power groups trying to exploit vulnerabilities and infiltrate everything...
Found it originally on the rational subreddit. Here is the link:
It's about the The Ken Thompson Hack:
"Ken describes how he injected a virus into a compiler. Not only did his compiler know it was compiling the login function and inject a backdoor, but it also knew when it was compiling itself and injected the backdoor generator into the compiler it was creating. The source code for the compiler thereafter contains no evidence of either virus."
How to detect/deal with something like this? better no to think too much about this.2
I'm in a react/vue/angular/polymer-debate. Lets continue this here, but only with the worst arguments you heard about these 4.
React: "I dont like it, facebook might have a backdoor in the code so they can see what we're developing"
Angular: "We use Google Cloud, angular is developed by google too. There is a synergy between the two"