Search - "otp"
-
That is peak security:
- Require time-based OTP for login
- Also require reCAPTCHA for login
- Select the frickin bus, palm tree and crosswalk 93 times
- Finally manage to please the algorithm
- The 30 second validity window of TOTP expired
*GAAH!*
-
Just saw this in the code I'm reviewing:
    function encryptOTP(otp){
        var enc = MD5(otp); // MD5 is an unkeyed hash, not encryption
        return enc;
    }
-
@netikras since when does proprietary mean bad?
Lemme tell you 3 stories.
CISCO AnyConnect:
- come in to the office
- use internal resources (company newsletter, jira, etc.)
- connect to client's VPN using Cisco AnyConnect
- lose access to my company resources, because AnyConnect overwrites the routing table (rather normal for VPN clients)
- issue a route command updating the routing table so you could reach the Confluence page in the intranet
- route command executes successfully, `route -n` shows nothing has changed
- google this whole WTF case
- Cisco AnyConnect constantly overwrites the OS routing table to FORCE you to use VPN settings and nothing else.
Sooo basically if you want to check your company's email, you have to disconnect from the client's VPN, check email and reconnect again. Neat!
Can be easily resolved by using an open-source VPN client -- OpenConnect
CISCO AnyConnect:
- get a server in your company
- connect it to client's VPN and keep the VPN running for data sync. VPN has to be UP at all times
- network glitch [uh-oh]
- VPN is no longer working, AnyConnect still believes everything is peachy. No reconnect attempts.
- service is unable to sync data w/ client's systems. Data gets outdated and eventually corrupted
OpenConnect (OSS alternative to AnyConnect) detects all network glitches, reports them to the log and attempts to reconnect immediately. Subsequent reconnect attempts get triggered with longer delays so as not to spam the network.
SYMANTEC VIP (alleged 2FA?):
- client's portal requires Sym VIP otp code to log in
- open up a browser on your laptop
- navigate to the portal
- enter your credentials
- click on a Sym VIP icon in the systray
- write down the shown otp number
- log in
umm... in what fucking way is that a secure 2FA? Everything is IN the same fucking device, a single click away.
Can be easily solved by open-source alternatives to the Sym VIP app: they make HTTP calls to Symantec to register a new token and return you the whole TOTP URL. You can convert that URL to a QR code and scan it w/ your phone (e.g. Google's Authenticator). Now you have a true 2FA.
Proprietary is not always bad. There are good propr sw too. But the ones that are core to your BAU and are doing shit -- well these ARE bad, and w/o an opportunity to workaround/fix it yourself.
-
So here I am, screwing around with the Google Authenticator app and the dodgiest base32 code generator I've ever built and generating a 56 char unique ID, and an 8 digit time based code.
WTF, all these products, services and logins that use 6 digit codes... and this fucking thing can handle 8 without breaking 😑
Now... to hook it into a QR code class... and spit out an image I can actually scan, without calling google charts api.
I can't say I've written one of those before 🙃
-
“Fullstack dev morphs into a security expert”
We have a simple user registration system. Get the user details, generate an OTP, save in Oracle, email the OTP. The SMTP host is configured to send emails only to people who have an existing @a_very_famous_bank.com email address.
As a part of an enhancement request, the other day, we were trying to register a non-bank email address. As expected, it failed.
Manager: Meeting... meeting... meeting
Me: (Explained the problem)
Fullstack dev: so the thing is.. it’s like.. (doesn’t falter to open with these lines)...what I can do is...I can send you an HTTP security header in the HTTP request. It’ll work!
Me: (I hope an adult giraffe fucks you in your belly button)
More to come!
-
Working in a bank, using Microsoft platform:
To open my email, I need to enter my password and SMS OTP.
To open my email using phone, I need to enter my password and SMS OTP.
To open Teams, I need to enter my password and SMS OTP.
To open Teams using phone, I need to enter my password and SMS OTP.
To access Microsoft Azure, I need to enter my password and SMS OTP.
To git pull/push, I need to enter my SMS OTP.
To check UAT logs, I need to enter my SMS OTP.
To get access to UAT DB, I need to connect to VPN, which then asks for OTP.
Did I also mention that I need to do these OTPs every single fucking day?
#OTPDrivenDevelopment
-
Remember to always implement a backup solution if the first one fails.
Don’t break the experience for the user. 😉
-
Today was the smoothest PHP session I ever had!
Implemented an OTP system for a project in about 2 hrs without any hurdles.
PHP is awesome with OOP!
Now I can get a good sleep. Goodnight!
-
This just happened a few seconds ago and I am just laughing at the pathetic site that is Facebook. xD
4 years ago:
So I was quite a noobie gamer/hacker (sort of) back then and I had a habit of having multiple Gmail/FB accounts, just for gaming, like accounts through which I can log in all at once in the same poker room, so 4/5 players in the game are me, or just some multiple accounts for Clash of Clans for donations.
I had 7-8 accounts back then. One had a name that translated to "may the dead remain in peace"@yahoomail.com. It was linked to FB using the same initials. After some time only this and 2 of my main accs were all I cared about. Even today when I feel like playing, I sometimes use those accs.
2 years ago:
My dad is a simple man and was quite naive to modern tech and used to hang around with physical-button Nokia phones. But we had a business change, my father was now in a partnership in a restaurant where his daily work included a lot of sitting and casual working. So he bought a smartphone for some time pass.
He now wanted to download apps and me to teach him. I tried a lot to get him his own acc, but he couldn't remember his login credentials.
So at the end I added one of my own fake IDs (maythedead...) so he could install from Play Store, watch vids on YouTube and whatever.
The Actual Adventure starts now
Today, 1 hour ago:
I had completely forgotten about this incident, since my parents are now quite modern in terms of tech.
But today out of nowhere I received an email that someone has JUST CHANGED MY FB PASSWORD FOR ONE OF MY FAKE ACCS!?!??
What the hell, I know it was just a useless acc and I never even check my FB from any acc these days, but if someone could log in to that acc, it's not very difficult to track my main accs, IDs, etc., so I immediately opened this FB security portal and that's where the stupidity starts:
1) To recover your account they FUCKING ASK FOR A PHYSICAL ID. Yeah, no email, no security question, you have to scan your driving license or passport to get back to your account. And where would I get a license for some person named "may the dead remain in peace"? I simply went back.
2) Tried another hack that I thought would work. Closed the FB help page, opened FB again, tried to log in with my old credentials, it says "old password has been changed, please enter new password", I click forgot password and they send an OTP. I thought yes I won, because the number and recovery mail ID were mine only so I received it.
When I added the OTP, I was first sent to a password change page (woohoo, I really won! :)) but then it sends me again to the same fucking physical ID verification page. FFFFFFFFFuck
3) I was sad and terrified that I got hacked. But 10 mins later a mail comes, "Your Facebook password was reset using the email address on Tuesday, April 10, 2018 at 8:24pm (UTC+05:30)."
I tried clicking the links attached, hoping that the password I changed (point 2) has actually done something to the account. NADA, the account still needs a physical license to open :/
4) Lost, I just log in to my main account and look up my lost fake account. The fun part: my account has the display pic of my father?!!?!
So apparently, my father wanted to try Facebook, he used the fake account I gave him to create one, FB showed him that this ID already has an FB account attached to it and he accidentally changed my password. MY FATHER WAS THE HACKER THE WHOLE TIME xD.
But the response from FB? "Well sir, if you want your virtually shitty account back, you first will have to provide us with all details of your bank transactions or your voter ID card, maybe Trump will like it"
-
Me: Yeah dude, totally. I support Right To Privacy.
Also Me: To get OTP filled automatically, I need to ask the Receive SMS permission from the user. Also to send them, too.
😂😂😂😂
-
It was my first job as an embedded engineer. I was hired to write firmware for an ARM microcontroller that has a BLE radio. But the microcontroller we used didn't have FLASH, it had SRAM and an OTP (one time programmable) memory. In BLE you can make a proximity beacon and when a phone passes by this beacon it will get a notification '<device_name> nearby'.
I thought it would be funny if I kept the device name 'MILF' (the original name of the device is FLIP) so when somebody's phone is in proximity it will have a notification 'MILF nearby'. The joke didn't work as nobody has their Bluetooth switched on by default, but I forgot to change it before programming the OTP memory.
I just buried that device and told everyone it is not working properly
-
It was more of a "hate story" with a guy whose mere presence would irritate me very much. He was also close to the girl I liked a bit (not a very huge crush or something).
So he was very active on two of his social networks, one being FB and the second directly connected to FB, so basically getting hold of FB would mean that I could control his other one too.
It was Oct 2016 and at that time you could easily hack an account using social hacking (not asking OTP or something, mere details did it for a few accounts).
I hacked his account and wrote curse words and all. As I had already changed the email and password, he couldn't retrieve it till date.
However as he reported to FB, his account was held and I could no longer access it, but by then everything was over.
I still couldn't spot him on FB or the other social network.
And this was one of the most evil acts I have performed in my life.
-
So, I use this bulk messaging service and they decided to make logins OTP only ("for security reasons", they say), sent to your email.
So instead of entering a password quickly,
- enter the password for your email account,
- click about 10 times on Resend OTP
- wait for OTP
- copy OTP and paste in the box.
So basically relying on the person's email provider's security rather than deploying their own.
-
!rant. Story from my college abt 6 months old.
We had to make projects for our course.
One team made a very nice project. One part of that was mobile no. verification using OTP.
And the student who was supposed to do that did it by sending the required OTP to the frontend page, and when the user enters it, validating it using JavaScript.
The prof got mad about it and the rest of the class couldn't stop laughing.
Just remembered. Thought it would be worth sharing. -
Definitely the first Android app I decided to fork.
It was an open source OTP authenticator which hadn't been actively developed for 2 years at that point. At first I only did some small fixes and minor visual improvements but by now it's evolved into its own project with a lot of contributors and users on both Google Play and F-Droid.
When I started I had no knowledge of Java or Android development whatsoever. So it basically forced me to learn lots of new stuff, especially once issues started to come in. By now I've learned so much on this project that I'm thinking about re-writing the whole thing from scratch because I question some of the design choices from the original app I forked...
GitHub: https://github.com/andOTP/andOTP
-
When you need Google's internet the most... it decides to mess with you... triple checked the OTP to make sure it wasn't my mistake... entered it thrice and it gets rejected... only to accept it when the train arrives
-
🔥👽🤘🏻
I've been CRUSHING it lately, so stoked!!!
**Also, this means that in the near future something will crush me because I have a few subjects on deck I need to lock down.
1. Deno
2. TypeScript(deep dive)
3. CPP (currently 75% done with my 2nd masterclass, first one complete)
4. Multi-platform local device storage (Sqflite/mongoDB/shared preferences/Hive)
5. REST/api/requests/json management && application
6. Implementing Firebase authentication using Apple, Twitter, and mobile OTP
7. Cloud functions && server scripting/automation
8. Intro to embedded systems/OS/kernels
9. Steadily improve my code style, design strategies, and build patterns that are team friendly && provide easier code base maintainability
10. Influence, teach, and/or spark the interest of someone new to development in any way possible - all that matters is getting new people on board, making sure they are stoked about it, and last but not least making sure they feel welcome in the community and are able to start off in the right direction.
cheers, ya fockers!!!! -
Boltt coin is total bullshit, never use this app, a total data stealer. They will say they will reward you, but when you are going to claim it, their OTP will not work. Total data selling fraud.
-
This is a part rant-part question.
So a little backstory first:
I work in a small company (5 including me) which is mostly into consultation (we have many tech partners where we either resell their products or, if there is a requirement from one of our clients, we get our partners to develop it for them and fulfill the client requirements), so as you can see there are a lot of external dependencies. I act as a one-hat-fits-all tech guy, handling the company websites, social media channels, technical documentation, tech support, quick POCs (so anything to do with anything technical, I handle). I am a bit fed up now, since the CEO expects me to do some absurd shit (and sometimes micromanages me, like WTF, I am the only one who works there with 100% commitment) and expects me to deliver it by yesterday.
So anyway, long story short, our CEO finally had the brains to understand that we should start having our own product (which I had been subtly suggesting to him for a while now!).
Now he came up with a fairly workable concept that would have good market reach (I at least give him credit for that) and he wanted me to suggest the best way to move forward (from both a business and a technical point of view). The concept is to have an auction-based platform for users to buy everyday products.
I suggested we build a web app as opposed to a mobile one (which is obvious, since I didn't want to develop a separate website and a mobile app, and anyway just because we can doesn't mean we have to make a mobile app for everything), and recommended the Node/React based JS tech stack to build it.
At first he wanted me to single-handedly build the whole platform within a month, I almost flipped (but me being me) then somehow calmed down and finally was able to explain to him how complicated it was to single-handedly build a platform of such complexity (especially given my limited experience; did I mention that this is my first job and I am still in college, yeah!!) and convinced him to get an experienced back-end dev and another dev to help me with it.
Now comes the problem: I was to prepare a scope document outlining all the business and technical requirements of the project along with a tentative cost, which was fairly straightforward. I am currently stuck at deciding the server requirements and the system architecture for the proposed solution (I am thinking of either going with AWS - which looks a bit complicated to set up - or going with either DigitalOcean or Heroku):
I have assumed that at peak times we would have around 500-1000 concurrent users
And a daily user base of 1000 users (at least for the first few months of the platform running)
What would be the best way forward guys?
I did some extensive (I mean I read through some Medium blogs! and AWS documentation) research and put together the following specs (if we are going with AWS):
One AWS t3.medium EC2 instance for the Node server (two if we want high availability by coupling with the AWS load balancer and Elastic Beanstalk)
The db.t3.small Postgres database
The S3 storage bucket (100 GB) for the React front end hosting
AWS SNS for email/SMS OTP and notifications
And AWS CloudMonitor for logging and monitoring.
Am I speculating the requirements properly, where have I missed?
Can you guys suggest what is the best specification for such a requirement (how do you guys decide what plan to go with)?
Any suggestions, corrections, advice are welcome
-
Namecheap doesn't trim the space in the OTP code when you submit it...
if you manually delete the space, it goes through
I mean, it's the little things
-
Am I incredibly paranoid with my idea of multiple (>2) factor auth like fingerprint+yubikey+password+OTP aso?
-
Spent days to set up a newer Android version with a reverse-proxy HTTPS certificate in its CA store + one that'd support Google Play and signing in (old school man-in-the-middle).
FINALLY got the API calls of this 1 app whose unofficial client I wanted to make coz their main sucks ass. Just to get stuck on the phone-number-based OTP that they use for their login (:
They send a unique token for each OTP request, I assumed they're using some hard-coded string based function, which they decrypt on their backend to verify.
Downloaded their APK and decompiled. Went through dozens of weird-ass-named classes (coz decompiled). For the 2nd time I thought I had it!
But no -.- they call Google's Firebase messaging for the phone-num OTP n that function simply called firebase, looked into that service n ofc it's very tightly coupled with the calling API's backend
It was fun while it lasted I guess~~~
-
Just built a solid desktop app for MacOS with Flutter that's worthy of shipping. I gotta say I'm pretty stoked about it, even if it isn't nearly as dope as LOIC. Haha chargin muh lazers!
I'll get some screenshots up soon!!
I also wrote a complete CLI interface for Firebase management using Python. Advanced auth abilities, CRUD capability, full JSON import/export, verification/password resets, you name it. Well, except full Firestore/mobile OTP features but it's still a win. Actually dicked around and made a cool little Firebase chat program in the terminal with the Python interpreter.
Finished up my first apps in React, React Native and Ember, my 2nd with Electron, and also got my first Firebase hosted site up and running. Solid day!!! Cheers to that. And cheers to all of you amazing bastards!
-
So a Malaysian app named MySejahtera (FYI, MySejahtera is a COVID tracking app) has been compromised! hahahha someone ran a while loop of GET requests (yes, they use a GET request for sending OTP, wtf) from a script to send OTPs to random users found in the database, hahahahaha
https://astroawani.com/berita-malay...
-
Finally, I just received an OTP message that said it would expire in 10 minutes.
The funny part is that I was trying to log in 2 hours ago on their (new client's) platform to review it.
And they said it is fully functional and you will have to fix some minor issues only.
I am thinking this way (it is so secure that you receive the OTP only after it has expired). 😅
-
How to implement freakin OTPs ...
Logging in ...
Click on Request OTP -> Not available
Click on Forgot password -> Send the OTP to both phone and Email.
The OTPs on phone and mail must not be the same.
So basically, user can't Login by entering OTP received on one of mail or phone.
Just ... fk the user while logging in already ... Entering the order entry in the database in twenty one minutes will do the rest. 😒
- Flipkart
-
So Facebook is shutting down AccountKit.
I was using this service to enable signup / signin using mobile number.
Guess I'll be switching to Firebase phone authentication. -
Which one is less risky and which one is most profitable to succeed?
0- telling the admin you forgot your password and as he's logging in, sniff his password (you already placed sslstrip)
1- gain access to router using its vulnerabilities and redirect the traffic to a fake page and get the password.
2- exploiting smb port of admin's system and placing a keylogger or stealing his cookies if available
3- brute forcing admin password :/
4- pressing forgot password on admin account and staying close to him and sniff the SMS containing the otp using rtl-sdr (and of course you will be prompted to set a new password)
5- any other way .
Also the website itself is almost secure.
It is using iis 8.5 and windows server 2012
Only open ports are 80 and 443.
-
First day back at work, lunch time now. So far I've been to one meeting and done no work. I can't get on to the VPN. We get OTP for the VPN via SMS. SMS is taking so long to come through that it has always expired by the time I get it
The kicker? I work for a cellular provider
-
Today I have received an email from gov. for some OTP. I found some interesting thing in the email. I have marked it in the picture. Typo in production and still didn't change.
-
Guys, is it possible to catch an OTP code sent from a website to a phone through the browser just because of a lack of security practice and a weakly coded script?
-
> * npm login *
> puts everything right, uses token because of OTP
> npm login fails: incorrect user or password
you know what, fuck you
-
Hey guys, I have almost developed the backend of an app like Reddit. My question is about authentication. How should I authenticate my user? Is a phone number necessary, to add phone OTP? Because I don't want to get into any legal trouble if someone posts objectionable content on the platform. Most of the apps today need a phone number, I don't know why except for reducing spam accounts.
Or shall I verify email by OTP? But it's hard to track disposable emails. I can't go for only Gmail too as it's banned in China. Email domains of China are weird.
Can I get into legal trouble for objectionable content posted by any evil user?
I don't want to go for auth.
-
I do it pretty regularly, maybe once or twice a week, depending on when I'm working on something interesting and want to get it done. Not very hard when you have coffee, headphones, good music, and enjoy what you do.
As for a story, I don't have much of one, unless you want one about implementing JWT tokens with a REST API along with trying to implement a 2FA system that would support OTP and U2F. Then nuking it from orbit two days later cause it looked like garbage from trying to abstract everything
-
I was today years old when I got to know that there is a way to auto detect OTP sent via SMS with SMS READ permission. WTF!!
-
Any Erlang guys over here?
I am getting into it after trying Elixir, just to get solid foundations (understand it better and OTP)
The goal is to get Erlang, Elixir and Phoenix under control
Now my questions:
Any good reads about maintenance scalability in a prod environment?
Thanks
-
Hey, so I have recently started learning about Node.js and Express based backend development.
Can you suggest some good GitHub repositories that showcase real-life backend systems which I can use as inspiration to learn about the tech?
Like for e.g., I want to create a general-case solution for authentication and profile management: a piece of DB + API endpoints + models to:
- authenticate user: login/signup, session expire, OAuth 2 based login/signup, multi-account login, role-based access, forgot password, reset password, OTP login, etc.
- authorise user: JWT token authentication, IP whitelisting, SSL pinning, CORS, certificate-based authentication, etc.
- manage user: update user profile, delete user, map services, subscriptions and transactions to user, dynamic meta properties (which can be added/removed for a single user and not exactly part of the main user profile), etc.
followed by deployment and the associated concepts involved: deployment, clusters, load balancers, sharding, ... etc.
----
These are all the buzzwords that I have heard go into consideration when designing a secure authentication system for a particular large-scale website like LinkedIn or YouTube. I am not even sure how many of these concepts would require actual code lines and how many would require something else.
So I wanted inspiration from open source content to learn about it in depth, replicate and create new better stuff if possible.
Apart from that, other backend architectures like video/image storage systems, or just some server for a movie, social media, blog website etc. would also help.