How it is to be a dev in my country?

At bit of an odd question this week.

For me (in the USA), it's being technical support for *every* website my family uses.

Over the weekend my wife visited her aunt and I get a call.

Wife: "How do I create an ebay account?"
Me: "I don't like where this is going. We already have an account."
Wife: "Not for me, dummy, Aunt T. She found some books she wants to buy on ebay."
Me: "You go thru the process to create an account? Email, name, password, etc."
Wife: "We tried that, but it's not working."
<few seconds of silence>
Me: "Oookaaay...why isn't it working? Is there an error?"
Wife: "I don't know, we already clicked off of it. Something about the email."
<few more seconds of silence>
Me: "Can you reproduce the error and tell me?"
Wife: "Uggh..are you serious? We've done it like 10 times, its not working. Just tell me what I need to do."
Me: "If you can't tell me the error, I can't help you. I'm not there and can't see what you see."
Wife: "Stop being an asshole."
<Aunt T takes the phone>
T: "Said something about using another email address. Does that help you?"
Me: "Are you sure you don't already have a ebay account?"
T: "No, I don't think so. I hate ebay. but I really want these books. I don't want the same problems as last time."
Me: "Last time?"
T: "Yes, I bought a coffee cup on ebay from China and it never arrived."
Me: "OK, so you do have an account?"
T: "I don't know, I mean, I never got the cup."
Me: "What email address did you use? I'll send a 'remind me' email so you can reset the password and login"
<go thru the motions, she is able to login>
T: "Ahhh...I do have an account! There are the golf balls I bought for <husband> for Christmas."
<face smack>
Wife: "Why didn't you do this from the start? I thought you knew a lot about computers. We basically figured this out ourselves. Goodbye!"
<click>

Shitty call
Me: what do you want?

Q: I Lost my iphone

Me: (already pissed) ok,do you have an icloud account?

Q: Yes, but i forgot the password.

Me: what!?!, ok, fine, we will reset it, which is your ID?

Q: I lost it too.

*stay calm* *stay calm*

Me: I can't help you go to an apple store and ask there. *I Close the call*

*Add that number to blacklist*

My dad got a new phone over the weekend and asked me to help him set it up (TL;DR his IPhone broke, he likely cussed out someone on the phone and now he's on android).

Setting up his bank app, I asked for his password (I somehow knew asking a 80+ year old man password questions wouldn't end well)

<pulls a card out of his wallet>
Dad: "Here you go."
Me: "This is your business card?"
Dad: "Yep. Password is at the bottom. That way I never forget it."
Me: "Jeez dad, you shouldn't have your bank's password on a business card. You don't give these out to people, do you?"
Dad: "Sometimes. Hell, they won't know what that is. Its just a bunch of nonsense."

Luckily the password didn't work. He had to reset it when his IPhone messed up and didn't remember what he changed the password to.

OK I can't deal with this user anymore.

This morning I get a text. "My laptop isn't getting emails anymore I'm not sure if this is why?" And attached is a screenshot of an email purporting to be from "The <company name> Team". Which isn't even close to the sort of language our small business uses in emails. This email says that his O365 password will soon be expiring and he needs to download the attached (.htm) file so he can keep his password. Never mind the fact that the grammar is awful, the "from" address is cheesy and our O365 passwords don't expire. He went ahead and, in his words, "Tried several of his passwords but none of them worked." This is the second time in less than a year that he's done this and I thought we were very clear that these emails are never real, but I'll deal with that later.

I quickly log into the O365 admin portal and reset his password to a randomly-generated one. I set this to be permanent since this isn't actually a password he should ever be needing to type. I call him up and explain to him that it was a phishing email and he essentially just gave some random people his credentials so I needed to reset them. I then help him log into Outlook on his PC with the new password. Once he's in, he says "so how do I reset this temporary password?" I tell him that no, this is his permanent password now and he doesn't need to remember it because he shouldn't ever need to be typing it anyway. He says "No no no that won't work I can't remember this." (I smile and nod to myself at this point -- THAT'S THE IDEA). But I tell him when he is in the office we will store the password in a password manager in case he ever needs to get to it. Long pause follows. "Can't I just set it back to what it was so I can remember it?"

NO FUCKING GOOD NIGHT FOR FLOYD.

THIS MULTI FACTOR AUTHENTICATION IS A FUCKING NIGHTMARE.

So my organisation uses some MFA app as an SSO to access any and everything. Fantastic. Absolutely wonderful. No VPN shit and one password to rule them all.

But, for some reason I accidentally deleted the app from my phone and as any normal human being would do, I also reinstalled the app.

Well, post reinstalling, the app does not detect the linked Org account.

I was cool, when I'll login, the system will throw a prompt to map the phone.

So I login to org URL from my machine and lo and behold, the URL says that MFA is already linked to the phone and I have to enter the Citrix type code to login.

But phone does not show the code because account is no longer linked and web does not have option to change/re-register the phone.

What the actual unholy fuck?????? Bloody retards. How am I suppose to get in now?

So after a Googling for a bit, a thread mentioned that this is most common issue faced by users with this MFA app. The only way to get this resolved is to contact your IT team.

Cool. Let's do that.

I opened the link to my IT portal and it asks me to login via SSO which is what I need help with in first place.

I can't login to Slack because fuckers ask SSO every time the app is exited. So no contact there.

Thankfully bastards allow Outlook so was able to drop a note to one of my team member, whom I connected recently and is very nice, asking her to help me sort this IT team.

If this is the most common use case then why the fuck not add a feature to help people overcome this shit?

And my IT team is absolute nuts. No other way allowed to reset the linking or connect them or any help links provided on login page.

Whoever was behind this design should be dipped in donkey shit and deep fried in pig urine.

this just happened a few seconds ago and I am just laughing at the pathetic site that is Facebook. xD
4 years ago:
So I was quite a noobie gamer/hacker(sort of) back then and i had a habit of having multiple gmail/fb accounts, just for gaming, like accounts through which i can log in all at once in the same poker room, so 4/5 players in the game are me, or just some multiple accounts for clash of clans for donations.
I had 7-8 accounts back then. one had a name that translated to "may the dead remain in peace "@yahoomail.com . it was linked to fb using same initials. after sometime only this and 2 of my main accs were all i cared about.even today when i feel like playing, i sometimes use those accs.

2 years ago.
My dad is a simple man and was quite naive to modern techs and used to hang around with physical button nokia phones.But we had a business change, my father was now in a partnership in a restaurant where his daily work included a lot of sitting job and and casual working. So he bought a smartphone for some time pass.
He now wanted to download apps and me to teach him.I tried a lot to get him his own acc, but he couldn't remember his login credentials.
so at the end i added one of my own fake ID's(maythedead...) so he could install from playstore, watch vids on youtube and whatever.

The Actual Adventure starts now
Today, 1 hour ago:
I had completely forgot about this incident, since my parents are now quite modern in terms of tech.
But today out of nowhere i recieved an email that someone has JUST CHAINGED MY FB PASSWORD FOR ONE OF MY FAKE ACCS!?!??
what the hell, i know it was just a useless acc and i never even check my fb from any acc these days, but if someone could login into that acc, its not very difficult to track my main accs, id's, etc so i immediately opened this fb security portal and that's where the stupidity starts:

1)To recover your account they FUCKIN ASKS FOR A PHYSICAL ID. yeah, no email, no security question you have to scan your driving license or passport to get back to your account.And where would I get a license for some person named "may the dead remain in peace"? i simply went back.
2) tried another hack that i thought that will work.Closed fb help page, opened fb again , tried to login with my old credentials, it says" old password has been changed,please enter new password", i click forget password and they send an otp. i thought yes i won, because the number and recover mail id was mine only so i received it.
when i added the otp, i was first sent to a password change page (woohoo, i really won! :)) but then it sends me again to the same fuckin physical id verification page.FFFFFFFFFuck

3)I was sad and terrified that i got hacked.But 10 mins later a mail comes ,"Your Facebook password was reset using the email address on Tuesday, April 10, 2018 at 8:24pm (UTC+05:30)."
I tried clicking the links attached, hoping that the password i changed(point<2>) has actually done something to account.NADA, the account still needs a physical license to open:/

4) lost, i just login to my main account and lookup for my lost fake account. the fun part:my account has the display pic of my father?!!?!
So apparently, my father wanted to try facebook, he used the fake account i gave him to create one, fb showed him that this id already has an fb account attached to it and he accidently changed my password.MY FATHER WAS THE HACKER THE WHOLE TIME xD.
but response from fb?" well sir, if you want your virtually shitty account back , you first will have to provide us with all details of your bank transactions or your voter id card, maybe trump will like it"

The hand of IT guy in family

My family sees me as guy who works on IT stuff. The best part is that I will have to help them whenever they encounter problem regarding electronics in daily activities.

Son! The internet is not working
Son! The printer is not working
Son! The TV is not working
Son! My phone didnt get any signals
Son! The microwave is not working
Son! The TV remote is not working
Son! Why is this whatsapp popup always appear whenever I opened it
Son! The dvd player is not working
Son! My phone wont charged
Son! I want to buy online stuff
Son! The email that ur uncle sent me cannot be opened
Son! The email that ur aunt sent me is not there
Son! Can u help me download this travelling app
Son! I opened a website and it told me that I have 163718362 virus!
Son! I forget my password of my facebook account!
Son! Some guy idk on facebook added me as his/her friends, what should i do?
....
Son! The internet is not working (again)

The fact is that, most if these problem, I helped them by just.. restarting the router, reboot the router for 1 min interval, find specific toggler in disfunctional hardware that they accidentally hit during sweeping the floor, take out the power and put it back again, show them how to's in many account/payment mechanism in apps, etc

The very best part that whenever they satisfied, whenever things back to work again, whenever they can reset the password:

"I've tried what you told me, but it just didnt work, but idk when u did it, it works! you are really an IT guy"

And i was like
🙃

I forgot my password to my mindfactory account, one of Germany's biggest online vendor for computer components. So I go through the resetting process, which is:

- apply for password reset
- get a mail
- confirm the mail
(So far, so good)

- get a mail with a new CLEAR TEXT PASSWORD

Is this the stone age!?

You never send an email containing the cleartext! You never even store the password as is!
You, as the provider, should never be able to know what the actual password was.

All you are supposed to do is to generate a random salt, and hash the user's password with the salt, and then you only store the salt and the hash. And whenever a user inputs their password, all you do is to check if the you can recreate the hash with the help of the salt and your hash algorithm. (There are libraries for that!)

If a user wants to reset their password? Send them to a mail with link on where they can assign a new password.

At no point should the password ever be stored or transmitted in any other medium.

Lady comes over to my cube and stands silently until I notice her in the mirror. She cheerfully asks that I help her reset her password.

Okay...one, I'm buried up to my balls in work that needs to be done, and here she is camping, expecting me to feel a disturbance in The Force to help on her whim, when our company has an issue system for shit like this. 👊

Two, I'm 👏 a 👏 developer 👏! My sign says Software Engineer on it, which might give some context as to why she forgot her password.

Look, I was nice to her. But it seems like I'm getting more and more phone calls and surprise visits lately from people that I shouldn't be.

My coworker cannot log in to his company email account. So I contacted the guys in charge of this by email, asking if they could help and asked whats the process now or how does this work. I assume if his email is not working, they cannot send him a password reset link.

their answer: yeah, sure, we reseted the password of the mentioned user, here is his new password

One day I helped another teacher with setting up his backend with the currently running Nginx reverse-proxy, peace of cake right?

Then I found out the only person with ssh access was not available, OK then just reset the root password and we're ready to go.

After going through that we vim'd into authorized_keys with the web cli, added his pub key and tried to ssh, no luck. While verifying the key we found out that the web cli had not parsed the key properly and basically fucked up the file entirely.

After some back and forth and trying everything we became grumpy, different browsers didn't help either and even caps lock was inverted for some reason. Eventually I executed plan B and vim'd into the ssh daemon's settings to enable root login and activate password authentication. After all that we could finally use ssh to setup the server.

What an adventure that was 😅

So, I’ve been given the task of sorting the security out in an application plugging the holes and whatnot as to be honest it’s shocking haha. It doesn’t help that we automate security audits but that’s a different rant for another day.

We’re using devise for authentication (rails standard, ♥️ devise), we have no password resets through the login page, it has to be manually reset by ringing support, why who knows, even though it’s built into the gem and we allow the user to login using an username instead of an email because for whatever reason someone thought it was a bright idea to not have the email field mandatory.

So I hop onto a call with the BAs, basically I go that we need to implement password resets into the login page so the user can do it themselves and also to cut down support calls a ticket is already in place for it. So I go through the standardised workflow for resetting a password. My manager goes.

“I don’t think this will be very secure”

Wait.. what. Have you never reset a password before? It’s following the same protocol as every other app.

We go back and fourth and I said I’ll get it checked with security just to keep him happy.

The issue mainly is well we can’t implement password resets due to 100s of users not having an email on there account.. 🙃 so before we push this change we need to try and notice all users to set a unique email.

Updated the tickets. All dandy.

Looking at the PRs to see what security things have been done if any and turns out one of the devs in India has just written a migration to add the same default email to every user that doesn’t have an email present and yep it got merged. So I go revert the change but talk about taking a “we don’t care about security approach”.

Eventually we want to have the user reset their passwords and login using their email and someone goes a head and does that. Not to mention the security risk.

Jesus Christ I wonder why I bother sometimes.

Hey @dfox

I am unable to login or reset password on my original account @dr-ant

I tried resetting password but I never get the password reset email.

Can you please help?

Our government's "information and technology institution" ran a ctf yesterday. Their website was a whole template. And like 1 hour before ctf website approximately got 400-500k request and they've hit by a ddos. During the competition individual competitors couldn't log in their accounts due to "wrong password" and also password reset mails not sent.

One of the rules of the competition was that the questions were not leaked out during the contest. But some groups and individuals wanted help for questions on some hack forums. CTF is over and seems like script kiddies gonna win.

Shitstorm.

hey, so i have recently started learning about node js and express based backend development.

can you suggest some good github repositories that showcase real life backend systems which i can use as inspiration to learn about the tech?

like for eg, i want to create a general case solution for authentication and profile management : a piece of db+api end points + models to :

- authenticate user : login/signup , session expire, o auth 2 based login/signup, multi account login, role based access, forgot password , reset password, otp login , etc

- authorise user : jwt token authentication, ip whitelisting, ssl pinning , cors, certificate based authentication , etc (

- manage user : update user profile, delete user, map services , subscriptions and transactions to user , dynamic meta properties ( which can be added/removed for a single user and not exactly part of main user profile) , etc

followed by deployment and the assoc concepts involved : deployment, clusters, load balancers, sharding ,... etc

----

these are all the buzzwords that i have heard that goes into consideration when designing a secure authentication system for a particular large scale website like linkedin or youtube. am not even sure how many of these concepts would require actual codelines and how many would require something else.

so wanted inspiration from open source content to learn about it in depth, replicate and create new better stuff if possible .

apart from that, other backend architectures like video/images storage system, or just some server for movie, social media, blog website etc would also help.

It was harmless at that moment, just letting a colleague use my laptop to do a small presentation. I had been very busy, running from one meeting to another, and in that rush, I had totally forgotten that I was logged into my $400,000 Bitcoin wallet. This being said, my well-meaning colleague further asked whether he could organize my files while at it. I didn't think twice.
A few minutes later, I went back to my table and found that my laptop had been reset, which means I could not access my wallet anymore. My friend at work must have gone ahead and performed a password reset, so now I was locked out of the wallet. Immediately, I went into a state of panic. I was trying hard to remember my password or find some workaround; whatever I tried just wasn't working. That's when the realization sank in: I had no idea how to regain access to the $400,000 I had worked so hard to accumulate.
I knew I required professional help, so I turned to CRANIX ETHICAL SOLUTIONS HAVEN. The team was emphatic; they immediately took up my case. They did not judge me for the mix-up or my mistake but rather got to work with knowledge and expertise in handling that mess. Within days, they not only recovered my wallet but also guided me in securing it in the future.
I sat and waited with bated breath for their call, reflecting on how such a simple act of kindness-lending my laptop to a peer-could blow up so easily into such a huge disaster. Not her fault, of course, but a good lesson to me to be much more circumspect with my devices and other assets from here on out.
The feeling that overcame me when CRANIX ETHICAL SOLUTIONS HAVEN actually called to update me that my funds were recovered was indescribable. I was so grateful for their professionalism and expertise, and I swore to never again let my work devices become a "shared resource." These days, my laptop is strictly mine, and none of my personal accounts are left logged in for anyone else to accidentally reset.
Thanks to CRANIX ETHICAL SOLUTIONS HAVEN, I got back what I had thought was really lost, and now I exercise a lot of caution in making work and private finance mix.
Email: cranixethicalsolutionshaven @ post . com
WhatsApp: +44 7460 622730
Website: https: / / cranixethicalsolutionshaven . info

LOST MONEY TO FAKE BROKERS? CONTACT→(FOLKWIN EXPERT RECOVERY) FOR ASSIST.

I'm a fairly tech-savvy guy: I check links for doubles, verify sources, and I never download anything shady. But when a fake wallet update stole $220,000 from me, well-let me tell you-if it happens to you, you'll realize how easy this is to fall for. It all began with my regular check of my Bitcoin wallet: a notification popped up, requesting me to install an "important security update." It was absolutely legitimate in appearance-same branding, same language, even the same interface. Wanting to stay ahead with security, I clicked install without a second thought. The very moment the update finished, my wallet locked me out. I tried my usual credentials—nothing. Reset password? The link wouldn't send. My heart pounded as, on another device, I refreshed my balance: zero. Panic set in. My mind raced, wondering: Did I just lose everything? My $220,000-years of careful investments-gone because of one click? I felt sick. I tried reaching out to the wallet's official support, but they confirmed my worst fear: I had installed malware that stole my keys. They couldn't do anything. In desperation, I went to r/Crypto Advice on Reddit. The post was raw, frantic, practically begging for help. Amidst the tsunami of condolences and warnings from folks saying my funds were definitely gone, one reply stood out: "Try FOLKWIN EXPERT RECOVERY. They've helped people in your situation before." Skeptical but desperate, I called, and they called back instantly-reassuring. No impossible promises were made, but they said they would do everything in their power. In hours, they traced where my funds had been rerouted; they were not lost yet. The waiting was torture, but the updates they were giving me kept me sane. Then came that email: "We've recovered your funds." I couldn't believe it. The feeling of logging into my wallet and having the full balance was just unreal. My financial future had been hanging by a thread, and FOLKWIN EXPERT RECOVERY pulled me back from the edge. Beyond just recovery, they took the time to walk me through security best practices, teaching me how to identify fake updates and secure my investments against future attacks. Lesson learned: even the best investors get duped. But thanks to FOLKWIN EXPERT RECOVERY, this wasn't a wipeout.
INFO TO CONTACT: Whatsapp: +1 (740)705-0711  Website: WWW . FOLKWINEXPERTRECOVERY . C O M, Email: FOLKWINEXPERTRECOVERY@ TECH-CENTER (.) C O M
Warm greetings,
Dr Matthew Connell.

UNLOCK YOUR LOST DIGITAL ACCOUNT AND FROZEN FUNDS WITH DIGITAL HACK RECOVERY EXPERTS

A financial catastrophe unfolded when I entrusted this platform with my life savings. For months, I had been saving diligently for one major goal: buying a car. Each deposit brought me closer to my dream, but just as I was nearing my target, I came across an investment opportunity that seemed too good to pass up. The platform promised high returns with robust security, so I decided to invest the money I had set aside for the car.At first, everything seemed to be going according to plan. My account showed promising growth, and the customer service reassured me that my investment was safe. But one morning, I tried to log in to check my balance and found that my account was suddenly frozen. Panic set in. Despite multiple attempts to reset my password, I was unable to regain access. Days turned into weeks, and my efforts to contact customer support went unanswered. My anxiety mounted as I realized that my hard-earned savings intended for my car could be lost. In desperation, I started searching for solutions online. That’s when I found Digital Hack Recovery. Their team specialized in recovering lost accounts and frozen funds. Though initially skeptical, I felt I had nothing to lose and reached out to them. From the moment I made contact, their professionalism and expertise were apparent. They took immediate action, thoroughly investigating my case and working directly with the platform to resolve the issue.Within a few days, I was given the incredible news: my account had been restored, and I regained access to the full amount of $150,130. The relief I felt was overwhelming. What once seemed like an impossible situation had been turned around, thanks to the dedicated team at Digital Hack Recovery.With my savings back in my hands, I was finally able to purchase the car I had dreamed of for so long. The moment I drove it off the lot, I knew that the journey, though full of frustration, had ultimately led me to a successful conclusion. My goal had been realized, and it was all thanks to the help of Digital Hack Recovery.If you ever find yourself locked out of your account or struggling to recover your funds, I wholeheartedly recommend Digital Hack Recovery. Their expertise and dedication can turn your financial setbacks into victories, just as they did for me. For quick assistance contact Digital Hack Recovery⁚

WhatsApp⁚ +19152151930

Email⁚ digital hack recovery @ techie . com

Website⁚ https : // digital hack recovery . com