I was registering for a website, and on a whim, I used this as my username:
null'); PRINT('Hello');--

And sure enough, the login system went down. The next day it was still down, so I went to Twitter to tell the people running the site that this was why, but to my surprise, I see them saying they had been hacked.
Based on the timing, I'm pretty sure they're referring to this, but they are saying user info was stolen. *facepalm*
They later said they stored passwords salted with a fixed salt and hashed with fucking md5, at which point I was glad not to have done any more business with them.

How incompetent can these fucking people be?!

My first unintentional "hack" was in middle school, I had been programming for a couple years already and I was really bored.

My school had blocked facebook, twitter and so on because most students are lazy and think everything revolves around their "descrete" cleavage picture's likes. Any way, I thought most would be naive and desperate enough to fall into a "Facebook unblocked" app at the desktop, the program was fairly simple just a mimicking FB page done on C# ASP that saved user and passwords in an encrypted file.

I distributed it in around 5 computers and by the end of the month I had over 60 accounts, and what did I do? I used it to post a gay relationship between two of my friends on fb (one had a gf), it was dumb but boy did I laughed, after that I erased everything as it didn't seem so important.

I have bank accounts with 5 different banks.
I HAVE TO use 4-5 different government websites.

Every fucking place: you cannot use these "~-/;^"(some others too) symbols in your password.

Are you freaking fucking kidding me!! And all of them have a limit of 12or15 characters.

If this wasn't mind numbingly stupid enough, they fucking go ahead and force you to change password every fucking month or two.

THIS IS NOT SECURITY. YOU SHOULDN'T FORCE SOMEONE TO LIMIT THERE PASSWORDS TO:
- CERTAIN CHARACTERS
- A 15 CHARACTER SIZE LIMIT
- THRN OVERTHAT, FORCE TO CHANGE PASSWPRDS PERIODICALLY.

ALL THE 5 MAJOR FUCKING BANKS IN INDIA.

FUUUUUCCCCKKKKK YOUU 🖕

I'm really close to just quitting coding all together. This job is sucking the life out of me. I've lost my interest in code and the idea that there are better jobs out there.

My "boss" who's not even really my boss but behaves like he is, is micromanaging my every tag, and is an information hog. He doesn't document, he doesn't tell me anything, I've been here six months and still don't know half of what I need to know to do my job properly!

I'm expected to implement a new responsive design, but we don't have design specifications.
Cool, you'd think, new ideas, complete overhaul! Let's get a good foundation in bootstrap going!

WRONG! It needs to fit in with the old, fuck- ugly pre 2000 design.

Not because of any design constraints in particular, but because HE wants it that way. You know what was fucking trendy in 2000? Tables. Tables fucking everywhere. YOU KNOW WHAT TABLES ARE NOT? RESPONSIVE YOU FUCKING ICE LOLLY CHEWER!

We have no development timeline, no process management, no fucking project management. THE FUCKING PASSWORDS WERE STILL STORED IN PLAIN TEXT UNTIL LAST MONTH YOU IRRESPONSIBLE BANANA DEEPTHROATER! 😤😤😤😤😤😤

I'm doing my best here to get something resembling the old page, but there needs to be some fucking compromise! We are in fucking 2017, let's work with Bootstrap instead of against it, how about that you fucking bald cactus!

I know enough about UI to know that the way we're going, this is just going to be another unusable fucking clusterfuck.

YOU KNOW THE BEST FUCKING PART? I'M A FUCKING BACKEND DEV AND I WAS HIRED AS SUCH! GIVE ME A DESIGN TEMPLATE AND I'LL DO MY BEST TO IMPLEMENT IT, BUT FUCK YOU FOR EXPECTING FRONT END LEVEL DESIGN KNOWLEDGE YOU DUMB FUCKING SPAGHETTI!

My school just tried to hinder my revision for finals now. They've denied me access just today of SSHing into my home computer. Vim & a filesystem is soo much better than pen and paper.

So I went up to the sysadmin about this. His response: "We're not allowing it any more". That's it - no reason. Now let's just hope that the sysadmin was dumb enough to only block port 22, not my IP address, so I can just pick another port to expose at home. To be honest, I was surprised that he even knew what SSH was. I mean, sure, they're hired as sysadmins, so they should probably know that stuff, but the sysadmins in my school are fucking brain dead.

For one, they used to block Google, and every other HTTPS site on their WiFi network because of an invalid certificate. Now it's even more difficult to access google as you need to know the proxy settings.

They switched over to forcing me to remote desktop to access my files at home, instead of the old, faster, better shared web folder (Windows server 2012 please help).

But the worst of it includes apparently having no password on their SQL server, STORING FUCKING PASSWORDS IN PLAIN TEXT allowing someone to hijack my session, and just leaving a file unprotected with a shit load of people's names, parents, and home addresses. That's some super sketchy illegal shit.

So if you sysadmins happen to be reading this on devRant, INSTEAD OF WASTING YOUR FUCKING TIME BLOCKING MORE WEBSITES THAN THEIR ARE LIVING HUMANS, HOW ABOUT TRY UPPING YOUR SECURITY, PASSWORDS LIKE "", "", and "gryph0n" ARE SHIT - MAKE IT BETTER SO US STUDENTS CAN ACTUALLY BROWSE MORE FREELY - I THINK I WANT TO PASS, NOT HAVE EVERY OTHER THING BLOCKED.

Thankfully I'm leaving this school in 3 weeks after my last exam. Sure, I could stay on with this "highly reputable" school, but I don't want to be fucking lied to about computer studies, I don't want to have to workaround your shitty methods of blocking. As far as I can tell, half of the reputation is from cheating. The students and sysadmins shouldn't have to have an arms race between circumventing restrictions and blocking those circumventions. Just make your shit work for once.

**On second thought, actually keep it like that. Most of the people I see in the school are c***s anyway - they deserve to have half of everything they try to do censored. I won't be around to care soon.**

It took forever to get SSH access to our office network computers from outside. Me and other coworkers were often told to "just use teamviewer", but we finally managed to get our way.

But bloody incompetents! There is a machine with SSH listening on port 22, user & root login enabled via password on the personal office computer.

"I CBA to setup a private key. It's useless anyways, who's ever gonna hack this computer? Don't be paranoid, a password is enough!"

A little more than 30 minutes later, I added the following to his .bashrc:

alias cat="eject -T && \cat"
alias cp="eject -T && \cp"
alias find="eject -T && \find"
alias grep="eject -T && \grep"
alias ls="eject -T && \ls"
alias mv="eject -T && \mv"
alias nano="eject -T && \nano"
alias rm="eject -T && \rm"
alias rsync="eject -T && \rsync"
alias ssh="eject -T && \ssh"
alias su="eject -T && \su"
alias sudo="eject -T && \sudo"
alias vboxmanage="eject -T && \vboxmanage"
alias vim="eject -T && \vim"

He's still trying to figure out what is happening.

TL; DR: Bringing up quantum computing is going to be the next catchall for everything and I'm already fucking sick of it.

Actual convo i had:

"You should really secure your AWS instance."

"Isnt my SSH key alone a good enough barrier?"

"There are hundreds of thousands of incidents where people either get hacked or commit it to github."

"Well i wont"

"Just start using IP/CIDR based filtering, or i will take your instance down."

"But SSH keys are going to be useless in a couple years due to QUANTUM FUCKING COMPUTING, so why wouldnt IP spoofing get even better?"

"Listen motherfucker, i may actually kill you, because today i dont have time for this. The whole point of IP-based security is that you cant look on Shodan for machines with open SSH ports. You want to talk about quantum computing??!! Lets fucking roll motherfucker. I dont think it will be in the next thousand years that we will even come close to fault-tolerant quantum computing.

And even if it did, there have been vulnerabilities in SSH before. How often do you update your instance? I can see the uptime is 395 days, so probably not fucking often! I bet you "dont have anything important anyways" on there! No stored passwords, no stored keys, no nothing, right (she absolutely did)? If you actually think I'm going to back down on this when i sit in the same room as the dude with the root keys to our account, you can kindly take your keyboard and shove it up your ass.

Christ, I bet that the reason you like quantum computing so much is because then you'll be able to get your deepfakes of miley cyrus easier you perv."

I previously worked as a Linux/unix sysadmin. There was one app team owning like 4 servers accessible in a very speciffic way.
* logon to main jumpbox
* ssh to elevated-privileges jumpbox
* logon to regional jumpbox using custom-made ssh alternative [call it fkup]
* try to fkup to the app server to confirm that fkup daemon is dead
* logon to server's mgmt node [aix frame]
* ssh to server directly to find confirm sshd is dead too
* access server's console
* place root pswd request in passwords vault, chase 2 mangers via phone for approvals [to login to the vault, find my request and aprove it]
* use root pw to login to server's console, bounce sshd and fkupd
* logout from the console
* fkup into the server to get shell.

That's not the worst part... Aix'es are stable enough to run for years w/o needing any maintenance, do all this complexity could be bearable.

However, the app team used to log a change request asking to copy a new pdf file into that server every week and drop it to app directory, chown it to app user. Why can't they do that themselves you ask? Bcuz they 'only need this pdf to get there, that's all, and we're not wasting our time to raise access requests and chase for approvals just for a pdf...'

oh, and all these steps must be repeated each time a sysadmin tties to implement the change request as all the movements and decisions must be logged and justified.

Each server access takes roughly half an hour. 4 servers -> 2hrs.

So yeah.. Surely getting your accesses sorted out once is so much more time consuming and less efficient than logging a change request for sysadmins every week and wasting 2 frickin hours of my time to just copy a simple pdf for you.. Not to mention that threr's only a small team of sysadmins maintaining tens of thousands of servers and every minute we have we spend working. Lunch time takes 10-15 minutes or so.. Almost no time for coffee or restroom. And these guys are saying sparing a few hours to get their own accesses is 'a waste of their time'...

That was the time I discovered skrillex.

A few days ago Aruba Cloud terminated my VPS's without notice (shortly after my previous rant about email spam). The reason behind it is rather mundane - while slightly tipsy I wanted to send some traffic back to those Chinese smtp-shop assholes.

Around half an hour later I found that e1.nixmagic.com had lost its network link. I logged into the admin panel at Aruba and connected to the recovery console. In the kernel log there was a mention of the main network link being unresponsive. Apparently Aruba Cloud's automated systems had cut it off.

Shortly afterwards I got an email about the suspension, requested that I get back to them within 72 hours.. despite the email being from a noreply address. Big brain right there.

Now one server wasn't yet a reason to consider this a major outage. I did have 3 edge nodes, all of which had equal duties and importance in the network. However an hour later I found that Aruba had also shut down the other 2 instances, despite those doing nothing wrong. Another hour later I found my account limited, unable to login to the admin panel. Oh and did I mention that for anything in that admin panel, you have to login to the customer area first? And that the account ID used to login there is more secure than the password? Yeah their password security is that good. Normally my passwords would be 64 random characters.. not there.

So with all my servers now gone, I immediately considered it an emergency. Aruba's employees had already left the office, and wouldn't get back to me until the next day (on-call be damned I guess?). So I had to immediately pull an all-nighter and deploy new servers elsewhere and move my DNS records to those ASAP. For that I chose Hetzner.

Now at Hetzner I was actually very pleasantly surprised at just how clean the interface was, how it puts the project front and center in everything, and just tells you "this is what this is and what it does", nothing else. Despite being a sysadmin myself, I find the hosting part of it insignificant. The project - the application that is to be hosted - that's what's important. Administration of a datacenter on the other hand is background stuff. Aruba's interface is very cluttered, on Hetzner it's super clean. Night and day difference.

Oh and the specs are better for the same price, the password security is actually decent, and the servers are already up despite me not having paid for anything yet. That's incredible if you ask me.. they actually trust a new customer to pay the bills afterwards. How about you Aruba Cloud? Oh yeah.. too much to ask for right. Even the network isn't something you can trust a long-time customer of yours with.

So everything has been set up again now, and there are some things I would like to stress about hosting providers.

You don't own the hardware. While you do have root access, you don't have hardware access at all. Remember that therefore you can't store anything on it that you can't afford to lose, have stolen, or otherwise compromised. This is something I kept in mind when I made my servers. The edge nodes do nothing but reverse proxying the services from my LXC containers at home. Therefore the edge nodes could go down, while the worker nodes still kept running. All that was necessary was a new set of reverse proxies. On the other hand, if e.g. my Gitea server were to be hosted directly on those VPS's, losing that would've been devastating. All my configs, projects, mirrors and shit are hosted there.

Also remember that your hosting provider can terminate you at any time, for any reason. Server redundancy is not enough. If you can afford multiple redundant servers, get them at different hosting providers. I've looked at Aruba Cloud's Terms of Use and this is indeed something they were legally allowed to do. Any reason, any time, no notice. They covered all their bases. Make sure you do too, and hope that you'll never need it.

Oh, right - this is a rant - Aruba Cloud you are a bunch of assholes. Kindly take a 1Gbps DDoS attack up your ass in exchange for that termination without notice, will you?

Little anecdote from my in-house it:

"Our passwords are safe because we change them every 3 months and they have to contain uppercases, lowercases, numbers and special characters. 6 digit length is enough and can't be hacked."

Another rant about my school: the default password system.
Each student's username is FirstnameLastname, and the same applies to teachers. The passwords assigned are <First initial><Last initial> for students, and the same for teachers with "teacher" appended to the end. As students, we figured out this system pretty quickly, and we were able to log into the computer system as any teacher who we knew had requested an account. (Teacher accounts had unfiltered Internet access, student accounts did not).
I now teach in this school, where they recently got Google Classrooms accounts for each teacher during Covid. The accounts use the same naming/password scheme! I somehow doubt the teachers replace their passwords, so any student clever enough to figure out the system can log into their Google for Education account.

So for context, I'm doing an Apprenticeship in IT and naturally I've been put on help desk.

I've recently been given a phone on my desk since I'm trusted enough and know enough about our software that there's no risk to me accepting calls.

I get the standard ones, a number from a different country, poorly pronouncing a co-workers name, asking if they can speak to them. I give my normal response, "I'll just check if they're in a meeting and I'll get back to you" (which they somehow always are) and ask if they would like to leave a message. They obviously don't since they're usually scams.

Since Tuesday I've started getting calls from "BT Technical Support". I don't use BT. My company doesn't use BT. So, it's clearly a scam.

Yesterday, the same guy calls me up, Thomas he says his name is. I go along with it for a while, agreeing that I've noticed our network has been slow until the point where he asks me to begin to install TeamViewer. I realise what he's going to do so I ask him what the problem with our network is.

I hear him start to respond but he stops. He's got no clue what to say, so I say to him, "Thomas mate. I think our biggest problem with our BT network is that we don't have BT."

He puts the phone down.

So I ask you for help, lovely people of devRant.

I have a Windows 10 VM ready to go. I have a couple notepad files labelled as "Passwords" and "Bank Details". What else can I throw on there to make this guy think he's hit the jackpot without really causing too much damage?

Any ideas would be appreciated. <3

I promised a friend to have a look over his dads website to add a small blog. No big deal, I've got it on my drive, can reuse it just need to adapt it to the environment.

I take a look at what I'm working with and I see the most terrifying piece of "Please, take my data" code I could possibly imagine (And I've seen passwords, in plain text in a script tag). I quote "function queryDB(mode, val) {
var query=" ";
if(mode==="findProd")
query="Select * from Products where ProdNam=" +val;
... (same shit for different cases)
sendQuery(query) ;
}

He literally built the query on the client side sent it to a php script (without validation) and inserted it into the database.
You could literally call window.sendQuery with any sql query and get the result printed into the console.
And other than the plain text passwords guy that wasn't some kid someone knew, this was a "Webdesign" Agency.
Now I took the entire thing offline, called my friends dad, explained it to him and try to sort this out. I would not charge a good friends father but that hack will get a quite hefty bill since my hourly rate just tripled.

And the worst thing : If I publicly name that asshole or warn the people in his portfolio I can, according to Google, be sued. (But, and I assume thats vague enough not to count as bad mouthing, if anyone of you has a customer from Rheinland-Pfalz, Germany with a preexisting page, please have a look at the database interface)
I will call that agency tomorrow, ask for a detailed explanation for why they apparently let trained monkeys write their code and anonymously warn everyone in their portfolio about those flaws...

I don't know if I'm cursed or if there are just that many bad devs but it seems that once a year I have to stumble over some "mistakes" that make me question my sanity.

Security fail here. I've just started a PPI claim and have been provided a link to a so called "very secure" client area.

There are no username or passwords and the screenshot is not a first time sign up screen.

All I need to login is a surname, postcode and DOB - all information easy enough to find online.

Pretty bad IMO, esp, so considering the effort required to add a proper login using a username/password combination.

I mean I'm logged in now and have no option to set an account password :|

So I enventually spent 2 years working for that company with a strong b2b market. Everything from the checkouts in their 6 b2c stores to the softwares used by the 30-people sales team was dependant on the main ERP shit home-built with this monstruosity we call Windev here in France. If you don't know it just google and have some laugh : this is a proprieteray FRENCH language. Not french like made by french people, well that too, but mostly french like the fucking language is un fucking french ! Instructions are on french, everything. Hey that's my natural language okay, but for code, really ?

The php website was using the ERP database too, even all the software/hardware of the massive logistic installation they had (like a tiny Amazon depot), and of course the emails of all employees. Everything was just handled by this unique shitty and so sloooooow fucking app. When there was to many clients on the website or even too many salespeople connected to the ERP at the same time, every-fuckin-piece of the company was slowing down, and even worse facing critical bugs. So they installed a monitor in the corner of a desk constantly showing the live report page of Google analytics and they started panic attacks everytime it was counting more than 30 sessions on the website. That was at the time fun and sad to observe.

The whole shit was created 12 years ago and is since maintened locally by one unique old-fashion-microsoft dev who also have to maintain all the hardware of all the fucking 150+ people business. You know, when the keyboard of anyone is "broken" cause it's unplugged... That's his job too. The poor guy was totally overstressed on a daily basis and his tech knowledge just saddly losts themeselves somewhere in the way. He was my n+1 in a tech team of 3 people : him, a young and inexperimented so-called "php developer" who was in charge of the website (btw full of security holes I discovered and dealed with when I first arrive at the job), and myself.

The database was a hell of 100+ tables of business and marketing data with a ton of specific logic added on-the-go during years. No consistent data model or naming. No utf8. Fucked up relations that ends with queries long enough to fill books. And that's not all, all the customers passwords was just stored there uncrypted. Several very big companies and administrations were some of these clients. I was insisting on the passwords point litterally all the time, that was an easy security fix and a good start... But no, in two years of discussions on the subject I never achieved to have them focusing on other considerations than "our customers like that we can remind them their password by a simple phone call if they lost it". What. The. Fuck. WHATTHEFUCK!

Eventually I ran myself out of this nightmare. I had a few bad jobs already, and worked on shitty software already. But that one really blows my mind (and motivation for a time too). Happy it's over.

Hmm...recently I've seen an increase in the idea of raising security awareness at a user level...but really now , it gets me thinking , why not raise security awareness at a coding level ? Just having one guy do encryption and encoding most certainly isn't enough for an app to be considered secure . In this day an age where most apps are web based and even open source some of them , I think that first of all it should be our duty to protect the customer/consumer rather than make him protect himself . Most of everyone knows how to get user input from the UI but how many out here actually think that the normal dummy user might actually type unintentional malicious code which would break the app or give him access to something he shouldn't be allowed into ? I've seen very few developers/software architects/engineers actually take the blame for insecure code . I've seen people build apps starting on an unacceptable idea security wise and then in the end thinking of patching in filters , encryptions , encodings , tokens and days before release realise that their app is half broken because they didn't start the whole project in a more secure way for the user .

Just my two cents...we as devs should be more aware of coding in a way that makes apps more secure from and for the user rather than saying that we had some epic mythical hackers pull all the user tables that also contained unhashed unencrypted passwords by using magix . It certainly isn't magic , it's just our bad coding that lets outside code interact with our own code .

Oh ffs, just fucking inject a chip into my finger already for authentication purposes, you can track my every fucking move if you so wish. When a web page like twitch uses 2FA it boggles my mind because its a page where you're watching some fucking videos.

"hey there, so out of the blue, we send you a code to your email, we won't tell you which so good luck. Also, you cannot copy paste this code because we did that fucking thing where each character has its own textbox"

Of course, this is only because we are dumb enough to reuse shitty passwords. THIS IS WHY WE CAN'T HAVE NICE THINGS.

Soo... Let me get this straight... My boss reeeeeeally wants me to reconfigure our database system to sync data between each of our 15 sites... Let me this about this...

Our database is an MS Access database originally written about 17 years ago. It was written as a standalone database that runs a unique instance for each of our sites.The person responsible for the database (still not the original developer) before I took over 6 years ago bragged about how they were "an 80s developer" (w...t...f!). Even with all of the fixes and additions (additions because... F&$#ing of course there are!) It's still basically held together by duct tape and spit.

Hmmm... Ok, still possible. What's the environment I'm working in... I have absolutely ZERO control of our workplace network... That's a whole other department. Due to the nature of the workplace (and it's sites) there is extreme limitation on network access.

Well... If I'm Reeeeeeally nice to the people in charge of the network, maaaaaybe they can give me access to a little server space.

A very long shot, but, doab.... Oh, the boss would really like this handled in the next couple months...

F$#k you! There is no way on God's (still) green earth that I... Alone... Can rewrite a legacy database... written across 4 or 5 different versions of FU$KING MS Access, and give 15 sites, with extremely limited networking, real time data sync in... Oh, a few months.

Now, I do not work with "computer people". I'm usually lucky when my coworkers remember their passwords (which, even if they don't, WHY tell ME! I don't run the network!)

And when I tell my boss basically what I just said... In a nice, pleasant way... They suggest I'm not giving the problem enough thought...

FU#K YOU IGNORANT ASS! Write me a ToDo list in MS Access (no, I'm not going to tell you where to start) in under an hour then, MAYBE, we can talk about... No... Just NO... Can't be done!

*Takes deep breath* so... Lovely weather we're having, right?

Relatively often the OpenLDAP server (slapd) behaves a bit strange.

While it is little bit slow (I didn't do a benchmark but Active Directory seemed to be a bit faster but has other quirks is Windows only) with a small amount of users it's fine. slapd is the reference implementation of the LDAP protocol and I didn't expect it to be much better.

Some years ago slapd migrated to a different configuration style - instead of a configuration file and a required restart after every change made, it now uses an additional database for "live" configuration which also allows the deployment of multiple servers with the same configuration (I guess this is nice for larger setups). Many documentations online do not reflect the new configuration and so using the new configuration style requires some knowledge of LDAP itself.
It is possible to revert to the old file based method but the possibility might be removed by any future version - and restarts may take a little bit longer. So I guess, don't do that?

To access the configuration over the network (only using the command line on the server to edit the configuration is sometimes a bit... annoying) an additional internal user has to be created in the configuration database (while working on the local machine as root you are authenticated over a unix domain socket). I mean, I had to creat an administration user during the installation of the service but apparently this only for the main database...

The password in the configuration can be hashed as usual - but strangely it does only accept hashes of some passwords (a hashed version of "123456" is accepted but not hashes of different password, I mean what the...?) so I have to use a single plaintext password... (secure password hashing works for normal user and normal admin accounts).

But even worse are the default logging options: By default (atleast on Debian) the log level is set to DEBUG. Additionally if slapd detects optimization opportunities it writes them to the logs - at least once per connection, if not per query. Together with an application that did alot of connections and queries (this was not intendet and got fixed later) THIS RESULTED IN 32 GB LOG FILES IN ≤ 24 HOURS! - enough to fill up the disk and to crash other services (lessons learned: add more monitoring, monitoring, and monitoring and /var/log should be an extra partition). I mean logging optimization hints is certainly nice - it runs faster now (again, I did not do any benchmarks) - but ther verbosity was way too high.

The worst parts are the error messages: When entering a query string with a syntax errors, slapd returns the error code 80 without any additional text - the documentation reveals SO MUCH BETTER meaning: "other error", THIS IS SO HELPFULL... In the end I was able to find the reason why the input was rejected but in my experience the most error messages are little bit more precise.