Manager: We need to setup the security in the Mexico server

Dev: You mean that 3rd party firewall add on?

Manager: Yes

Dev: And set up the billing on the Mexico account?

Manager: Yes

Dev: lol, sure thing I’ll create the ticket

Manager: What’s so funny?

Dev: Nothing

Ticket: Build wall and get Mexico to pay for it.

Dude
The client has a giant database with all credit and debit cards

ALL INFOS IN FUCKING PLAINTEXT
THE CARD NUMBER
THE CVV
THE EXPIRY DATE

I'M SHAKING AF

Doing some Christmas shopping.

Creating some throwaway accounts in various e-shops

Some e-shops send me my password via email upon registration.

I've spent the better half of a day emailing those e-shops to revise their IT security policies.

Haven't bought a single gift yet.

Time well spent!

While writing up this quarter's performance review, I re-read last quarter's goals, and found one my boss edited and added a minimum to: "Release more features that customers want and enjoy using, prioritized by product; minimum 4 product feature/bug tickets this quarter."

... they then proceeded to give me, not four+ product tickets, but: three security tickets (two of which are big projects), a frontend ticket that should have been assigned to the designer, and a slow query performance ticket -- on top of my existing security tickets from Q3.

How the fuck was I supposed to meet this requirement if I wasn't given any product tickets? What, finish the monster tickets in a week instead of a month or more each and beg for new product tickets from the product manager who refuses to even talk to me?

Fuck these people, seriously.

Stop calling people by their old occupation titles. .
Please address them by using their new titles accordingly
and they will like it their job more.

OLD: *Garden Boy*
NEW: *Landscape Executive and Animal Nutritionist*

OLD: *Petrol attendant*
NEW: *Fuel transmission engineer*

OLD: *Receptionist*
NEW: *Front Desk Controller*

OLD: *Typist*
NEW: *Printed Document Handler*

OLD: *Messenger*
NEW: *Business Communication Conveyer*

OLD: *Window Cleaner*
NEW: *Transparent Wall Technician*

OLD: *Temporary Teacher*
NEW: *Associate Teacher*

OLD: *Tea Boy*
NEW: *Refreshment Director*

OLD: *Garbage Collector*
NEW: *Environmental Sanitation Technician*

OLD: *Guard*
NEW: *Security Enforcement Director*

OLD: *Prostitute*
NEW: *Practical Sexual Relations Officer*

OLD: *Thief*
NEW: *Wealth Relocation Officer*

OLD: *Driver*
NEW: *Automobile Propulsion Specialist*

OLD: *Maid*
NEW: *Domestics Managing Director*

OLD: *Cook*
NEW: *Food Chemist*

OLD: *Gossip*
NEW: *Oral Research and Evaluation Director*

Which one got you more?

That log4j RCE is some fucking nasty business!!! Its exploits have already been observed multiple times in our company scope.

Time for some unplanned Saturday evening hot-patches :/

P.S. Why the fuck leave such a feature enabled as default??? I mean really, whose brilliant idea was "let's leave the message parser enabled as well as the LDAP query hooks... BY FUCKING DEFAULT!!!"

I mean really, is anyone using that? ANYONE?

And then they laugh at me when I say "stay away from frameworks", "use as little libraries as possible", "avoid foreign code in your codebase",...

you know what.... JOKE'S ON YOU!

My CTO prefers to hire very expensive consultants than to trust on staff. It's funny, because he also decided that all technical teams should run on the absolute minimal amount of resources.

You can't imagine how shitty it felt this morning when he sent an email talking about a security consultant that we should hire, just because he thinks the guy could "take our expertise to the next level".
They will charge us 450/hour to run assessments, to find the exact same things my team discovered a year ago.

Working in security for many years only granted me world-class paranoia about taking pictures of myself and my family. It even made it hard to keep in touch with my friends as we don’t live in the same country anymore.

The good side is that it pays well enough to grant me a platinum foil hat.

!rant Security training at work comes in the form of a serialized TV show where each episode concerns some security topic kind of tangentially and ends with a “REMEMBER… “ followed by the lesson you were supposed to get from the episode.

I kind of love it. A lot. I actually look forward to security training, and I’m not the only one. They stagger the release so you can’t binge watch all the seasons at once and you get three episodes at a time. 😂

I found this old printout of my username and password for my school account from ca 2008. I really like how the password are the same as the username except for some capitalization 😂😅

“sECurItY”

Registering a new account for microsoft teams:
`Your password cannot contain a space, &# characters combination, or the following characters: < >`

Are they storing the passwords in plain text? Are they not sanitizing the input? Why the fuck would they care if I put motherfucking emojis in my password? What the fuck are you doing to the passwords, Microsoft? TELL ME.

So it turns out that one of our systems is so fucking old that its Log4j is off the hook. What they say of blessings being disguised as curses is real.

I dont understand the Log4j vulnerability.

Isnt the ability to execute code a feature they added so that you can add dynamic data to the logs?

If it is a feature then isnt it written in the documentation?

Is the problem that a lot of companies forgot to sanitize the input before logging it?

New job. Almost all sites are blocked due to "security"... even spotify. I can' listen to the music. Fortunately i have access to dev rant xd

Yesterday, the Project Manager forwarded an email from a staff member who worked on a donations campaign. Staff member was confused about a Cloudflare challenge that appeared before the user was sent to the donation page. It’s a less than 5 second JavaScript check. He thought it looked fishy.

I had to explain that it’s a security measure that’s been up for almost a month. PM knows this but left it to me to explain because ownership of the site is on me. The donations page and api gets hit by a lot of bots because it’s a public api and there are no security measures like captchas to deter the bots. I’m inheriting this website and I didn’t build it.

Staff member says other staff want to know if the Cloudflare page can be customized so it looks more legit. Um, Cloudflare is a widely known legit service. Google it.

A few thoughts pop into my head:

1. Engineering communicated to stakeholders about the Cloudflare messaging a month ago.

2. Wow, stakeholders don’t share relevant info with their staff who aren’t on these emails.

3. Woooow, stakeholders and staff don’t look at the website that often.

Salesforce lightning web components have such bullshit limitations that they claim is because of security but it's just because it's overengineered garbage.

Want to use web components? Nope.

Want to pass in a value to a function in a click listener expression? Nope.

Want to use scss? Nope, compile it to css yourself.

Want to use the fucking document object? Guess what it's overridden except for very specific third party frameworks.

Who in the fuck thought it was a good idea to override the document object? Your app isn't more secure, literally the entire internet uses the document object and it still becomes available in runtime anyway so what the fuck??

LWC is the biggest garbage I've ever seen, you know a framework's a big red flag when there are developers solely for the framework.

There is a new security release coming out that apparently removes some of these nuances (understatement) so there might be some light at the end of the tunnel.

Real conversation with my shit bank
Me: Hey, I want to change the phone number associated with my card because I no longer have access to it. (aka stolen). I can't find the option to do so on your website anymore.
Them: Yeah, for security reasons you now have to come down to the bank (which involves standing in line for anywhere between 40 minutes and 2 hours) to do that simple change.

The actual fuck.

Jesus christ I need my VP and CIO to get their hands out of Azure and GCP and just let me work.

Yes, governance and security and IAM are big deals. That's why you have infraops people like me to deal with that.

I'm literally working with one hand tied behind my back because just about every button press or CLI command I need to do my damn job as a professional cloud fluffer requires me to go bother an executive and ask permission to pretty please can I deploy a new container, can you go press the shiny button? No not that one, move your mouse up...up..now UP..ok over lef-no..can I have mouse control? Sigh fine, do you see where it says "Approvers", no that says "Release Pipeline"

Look I actually kinda like this job, I do, in as much as when I have something to do I get left the fuck alone to do it. Meetings are minimal, aside from the odd days when one of our app services decides to yeet itself into the river Styx, there's little distractions.

Yeah, developers do dumb shit but that's probably best left to the notion of job security and never talked about again less they go to HR and complain that the ops guy was very stern and direct and made the developer take some accountability for their work product.

AND YET

It's so intergalactically stupid that I have to go ask permission just to do ops tasks by the same people barging down my goddamn door asking why the ops task isn't done yet.

"Because you won't give me permissions in GCP to actually DO anything".

Okay. Rant over. Time for lunch. Good meeting, see you all at the holiday party.

I was on Instagram and I saw a boy advertising to sell 5k followers and I was wondering, how do they do that? Can they programmically create and control those accounts? I know they can use the Instagram API to some degree but I feel like Instagram probably has security set up to detect that type of stuff (5k accounts following someone at the same time, etc). Does anybody know? I’m actually really curious

I'm trying to reach Alice but none of my messages get through. Maybe Eve has something to do with it 🤔

A customer specialising in identification and security solutions called today, claiming "they" found malware on their website. Then they provided a weird link to some shady malware scanner, and the "malware" turned to be a <noscript> tag which adds ?noscript to the page url, so we can serve no-JS optimised content. As a bonus, the scanner only detected it on two URLs, even though every single page on the site contains that same line of code.

Joke's on them, have fun paying for priority support outside of the business hours for nothing.

After brute forced access to her hardware I spotted huge memory leak spreading on my key logger I just installed. She couldn’t resist right after my data reached her database so I inserted it once more to duplicate her primary key, she instantly locked my transaction and screamed so loud that all neighborhood was broadcasted with a message that exception is being raised. Right after she grabbed back of my stick just to push my exploit harder to it’s limits and make sure all stack trace is being logged into her security kernel log.
Fortunately my spyware was obfuscated and my metadata was hidden so despite she wanted to copy my code into her newly established kernel and clone it into new deadly weapon all my data went into temporary file I could flush right after my stick was unloaded.
Right after deeply scanning her localhost I removed my stick from her desktop and left the building, she was left alone again, loudly complaining about her security hole being exploited.
My work was done and I was preparing to break into another corporate security system.
- penetration tester diaries

I always hated in school computing lessons when the teachers pet students would snitch on you for getting around the school network stuff.

Many people in the lesson would always play games instead of doing what they were meant to. So the teacher turned off the internet in the room using the admin control stuff. Then when I found a way around it all so I could watch some educational YouTube videos, the stupid teachers pet would snitch on me. Luckily the teacher knew I wasn’t using it to mess around, always felt good when he said that I could access it because I’m the biggest security threat to the school.

Did you ever have issues with snitches in computing lessons?

*Frustrated user noises* Whyyyy, Grafana, why don't you implement any actual query forgery checks?!

So long as a user has access to the Grafana frontend, they can happily forge the requests going off to the backend, and modify them to return *whatever* data they want from the datasource.

No matter that they're a read-only user. That only stops them from modifying the dashboard definitions on the frontend, but doesn't enforce any sort of immutability on the BE...

If anyone had any tips on how to further secure it, I'm curious...

We should find a way to replace passwords: any password manager which I tried is inaccurate in identifying login forms and is too hard to use for non technical people older than 40 and convince people to not use some stupid name + birth year combination as their passwords is a frustrating uphill battle.

Thats top notch design.
All actions happening on the page go to one endpoint. Removing old trusted computers, changing the password, changing 2FA, you name it.

Now if you want to remove all old trusted devices, you cannot remove all at once, there is no button for it. So you click one after the other. And then it stops working. Ok, then do the normal password rotation. Hmm, button has a loading spinner and then nothing happens.

Looking into the browser console:
- All requests go to /myaccount/security/graphql
- All requests get a 429 Too many requests
- Even if you just click a panel, it tracks the action to the graphql endpoint. Or at least tries to because even that gets shot down with a 429

Pretty dumb, eh? Must be some small shitty website. It's not. It's fucking paypal.

So, I've been with my current employer four years now, three and a half of which have been spent working as a time material developer for a huge fashion company. I've been trying to get out of It for the past six months only for my exit to be postponed everytime. There's also no clear idea as to what I would be moved to, going forward. Nobody Is telling me a thing and I think other developers will be moved to different projects before I do.

That's why I took matters into my own hands and started getting back into the recruitement process. I'm about to receive an offer. A fairly better one.

The thing is, I wanna use such offer to see if my current employer can reedem himself and propose to me a good counter offer. I'm not in the mood of starting over, but I want security and management to have a fucking idea of what my future Is gonna be like at this fucking company.

What do you guys think? Am I playing with Fire?

A question to all software security specialists of devRant. Please, take it serious.

Is it fundamentally possible to restrict a SQL database like Postgres in a way that unintended SQL queries are impossible to execute? Perhaps in some kind of whitelist fashion. Is it possible to achieve the kind of security that will be just fine exposed to the outside world akin to "SQL queries in onClick handlers" scenario?

Or is this an uphill battle of never being able to moderate an infinite set of possible fraudulent queries?

A philosophical question about maintenance/updating.

There is no need to repeat the reasons we need to update our dependencies and our code. We know them/ especially regarding the security issues.
The real question is , "is that indicates a failure of automation"?

When i started thinking about code, and when also was a kid and saw all these sci fi universes with robots etc, the obvious thing was that you build an automation to do the job without having to work with it anymore. There is no meaning on automate something that need constant work above it.

When you have a car, you usually do not upgrade it all the time, you do some things of maintance (oil, tires) but it keeps your work on it in a logical amount.
A better example is the abacus, a calculating device which you know it works as it works.

A promise of functional programming is that because you are based on algebraic principles you do not have to worry so much about your code, you know it will doing the logical thing it supposed to do.
Unix philosophy made software that has been "updated" so little compared to all these modern apps.
Coding, because of its changeable nature is the first victim of the humans nature unsatisfying.

Modern software industry has so much of techniques and principles (solid, liquid, patterns, testing that that the air is air) and still needs so many developers to work on a project.
I know that you will blame the market needs (you cannot understand the need from the start, you have to do it agile) but i think that this is also a part of a problem .
Old devices evolved at much more slow pace. Radio was radio, and still a radio do its basic functionality the same war (the upgrades were only some memory functionalities like save your beloved frequencies and screen messages).

Although all answers are valid, i still feel, that we have failed. We have failed so much. The dream of being a programmer is to build something, bring you money or satisfaction, and you are bored so you build something completely new.

the red haired girl and the blue haired girl.

there was this story about a programmer who spent years studying computer science before finally getting a job.

the dev studied only computer science and was put on blue team after a few days.

a few hours into one of the constant coding sessions, the boss told the devs that red team members and blue team members would be working in pairs.

the person from red team transferred the devs work to their data base without the dev knowing, then locked down the devs computer. the dev could not do anything. later, the dev got fired for not doing any work. after that, the company got millions of dollars, and the dev did not see any of it.

both the dev and the managers made a note not to hire any programmer who cannot secure their work.

it is not ethical to teach people programming without also teaching them cyber security.

computer networking, programming and security should all be the same major.

it is a bad idea to teach people how to build anything without telling them how to secure it.

the story above was just a scenario, but it probably happens way more often than people think.

Schools should teach both things in the same major.

Every single time that I realised how much of my expertise sounds like vaporware to people, mostly management and C-level.

Have been working on security for quite some time now but seeing that I can't really get through make me feel useless and not worth my weight in shit.