Do all the things like ++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatarSign Up
Get a devDuck
Rubber duck debugging has never been so cute! Get your favorite coding language devDuckBuy Now
Search - "security check"
Long but worth it...
So I was cleaning out my Google Drive last night, and deleted some old (2 years and up) files. I also deleted my old work folder, it was for an ISP I worked for over 2 years ago. After deleting the files I had a little twinge of "Man I hope they're not still using those". But seriously, it'd be a pretty big security risk if I was still the owner of those files... right? Surely they copied them and deleted all the info from the originals. IP addresses, Cisco configs, username and passwords for various devices, pretty much everything but customer info.
Guess who I get a call from this morning... "Hi this is Debbie from 'ISP'. I was trying to access the IP Master List and I can't anymore. I was just told to call you and see if there's any way to get access to it again" (Not her real name...)
I had to put her on hold so I could almost die of laughter...
Me: "Sorry about that Debbie, I haven't worked for that company for over 2 years. Your telling me in all that time no one thought to save them locally? No one made a copy? I still had the original documents?!"
D: "Uh... Apparently not..."
Another long pause
D: "So is there any way you can give me access to them again?"
Me: "They're gone Debbie. I deleted them all last night."
D: Very worried voice "Can... Can you check?"
This kids is why you never assume you'll always have access to a cloud stored file, make local copies!!
A little bit of background on this company, the owner's wife fired me on trumped up "time card discrepancy" issues so she could hire her freshly graduated business major son. The environment over there was pretty toxic anyway...
I feel bad for "Debbie" and the other staff there, it's going to be a very bad week for them. I also hope it doesn't impact any customers. But... It is funny as hell, especially since I warned the owner as I was clearing out my desk to save copies, and plan on them being gone soon. Apparently he never listened.
This is why you should have a plan in place... And not just wing it...
PS. First Post!27
Me wanting to board Plane,
Goes through security Check...
"Sorry sir Laptops are not allowed."
"It could be a modified bomb"
"But this is a Tablet!"
"No sir, it has a Keyboard and Trackpad attached to it, its also running Windows..."
"Excuse me, but this is clearly a Tablet"
*Detatches Keyboard from Surface Book*
"Sorry sir, but no. You cant board the plane with this, only Tablets and Smartphones"
"WTF? you dont allow Laptops because they could be bombs but A FUCKING SMARTPHONE IS ALLOWED? AND TABLETS TOO?!"
"Yes, because the Battery is not removable..."
"But my Laptop Battery is also not Removable..."
"I dont have anymore Time for an Argument"
"So I can board the Plane?"
"No, the Ticket will be refunded"
WHO THE FUCK CAME UP WITH THIS BULLSHIT? LIKE RLY? WHO!!
I MEAN WHAT THE FUCK IS ALLOWED?!31
Happened a few weeks ago but still awesome.
Me and a good friend have a website together but we don't monitor it too much.
He studied with me in the same class but went towards frontend/apps where I chose backend/servers/security. He knows how to do basic Linux stuff but that's about it.
We were at a party when he noticed that our site was offline. Walked over to me (because I manage the server) to notify me so I could look into it said I'd look into it (phone):
*visits site: nothing*
*online dig tool: got the server ip*
*remembered this one didn't have pubkey authentication - after three passwords attempts I'm in*
"service apache2 status"
*service doesn't exist*
*right, migrated this one from Apache to nginx....*
*ah, an nginx restart probably suffices...*
"service nginx restart"
BAM, site is reachable again.
*god damnit, lets encrypt cert expired...*
*sees command with certbot and our domain both in one*
*20 seconds later: success message*
*service nginx reload*
BAM, site works securely again.
"Yo mate, check the site again"
Mate: 😶 w-w-what? *checks site and his watch* you started less than two minutes ago...?
Mate: 😶 now this is why YOU manage our server and I don't 😐
His face was fucking gold. It wasn't that difficult for me (I do this daily) but to him, I was a God at that moment.
Awesome moment 😊27
A former colleague made an online shopping app. Boss wanted to promote him to Senior Developer when he still working with us.
14 days ago another colleague checked the code and told the boss that it's ready for production. No one asked me because everyone in the company thinks am the stupid developer of them all.
So what happened?
Well the total value of the cart was being over to payment gateway using a hidden field. Well you know the rest of the story.
The client has sued our company for this issue and boss came running to me and asked me to check if it was our fault or something else.
I checked and found the hidden value where the total value of cart was being stored and send over to payment gateway. The following is the conversation between me and the colleague who checked the code:
Me: So you checked the code and everything was okay?
Him: Yes, all good.
Me: Did you see this hidden field where the total value of cart is being passed to the payment gateway?
Me: Why didn't you fix this?
Him: What's there to fix?
Me: Well someone can temper the value and let it pass to the payment gateway.
Him: No, they can't we are using https
Me: I' am done with you
He has Masters in software engineering and has few security certificates.25
And here comes the last part of my story so far.
After deploying the domain, configuring PCs, configuring the server, configuring the switch, installing software, checking that the correct settings have been applied, configuring MS Outlook (don't ask) and giving each and every user a d e t a i l e d tutorial on using the PC like a modern human and not as a Homo Erectus, I had to lock my door, put down my phone and disconnect the ship's announcement system's speaker in my room. The reasons?
- No one could use USB storage media, or any storage media. As per security policy I emailed and told them about.
- No one could use the ship's computers to connect to the internet. Again, as per policy.
- No one had any games on their Windows 10 Pro machines. As per policy.
- Everyone had to use a 10-character password, valid for 3 months, with certain restrictions. As per policy.
For reasons mentioned above, I had to (almost) blackmail the CO to draft an order enforcing those policies in writing (I know it's standard procedure for you, but for the military where I am it was a truly alien experience). Also, because I never trusted the users to actually backup their data locally, I had UrBackup clone their entire home folder, and a scheduled task execute a script storing them to the old online drive. Soon it became apparent why: (for every sysadmin this is routine, but this was my first experience)
- People kept deleting their files, whining to me to restore them
- People kept getting locked out because they kept entering their password WRONG for FIVE times IN a ROW because THEY had FORGOTTEN the CAPS lock KEY on. Had to enter three or four times during weekend for that.
- People kept whining about the no-USB policy, despite offering e-mail and shared folders.
The final straw was the updates. The CO insisted that I set the updates to manual because some PCs must not restart on their own. The problem is, some users barely ever checked. One particular user, when I asked him to check and do the updates, claimed he did that yesterday. Meanwhile, on the WSUS console: PC inactive for over 90 days.
I blocked the ship's phone when I got reassigned.
Phiew, finally I got all those off my chest! Thanks, guys. All of the rants so far remind me of one quote from Dave Barry:8
Wow, just wow.
The Dutch national security spy agency and also their military one are complaining that the organisation that was brought to life to check if they don't spy on innocent people (and execute illegal hacks and overstep their surveillance powers etc) is investigating too much and asking too many technical questions relating to ongoing operations.
Well, this shows that this is necessary apparently! I'm glad this organisation is doing their job.
Oh, the irony.12
This rant is a confession I had to make, for all of you out there having a bad time (or year), this story is for you.
Last year, I joined devRant and after a month, I was hired at a local company as an IT god (just joking but not far from what they expected from me), developer, web admin, printer configurator (of course) and all that in my country it's just called "the tech guy", as some of you may know.
I wasn't in immediate need for a full-time job, I had already started to work as a freelancer then and I was doing pretty good. But, you know how it goes, you can always aim for more and that's what I did.
The workspace was the usual, two rooms, one for us employees and one for the bosses (there were two bosses).
Let me tell you right now. I don't hate people, even if I get mad or irritated, I never feel hatred inside me or the need to think bad of someone. But, one of the two bosses made me discover that feeling of hate.
He had a snake-shaped face (I don't think that was random), and he always laughed at his jokes. He was always shouting at me because he was a nervous person, more than normal. He had a tone in his voice like he knew everything. Early on, after being yelled for no reason a dozen of times, I decided that this was not a place for me.
After just two months of doing everything, from tech support to Photoshop and to building websites with WordPress, I gave my one month's notice, or so I thought. I was confronted by the bosses, one of which was a cousin of mine and he was really ok with me leaving and said that I just had to find a person to replace me which was an easy task. Now, the other boss, the evil one, looked me on the eye and said "you're not going anywhere".
I was frozen like, "I can't stay here". He smiled like a snake he was and said "come on, you got this we are counting on you and we are really satisfied with how you are performing till now". I couldn't shake him, I was already sweating. He was rolling his eyes constantly like saying "ok, you are wasting my time now" and left to go to some basketball practice or something.
So, I was stuck there, I could have caused a scene but as I told you, one of the bosses was a cousin of mine, I couldn't do anything crazy. So, I went along with it. Until the next downfall.
I decided to focus on the job and not mind for the bad boss situation but things went really wrong. After a month, I realised that the previous "tech guy" had left me with around 20 ancient Joomla - version 1.0 websites, bursting with security holes and infested with malware like a swamp. I had never seen anything like it. Everyday the websites would become defaced or the server (VPN) would start sending tons of spam cause of the malware, and going offline at the end. I was feeling hopeless.
And then the personal destruction began. I couldn't sleep, I couldn't eat. I was having panick attacks at the office's bathroom. My girlfriend almost broke up with me because I was acting like an asshole due to my anxiety issues (but in the end she was the one to "bring me back"(man, she is a keeper)) and I hadn't put a smile on my face for months. I was on the brink of depression, if not already there. Everyday I would anxiously check if the server is running because I would be the one to blame, even though I was trying to talk to the boss (the bad one was in charge of the IT department) and tell him about the problem.
And then I snapped. I finally realised that I had hit rock bottom. I said "I can't let this happen to me" and I took a deep breath. I still remember that morning, it was a life-changing moment for me. I decided to bite the bullet and stay for one more month, dealing with the stupid old server and the low intelligence business environment. So, I woke up, kissed my girlfriend (now wife), took the bus and went straight to work, and I went into the boss's office. I lied that I had found another job on another city and I had one month in order to be there on time. He was like, "so you are leaving? Is it that good a job the one you found? And when are you going? And are you sure?", and with no hesitation I just said "yup". He didn't expect it and just said "ok then", just find your replacement and you're good to go. I found the guy that would replace me, informing him of every little detail of what's going on (and I recently found out, that he is currently working for some big company nowadays, I'm really glad for him!).
I was surprised that it went so smoothly, one month later I felt the taste of freedom again, away from all the bullshit. Totally one of the best feelings out there.
I don't want to be cliche, but do believe in yourself people! Things are not what the seem.
With all that said, I want to give my special thanks to devRant for making this platform. I was inactive for some time but I was reading rants and jokes. It helped me to get through all that. I'm back now! Bless you devRant!
I'm glad that I shared this story with all of you, have an awesome day!17
*Me working on the security system of the notes app thingy*
"hmm, should check if a users' ip is valid, let's look for some online services..."
*can't find a good one without rate limits*
*hold on, I wrote one myself 🤣*
I am so fucking retarded sometimes.7
Another incident which made a Security Researcher cry 😭😭😭
[ NOTE : Check my profile for older incident ]
I was invited by a fellow friend to a newly built Cyber Security firm , I didn't asked for any work issues as it was my friend who asked me to go there . Let's call it X for now . It was a good day , overcast weather , cloudy sky , everything was nice before I entered the company . And the conversation is as follows :
Fella - Hey! Nice to see you with us .
Me - Thanks! Where to? *Asking for my work area*
Fella - Right behind me .
Me - Good thing :)
Fella - So , the set-up is good to go I suppose .
Me - Yeah :)
*I'm in my cabin and what I can see is a Windows VM inside Ubuntu 12.4*
*Fast forward to 1 hour and now I'm at the cafeteria with the Fella*
Fella - Hey! Sup? How was the day?
Me - Fine *in a bit confused voice*
Fella - What happened mate , you good with the work?
Me - Yeah but why you've got Windows inside Ubuntu , I mean what's the use of Ubuntu when I have to work on Windows?
Fella - Do you know Linux is safe from Malwares?
Me - Yeah
Fella - That's why we are using Windows on VM inside Linux .
Me - For what?
Fella - To keep Windows safe from Malwares as in our company , we can't afford any data loss!
Me - 😵 *A big face palm which went through my head and hit another guy , made me a bit unconscious*
I ran for my life as soon as possible , in future I'm never gonna work for anyone before asking their preferences .9
Well, here's the OS rant I promised. Also apologies for no blog posts the past few weeks, working on one but I want to have all the information correct and time isn't my best friend right now :/
Anyways, let's talk about operating systems. They serve a purpose which is the goal which the user has.
So, as everyone says (or, loads of people), every system is good for a purpose and you can't call the mainstream systems shit because they all have their use.
Last part is true (that they all have their use) but defining a good system is up to an individual. So, a system which I'd be able to call good, had at least the following 'features':
- it gives the user freedom. If someone just wants to use it for emailing and webbrowsing, fair enough. If someone wants to produce music on it, fair enough. If someone wants to rebuild the entire system to suit their needs, fair enough. If someone wants to check the source code to see what's actually running on their hardware, fair enough. It should be up to the user to decide what they want to/can do and not up to the maker of that system.
- it tries it's best to keep the security/privacy of its users protected. Meaning, by default, no calling home, no integrating users within mass surveillance programs and no unnecessary data collection.
- Open. Especially in an age of mass surveillance, it's very important that one has the option to check the underlying code for vulnerabilities/backdoors. Can everyone do that, nope. But that doesn't mean that the option shouldn't be there because it's also about transparency so you don't HAVE to trust a software vendor on their blue eyes.
- stability. A system should be stable enough for home users to use. For people who like to tweak around? Also, but tweaking *can* lead to instability and crashes, that's not the systems' responsibility.
Especially the security and privacy AND open parts are why I wouldn't ever voluntarily (if my job would depend on it, sure, I kinda need money to stay alive so I'll take that) use windows or macos. Sure, apple seems to care about user privacy way more than other vendors but as long as nobody can verify that through source code, no offense, I won't believe a thing they say about that because no one can technically verify it anyways.
Some people have told me that Linux is hard to use for new/(highly) a-technical people but looking at my own family and friends who adapted fast as hell and don't want to go back to windows now (and mac, for that matter), I highly doubt that. Sure, they'll have to learn something new. But that was also the case when they started to use any other system for the first time. Possibly try a different distro if one doesn't fit?
Problems - sometimes hard to solve on Linux, no doubt about that. But, at least its open. Meaning that someone can dive in as deep as possible/necessary to solve the problem. That's something which is very difficult with closed systems.
The best example in this case for me (don't remember how I did it by the way) was when I mounted a network drive at boot on windows and Linux (two systems using the same webDav drive). I changed the authentication and both systems weren't in for booting anymore. Hours of searching how to unfuck this on windows - I ended up reinstalling it because I just couldn't find a solution.
On linux, i found some article quite quickly telling to remove the entry for the webdav thingy from fstab. Booted into a root recovery shell, chrooted to the harddrive, removed the entry in fstab and rebooted. BAM. Everything worked again.
So yeah, that's my view on this, I guess ;P32
Ex-boss (who boasted 20 years of programming exp.) Would not let us work on a web project saying we didn't have enough experience and said he'd do it alone... Fast forward to 3 days before presenting to client, we get to check the log in interface and immediately find that there's no actual security, no validation... Just 2 text boxes with hard coded users and no way to add more without creating them in db... And if you knew the next page's URL you can actually skip the login... Needless to say he was removed from the project that instant and we (interns at the time) had to do everything from scratch. A 3 months project done in 2 days. Never been more stressed in my life :'(11
OH MY GOD
WHO NAMES A CONFERENCE ROOM AFTER AN -ADDRESS-??
At my new job, we had all day training on Friday. It was emphasized many times that we should not be late. I look at the meeting invite many times, and it says [123 Fake], with Fake being a Very Well Known Street, and I see on Google Maps that there's an office building there. Great, we must have an off-site training facility to help our clients become certified in our product. It doesn't say which floor, but I assume the small space we have in that large office building will become evident once I check in with lobby security.
Friday morning comes, I get to the office building 20 minutes early, and try to check in. They've never heard of my company. Maybe there's a computer lab we rent out? No, they don't know anything about that. I don't have work email or slack set up on my phone yet, so who do I call? I try reception, no one answers. Eventually I call our customer support line.
I shouldn't be at 123 Fake St. I should be at the office. Because that's the name of the conference room!
YOU HAD ONE JOB, ROOM NAMER!
Last night my boyfriend and I tried to think of worse names for conference rooms. The only ones I could think of were "meeting canceled" (but with that, at least I would be in the correct fucking building!) or just naming every conference room "conference room". Here's the thing: there's not just one 123 Fake St room! There's two of them right next to each other! So you can easily show up and think, I remember I was supposed to be in this room, but which one?
And I'm not even the first person to make this mistake. CLIENTS have gone to the wrong building before because they get included on meeting invitations that include conference room names! WTF!
It's pretty common to have Chicago conference rooms named after neighborhoods, or iconic buildings, etc. But nobody is going to think, "meeting in Bucktown? I'll just wander around the neighborhood until I find people with laptops". It's obviously a conference room. BUT A FUCKING ADDRESS OF A NEARBY OFFICE BUILDING? It's not even an iconic of a building!
Names matter. I care a lot about names in code. I never realized it could apply to the physical world as well. So now I am on a mission to change the names of these Goddamm conference rooms so I'm the last person to be directed to the wrong fucking building.
OH, and I'm out $9 for a taxi ride and a pair of gloves that got lost in the taxi so that's GREAT.17
The best I have seen and exploited was years ago with a web shop that allowed me to set my own check-out price by just inspecting the element and setting the desired price. It just happily advanced to the next step where they invoked the payment provider with my custom price. Unfortunately the shop doesn't exist anymore. I have encountered many more security leaks but this one was so easy and lucrative to exploit.3
The stupid stories of how I was able to break my schools network just to get better internet, as well as more ridiculous fun. XD
It was my freshman year in college. The internet sucked really, really, really badly! Too many people were clearly using it. I had to find another way to remedy this. Upon some further research through Google I found out that one can in fact turn their computer into a router. Now what’s interesting about this network is that it only works with computers by downloading the necessary software that this network provides for you. Some weird software that actually looks through your computer and makes sure it’s ok to be added to the network. Unfortunately, routers can’t download and install that software, thus no internet… but a PC that can be changed into a router itself is a different story. I found that I can download the software check the PC and then turn on my Router feature. Viola, personal fast internet connected directly into the wall. No more sharing a single shitty router!
This was about the year when bitcoin mining was becoming a thing, and everyone was in on it. My shitty computer couldn’t possibly pull off mining for bitcoins. I needed something faster. How I found out that I could use my schools servers was merely an accident.
I had been installing the software on every possible PC I owned, but alas all my PC’s were just not fast enough. I decided to try it on the RDS server. It worked; the command window was pumping out coins! What I came to find out was that the RDS server had 36 cores. This thing was a beast! And it made sense that it could actually pull off mining for bitcoins. A couple nights later I signed in remotely to the RDS server. I created a macro that would continuously move my mouse around in the Remote desktop screen to keep my session alive at all times, and then I’d start my bitcoin mining operation. The following morning I wake up and my session was gone. How sad I thought. I quickly try to remote back in to see what I had collected. “Error, could not connect”. Weird… this usually never happens, maybe I did the remoting wrong. I went to my schools website to do some research on my remoting problem. It was down. In fact, everything was down… I come to find out that I had accidentally shut down the schools network because of my mining operation. I wasn’t found out, but I haven’t done any mining since then.
As an engineering student I found out that all engineering students get access to the school’s VPN. Cool, it is technically used to get around some wonky issues with remoting into the RDS servers. What I come to find out, after messing around with it frequently, is that I can actually use the VPN against the screwed up security on the network. Remember, how I told you that a program has to be downloaded and then one can be accepted into the network? Well, I was able to bypass all of that, simply by using the school’s VPN against itself… How dense does one have to be to not have patched that one?
It was another programming day, and I needed access to my phones memory. Using some specially made apps I could easily connect to my phone from my computer and continue my work. But what I found out was that I could in fact travel around in the network. I discovered that I can, in fact, access my phone through the network from anywhere. What resulted was the discovery that the network scales the entirety of the school. I discovered that if I left my phone down in the engineering building and then went north to the biology building, I could still continue to access it. This seems like a very fatal flaw. My idea is to hook up a webcam to a robot and remotely controlling it from the RDS servers and having this little robot go to my classes for me.
What crazy shit have you done at your University?9
Me : *Logs in to Microsoft account to delete account*
MS: Eeeeeeeee, Add a recovery email or a number!!
Me: Wth! I want to delete my account, why would I give details of one more account.
*sees there is no skip button*
*Opens temp mail and gives temp email*
MS: Eeeeee, Now add recovery phone number!!!
Me: What the actual fuck!! No!
*Refreshes and its gone*
Me : *clicks on delete account*
MS: Eeeeee, we are sad , you will loose all data. also your synced device won't start unless you set 'reset protection' to 'disable'.
Me: Hmmmm, deceptive, how do I disable this reset protection.
MS: click here : link
Me: *Clicks to open devices, there is no fucking option called reset protection*
*Dafuq!! You wanna get complicated? Ok! Fine!! Get this now!
*Removes the account from every fucking thing from my system, one drive, store and what not*
*Disable this shit now*
MS: ok, disabling, please check the security code on your temp email!
Me: Glad I didn't close the temp email tab, here, do your shit now!
MS: Are you sure?
MS: Really sure?
Me: ..... Yes
MS: We have flagged for deletion, but if you want to activate back click on the only button we show you on the entire screen.
Me: I know these games of yours. They stand no chance in front of my awareness!!
Boss hands over to me an old security audit report and tells me "Go through this and check if all the problems mentioned have been resolved". Quick glance through the report shows all expected issues - SQLi, plaintext transmission and storage etc. I tell him that I need access to the application both from admin and a user with restricted privileges.
He hands me the admin credentials and tells me, "After you login in, just go the "Users" tab. You'll find the profiles of all the users there. You can get the emails and passwords of any user you want from there."
I had to hold back a chuckle. There's nothing to verify. If they haven't resolved storing plain text passwords in the database (AND displaying it IN PLAIN TEXT in the website itself (which to my surprise wasn't mentioned in the audit)), they probably haven't even looked at the report.2
> Get on Deutsche Bahn train
> Train delayed
> Miss Eurostar connection (not just me, many people did too), get the next one
> Building works in Brussels Station
> Maps inaccurate
> Get lost
> Find Eurostar terminal
> Electricity failure
> Check-in suspended
> After 40min, announcement
> This train cancelled, get the next one
> Electricity fixed
> Check in, finally
> Now 2½ trains worth of people need to get on this one
> Somehow fit on train
> Lose table because family needs it (fair, but annoying)
> Train departs
> More delays due to scheduling conflict
> Arrive in Lille Europe
> Stop for 10 minutes for no reason
> Announcement: "there is an illegal passenger on board, everyone and their luggage needs to get off"
> Get off train, stand on platform for a decade
> "Who has left an orange bag on coach 18?"
> They bring the bag out
> It's red, not orange
> "Oh it's mine, sorry" - some woman
> Wait around for ages
> "Everybody go downstairs and go through security again"
> Go through security and passport control
> Get back on train
> Arrive at St. Pancreas
> Last train to where I live has gone
> Woohoo, I get to pay for an expensive hotel in London
> Get rail replacement bus service home
> Home 😒13
Security rant ahead - you have been warned.
It never fails to amuse and irritate me that, despite being in the 2019 supposed information age, people still don't understand or care about their security.
I've travelled to a lot of ports and a lot of countries, but, at EVERY port, without fail, there will be at least one wifi that:
- Has default name/password that has been cracked already (Thomson/SpeedTouch/Netfaster etc)
- Has a phone number as password (reduces crack time to 15-30 mins)
- Someone, to this day, has plain old WEP
I am not talking about cafeteria/store wifi but home networks. WTF people?! I can check my email (through VPN, of course) but it still bugs me. I have relented to try and snoop around the network - I can get carried away, which is bad. Still...
The speed is great though :P9
So today I basically "lost" the chance to enter this remarkable security StartUp. The dream made true... a couple of Python nice scripts, the logic test that wasn't that big, everything was going well.
I met the CEO, damn! He seems to be a great dude. But suddenly, a wild co-founder appeared.
The dude started to talk about money and how he didn't perceive me as a Senior developer (not even if my results were telling him the oppositive); he ended up with: you seemed to be Mid-advance.
I was like: Ok, I understand. Wasn't that big because I knew that I could have demonstrated my skills.
Then he asked about my salary expectations, I answered to him my realistic expectations, that to be honest, it wasn't a lot of damn money! Because, I really was expecting a chance to learn more, have bigger challenges, bring value, etc.
He said: Okay let me check this with my partner. But, that was a week ago.
Anyway, today I received an email from the CEO, with the typical apologize telling me that the vacancy will be paused by the moment.
Oh, I didn't mention that one friend of mine is working there and he told me a couple of hours ago that they have hired a Junior developer because he was willing to accept what they wanted to pay him. Puff it broke my heart, but I wish him luck because even though I was dying to be on that security StartUp, I’m not at the point to accept a misery of money to work harder, I just felt frustrated with that stingy guy.14
Currently working on the privacy site CMS REST API.
For the curious ones, building a custom thingy on top of the Slim framework.
As for the ones wondering about security, I'm thinking out a content filtering (as in, security/database compatibility) right now.
Once data enters the API, it will first go through the filtering system which will check filter based on data type, string length and so on and so on.
If that all checks out, it will be send into the data handling library which basically performs all database interactions.
If everything goes like I want it to go (very highly unlikely), I'll have some of the api actions done by tonight.
But I've got the whole weekend reserved for the privacy site!20
A Month ago...
Me: when are you going to complete the report
Friend: we can do it in minutes
Me: you can't Ctrl + c and Ctrl +v as there is plagiarism check
Friend: we have spin bot
Me: you do that now itself . if something happens? You can join me .
Friend: just chill
Me: done with report
Friend: feeding it to spin bot!
Feeds text related to database security....
Garbage collector == city worker
SQL statements == SQL explanation
SQL queries == SQL interrogation
SQL injection == SQL infusion
Attack == assault
Malicious == noxious
Data integrity == information uprightness
Sensitive == touchy
Me: told you so...
**spin not == article rewriter3
Warning: long read....
I got a call this morning from a client who was panicking about not being able to login to his web panel.
So I went to the web panel and tried to login and was just redirected back to the login page. No errors or anything (at least visible on the page). Went looking for an error_log file and found it.
It turns out there was an error was showing: Disk quota exceeded.
So I went into the cPanel and checked, he used about 16GB out of 100GB and that got me confused. So I looked around and found out he was using about 510000/500000 inodes.
Went looking trough FTP to see where he has so many files and try and remove some.
Well it turns out that there were about 7 injected websites (warez, online casino, affiliate one etc) and a full hacking web panel on his FTP. After detailed analysis some who actually built the site (I just maintain some parts) made an upload form available to public with any checks on it. Meaning anyone could upload whatever they wanted and the form would allow it.
The worst part is that the client is not allowing us to secure the form with some sort of login or remove it completely (the best option) as it is not really needed but he uses it to upload some pdf catalogs or something.
Old programmer created an upload form that was accessible to anyone on the web without adding any security or check as to see what kind of files was getting uploaded. Which lead to having maximum number on inodes used on server and client being unable to login.
And ofc I had to go and fix the mess behind him again, even though he stopped working a long time ago and I started just recently and have been having nightmares of this project.2
I'm trying to install a minecraft modpack to play with a friend, and I'm super psyced about it. According to the modpack instructions, the first step is to download the java8 jre. Not sure if I actually need it or not, but it can download while I'm doing everything else, so I dutifully go to the download page and find the appropriate version. The download link does point to the file, but redirects to a login page instead. Apparently I need an oracle account to download anything on their site. stupid.
So I make an account. It requires my life story, or at least full name and address and phone number. stupid. So my name is now "fuck off" and I live in Hell, Michigan. My email is also "gofuckyourself" because I'm feeling spiteful. Also, for some reason every character takes about 3/4ths of a second to type, so it's very slow going. Passwords also cannot contain spaces, which makes me think they're doing some stupid "security" shenanigans like custom reversible encryption with some 5th grade math. or they're just stupid. Whatever, I make the stupid account.
On a whim later, I check for the verification email again. Apparently it just takes bloody forever, but it did show up. Except instead of the first name "Fuck" I entered, I'm now "Andrew", apparently. okay.... whatever. I click the verify button anyway, and to my surprise it actually works, and says that I'm now allowed to use my account. Yay!
So, I go back to the login page (from the download link) and enter my credentials. A new error appears! I cannot use redirects, apparently, and "must type in the page address I want to visit manually." huh? okay, i go to the page directly, and see the same bloody error because of course i do because oracle fucking sucks. So I close the page, go back to the download list, click the link, wait for the login page redirect (which is so totally not allowed, apparently, except it works and manual navigation does not. yay backwards!), and try to log in.
Instead of being presented with an error because of the redirect, it lets me (try to) log in. But despite using prefilled creds (and also copy/pasting), it tells me they're invalid. I open a new tab container, clear the cache (just to be thorough), and repeat the above steps. This time it redirects me to a single signon server page (their concept of oauth), and presents me with a system error telling me to contact "the Administrator." -.- Any second attempts, refreshes, etc. just display the same error.
Further attempts to log in from the download page fail with the same invalid credentials error as before.
Fucking oracle and their reverse Midas touch.11
I had some voucher codes for a website, which a worth a night at a hotel of your choice. This website has a function to check, whether your voucher codes are still valid. Because the website got stuck, i opened the dev console in firefox to find the reason. I found something different: behind the check function was an GET service. Very simple thing, without authentication or flood protection. So i built a python script and brute forced that thing. After a couple of hours, i had round about 20 valid codes. So i wrote to the support team and they were really glad about this. They fixed this within 2 weeks and gave me some amazon gift codes and an job offer. That was my badass moment. Very interesting, that a medium sized, international company could have so simple security issues.5
The website for our biggest client went down and the server went haywire. Though for this client we don’t provide any infrastructure, so we called their it partner to start figuring this out.
They started blaming us, asking is if we had upgraded the website or changed any PHP settings, which all were a firm no from us. So they told us they had competent people working on the matter.
TL;DR their people isn’t competent and I ended up fixing the issue.
Hours go by, nothing happens, client calls us and we call the it partner, nothing, they don’t understand anything. Told us they can’t find any logs etc.
So we setup a conference call with our CXO, me, another dev and a few people from the it partner.
At this point I’m just asking them if they’ve looked at this and this, no good answer, I fetch a long ethernet cable from my desk, pull it to the CXO’s office and hook up my laptop to start looking into things myself.
IT partner still can’t find anything wrong. I tail the httpd error log and see thousands upon thousands of warning messages about mysql being loaded twice, but that’s not the issue here.
Check top and see there’s 257 instances of httpd, whereas 256 is spawned by httpd, mysql is using 600% cpu and whenever I try to connect to mysql through cli it throws me a too many connections error.
I heard the IT partner talking about a ddos attack, so I asked them to pull it off the public network and only give us access through our vpn. They do that, reboot server, same problems.
Finally we get the it partner to rollback the vm to earlier last night. Everything works great, 30 min later, it crashes again. At this point I’m getting tired and frustrated, this isn’t my job, I thought they had competent people working on this.
I noticed that the db had a few corrupted tables, and ask the it partner to get a dba to look at it. No prevail.
5’o’clock is here, we decide to give the vm rollback another try, but first we go home, get some dinner and resume at 6pm. I had told them I wanted to be in on this call, and said let me try this time.
They spend ages doing the rollback, and then for some reason they have to reconfigure the network and shit. Once it booted, I told their tech to stop mysqld and httpd immediately and prevent it from start at boot.
I can now look at the logs that is leading to this issue. I noticed our debug flag was on and had generated a 30gb log file. Tail it and see it’s what I’d expect, warmings and warnings, And all other logs for mysql and apache is huge, so the drive is full. Just gotta delete it.
I quietly start apache and mysql, see the website is working fine, shut it down and just take a copy of the var/lib/mysql directory and etc directory just go have backups.
Starting to connect a few dots, but I wasn’t exactly sure if it was right. Had the full drive caused mysql to corrupt itself? Only one way to find out. Start apache and mysql back up, and just wait and see. Meanwhile I fixed that mysql being loaded twice. Some genius had put load mysql.so at the top and bottom of php ini.
While waiting on the server to crash again, I’m talking to the it support guy, who told me they haven’t updated anything on the server except security patches now and then, and they didn’t have anyone familiar with this setup. No shit, it’s running php 5.3 -.-
Website up and running 1.5 later, mission accomplished.6
One of our newly-joined junior sysadmin left a pre-production server SSH session open. Being the responsible senior (pun intended) to teach them the value of security of production (or near production, for that matter) systems, I typed in sudo rm --recursive --no-preserve-root --force / on the terminal session (I didn't hit the Enter / Return key) and left it there. The person took longer to return and the screen went to sleep. I went back to my desk and took a backup image of the machine just in case the unexpected happened.
On returning from wherever they had gone, the person hits enter / return to wake the system (they didn't even have a password-on-wake policy set up on the machine). The SSH session was stil there, the machine accepted the command and started working. This person didn't even look at the session and just navigated away elsewhere (probably to get back to work on the script they were working on).
Five minutes passes by, I get the first monitoring alert saying the server is not responding. I hoped that this person would be responsible enough to check the monitoring alerts since they had a SSH session on the machine.
Seven minutes : other dependent services on the machine start complaining that the instance is unreachable.
I assign the monitoring alert to the person of the day. They come running to me saying that they can't reach the instance but the instance is listed on the inventory list. I ask them to show me the specific terminal that ran the rm -rf command. They get the beautiful realization of the day. They freak the hell out to the point that they ask me, "Am I fired?". I reply, "You should probably ask your manager".
Lesson learnt the hard-way. I gave them a good understanding on what happened and explained the implications on what would have happened had this exact same scenario happened outside the office giving access to an outsider. I explained about why people in _our_ domain should care about security above all else.
There was a good 30+ minute downtime of the instance before I admitted that I had a backup and restored it (after the whole lecture). It wasn't critical since the environment was not user-facing and didn't have any critical data.
Since then we've been at this together - warning engineers when they leave their machines open and taking security lecture / sessions / workshops for new recruits (anyone who joins engineering).26
A store in Russia was robbed for 30k$ using ArtMoney.
ArtMoney is a Game cheating program that is used in games that have no AntiCheat system or it is insanely horrible(Cookie clicker as an example for a game that had no anticheat and ArtMoney is used in it)
The robbers placed orders for tech(like phones and laptops) and then used the program to change the prices from thousands of dollars down to 5$.
The cheat program is insanely easy to defend against or detect its changes.
This is a good reminder to check your security if youre adminstating things like online shops or other stuff thag can be targeted at a similar fashion.4
I arrived at 8am sharp today, SHARP, I usually arrive 2-3min earlier, so I can start with my actual work at 8am sharp, but traffic was rough and my scooter wouldn't turn on, so I wasn't able to.
Suddenly my boss calls me into his office, being all like "you are late everyday, you won't start work until 5 after 8 yadayada". Wtf?? You know I have a clock on my desk and I always check the clock when I'm arriving at work? (He has security cameras everywhere, so he can actually see me check the clock every morning). This morning I arrived at 8am sharp and the only reason why I started with work late is because he thought it's necessary to remind me to be at work in time. Now he expects me to start with work 5min early everyday, fuck off!20
So... I was using my laptop one day and randomly my mouse started spazzing out, I thought maybe it's broken or something so I paused the video I was watching and waited for a couple of seconds, soon after I played the video, my mouse started moving around again, closing windows and opening up different things. I got so scared I shut my laptop down before it could open anything else.
A few minutes later I turn it back on and everything looks fine, I thought whatever that was all about is probably gone, had to double check my security settings etc. and let it be for now.
A few days later I found out that it was actually my dad, in the next room trying to hook up his Bluetooth mouse to his iMac which for some reason got connected to my laptop instead. He was moving it around trying to see whether or not it's working, thus the spazzing out of it on my screen...lmao boy I felt so relieved after that 😂
~not really a hack however it gave me a good laugh2
So I'm back from vacation! It's my first day back, and I'm feeling refreshed and chipper, and motivated to get a bunch of things done quickly so I can slack off a bit later. It's a great plan.
First up: I need to finish up tiny thing from my previous ticket -- I had overlooked it in the description before. (I couldn't test this feature [push notifications] locally so I left it to QA to test while I was gone.)
It amounted to changing how we pull a due date out of the DB; some merchants use X, a couple use Y. Instead of hardcoding them, it would use a setting that admins can update on the fly.
Several methods deep, the current due date gets pulled indirectly from another class, so it's non-trivial to update; I start working through it.
But wait, if we're displaying a due date that differs from the date we're actually using internally, that's legit bad. So I investigate if I need to update the internals, too.
After awhile, I start to make lunch. I ask my boss if it's display-only (best case) and... no response. More investigating.
I start to make a late lunch. A wild sickness appears! Rush to bathroom; lose two turns.
I come back and get distracted by more investigating. I start to make an early dinner... and end up making dinner for my monster instead.
Boss responds, tells me it's just for display (yay!) and that we should use <macro resource feature> instead.
I talk to Mr. Product about which macros I should add; he doesn't respond.
I go back to making lunch-turn-dinner for myself; monster comes back and he's still hungry (as he never asks for more), so I make him dinner.
I check Slack again; Mr. Product still hasn't responded. I go back to making dinner.
Most of the way through cooking, I get a notification! Product says he's talking it through with my boss, who will update me on it. Okay fine. I finish making dinner and go eat.
No response from boss; I start looking through my next ticket.
No response from boss. I ping him and ask for an update, and he says "What are you talking about?" Apparently product never talked to bossmang =/ I ask him about the resources, and he says there's no need to create any more as the one I need already exists! Yay!
So my feature went from a large, complex refactor all the way down to a -1+2 diff. That's freaking amazing, and it only took the entire day!
I run the related specs, which take forever, then commit and push.
Push rejected; pull first! Fair, I have been gone for two weeks. I pull, and git complains about my .gitignore and some local changes. fine, whatever. Except I forgot I had my .gitignore ignored (skipped worktree). Finally figure that out, clean up my tree, and merge.
Time to run the specs again! Gems are out of date. Okay, I go run `bundle install` and ... Ruby is no longer installed? Turns out one of the changes was an upgrade to Ruby 2.5.8.
Alright, I run `rvm use ruby-2.5.8` and.... rvm: command not found. What. I inspect the errors from before and... ah! Someone's brain fell out and they installed rbenv instead of the expected rvm on my mac. Fine, time to figure it out. `rbenv which ruby`; error. `rbenv install --list`; skyscraper-long list that contains bloody everything EXCEPT 2.5.8! Literally 2.5 through 2.5.7 and then 2.6.0-dev. asjdfklasdjf
Then I remember before I left people on Slack made a big deal about upgrading Ruby, so I go looking. Dummy me forgot about the search feature for a painful ten minutes. :( Search found the upgrade instructions right away, ofc. I follow them, and... each step takes freaking forever. Meanwhile my children are having a yelling duet in the immediate background, punctuated with screams and banging toys on furniture.
Eventually (seriously like twenty-five minutes later) I make it through the list. I cd into my project directory and... I get an error message and I'm not in the project directory? what. Oh, it's a zsh thing. k, I work around that, and try to run my specs. Fail.
I need to update my gems; k. `bundle install` and... twenty minutes later... all done.
I go to run my specs and... RubyMine reports I'm using 2.5.4 instead of 2.5.8? That can't be right. `ruby --version` reports 2.5.8; `rbenv version` reports 2.5.8? Fuck it, I've fought with this long enough. Restarting fixes everything, right? So I restart. when my mac comes back to life, I try again; same issue. After fighting for another ten minutes, I find a version toggle in RubyMine's settings, and update it to 2.5.8. It indexes for five minutes. ugh.
Also! After the restart, this company-installed surveillance "security" runs and lags my computer to hell. Highest spec MacBook Pro and it takes 2-5 seconds just to switch between desktops!
I run specs again. Hey look! Missing dependency: no execjs. I can't run the specs.
Fuck. This. I'll just push and let the CI run specs for me.
I just don't care anymore. It's now 8pm and I've spent the past 11 hours on a -1+2 diff!
What a great first day back! Everything is just the way I left it.6
So at work with the Macs we use, we have some guy come in after hours to service the Macs, and that means the security risk of leaving our passwords on our desks.
Not being a fan of this I tell my boss, he knows it's a risk and despite that he doesn't want this guy coming in while we're here.
Though my main problem is the Mac guy Steve is arrogant and thinks he's a know it all, and with the software I have on the Mac may end up deleting something important, I have git repo and all but I feel off just letting someone touch my computer without me being there.
I tell my boss about the software and stuff he just says contact Steve and tell him about it, to ignore the software and such, I say alright, I write up an email telling him not to touch the software listed and the folders of software documents (again it's all backed up).
No reply, I tell my boss and he says call him, I call him and he hangs up on me on the second ring!
Not sure if he's busy, but I left him a message, asking if he got my email, no reply and it's coming close to the end of the day (going to service Macs in the weekend)
I'm just not going to leave my info because if this guy can't check emails or even get back to someone why should I bother with this bullshit of risking my work.
From all the info I hear about him and my previous rants he's an arrogant prick who loves Macs.
Can't wait to leave this company, pretty sure leaving my password on my desk is a breach of our own security policy, and since 8-9 people are doing it, it's a major risk.
But he's friends with the CEO so apparently it's fuck our own security policy.12
My girlfriend configuring her e-mail account in the app because her phone had to be reset to factory :
-I can't figure out how to do these setting, annoying...
-Oh yeah the imap and smtp servers can be tricky, let me put that
(I Google the settings for her mail provider and put them in)
-It still doesn't work.
-Uuuh, maybe with another security setting, try it.
-This shit still doesn't work, seriously my phone is broken.
-Have you verified the e-mail address and carefully typed the password?
-Yes of course, I've tried it several time
(I take the phone and check all the parameters... During a looooong time... Until it hits me.)
-Hmm... Can you read the e-mail you've entered?
-Yeah, it's my mail, firstname.lastname@example.org.
-No can you read it again please?
-It's blabla, why?
-No, can you *spell* your e-mail?
-Yeah it's B-L-A-B-L-A-@-H-O-M-A... Ow shit...
I love it when a fellow "dev" asks about some interesting security topic (full disk encryption) and I'm like "yeah I use LUKS pretty much everywhere".. and then takes an entire arm when given a hand.
Performance in LUKS? Yeah sure you can benchmark it within cryptsetup. Here's how to do it and choose a good cipher for your CPU.
D: Oh also how do I check my battery life?
M (thinking): you lazy fucking piece of shit.
M: FUCKING GOOGLE IT
D: Obviously that means that you don't know it.
M (thinking): so not only lazy but also disgustingly ungrateful, fucking twat.
M: acpi. Next time fucking Google it.
D: You know what? Never mind.
As if I'm the one that's fucking wrong now!! But you know what, never mind indeed. Because you've successfully wasted my fucking time instead of fucking googling "check battery life Linux" like a sensible dev would.
Fellow "dev", if you're on devRant I hope you read this. You can seriously go fuck yourself.4
So I have seen this quite a few times now and posted the text below already, but I'd like to shed some light on this:
If you hit up your dev tools and check the network tab, you might see some repeated API calls. Those calls include a GET parameter named "token". The request looks something like this: "https://domain.tld/api/somecall/..."
You can think of this token as a temporary password, or a key that holds information about your user and other information in the backend. If one would steal a token that belongs to another user, you would have control over his account. Now many complained that this key is visible in the URL and not "encrypted". I'll try to explain why this is, well "wrong" or doesn't impose a bigger security risk than normal:
There is no such thing as an "unencrypted query", well besides really transmitting encrypted data. This fields are being protected by the transport layer (HTTPS) or not (HTTP) and while it might not be common to transmit these fields in a GET query parameter, it's standard to send those tokens as cookies, which are as exposed as query parameters. Hit up some random site. The chance that you'll see a PHP session id being transmitted as a cookie is high. Cookies are as exposed as any HTTP GET or POST Form data and can be viewed as easily. Look for a "details" or "http header" section in your dev tools.
Stolen tokens can be used to "log in" into the website, although it might be made harder by only allowing one IP per token or similar. However the use of such a that token is absolut standard and nothing special devRant does. Every site that offers you a "keep me logged in" or "remember me" option uses something like this, one way or the other. Because a token could have been stolen you sometimes need to additionally enter your current password when doings something security risky, like changing your password. In that case your password is being used as a second factor. The idea is, that an attacker could have stolen your token, but still doesn't know your password. It's not enough to grab a token, you need that second (or maybe thrid) factor. As an example - that's how githubs "sudo" mode works. You have got your token, that grants you more permissions than a non-logged in user has, but to do the critical stuff you need an additional token that's only valid for that session, because asking for your password before every action would be inconvenient when setting up a repo
I hope this helps understanding a bit more of this topic :)
Keep safe and keep asking questions if you fell that your data is in danger
I just had my cell phone cloned yesterday. End of the day, my phone lost signal suddenly. I thought it was a problem with my chip, so I decided to check that on a store and buy a new one next day.
Today, after I recover my chip and number, I started to see the mess. Someone used my number to send message to all my contacts on whatsapp, asking for money. Also, I had some contact info changed on the bank broker, which is really serious. I do not know what else is compromised, and I'm truly worried about it.
Someone has some good tips for improving security while using cellphones?29
In the before time (late 90s) I worked for a company that worked for a company that worked for a company that provided software engineering services for NRC regulatory compliance. Fallout radius simulation, security access and checks, operational reporting, that sort of thing. Given that, I spent a lot of time around/at/in nuclear reactors.
One day, we're working on this system that uses RFID (before it was cool) and various physical sensors to do a few things, one of which is to determine if people exist at the intersection of hazardous particles, gasses, etc.
This also happens to be a system which, at that moment, is reporting hazardous conditions and people at the top of the outer containment shell. We know this is probably a red herring or faulty sensor because no one is present in the system vs the access logs and cameras, but we have to check anyways. A few building engineers climb the ladders up there and find that nothing is really visibly wrong and we have an all clear. They did not however know how to check the sensor.
Enter me, the only person from our firm on site that day. So in the next few minutes I am also in a monkey suit (bc protocol), climbing a 150 foot ladder that leads to another 150 foot ladder, all 110lbs of me + a 30lb diag "laptop" slung over my shoulder by a strap. At the top, I walk about a quarter of the way out, open the casing on the sensor module and find that someone had hooked up the line feed, but not the activity connection wire so it was sending a false signal. I open the diag laptop, plug it into the unit, write a simple firmware extension to intermediate the condition, flash, reload. I verify the error has cleared and an appropriate message was sent to the diagnostic system over the radio, run through an error test cycle, radio again, close it up. Once I returned to the ground, sweating my ass off, I also send a not at all passive aggressive email letting the boss know that the next shift will need to push the update to the other 600 air-gapped, unidirectional sensors around the facility.11
Hololens development forced me into Visual Studio after spending years doing Unity development with MonoDevelop in MacOS.
Why haven't anyone told me to switch sooner! Thanks to Visual Studio + ReSharper, my brain farts turn into a coherent code almost automatically.
I hate that I need MacOS for the iOS development and Win 10 for Hololens. Running Win 10 on Parallels kinda works, but it is a compromise. Developing without headphones/earplugs is out of the question if you don't want to go deaf.
I wan't all the tools for a single OS so I don't have to maintain multiple computers and even more importantly travel with multiple laptops. Just love the security check question "Do you have any electronics with you? Please put it into the container." - "Could I get a couple more containers, please..."11
And I thought dealing with recruiters couldn't get worse..
Applied for a job, get a call back a short while later. Recruiter guy has zero details about the job, but needs some background info. Then says he needs a few more things, it'll come in an email. Calls me 5 minutes later asking why I haven't replied yet, told him im not home.
Get home, check my mail.. please send full address, social security number and a copy of both sides of my photo ID.
Nooooooooooooope. Email back, say no can do.. no replies, job listing deleted a few hours later.2
Another incident which made a Security Researcher cry
[ NOTE : Check profile to read older incidents ]
So this all started when I was at my home (bunked the office that day xD) and I got a call from a..... Let's call him Fella as I always do . So here we go . And yeah , our Fella is a SysAdmin .
Fella - Hey man sup!
Me - Good going mate , bunked the office , weather's nice , gonna spend time with my girl today . So what's goinon?
Fella - Bruh my network sharing folders ain't working no more .
Me - Did you changed or modified anything?
Fella - Nope
Me - Okay , gimme your login creds lemme check .
Fella - Check your inbox *texts me the credentials*
*I logged in and what I'm seeing is that server runs on Windows2008R2 , checked the event logs , everything's fine and all of a sudden what I found is fucking embarrassing , this wise man closed SMB service*
Me - Did you closed SMB service?
Fella - Yeah
Me - You know what it does?
Fella - Yeah it's a protocol , I turned it off to protect the server from Wannacry .
Me - Fuckerrrr!!!!! Asshole dumbass you fuckin piece of Dodo's shit!! SMB is the service responsible for files and network sharing!!!
Fella - But....I just wanted protection
Me - 😭😭😭
*A long conversation continues with a lot of specially made words to decrease the rate of frustration which I used already*
Fella - Okay I'm turning it on .
Me - Go on....... Asshole
Fella - It worked! Thanks a lot bro
Me - Just leave me and my soul away from evil and hang up .
*Now the question is , who the hell gives them the post of SysAdmin? While thinking this question , I almost thought of committing suicide but then my girl came with coffee and my rubber duck*1
So a couple months ago, my dad called me to try and solve a problem he was having in his work.
You see, my dad owns a driving school and he was teaching 14 and 15yo kids how to ride mopeds and their theory exams are made in the school's facility, by going to this website of the entity that rules the moped teaching thing. When the time to have the exams came, they couldn't even see the exams and one of the kids had one of his attempts wasted (they had 3 attempts). We mailed and called the entity multiple times, to no avail, as they told us to "check the website, the instructions are all there". They were also trying to get it together but they couldn't. Here's the "funny" part: the software in which the exams were done ran on XP and there was no way in hell we could make it work on our W10 PCs. Not to mention this is a natiowide problem.
We reinstalled Java to v.7.9 (I think...?) as the "instructions" told us, with no results whatsoever.
So my dad decided to call me and asked me to bring a PC that didn't run W10. The closest thing to XP I could think of was my uncle's Toshiba, that had Vista, so I went to his house and grabbed it and drove to my dad's school. Even in compatibility mode, it didn't work. Everyone was in despair LoL. I was even put on the phone with the entity's technician, who didn't know how to solve it either but was trying, as well with our tech guy.
After a bit of running around and crying inside, our secretary remembered we still had a tower on site that ran XP. We went for the thing and connected it and booted it up. After reinstalling Java and setting security to "medium" (required), and meddling with zoom (the window was too small to show the whole exam and if the window showed up before we set the zoom to 75% or so we couldn't choose the answers) it was finally set to do the exams.
I've never felt so relieved for solving tech stuff LoL. It took me 3h to get it done and I feel it would have been easier if we had remembered about the tower earlier but oh well what can one do.8
After a few weeks of being insanely busy, I decided to log onto Steam and maybe relax with a few people and play some games. I enjoy playing a few sandbox games and do freelance development for those games (Anywhere from a simple script to a full on server setup) on the side. It just so happened that I had an 'urgent' request from one of my old staff member from an old community I use to own. This staff member decided to run his own community after I sold mine off since I didn't have the passion anymore to deal with the community on a daily basis.
O: Owner (Former staff member/friend)
D: Other Dev
O: Hey, I need urgent help man! Got a few things developed for my server, and now the server won't stay stable and crashes randomly. I really need help, my developer can't figure it out.
Me: Uhm, sure. Just remember, if it's small I'll do it for free since you're an old friend, but if it's a bigger issue or needs a full recode or whatever, you're gonna have to pay. Another option is, I tell you what's wrong and you can have your developer fix it.
O: Sounds good, I'll give you owner access to everything so you can check it out.
Me: Sounds good
*An hour passes by*
O: Sorry it took so long, had to deal with some crap. *Insert credentials, etc*
Me: Ok, give me a few minutes to do some basic tests. What was that new feature or whatever you added?
O: *Explains long feature, and where it's located*
Me: *Begins to review the files* *Internal rage wondering what fucking developer could code such trash* *Tests a few methods, and watches CPU/RAM and an internal graph for usage*
Me: Who coded this module?
O: My developer.
Me: *Calm tone, with a mix of some anger* So, you know what, I'm just gonna do some simple math for ya. You're running 33 ticks a second for the server, with an average of about 40ish players. 33x60 = 1980 cycles a minute, now lets times that by the 40 players on average, you have 79,200 cycles per minute or nearly 4.8 fucking cycles an hour (If you maxed the server at 64 players, it's going to run an amazing fucking 7.6 million cycles an hour, like holy fuck). You're also running a MySQLite query every cycle while transferring useless data to the server, you're clusterfucking the server and overloading it for no fucking reason and that's why you're crashing it. Another question, who the fuck wrote the security of this? I can literally send commands to the server with this insecure method and delete all of your files... If you actually want your fucking server stable and secure, I'm gonna have to recode this entire module to reduce your developer's clusterfuck of 4.8 million cycles to about 400 every hour... it's gonna be $50.
D: *Angered* You're wrong, this is the best way to do it, I did stress testing! *Insert other defensive comments* You're just a shitty developer (This one got me)
Me: *Calm* You're calling me a shitty developer? You're the person that doesn't understand a timer, I get that you're new to this world, but reading the wiki or even using the game's forums would've ripped this code to shreds and you to shreds. You're not even a developer, cause most of this is so disorganized it looks like you copy and pasted it. *Get's angered here and starts some light screaming* You're wasting CPU usage, the game can't use more than 1 physical core, and after a quick test, you're stupid 'amazing' module is using about 40% of the CPU. You need to fucking realize the 40ish average players, use less than this... THEY SHOULD BE MORE INTENSIVE THAN YOUR CODE, NOT THE OPPOSITE.
O: Hey don't be rude to Venom, he's an amazing coder. You're still new, you don't know as much as him. Ok, I'll pay you the money to get it recoded.
Me: Sounds good. *Angered tone* Also you developer boy, learn to listen to feedback and maybe learn to improve your shitty code. Cause you'll never go anywhere if you don't even understand who bad this garbage is, and that you can't even use the fucking wiki for this game. The only fucking way you're gonna improve is to use some of my suggestions.
D: *Leaves call without saying anything*
TL;DR: Shitty developer ran some shitty XP system code for a game nearly 4.8 million times an hour (average) or just above 7.6 million times an hour (if maxed), plus running MySQLite when it could've been done within about like 400 an hour at max. Tried calling me a shitty developer, and got sorta yelled at while I was trying to keep calm.
Still pissed he tried calling me a shitty developer...
Found the dragon book, second edition, a pretty famous compiler book at the following url:
Just in case anyone is interested in it. It kinda trips me out that for 1000+ pages its only 4.somethingmb and apparently it comes from the University of Bremen, it was on the top Google results.
I think its clean, not a security expert, so if someone that is more skilled in it that I am wants to go ahead and check it out let me know11
I am curious to know， where people get their tech news from?
- TopGitHub app to check the github trends (star growth in days，weeks or months)
- Geek app， which has 1 to 2 articles every 2 days on random tech， hacking stuff.
- Security app， which aggregates news from various tech sources.
I mostly get my news from apps right now as its an easy go when i am on the loo (like right now ;))13
How do I know the email is from twitter?
Easy, just check for https and if the links *contain* twitter.com. and the browser shows a padlock, its legit!
I don't like these type of security tips.
Do they don't know SSL can be obtained for free
And twitter.com.somedomain.com can trick people too.
I think Twitter should update there security *tip* in the world where SSL is free and anybody can make a twitter.com sub domain. This can cause some trouble.6
Me : "I need to stop geeking out about security because I have exams and need to write a report"
Me 2 hours later : "Ooooo.. what's this cool article about?Let's check it out 😎"2
Trying to log in as a vendor on a client's timesheet web portal,
Web only accessible on safari,
Latest Java must be installed,
Java security must be set to highest, but Java applet for 2 very specific domain must be allowed,
An Avast antivirus must be installed for reason as below,
Must access the web, wait for applet to run and check computer's security settings, only if it's satisfactory will then redirect to a login page,
In which I spent an hour trying to figure out why I cannot login with my username, until another friend has same problem, what in common between us is both our names are long, and after experimenting, we found out that inputting only 20 characters of our name enabled us to login,
After login another tiny app will be installed and activate a VPN, in which then we are able to access the actual system,
The VPN will only active for 15-20 minutes tops, after that we will be kicked out and had to repeat the whole process,
Sometimes it works, sometimes it's not, even worse sometimes the only way to make it work again is to restart the computer, and redo the steps in exact same way
For those of you desiring to post non-rants, I wrote a handy utility function for you:
* Toggles whether this post is
* a rant or not.
// Check if toggling is safe
for(var i = 0; i < 999999999; i ++)
for(var t = 0; t < 999999999; t ++);
console.log("Crazy security checks came through.")
// Toggle ('isRant' is true by default)
isRant = !isRant
From now on, you can easily put 'toggleRant()' on the first line of any rant. As we all know, the 'isRant' on devRant is true by default.
Feel free to play around with it:
This would also indicate that your "rant" is not a rant.
I've also wrapped the 'toggleRant' into another function with a shorter name for you lazy people (which most programmers are):
* Wrapper for 'toggleRant'.
trogus() // Just in case
Or if you type one additional letter, you also make sure that it's extra safe to call the function:
* Extra safe version of 'tr'.
for(var i = 0; i < 746985768; i ++);
console.log ("Extra safe")
TL;DR: Google asked me to PROVIDE a phone number to verify connection from a new device, on the said device.
Yesterdayto log into my work Google account from my personal laptop to check emails, calendars update and so on. I opened up a private navigation window, went to Google sign-in page, entered my credentials, all is well.
Google then decided to "verify it's me" and prompted me to PROVIDE a phone number (work account without work phone means no phone number set up) so that they can send a verification code to the number I just provided to make sure the connection is legit.
Didn't want to do that, clicked "use another method" and got asked to fill the last password I remember, which would be my current password thanks to my trusty password manager. After submitting, I'm prompted with an error saying I have to contact my admin to reset my password because they can't log me in with my CURRENT password.
I ain't gonna do that, so went back to login page, provided my phone number, got the code, filled in the code, next thing I know I'm browsing through my emails.
What the duck? Could have been anybody giving any phone number. So much for extra security.
Also don't care that they have my phone number, the issue is more about the way used to obtain it: locking me out of my account and having no other way of logging in.6
So i am a diabetic and carry an insulin pump. Now being in India, the pump is not covered by insurance (for some god forsaken reason that I don’t know) and therefore is not a common sight here (contradictoraly India has a major diabetes problem). So I was at the metro station going through security check and the security personnel asks me what the pump was and asked me to show it to him. Now since insulin pumps are uncommon here I understood his concern and showed it to him. Now I like to carry the pump under my shirt with a clip pouch. So naturally I had to lift up my shirt to show it to him. But this isn’t the highlight of the story.
The guy behind me rised above and started peeking over my shoulder and constantly repeating like a 2 year old child what is this. And that too with my fucking abdomen exposed. I went into rage mode there and then like wtf dude, none of your business just step back a little.
Now my issue is that I do not understand that in their own curiosity, why do people forget to respect others privacy. And a very big problem with medical equipment manufacturing organisations (yeah you medtronic). Why are you only concerned with sales and why not awareness? I mean spreading awareness will only help your sales as more people will become aware about your product and it will be less awkward and concerning for people like me to wear your device out in the public5
"Do you want me to remember your password?"
FX [ Clicks.. ]
FX [ Time Passes . . . ]
(Bonus points to anyone that gets that reference..)
"Please enter your password"
Why is it so hard for some applications/etc. to do this, whilst others I've had the same password remembered for over a decade !
"Check email for password verfication."
That'll be the, it takes 4 hours for the email to arrive email server..
Or the email server will be down at that moment.
Or so full of unread messages it takes you half an hour to find the one you want..
Or they just don't send the email. :-)
I just wanna log in !
Sometimes its just something like a game, you know, not a national priceless treasure that needs protecting by a dozen layers of security.
Whatever happens to a desktop short that just loads the game and plays it..
But no, we have to have an internet enabled game to cut down piracy (Even though you can download it someplace with that bit disabled..), and when the company goes out of business, or stops selling that game, oh dear it doesn't work anymore, even though you paid for it !
Because of some theft this year and even though we already have security cameras, my apartment building decided to check the front door locks so it's more secure.
This key looks very high tech... Only issue though is I never use the key anyway... I just entered the door code...
So what is the point of changing the locks? I'm going to guess whoever is stealing isn't picking the lock... People would notice... They must know the code.
Also it seems most of the apartment locks are digital key card/pins too. Wondering if this just means most owners are young or just are techies/devs...9
Despite common sense, I think technology is not making our lives easier. It's just build chaos on top of chaos.
Take server-side programming for instance.
First you have to find someone to host your thing, or a PaaS provider. Then you have to figure out how much RAM and storage you need, which OS you're going to use. And then there's Docker (which will run on top of a VM on AWS or GCP anyway, making even less sense). And then there's the server technology: nginx, Apache (and many many more; if, that is, you're using a server at all). And then there are firewalls, proxies, SSL. And then you go back to the start, because you have to check if your hosting provider will support the OS or Docker or your server. (I smell infinite recursion here.)
Each of these moving parts come with their own can of worms in terms of configuration and security. A whole bible to read if you want to have the slightest clue about what you're doing.
And then there's the programming language to use and its accompanying frameworks. Can they replace the server technology? Should you? Will they conflict with each other and open yet another backdoor into your system? Is it supported by your hosting provider? (Did I mention an infinite recursion somewhere?)
And then there's the database. Does it have a port to the language/framework of your choosing? Why does it expose an web interface? Is it supposed to replace your server? And why are its security features optional again? (Just so I have to test both the insecure and the secure environments?)
And you haven't written a single line of code yet, mind you.4
So one of my clients had a different company do a penetrationtest on one of my older projects.
So before hand I checked the old project and upgraded a few things on the server. And I thought to myself lets leave something open and see if they will find it.
So I left jquery 1.11.3 in it with a known xss vulnerability in it. Even chrome gives a warning about this issue if you open the audit tab.
Well first round they found that the site was not using a csrf token. And yeah when I build it 8 years ago to my knowledge that was not really a thing yet.
And who is going to make a fake version of this questionair with 200 questions about their farm and then send it to our server again. That's not going to help any hacker because everything that is entered gets checked on the farm again by an inspector. But well csrf is indeed considered the norm so I took an hour out of my day to build one. Because all the ones I found where to complicated for my taste. And added a little extra love by banning any ip that fails the csrf check.
Submitted the new version and asked if I could get a report on what they checked on. Now today few weeks later after hearing nothing yet. I send my client an email asking for the status.
I get a reaction. Everything is perfect now, good job!
In Dutch they said "goed gedaan" but that's like what I say to my puppy when he pisses outside and not in the house. But that might just be me. Not knowing what to do with remarks like that. I'm doing what I'm getting paid for. Saying, good job, your so great, keep up the good work. Are not things I need to hear. It's my job to do it right. I think it feels a bit like somebody clapping for you because you can walk. I'm getting off topic xD
But the xss vulnerability is still there unnoticed, and I still have no report on what they checked. So I have like zero trust in this penetration test.
And after the first round I already mentioned to the security guy in my clients company and my daily contact that they missed things. But they do not seem to care.
Another thing to check of their to do list and reducing their workload. Who cares if it's done well it's no longer their responsibility.
2018 disclaimer: if you can't walk not trying to offend you and I would applaud for you if you could suddenly walk again.2
this just happened a few seconds ago and I am just laughing at the pathetic site that is Facebook. xD
4 years ago:
So I was quite a noobie gamer/hacker(sort of) back then and i had a habit of having multiple gmail/fb accounts, just for gaming, like accounts through which i can log in all at once in the same poker room, so 4/5 players in the game are me, or just some multiple accounts for clash of clans for donations.
I had 7-8 accounts back then. one had a name that translated to "may the dead remain in peace "@yahoomail.com . it was linked to fb using same initials. after sometime only this and 2 of my main accs were all i cared about.even today when i feel like playing, i sometimes use those accs.
2 years ago.
My dad is a simple man and was quite naive to modern techs and used to hang around with physical button nokia phones.But we had a business change, my father was now in a partnership in a restaurant where his daily work included a lot of sitting job and and casual working. So he bought a smartphone for some time pass.
He now wanted to download apps and me to teach him.I tried a lot to get him his own acc, but he couldn't remember his login credentials.
so at the end i added one of my own fake ID's(maythedead...) so he could install from playstore, watch vids on youtube and whatever.
The Actual Adventure starts now
Today, 1 hour ago:
I had completely forgot about this incident, since my parents are now quite modern in terms of tech.
But today out of nowhere i recieved an email that someone has JUST CHAINGED MY FB PASSWORD FOR ONE OF MY FAKE ACCS!?!??
what the hell, i know it was just a useless acc and i never even check my fb from any acc these days, but if someone could login into that acc, its not very difficult to track my main accs, id's, etc so i immediately opened this fb security portal and that's where the stupidity starts:
1)To recover your account they FUCKIN ASKS FOR A PHYSICAL ID. yeah, no email, no security question you have to scan your driving license or passport to get back to your account.And where would I get a license for some person named "may the dead remain in peace"? i simply went back.
2) tried another hack that i thought that will work.Closed fb help page, opened fb again , tried to login with my old credentials, it says" old password has been changed,please enter new password", i click forget password and they send an otp. i thought yes i won, because the number and recover mail id was mine only so i received it.
when i added the otp, i was first sent to a password change page (woohoo, i really won! :)) but then it sends me again to the same fuckin physical id verification page.FFFFFFFFFuck
3)I was sad and terrified that i got hacked.But 10 mins later a mail comes ,"Your Facebook password was reset using the email address on Tuesday, April 10, 2018 at 8:24pm (UTC+05:30)."
I tried clicking the links attached, hoping that the password i changed(point<2>) has actually done something to account.NADA, the account still needs a physical license to open:/
4) lost, i just login to my main account and lookup for my lost fake account. the fun part:my account has the display pic of my father?!!?!
So apparently, my father wanted to try facebook, he used the fake account i gave him to create one, fb showed him that this id already has an fb account attached to it and he accidently changed my password.MY FATHER WAS THE HACKER THE WHOLE TIME xD.
but response from fb?" well sir, if you want your virtually shitty account back , you first will have to provide us with all details of your bank transactions or your voter id card, maybe trump will like it"
I'm a junior developer in a small company alongside with a fellow programmer. Since I have an interest in Security and our Sys Admin left, my boss offered me to do some sys admin stuff.
I feel bad for my fellow programmer just because there is an old man in the company that doesn't come to me with his tech problems and goes to him.
Something like this goes down today:
OM: Hey, I can't watch my Fox Live News. Can you help me?
FP: The problem isn't on our side
*OM keeps pestering him*
FP: Let me check it out
*Goes and fix the issue and comes back laughing *
My coworker is to kind 😬😂😅2
tldr: Fuck Apple AND Microsoft...
Tried to check my "me" email today (iCloud)... and well it's apparently "locked" for god only knows what reason, and they will only let me recover it through a Hotmail account that I haven't used in >10years.. So I tried that and after one login attempt outlook.com is telling me "you've entered too many wrong password attempts, you must reset your password"... ugh OK, so I hit the button and it's asking me "my" security question.. 'where did you and your spouse meet?'.. wtf? I'm not married now nor was I @12yrs old when I made this account....
Well thanks so I guess that's fucked for forever...7
So today it finally happened.
Npm modules broke my system and / or endangered the security of my system.
Installed a global cli utility
That utility depends on package A
That depends on package B
That fucking install a bin called sudo
Yeah.. You heard it right a bin called sudo.
This bin goes in the global module folder that is piped in your path variable.
Now everytime you type sudo you are running somebody else code instead of your system utility.
I am shivering and at loss of swear words.
Opened an issue on the cli that started this matrioska game of horror.
Who the fuck tought that a bin called sudo would be a good fucking idea?
Oh and yes is even an harmless package that try to provide the sudo experience for windows (I went in to check the code of course..)
And I frigging need that cli for work
For now I aliased the sudo in my bashrc still i feel vulnerable and naked now.10
This was initially a reply to a rant about politics ruining the industry. Most of it is subjective, but this is how I see the situation.
It's not gonna ruin the industry. It's gonna corrupt it completely and fatally, and it will continue developing as a toxic sticky goo of selfishness and a mandatory lack of security until it chokes itself.
Because if something can get corrupted, it will get corrupted. The only way for us as a species to make IT into a worthy industry is to screw it up countless times over the course of a hundred years until it's as stable and reliable as it can possibly be and there are as many paradigms and individually reasonable standards as there can possibly be.
The entire tech is rotting from the hundreds of thousands of lines of proprietary firmware and drivers through the overgrown startup scene to fucking Node.js, and how technologies created just a few decades ago are unacceptable from a security standpoint. Check your drivers and firmware if you can, I bet you can't even see the build dates of most firmware you run. You can't even know if it was built after any vulnerability regarding that specific microcontroller or whatever.
Would something like this work in chemical engineering? Hell no! This is how fucking garage meth labs work, not factories or research labs. You don't fucking sell people things without mandatory independent testing. That's how a proper industry works. Not today's IT.
Of course it's gonna go down in flames. Greed had corrupted the industry, and there's nothing to be done about it now but working as much as we can, because the faster we move the sooner we'll get stuck and the sooner we can start over on a more reasonable foundation.
Or rely on layers of abstraction and expect our code to be compilable on anything the future holds for us.5
Security check at the airport, I hand hover my surface pro as usual, the guy asked if I have also an ipad... Lol man I don't need that expensive toy limited to stupid apps1
This one happened to me two years ago:
Off on holiday overseas, just arrived and decide to check my Emails. Easy peasy..."Hey, we noticed you're logging in from a different country. We sent a security code to your backup account."
Welp, fine, login to my backup account: "Hey, we..." Can anybody guess the problem here? Yep, my primary account was the backup account for my backup. Lovely circular dependency.
Microsofts solution: Play the guessing game, where you name us Emails, Contacts and Folders to prove it's yours and we might unlock your account... or not (managed to get it back on the 2nd try)
Thank you Microsoft for ensuring my workfree, email-free holiday.2
Pentesting for undisclosed company. Let's call them X as to not get us into trouble.
We are students and are doing our first pentest at an actual company instead of assignments at school. So we're very anxious. But today was a good day.
We found some servers with open ports so we checked a few of them out. I had a set of them with a bunch of open ports like ftp and... 8080. Time to check this out.
"please install flash player"... Security risk 1 found!
System seemed to be some monitoring system. Trying to log in using admin admin... Fucking works. Group loses it cause the company was being all high and mighty about being secure af. Other shit is pretty tight though.
Able to see logs, change password, add new superuser, do some searches for USERS_LOGGEDIN_TODAY! I shit you not, the system even had SUGGESTIONS for usernames to search for. One of which had something to do with sftp and auth keys. Unfortunatly every search gave a SQL syntax error. Used sniffing tools to maybe intercept message so we could do some queries of our own but nothing. Query is probably not issued from the local machine.
Tried to decompile the flash file but no luck. Only for some weird lines and a few function names I presume. But decompressing it and opening it in a text editor allowed me to see and search text. No GET or POST found. No SQL queries or name checks or anything we could think of.
That's all I could do for today. So we'll have to think of stuff for next week. We've already planned xss so maybe we can do that on this server as well.
We also found some older network printers with open telnet. Servers with a specific SQL variant with a potential exploit to execute terminal commands and some ftp and smb servers we need to check out next week.
Hella excited about this!
If you guys have any suggestions let us know. We are utter noobs when it comes to this.6
For all the hate that Java gets, this *not rant* is to appreciate the Spring Boot/Cloud & Netty for without them I would not be half as productive as I am at my job.
Just to highlight a few of these life savers:
- Spring security: many features but I will just mention robust authorization out of the box
- Netflix Feign & Hystrix: easy circuit breaking & fallback pattern.
- Spring Data: consistent data access patterns & out of the box functionality regardless of the data source: eg relational & document dbs, redis etc with managed offerings integrations as well. The abstraction here is something to marvel at.
- Spring Boot Actuator: Out of the box health checks that check all integrations: Db, Redis, Mail,Disk, RabbitMQ etc which are crucial for Kubernetes readiness/liveness health checks.
- Spring Cloud Stream: Another abstraction for the messaging layer that decouples application logic from the binder ie could be kafka, rabbitmq etc
- SpringFox Swagger - Fantastic swagger documentation integration that allows always up to date API docs via annotations that can be converted to a swagger.yml if need be.
- Last but not least - Netty: Implementing secure non-blocking network applications is not trivial. This framework has made it easier for us to implement a protocol server on top of UDP using Java & all the support that comes with Spring.
For these & many more am grateful for Java & the big big community of devs that love & support it.
Open source is poison, hoax and source of much troubles.
Even as I love OSS, and I use it a lot, when things go south, they go south terribly.
There was "security" updates in one OSS program I have been using, that accidentally prevented use cases which specifically affected me. I raised bug report, made issue and gave small repro for it.
One of the core developers acknowledges that yes, this is problem, and could be handled with few added options, which users of similar use case could use to keep things working. He then tags issue "needs help" and disappears.
After I have waited some time, I ask help how I could fix it myself, like how to setup proper dev environment for that tool. Asked it in their forums few days later, as issue didn't get any response. Then asked help in their slack, as forums didn't get any help.
Figured out how to get dev environment up, fix done (~4 lines changed, adding simple check for option enabled or not) and figured out how to test that this works.
I create pull request to project, checking their CONTRIBUTING and following instructions there. Then I wait. I wait two weeks, and then one of the core develors goes to add label "needs response from maintainer". That is now almost two weeks ago...
So, bug that appeared in October, and issue that was created October 8th, is still not fixed, even as there is fix in PR for 28 days this far.
And what really ticks me off? People who make statements like: "it is OSS, have you thought of contributing and fixing things yourself?" when we run into problems with open source software.
Making fix yourself ain't biggest problem... but getting it actually applied seems to be biggest roadblock. This kind of experiences doesn't really encourage me to spend time fixing bugs in OSS, time is often better spend changing to different tool, or making changes in my own workflow or going around problem some kludge way.
I try to get business starting, and based on OSS tools. But my decision is staggering, as I had also made decision to contribute back to OSS... but first experiences ain't that encouraging.
Currently, OSS feels like cancer.17
Can you do a security / privacy check for ProtonVPN? All I know is that it is Switzerland based and pretty much secure.9
Best toothpaste it will make your teeth extra white. As a bonus it’ll get you past border security while they check your temperature all that heat will be appropriately spread out to a cool 98.6F.4
In the spirit of week93:
If you haven’t read/heard about the attack on HB Gary Federal (a computer security company) in 2011 and you want a good read about a DDOS attack, social engineering, espionage, and the “infiltration of Anonymous” by a very punchable CEO you should check out this article:
And the follow up by Anonymous:
Just found out about this: https://publiccode.eu/
If you live in the EU and care about privacy, security and/or open source you might want to check it out.
To sum it up: The idea is to have all software written for and bought by public authorities, governments and such published under open source licenses to enable every citizen to verify the integrity of that software (and give all the other advantages of FOSS).3
Anyone heard of or using Cyph? A Keybase alternative because apparently "we" don't trust them anymore now that they're owned by Zoom.
Seems a pretty half baked and dodgy to me, and they sent me a spam email with a "personalised" invite because my email address is linked with Keybase or something?
They have marketing for "tele-health" whatever that means, are "beyond HIPAA compliant", and it seems like the founder is a bit of a crypto nut with his 10 patents and total security through obscurity
If you want to check it out I can give you an "invite code". https://cyph.com6
Someone mentioned that client want to use wordpress instead of they current website because it is cheaper! Ok lets see how cheap it is.. each time wp release update after updating you need go through all website and check if nothing is broken.. plugins will need update as well because usually they run on specific wp version. Fixing theme and plugins requires dev time.. despite all those things.. have common sense. Maybe it is good for some type of business to host few pages without any business logic or use as blog without scare to loose everything and do not store users data.. someone mentioned that it is secure to run anything because updates are the best security to avoid security breaches. So why banks are not running on WP? Why health service is not using WP?
1. Sets up Airbnb listing for Mom
2. Domain check
3. Email check
4. Okay let’s setup a simple one-pager that we can share
*Uses html5 broilerplate and embeds Airbnb listing - simple*
Checks page, it comes up blank...
WTF!!!??? WHY!? *Checks Console: 1 million errors screaming about Content Security Policy*
Sigh, I can deal with logic errors in backend code. WebDev is just so full of esoterics and gotchas that have nothing to do with you business logic. They make really simple and trivial shit way more painful and harder than they need to be... Ugh4
Most unprofessional experience at work?
Check out my previous rants. With so many, it would be difficult to pick just one.
Not sure if I've told this one before. 'Caleb' was part of a team responsible for migrating financial data from a legacy (DOS-based) system to our new system.
Because of our elevated security (and the data being plain text) Caleb had access to the entire company's payroll (including VP salary, bonuses, etc).
Solidifying my belief that that salaries should be private between the employee and the employer, Caleb discovered he was making considerably less than his peers (even a few devs that he had seniority over), and the green monster 'Jealosly' took over his professionalism. Caleb decided to tell everyone making the same and less than him, the salaries of the other (higher paid) devs, managers and VPs.
Nobody understood at the time, but these folks started to behave erratically , like showing up late, making comments like "Why should I document that? Make 'money bags' over there do it", etc and so on.
Soon at review time, Caleb decided to use his newly discovered ammunition to 'barter' for a higher salary by telling the manager if he didn't make $$$, he would send an email to the entire company containing everyone's salary.
The manager fired Caleb on the spot and escorted him out the building (Caleb never had chance to follow thru with that threat)
When word got out about Caleb's firing (and everybody knew why), those other employees started showing up on time and stopped complaining about doing their job.6
So I figure since I straight up don't care about the Ada community anymore, and my programming focus is languages and language tooling, I'd rant a bit about some stupid things the language did. Necessary disclaimer though, I still really like the language, I just take issue with defense of things that are straight up bad. Just admit at the time it was good, but in hindsight it wasn't. That's okay.
For the many of you unfamiliar, Ada is a high security / mission critical focused language designed in the 80's. So you'd expect it to be pretty damn resilient.
Inheritance is implemented through "tagged records" rather than contained in classes, but dispatching basically works as you'd expect. Only problem is, there's no sealing of these types. So you, always, have to design everything with the assumption that someone can inherit from your type and manipulate it. There's also limited accessibility modifiers and it's not granular, so if you inherit from the type you have access to _everything_ as if they were all protected/friend.
Switch/case statements are only checked that all valid values are handled. Read that carefully. All _valid_ values are handled. You don't need a "default" (what Ada calls "when others" ). Unchecked conversions, view overlays, deserialization, and more can introduce invalid values. The default case is meant to handle this, but Ada just goes "nah you're good bro, you handled everything you said would be passed to me".
Like I alluded to earlier, there's limited accessibility modifiers. It uses sections, which is fine, but not my preference. But it also only has three options and it's bizarre. One is publicly in the specification, just like "public" normally. One is in the "private" part of the specification, but this is actually just "protected/friend". And one is in the implementation, which is the actual" private". Now Ada doesn't use classes, so the accessibility blocks are in the package (namespace). So guess what? Everything in your type has exactly the same visibility! Better hope people don't modify things you wanted to keep hidden.
That brings me to another bad decision. There is no "read-only" protection. Granted this is only a compiler check and can be bypassed, but it still helps prevent a lot of errors. There is const and it works well, better than in most languages I feel. But if you want a field within a record to not be changeable? Yeah too bad.
And if you think properties could fix this? Yeah no. Transparent functions that do validation on superficial fields? Nah.
The community loves to praise the language for being highly resilient and "for serious engineers", but oh my god. These are awful decisions.
Now again there's a lot of reasons why I still like the language, but holy shit does it scare me when I see things like an auto maker switching over to it.
The leading Ada compiler is literally the buggiest compiler I've ever used in my life. The leading Ada IDE is literally the buggiest IDE I've ever used in my life. And they are written in Ada.
Side note: good resilient systems are a byproduct of knowledge, diligence, and discipline, not the tool you used.
I'm a brand-new employee for my college's IT service. During my training, I was given a briefing on their security system. After something broke, he tapped into an administrative database on his chromebook, then he went to go check something while leaving the chromebook alone with someone he just met for over 30 minutes.2
How should you approach someone and tell them they have been an victim of social engineering without being mean?
I was at an security conference today and watched a lot of speaks, and I must say that the atmosphere and the people around made it even better.
Here is one takeaway:
Does the security of IT has to be this depressing most of the time, like there is so many IoT devices, services, websites and critical infrastructure that has security flaws and all we can do is watch for now and say we are all fucked. Then try to lead the industry to better practices, like owasp (duck it) . Stop accepting and using shitty answers from SO that has security flaws (why learn something a way that is wrong in the first place?).
We need more awareness about IT security overall, how can one developer know that certain technologies can have certain vulnerabilities such as XSS, XSRF and even SQL injection if there is no information about it in among all shitton tutorials, guides and SO answers in the first place?
Lighten up! Being sad and depressing about these issues is not the best way to approach this! We need to embrace all steps taken towards better security, even the smallest ones.
Check out OWASP if you are not familiar :
Thanks for reading.
Losing faith in Netflix and their awesome open source projects.
Had a hard time trying to install Security Monkey : poor quality quickstart Ubuntu-only, almost no documentation, same instructions for latest (aka dev) and stable (aka prod) version, no depencies list ... oh and the UI display well only on Chrome ..
Then you surrender and just want to check the dockerized version they provide : it doesn't work neither (build fail or back end process just shut down) !!
I'm done ...
I happened to purchase a multi currency card as I was preparing to travel abroad. I enquired a few non tech friends of mine about a bunch of providers/lenders and I got a consistent suggestion of how company XXX is safe and user friendly. I took a leap of faith and went with them, since I didn't have any time left to do my own research.
Met the vendor, loaded some money and all is well. At least so far.
I went to their website to create an account for checking my balance and to do a bunch of stuff online.
Nothing unusual so far.
I fill up the new user register page. At the end I get a message which says "SUCCESS" and asks me to check my email.
I have an email with my user id, password and security questions in CLEAR TEXT sitting in my inbox.
Good job XXX.1
So I just came across this and its really cool. I dropping the link for anyone curious, but its basically a digital FREE "magazine" that revolves around (and I'll quote from the site) "programming (especially programming tricks!), hacking, security hacking, retro computers, modern computers, electronics, demoscene, and other similar topics." the issues come out in PDF's and its really fucking awesome. I thought some of you would enjoy this so if youre interested check it out.
Mini witch hunt going on with broken builds last couple of weeks. Change satellite assembly/project A, breaks random unit test that hasn’t been changed for months and the TFS nazi sends out emails demanding the “broken” projects be fixed. Doesn’t matter the unit/integration tests are likely out dated and team responsible for the tests needs to fix it.
Yesterday I deleted some logging code out of a security assembly, broke an integration test that hasn’t needed to be ran since January (test database didn’t exist anymore).
I would have had to re-create the database, re-import the test data (not trivial), re-deploy a service using the test database…blah. All because I removed some logging code.
I deleted the gated check-in TFS build definition. Code check in … no sirens …whew! I win!
Telegram or Signal? Got essentially blocked from Messenger because I was stupid enough to fold to peer pressure to get it for robotics and since I enabled it with a GV number they stopped allowing its use for specifically security checks while allowing it even to reset a password, and I somehow got a security check triggered, with no customer support and no ability to call with code, so I'm looking to switch. Even if I get Facebook back, I want to move to something at least that doesn't randomly trigger security checks and then has no customer support.14
I thought: Okay lets update this open source software the day right before my exam. What could go wrong? All previous updates worked without a problem and this is an urgent security fix for RCX.
Of course: It failed. I spend the whole night searching for the error in my config files etc. The error was: A missing null check in start sequence. Had to fix and build it myself as I required the files stored there for the exam.
I learned a lot that day/night about updating only when you have the time to deal with errors...
Facebook rant incoming!
I'm so pissed off with Facebook right now, woke up this morning to check Facebook and it asked me to submit a photo of myself (it's not like Facebook doesn't already have many photos of me), then after submitting it logs me out "for security reasons". The only thing I've done different since the last time I was on Facebook was add someone.... If Facebook doesn't approve my photo I will just say fuck it and stay off Facebook.1
That moment when you in Computer Security Management and the Professor shows you the different between
Alt+ Tab and Windows + Tab.
Professor: did you guys know about these shortcuts?
Me: of course how else do I code, write a post and check one on Stack Overflow, Google help on a code, check my work email for the boss response, and see how the codes runs on a browser?
Many times in life I experienced situations that are depressing to me yet I'm not partially or totally conscious about it.
I have a very good example that I'm actually experiencing right now: me reporting the progress of a task to my boss and getting no response from him.
He has gone on these "ignoring sprees" in the past already and for the current one, it's been like four consecutive ignores.
I guess it's depressing for two reasons:
1) I feel like my work has no importance or value, which drags me down.
2) Sometimes he also tries to rush which I consider pretty hypocritical of him. because I have to basically not complain about it to not endanger this job relationship my family dearly depends on, I have to shut up and feel frustrated. (keep in mind i'm a south am person working for a us company and I was very lucky to get this job).
For some reason I just don't notice as easily how awful it makes me feel, but I wished I could fucking tell this straight into his fucking face:
You wanna be a boss? Be a fucking boss and check on my fucking progress.
I'm considering getting into security and going for bug bounties online.
Some of my previous rants mention a web application that I wrote for my then-employer. As it is still in use and I have the whole code, too, I figured to check on security a little with a friend. It's all fine, except for one page, were I was sloppy and didn't escape strings, thus allowing for SQL injection.
This is however only possible if already logged in, which has shown to be secure (and the tool is for employees only).
Nobody is ever going to find out, as the only one who knew what injection even is was me. I left 2 years ago.
Why everyone who claim to know a lot about web security and encryptions is not able to help me check if my system is secure :/
And some try to charge me afterwards -.-"
If they expect payment they should state that at beginning and be able to actually do something...3
One of the worst practices in programming is misusing exceptions to send messages.
This from the node manual for example:
> fsPromises.access(path[, mode])
> fsPromises.access('/etc/passwd', fs.constants.R_OK | fs.constants.W_OK)
> .then(() => console.log('can access'))
> .catch(() => console.error('cannot access'));
I keep seeing people doing this and it's exceptionally bad API design, excusing the pun.
This spec makes assumptions that not being able to access something is an error condition.
This is a mistaken assumption. It should return either true or false unless a genuine IO exception occurred.
It's using an exception to return a result. This is commonly seen with booleans and things that may or may not exist (using an exception instead of null or undefined).
If it returned a boolean then it would be up to me whether or not to throw an exception. They could also add a wrapper such as requireAccess for consistent error exceptions.
If I want to check that a file isn't accessible, for example for security then I need to wrap what would be a simple if statement with try catch all over the place. If I turn on my debugger and try to track any throw exception then they are false positives everywhere.
If I want to check ten files and only fail if none of them are accessible then again this function isn't suited.
I see this everywhere although it coming from a major library is a bit sad.
This may be because the underlying libraries are C which is a bit funky with error handling, there's at least a reason to sometimes squash errors and results together (IE, optimisation). I suspect the exception is being used because under the hood error codes are also used and it's trying to use throwing an exception to give the different codes but doesn't exist and bad permissions might not be an error condition or one requiring an exception.
Yet this is still the bane of my existence. Bad error handling everywhere including the other way around (things that should always be errors being warnings), in legacy code it's horrendous.6
Gf asked me to help her with getting science articles. She had some page that her university suggested students to use, but had troubles with downloading documents.
At first I was like "Hey, it says use IE, other browsers are not supported. Thats bad but.. whatever". Then it popped that she needs Java enabled - well, I guess we have to... Even updated it cause it was needed.
Restarted IE, clicked download again and... Java security blocked web app... Eh, I don't trust it but whatever, just let's check what if I whitelist it.
Got some basic view, 1 dropdown list for "file name format" (like anybody cares), path selection where to save file, and some checkbox. Lame, but let's just leave it behind.
Downloaded, it turned out to be html file, not pdf, fishy that it was single file, but hoped for some text styled with css, so I opened it and got redirected to page where I clicked download.
Checked that file content - html with empty body and script tag containing js that redirects on load.
Using AWS S3 web ui to copy a big folder from one to another and in the middle of copying, I got a pop up that your session has expired please refresh the page and task failed because of this.
What kind of security is this ? Can you check if any task is currently running.
Second who uses browser alert these days... wasted my one hour.7
i have been testing pop os! since several days, MY GOD, i have never seen such a clean Debian (Ubuntu) - distribution in my life time as developer .... holy shit, this is even superior to MacOS look&feel ... it is so good, that I can play several AAA games on my fucked up RX 560D (a RX 460 version) ... it is the best Linux operating system I ever witnessed ... and I will stick to it ...
to the @ security team ... please check for NSA backdoors, that might be the only possibility this shit is too good to be true2
So i am at an MNC as a summer internship, me along with 18 other students from my university cleared this hackathon and got selected for this internship,
Few things you should know
1. Amongst all the other candidates i had the most work experience
3. I legit have more skills then almost everyone working in my team
So, I don't know how but the HR decided i should go to this team, where there are no developers and are people of age 30 who have no idea what django is,
I was fucking frustrated but i let it go, thinking i will just solve this problem and will change my team, calm down
They told me about the project. I said okay give me access i will just finish it.
5 days no signs of access anyhow, so, i sucked it up and tracked all the network request and made my own api,
Then I was happy i get rid of this project,
But then they had bigger plans they ask me to add features on this project but there is a catch you have no access to any accounts, do it on your own,
Like What the Fuck, before giving an intern any project don't you have the responsibility to check weather the fucking project is possible i am just wasting my summer internship. I thought I got a big company it will help me grow i will get job security, but noo wtf, i am hell of frustrated1
What's the point of having a 'Check for updates' if it doesn't tell you there is a security update? And why do I always have to download and install updates manually?