They call it $5/gb hotel wifi, i call it free uncapped 100meg fibre because your security sucks

Oh and they host their entire POS (and database with backups) on the same network accessible to every TV in the hotel

When the "lost password" feature of a website sends you an email with your original password :/

Story time:

I was once working on a project that dealt with incredibly sensitive financial data.

We needed a client’s database to do a migration.

They wouldn’t send it over the internet because it was too big and they didn’t think it would be secure.

They opt to send it in the post on an encrypted usb drive.

(Fair enough thinks I)

USB drive arrives.
Is indeed encrypted.

MFW there’s a post it note in the envelope with the password on.

MFW this is a billion dollar multinational petrochem company.

MFW this same company’s ‘sysadmin’ and ‘dba’ once complained because a SQL script I sent them didn’t work - they’d pasted it twice and couldn’t work this out from the fucking “table already created” error message management studio was throwing at them.

> Claims to be a security expert and an Anonymous member

> His router uses WEP as encryption

I hate it when I run out of internets.

Probably the funniest phishing test I've ever seen.

Conversation between some kind of executives on the table next to mine:

A: do you know this app that'll let you hack into any Wi-Fi? You just click here, copy that and paste it here... and I hacked the restaurant's Wi-Fi. **laughs**

B: oh, only X? Bought. Wait... what is this "allow app to access your location"?

A: yeah, click "allow". You should also install a VPN.

B: what? BPN?

A: no, no. VPN. When you use a VPN you have a secure internet connection. You're protected from tracking, hacking and virus.

Imagine if a structural engineer whose bridge has collapsed and killed several people calls it a feature.

Imagine if that structural engineer made a mistake in the tensile strength of this or that type of bolt and shoved it under the rug as "won't fix".

Imagine that it's you who's relying on that bridge to commute every day. Would you use it, knowing that its QA might not have been very rigorous and could fail at any point in time?

Seriously, you developers have all kinds of fancy stuff like Continuous Integration, Agile development, pipelines, unit testing and some more buzzwords. So why is it that the bridges don't collapse, yet new critical security vulnerabilities caused by bad design, unfixed bugs etc appear every day?

Your actions have consequences. Maybe not for yourself but likely it will have on someone else who's relying on your software. And good QA instead of that whole stupid "move fast and break things" is imperative.

Software developers call themselves the same engineers as the structural engineer and the electrical engineer whose mistakes can kill people. I can't help but be utterly disappointed with the status quo in software development. Don't you carry the title of the engineer with pride? The pride that comes from the responsibility that your application creates?

I wish I'd taken the blue pill. I didn't want to know that software "engineering" was this bad, this insanity-inducing.

But more than anything, it surprises me that the world that relies so much on software hasn't collapsed in some incredible way yet, despite the quality of what's driving it.

UN: admin
PW: password

Fuck me, big fucking security flaw with a UK internet service provider, my head has gone through my desk and hit the floor it’s that bad.

I'm seeing people defending clearly-injectable code and I'm just stunned.

And this person in particular is supposed to be responsible (at least partially) for finding security flaws.

I don't know what to say.

!rant
The change log from notepad++ update. The last paragraph is the cream!

" The issue of a hijacked DLL concerns scilexer.dll (needed by Notepad++) on a compromised PC, which is replaced by a modified scilexer.dll built by the CIA. When Notepad++ is launched, the modified scilexer.dll is loaded instead of the original one.
It doesn't mean that CIA is interested in your coding skill or in your sex message content typed in Notepad++, but rather it prevents raising any red flags while the DLL does data collection in the background.

It's not a vulnerability/security issue in Notepad++, but for remedying this issue, from this release (v7.3.3) forward, notepad++.exe checks the certificate validation in scilexer.dll before loading it. If the certificate is missing or invalid, then it just won't be loaded, and Notepad++ will fail to launch.

Checking the certificate of DLL makes it harder to hack. Note that once users’ PCs are compromised, the hackers can do anything on the PCs. This solution only prevents from Notepad++ loading a CIA homemade DLL. It doesn't prevent your original notepad++.exe from being replaced by modified notepad++.exe while the CIA is controlling your PC.

Just like knowing the lock is useless for people who are willing to go into my house, I still shut the door and lock it every morning when I leave home. We are in a f**king corrupted world, unfortunately. "

Wow... this is the perfect week for this topic.

Thursday, is the most fucked off I’ve ever been at work.

I’ll preface this story by saying that I won’t name names in the public domain to avoid anyone having something to use against me in court. But, I’m all for the freedom of information so please DM if you want to know who I’m talking about.

Yesterday I handed in my resignation, to the company that looked after me for my first 5 years out of university.

Thursday was my breaking point but to understand why I resigned you need a little back story.

I’m a developer for a corporate in a team of 10 or so.

The company that I work for is systemically incompetent and have shown me this without fail over the last 6 months.

For the last year we’ve had a brilliant contracted, AWS Certified developer who writes clean as hell hybrid mobile apps in Ion3, node, couch and a tonne of other up to the minute technologies. Shout out to Morpheus you legend, I know you’re here.

At its core my job as a developer is to develop and get a product into the end users hands.

Morpheus was taking some shit, and coming back to his desk angry as fuck over the last few months... as one of the more experienced devs and someone who gives a fuck I asked him what was up.

He told me, company want their mobile app that he’s developed on internal infrastructure... and that that wasn’t going to work.

Que a week of me validating his opinion, looking through his work and bringing myself up to speed.

I came to the conclusion that he’d done exactly what he was asked to, brilliant Work, clean code, great consideration to performance and UX in his design. He did really well. Crucially, the infrastructure proposed was self-contradicting, it wouldn’t work and if they tried to fudge it in it would barely fucking run.

So I told everyone I had the same opinion as him.

4 months of fucking arguing with internal PMs, managers and the project team go by... me and morpheus are told we’re not on the project.

The breaking point for me came last Wednesday, given no knowledge of the tech, some project fannies said Morpheus should be removed and his contract terminated.

I was up in fucking arms. He’d done everything really well, to see a fellow developer take shit for doing his job better than anyone else in [company] could was soul destroying.

That was the straw on the camels back. We don’t come to work to take shit for doing a good job. We don’t allow our superiors to give people shit in our team when they’re doing nothing but a good job. And you know what: the opinion of the person that knows what they’re talking about is worth 10 times that of the fools who don’t.

My manager told me to hold off, the person supposed to be supporting us told me to stand down. I told him I was going to get the app to the business lead because he fucking loves it and can tell us if there’s anything to change whilst architecture sorts out their outdated fucking ideas.

Stand down James. Do nothing. Don’t do your job. Don’t back Morpheus with his skills and abilities well beyond any of ours. Do nothing.

That was the deciding point for me, I said if Morpheus goes... I go... but then they continued their nonsense, so I’m going anyway.

I made the decision Thursday, and Friday had recruiters chomping at the bit to put the proper “senior” back in my title, and pay me what I’m worth.

The other issues that caused me to see this company in it’s true form:
- I raised a key security issue, documented it, and passed it over to the security team.
- they understood, and told the business users “we cannot use ArcGIS’ mobile apps, they don’t even pretend to be secure”
- the business users are still using the apps going into the GDPR because they don’t understand the ramifications of the decisions they’re making.

I noticed recently that [company] is completely unable to finish a project to time or budget... and that it’s always the developers put to blame.

I also noticed that middle management is in a constant state of flux with reorganisations because in truth the upper managers know they need to sack them.

For me though, it was that developers in [company], the people that know what they’re talking about; are never listened to.

Fuck being resigned to doing a shit job.

Fuck this company. On to one that can do it right.

Morpheus you beautiful bastard I know you’ll be off soon too but I also feel I’ve made a friend for life. “Private cloud” my arse.

Since making the decision Thursday I feel a lot more free, I have open job offers at places that do this well. I have a position of power in the company to demand what I need and get it. And I have the CEO and CTO’s ears perking up because their department is absolutely shocking.

Freedom is a wonderful feeling.

left a company over 3 years ago because they wanted me to dumb my code down so that the other devs could understand it. they wouldn't allow me to use classes in my code lol. anyway, 3+ years later figured I would try to log in to some of the admin panels... passwords still the same. MySQL dbs... passwords the same... cpanel... passwords the same. smh. even if I still worked there the passwords should be changed every so often. top notch security right there. funniest part is they don't even do backups or use VCS for the code. sad sad company. glad I'm no longer there. my personal projects have more security, redundancy and fail over lol

Forgive me father, for I have sinned.  Alot actually, but I'm here for technical sins.  Okay, a particular series of technical sins.  Sit your ass back down padre, you signed up for this shit.  Where was I?  Right, it has been 11429 days since my last confession.  May this serve as equal parts rant, confession, and record for the poor SOB who comes after me.

Ended up in a job where everything was done manually or controlled by rickety Access "apps".  Many manhours were wasted on sitting and waiting for the main system to spit out a query download so it could be parsed by hand or loaded into one of the aforementioned apps that had a nasty habit of locking up the aged hardware that we were allowed.  Updates to the system were done through and awful utility that tended to cut out silently, fail loudly and randomly, or post data horrifically wrong.

Fuck that noise.  Floated the idea of automating downloads and uploads to bossman.  This is where I learned that the main system had no SQL socket by default, but the vendor managing the system could provide one for an obscene amount of money.  There was no buy in from above, not worth the price.

Automated it anyway.  Main system had a free form entry field, ostensibly for handwriting SELECT queries.  Using Python, AutoHotkey, and glorified copy-pasting, it worked after a fashion.  Showed the time saved by not having to do downloads manually.  Got us the buy in we needed, bigwigs get negotiating with the vendor, told to start developing something based on some docs from the vendor.  Keep the hacky solution running as team loves not having to waste time on downloads.

Found SQLi vulnerability in the above free form query system, brought it up to bossman to bring up the chain.  Vulnerability still there months later.  Test using it for automated updates.  Works and is magnitudes more stable than update utility.  Bring it up again and show the time we can save exploiting it.  Decision made to use it while it exists, saves more time.  Team happier, able to actual develop solutions uninterrupted now.  Using Python, AutoHotkey, glorified copy-pasting, and SQLi in the course of day to day business critical work.  Ugliest hacky thing I've ever caused to exist.

Flash forward 6 years.  Automation system now in heavy use acrossed two companies.  Handles all automatic downloads for several departments, 1 million+ discrete updates daily with alot of room for expansion, stuff runs 24/7 on schedule, most former Access apps now gone and written sanely and managed by the automation system.  Its on real hardware with real databases and security behind it.

It is still using AutoHotkey, copy-paste, and SQLi to interface with the main system.  There never was and never will be a SQL socket.  Keep this hellbeast I've spawned chugging along.

I've pointed out how many ways this can all go pearshaped.  I've pointed out that one day the vendor will get their shit together they'll come in post system update and nothing will work anymore.  I've pointed out the danger in continuing to use the system with such a glaring SQLi vulnerability.

Noone cares.  Won't be my problem soon enough.

In no particular order:
Fuck management for not fighting for a good system interface
Fuck the vendor for A) not having a SQL socket and B) leaving the SQLi vulnerability there this long
Fuck me for bringing this thing into existence

Security rant ahead - you have been warned.
It never fails to amuse and irritate me that, despite being in the 2019 supposed information age, people still don't understand or care about their security.
I've travelled to a lot of ports and a lot of countries, but, at EVERY port, without fail, there will be at least one wifi that:
- Has default name/password that has been cracked already (Thomson/SpeedTouch/Netfaster etc)
- Has a phone number as password (reduces crack time to 15-30 mins)
- Someone, to this day, has plain old WEP
I am not talking about cafeteria/store wifi but home networks. WTF people?! I can check my email (through VPN, of course) but it still bugs me. I have relented to try and snoop around the network - I can get carried away, which is bad. Still...
The speed is great though :P

My office has blocked access to all external websites. Only internal, self-hosted sites under our domain work.

P E A K. S E C U R I T Y.

such secured

Can we talk about this for a second? I mean WTF, how is Windows XP still a thing. Wasn't there a ransomeware attack recently, so every last sys admin should have some motivation to upgrade their shit?
Sure, I hear you say, it's just an information display. No critical stuff.
Well guess what, it was at an airport. Most likely not connected to any critical infrastructur, but still it's a computer, stuck at the boot screen at 11 a.m. running windows XP, connected to an airport network.
And I was standing there like: fuck me!

!!oracle

I'm trying to install a minecraft modpack to play with a friend, and I'm super psyced about it. According to the modpack instructions, the first step is to download the java8 jre. Not sure if I actually need it or not, but it can download while I'm doing everything else, so I dutifully go to the download page and find the appropriate version. The download link does point to the file, but redirects to a login page instead. Apparently I need an oracle account to download anything on their site. stupid.

So I make an account. It requires my life story, or at least full name and address and phone number. stupid. So my name is now "fuck off" and I live in Hell, Michigan. My email is also "gofuckyourself" because I'm feeling spiteful. Also, for some reason every character takes about 3/4ths of a second to type, so it's very slow going. Passwords also cannot contain spaces, which makes me think they're doing some stupid "security" shenanigans like custom reversible encryption with some 5th grade math. or they're just stupid. Whatever, I make the stupid account.

Afterwards, I try to log in, but apparently my browser-saved credentials are wrong? I try a few more times, try enabling all of the javascripts, etc. No beans. Okay, maybe I can't use it until I verify the email? That actually makes some sense. Fine, I go check the throwaway inbox. No verification email. It's been like five minutes, but it's oracle so they probably just failed at it like everything else, so I try to have them resend the email. I find the resend link, and try it. Every time I enter my email address, though, it either gives me a validation error or a server error. I try a few mores times, and give up. I try to log in again; no dice. Giving up, I go do something else for awhile.

On a whim later, I check for the verification email again. Apparently it just takes bloody forever, but it did show up. Except instead of the first name "Fuck" I entered, I'm now "Andrew", apparently. okay.... whatever. I click the verify button anyway, and to my surprise it actually works, and says that I'm now allowed to use my account. Yay!

So, I go back to the login page (from the download link) and enter my credentials. A new error appears! I cannot use redirects, apparently, and "must type in the page address I want to visit manually." huh? okay, i go to the page directly, and see the same bloody error because of course i do because oracle fucking sucks. So I close the page, go back to the download list, click the link, wait for the login page redirect (which is so totally not allowed, apparently, except it works and manual navigation does not. yay backwards!), and try to log in.

Instead of being presented with an error because of the redirect, it lets me (try to) log in. But despite using prefilled creds (and also copy/pasting), it tells me they're invalid. I open a new tab container, clear the cache (just to be thorough), and repeat the above steps. This time it redirects me to a single signon server page (their concept of oauth), and presents me with a system error telling me to contact "the Administrator." -.- Any second attempts, refreshes, etc. just display the same error.

Further attempts to log in from the download page fail with the same invalid credentials error as before.

Fucking oracle and their reverse Midas touch.

A store in Russia was robbed for 30k$ using ArtMoney.

ArtMoney is a Game cheating program that is used in games that have no AntiCheat system or it is insanely horrible(Cookie clicker as an example for a game that had no anticheat and ArtMoney is used in it)

The robbers placed orders for tech(like phones and laptops) and then used the program to change the prices from thousands of dollars down to 5$.

The cheat program is insanely easy to defend against or detect its changes.

This is a good reminder to check your security if youre adminstating things like online shops or other stuff thag can be targeted at a similar fashion.

So I'm back from vacation! It's my first day back, and I'm feeling refreshed and chipper, and motivated to get a bunch of things done quickly so I can slack off a bit later. It's a great plan.

First up: I need to finish up tiny thing from my previous ticket -- I had overlooked it in the description before. (I couldn't test this feature [push notifications] locally so I left it to QA to test while I was gone.)

It amounted to changing how we pull a due date out of the DB; some merchants use X, a couple use Y. Instead of hardcoding them, it would use a setting that admins can update on the fly.

Several methods deep, the current due date gets pulled indirectly from another class, so it's non-trivial to update; I start working through it.

But wait, if we're displaying a due date that differs from the date we're actually using internally, that's legit bad. So I investigate if I need to update the internals, too.

After awhile, I start to make lunch. I ask my boss if it's display-only (best case) and... no response. More investigating.

I start to make a late lunch. A wild sickness appears! Rush to bathroom; lose two turns.

I come back and get distracted by more investigating. I start to make an early dinner... and end up making dinner for my monster instead.

Boss responds, tells me it's just for display (yay!) and that we should use <macro resource feature> instead.

I talk to Mr. Product about which macros I should add; he doesn't respond.

I go back to making lunch-turn-dinner for myself; monster comes back and he's still hungry (as he never asks for more), so I make him dinner.

I check Slack again; Mr. Product still hasn't responded. I go back to making dinner.

Most of the way through cooking, I get a notification! Product says he's talking it through with my boss, who will update me on it. Okay fine. I finish making dinner and go eat.

No response from boss; I start looking through my next ticket.

No response from boss. I ping him and ask for an update, and he says "What are you talking about?" Apparently product never talked to bossmang =/ I ask him about the resources, and he says there's no need to create any more as the one I need already exists! Yay!

So my feature went from a large, complex refactor all the way down to a -1+2 diff. That's freaking amazing, and it only took the entire day!

I run the related specs, which take forever, then commit and push.

Push rejected; pull first! Fair, I have been gone for two weeks. I pull, and git complains about my .gitignore and some local changes. fine, whatever. Except I forgot I had my .gitignore ignored (skipped worktree). Finally figure that out, clean up my tree, and merge.

Time to run the specs again! Gems are out of date. Okay, I go run `bundle install` and ... Ruby is no longer installed? Turns out one of the changes was an upgrade to Ruby 2.5.8.

Alright, I run `rvm use ruby-2.5.8` and.... rvm: command not found. What. I inspect the errors from before and... ah! Someone's brain fell out and they installed rbenv instead of the expected rvm on my mac. Fine, time to figure it out. `rbenv which ruby`; error. `rbenv install --list`; skyscraper-long list that contains bloody everything EXCEPT 2.5.8! Literally 2.5 through 2.5.7 and then 2.6.0-dev. asjdfklasdjf

Then I remember before I left people on Slack made a big deal about upgrading Ruby, so I go looking. Dummy me forgot about the search feature for a painful ten minutes. :( Search found the upgrade instructions right away, ofc. I follow them, and... each step takes freaking forever. Meanwhile my children are having a yelling duet in the immediate background, punctuated with screams and banging toys on furniture.

Eventually (seriously like twenty-five minutes later) I make it through the list. I cd into my project directory and... I get an error message and I'm not in the project directory? what. Oh, it's a zsh thing. k, I work around that, and try to run my specs. Fail.

I need to update my gems; k. `bundle install` and... twenty minutes later... all done.

I go to run my specs and... RubyMine reports I'm using 2.5.4 instead of 2.5.8? That can't be right. `ruby --version` reports 2.5.8; `rbenv version` reports 2.5.8? Fuck it, I've fought with this long enough. Restarting fixes everything, right? So I restart. when my mac comes back to life, I try again; same issue. After fighting for another ten minutes, I find a version toggle in RubyMine's settings, and update it to 2.5.8. It indexes for five minutes. ugh.

Also! After the restart, this company-installed surveillance "security" runs and lags my computer to hell. Highest spec MacBook Pro and it takes 2-5 seconds just to switch between desktops!

I run specs again. Hey look! Missing dependency: no execjs. I can't run the specs.

Fuck. This. I'll just push and let the CI run specs for me.

I just don't care anymore. It's now 8pm and I've spent the past 11 hours on a -1+2 diff!

What a great first day back! Everything is just the way I left it.

Client: I can't login with my lastpass
Me: Oh, why not, how are you trying?
Client: So, I've entered my lastpass password into my bank account, and it says 'wrong login credentials'
Me: °-°

Damn... some dude has his full SSH credentials to his webserver in his published NPM package...
I have to tell him 😅

Saw this security blunder a while ago. Went onto some site and it showed me this username/password dialog (probably an apache's htpasswd or nginx one). Went away but returned quickly because I noticed I could see all content. Then I thought 'why the fuck not try?' so I dragged the auth popup thingy to the side of the screen and et voila... I could interact with the page as if nothing was wrong while the authentication popup was hovering above the page on the right!

I sat there giggling dramatically for a while.

The company that I currently work for has a strict clean-desk policy. So strict, there's even have a little booklet that they have about 1000 copies of lying around the office everywhere. In the booklet is a playful description (with cartoons!) of what can go wrong when sensitive information is lying around, or shared with outsiders through careless talk, etcetera. Employees are encouraged to take a copy of the booklet home.

Also in the booklet is a description of the importance of having a good password. It mentions the required minimum (x) and maximum (x+1) length of passwords, mandatory character classes, and how often the passwords have to be changed.

My new phone will (as a default feature) discover the devices that my housemate is using to stream content on the WiFi network - and let me control them.

Right now, I think he's getting ready for bed, but he left the player paused instead of turning it off.

Let the fun and hilarity ensue.

Microsoft seriously hates security, first they do enforce an numer, upper and lowercase combined with a special character.
But then they allow no passwords longer than 16 characters....
After that they complain that "FuckMicrosoft!1" is a password they've seen to often, gee thanks for the brute force tips.

To add insult to injury the first displayed "tip" take a look at the attached image.

So, my fathers company’s website got hacked. And the hacker left this message on the homepage. Wtf does this mean?

Me: "The exploit worked when you tested it too, right?"
Them: "..."
Me: "You tested it too, right?"
Them: "..."
*facepalm*

One of my colleagues in college asked me if I could check his raspberry pi because it behaved „strangely“.

I found out that it had been hijacked and somebody tried to mine bitcoins with it... that’s why you should change default credentials...

Secure security camera... :'D

I saw a lot of this this week when browsing GitHub...

Shopping with my girlfriend when I spot this. Nobody to see for miles. Guess this wouldn't pose a problem, would it? I mean it wouldn't say secure Id, if it wasn't secure...?

Confidence is key.

Fucking amateur developers deploying what should be complex APIs to a financial business environment with incomplete and inaccurate documentation, with their code copy pasted from chat boxes, with "tests" that do not output any relevant logging except pass/fail and take 2 days to run, with deficient but multi-factor redundant security that works occasionally based on air pressure, publishing code that causes their systems to break and lose data then blame everything on integrators for simply calling their own fucking cheap excuse of an API based on their own shitty documentation, and API calls that respond in 10+ seconds for simplest fucking queries.
FUCK.ALL.OF.YOU
FUCK YOU sideways go write children's books morons fuck off and die I will fucking teabag your women and turn your dogs into tacos you watching... hopefully next year when i'm done wasting my time on your retarded shit

I really just came across this on a legit apartment rental website.

I can see no possible way for this to go wrong.
No possible way that anyone could exploit this... 🙃

Security fail here. I've just started a PPI claim and have been provided a link to a so called "very secure" client area.

There are no username or passwords and the screenshot is not a first time sign up screen.

All I need to login is a surname, postcode and DOB - all information easy enough to find online.

Pretty bad IMO, esp, so considering the effort required to add a proper login using a username/password combination.

I mean I'm logged in now and have no option to set an account password :|

Come ooonnn!!!

When i was younger, lesser experienced and more naive than now; i got away with a lot of things. By lot of things i mean security flaws in my applications and overall architecture. I realise now i could've so easily been pawned.

Not that i claim to be totally secure even now, or would ever. It is a process, slow and painful one - Learning.

What i wish to point out is the role of favorable probability (non believers would call it luck). Security is so much about it. You get away with so many things for so long. And bang one day the roll of dice is unfavorable. On such rare occasions, just look back and wonder - damn i should've been breached long ago.

!Rant #motivation #hugeProject
Yesterday i started a new app and i designed some of it but classes i coded will speed up the whole coding of other parts .
Anyways today i needed to work on the server side of the project and when i was working on setting up the databases structures i realized how big is this project (it uses like 3 APIs) so i was unmotivated because its a side project and it takes alot of time and overall it dont worth it and even app may fail or may be successful.
So i said i dont care about how it will turn out
Im gonna do it , and im gonna do it right now
So i did now its 6 am and the server part is almost finished ! 75% done .
It was a secure login system and signup with verifications and more security stuff and the codes that provide the server status and most of the user parts . And some of the features of the app .
The most hard thing remaining is to setup the in app purchases and the APIs .
So if you see a project that is huge .
Dont give up . Just do it as long as you can
And you will see how much you progress !
And the huge project will be a big project ;)
Then a normal project , then a tiny project :P
Good night

Security! I wish clients would listen to me regarding security...

The client has started to ask me to give them access to all the logins I have for the email, domain, server etc.
I created them a new account and gave them admin access.

Now they’re asking for password for all the email accounts (I don’t even store them). So I asked why, she wanted to have them in case some of the employees forgot their password.

I explained to her, deeply and many times, WHY THIS IS A BAD FUCKING IDEA. I also discovered she’s keeping it in a document, clear text.

Why do they pay me for support, when they want to have access to everything...

I’m wondering if they’re planning to find someone else to do their support, or do it themselves.

I didn’t even think 25€ pr month is that expensive for support

telco sysadmin: hey maybe we should secure our SMTP server with SSL and password verification so our clients can e-mail safely!
senior exec be like: nah just filter incoming connections for our own IP-range, that'll do.

result: I can impersonate any client of the telco and send e-mail in their name (from any home network connected to that provider), but I can't send e-mail over cellular network.

Credentials are in var/www/credentials.txt

Short sad story:

The backend team in my company stores plain text passwords and I am making a view in the website to view all the users password in the system

That moment you call a php curl script to download files handed to it from a python script because the http request in python somehow get blocked by corporate bullshit, but you also need access to MS products for this script to work, which you can't do in PHP.

# FML
# Corporate "Security" is bullshit
# Fail, Adapt, Overcome

Sux Security: Banking site asked me to set up 3 "security questions" for validation purposes. When I typed in my responses they were obfuscated behind asterisks.

When I log in later, from a different computer than usual, and am prompted for the answer to one of the security questions my answers appear in clear text.

So I had just finished the walkthrough with the inspector in my soon-to-be home. I was told I’d receive an email with instructions on how to download my inspection report.

A few hours passed and I received the email; it required I make an account with the service they were using to view my report... alright, whatever.

After making the account I receive another email thanking me for signing up. Then I see it, plaintext and bold letters:

Username: $myusername
Password: $mypassword

How is this even still a thing???

Today, carrying my dinner to a table in our universities cafeteria, I passed by the table of a professor. He had a book on his table titled "Hacking Handbook". It contains chapters on httrack, ping, port scans and the like (I checked that on Amazon).

The professor drank a coffee, then got up to get some food. His table was directly next to the wall separating the food corner from the tables. He stayed away from his computer for two or three minutes. Both table and computer where totally out of his field of vision during that time. His computer was not locked and Outlook was open.

The professor teaches IT security.

"The Phoenix project" alternative ending:

Bill Palmer manages to avert disaster with heroic efforts, working 18 hours per day for weeks.
His wife files for divorce. He starts to sleep at office, next to the servers room.
At the last moment a huge hacker attack almost destroys everything, but he finally manages to announce that Phoenix is ready on time, security auditing passed and any kind of great improvements.

Steve, the CEO, calls him and says: "are you crazy? we put you on an impossible project with short notice to make you fail! All our investors have been secretly short selling our stocks, so now they are waiting a big failure to cash in. We also paid korean hackers to bring you on your knees. But you are really stubborn! "

All Phoenix Project is rolled back, huge shit happens, stocks fall, investors ripe great benefits. All IT is outsourced to an external company (owned by members of the board)

Bill is fired. His reputation tainted by the failure, he can't find job anymore. his technical skills and knowledge are out of date.
As he didn't have time to take care of divorce he has lost also all his personal wealth.

He writes a book about his experience, well, actually a rant, but the company sues him forcing him to pay more money.

In the final scene, police arrests him, drunk while trying to burn a server farm with matches.

Talking about stupidity, my friend on whatsapp even share his bank online transaction on his stories, I told him to be careful with those sensitive information, but he's ignoring it.
I think he more care to show off his "bulge-wallet" than protect his own money.
Find anything stupid than that?

I started using Keepass like 2 months ago, and recently i started going through all my email accounts to compile a list of all the services i've ever signed up to; delete the accounts you don't need and move everything else to keepass with a strong passwd, that was the plan.
I'm still going, but out of the 60 i have so far, 10 sites just had the password, *in plain text*, in the confirmation email!! I don't even konw anymore, just end me now plz 😢

Logs in to client office 365.

Big recommendation at the top

"Disable password auto expiry, it's currently set to 90 days"

Why is this a recommendation? I suppose there's an argument that making a user change every now and again will weaken their passwords over time, but really?

Why don't most products follow a minimalist approach right till the end? Most start ups start like that. But when things begin to fall apart or become better they tend to deviate. While the earlier reason is understandable (because no one likes to fail so they'll do anything to not fail), the second reason seems to me more of an organisational creation than what the users want.

From my understanding as the product becomes popular positions (managerial or product) created need to justify their presence. What do they do? So the breath of fresh air brings in a lot of garbage that may not be required and would be in deviance from the main product idea.

It is debatable that audiences would not accept such ideas that are being brought in, because hey audiences are smart. And they are. But the organisation in order to justify the original wrong decision tends to push their new features (through offers or marketing campaigns). This makes the organisation invested into a wrong direction and security of jobs of the new managers/product people. Win win situation, but lose lose for the organisation and the original product.

please stop fucking "Access-Control-Allow-Origin: *"

I hate Mondays...

So, Yours truly, the multilingual flightless bird leaves his apartment... Locks door... Fucking key gets stuck in lock (had some attempted home invasion attempt last year, left a few things bent).
The last thing I can use today, important project to work on with a deadline close enough to worry about.

I would say that's a classic Error 500 on login kinda situation.

The irony? I fancy myself a pretty good lock picker(A must have for an aspiring pentester) .

Luckily, a quick squirt of gun oil resolved that one... Seriously, how do people manage without a supply of tools and stuff?

One aged person went to banker and said my son is not in country, and he asked me to withdraw money from his mutual fund account. Can you help.

Banker replied, do you have withdraw form signed. If not then can you copy his sign.

Elder guy tried it and stupid banker accepted withdraw form as well.

How does 2FA and https help, when site forwards all traffic from cloudfront to their actual servers in plain http?

Security starts as soon as the project starts. Every decision you make needs to be one that considers whether you will compromise on security - but human beings fail to do this for one reason - bureaucracy.

I worked 2012-2016 for a big telco company in my country and there was this HTTPS webpage with an iframe rendering any url you passed over the ?url query param plus a header with the company's logo.

I was on a meeting with some friends in charge of social media and they found it for a user report.

Unbelievable 🤷🏻‍♂️ I remember I tried the page's url itself and it rendered a loop of the header with the company's logo 😂

FUCK you "WP iThemes Security Pro".

First of all, your FUCKing services isn't really secure, more like security by obscurity.
Don't get me started on how you probably don't have a dedicated team of security experts.
But oh well, the customer insisted I must install you, despite my advise.

Second of all, Don't FUCKing send me emails regarding "Scheduled malware scan failed" without it containing the FUCKing error message, not some generic "http_request_failed" error, why did it FUCKing fail?

Last but not least: Don't FUCKing clutter is with with your giant ass logo that takes up half my screen or FUCKing spam such as your upcoming events, newly published books/articles, incorrect "documentation"

My buddy thinks cyber security is a scam, because it will always fail?!? 🤔

Losing faith in Netflix and their awesome open source projects.

Had a hard time trying to install Security Monkey : poor quality quickstart Ubuntu-only, almost no documentation, same instructions for latest (aka dev) and stable (aka prod) version, no depencies list ... oh and the UI display well only on Chrome ..

Then you surrender and just want to check the dockerized version they provide : it doesn't work neither (build fail or back end process just shut down) !!

I'm done ...

just opened a ticket with a software provider because the new version is crap, crashes, and doesn't even function properly

get an temp ftp account made (for some...reason?) and an e-mail with the user and pass in plain text in a single e-mail

what year is it?

What the fuck, Android? My phone was locked, and the last open app was Instagram brcause I was chatting with my friend. So I try to unlock the phone with fingerprint, as I always do. The phone unlocks (at least it looked like it) and I get straight ot my IG chat, but at the same time an error message appears on the top of the screen saying that it failed to unlock the phone. And sure enough when I check my navi bar, the recent apps button is missing, indicating that the phone is still in a locked state. So after a failed unlock, someone with enough luck can get full access to my instagram chats and whatever else the foreground app is??? What the actual fuck?

A list with usernames and passwords have to go from customer A to customer B, because customer A does not have the permission to set these login credentials to the productive system. Additionally, the users are technically unable to change their passwords (yes I know, it's a mess there). What should customer a do? Like except burn all my customers alive and punch them...

- I love blowing my mind. Even if it is the most confusing thing. Things like security mechanisms, neurons' behaviors, mathematics (even tho I hate it when I fail lol), electronics, medical terminology and chemistry.
- I love collecting rare coins, personally never-seen stones and put them into my collection. I love to be a designer. Not only on my laptop. I have a book shelf and within that book shelf I put stones that create the yin yang sign while pushing the books to two sides. That makes them look like they are levitating. I have stones (including obsidian) that create a triangle and a knife hanging down the wall of my room.
- I love visiting touristic, historic, naturally-beautiful but also non-touristic (non-touristic? yes. by that I mean visiting e.g. the areas of touristic cities which are dangerous, because you can easily fall down off of a slippery ground and take serious injuries) places around the globe, talk to complete strangers in public (I am trying to be an extrovert), take pictures with my camera and collecting antiquities.
- I love taking risks (no. I don't play any poker games etc on the internet) without trying to put other people in risk. Driving insanely with whatever I have. Car, bike, you name it.
- I love reading books. Books that are about human psychology, fantasy novels and books about programming languages.
- I love to cook (I am at the beginning).
- I love to use the konMari method of tidying up my room.
- I love plants.
- I love having everything in my room tidied up (even if I am too busy with other stuff and skip this cleaning process for a week upto a month sometimes. Sorry, room.).
- I love doing sports. But mostly sport that I have never tried before. This can be, because of my greedy wish for an adrenaline kick. That led me into taking a balloon flight at 4 am (sunrise) and to paragliding at sunset above Mediterranean sea btw. (I am normally afraid of flying, but paragliding was awesome).
- I love swimming. Like, you cannot pull me out of the sea for a minimum of 2 hours, if it is not important.
- I love laying above the sea water and let the sea carry me to somewhere else.
- I love being alone. I love the silence. I love to be free in my thoughts.
- I love watching the sunset, the light that shines through the forest, the moonlight and the stars at night.
- I love dreaming. No, like, lucid dreaming for example.
- I love being open to any opinions.
- I love to learn about other people's views about the world and their religion.
- I love pets and would do anything to keep them alive when they are ill. It hurts my heart seeing them like this.
- I love watching demonic "A: Holy shit! Did you see this thing, too?! B: Yes!" YouTube videos just for the fun of it, but I hate horror movies and games.
- I love trying out new things. The creation of music and video for example.
- I love to give my hair and beard a shape, if I am too lazy to go to the barbershop lol. By that I don't mean just going to the barbershop, but taking an electric razor and cutting my hair myself even if I get bad results from time to time that can be corrected by letting any family member tell me in which area of of my head the hair problem is.
- I don't like disco clubs.
- I don't like toxic people even though I can be a quite toxic person myself without realizing it. If I appear toxic to you, inform me about it. Having so much testosterone in that moment, can make me do things that I don't want to do.
- I don't like drugs even tho I have to admit that I am trying a few from time to time (maybe 6 months in-between) to have a dopamine kick. I am not an addict.
- I hate myself for things that I did in the past.
- I used to watch MMA videos etc.
- I used to use a telescope, but I can't find it anymore.
- I used to have a microscope, but I can't find it anywhere and besides of that the seller did literally piss in it before selling it to me many years ago. Don't want to touch it tbh.
- I used to play games, but I don't enjoy games anymore. That makes me feel sad.
- I miss the old moments of my life.

In conclusion:
I like how things went and go so far. It changed me so much. It made me a good and a bad person. I became more open and confident, but it also particularly made me a leader who can say "fuck off" in a bad way to his family. I would like to undo this particular part of me.

What would you do if you discover a major security flaw in an enterprise product that claims to be secure and has GDPR compliance? Like a really major flaw in a core feature of the product!

In this new World of Microservices Architecture, I fail to understand the monolithic application. My context being for interviews. They keep asking about the old ways. What patterns were used and security situation. How do you tackle that when I did not get a chance to work on old monoliths. But

Having a meeting with an old client of our company's today, guiding him through the deployment process for his front and backend, because he thought that we were withholding information, and at one point in the call he asks me if the './' at the beginning of the deployment script was a special security measure put in place by us... 😂

Facebook. Tell me about what you think of security issues. I’m all ears 👂

One of the worst practices in programming is misusing exceptions to send messages.

This from the node manual for example:

> fsPromises.access(path[, mode])

> fsPromises.access('/etc/passwd', fs.constants.R_OK | fs.constants.W_OK)
> .then(() => console.log('can access'))
> .catch(() => console.error('cannot access'));

I keep seeing people doing this and it's exceptionally bad API design, excusing the pun.

This spec makes assumptions that not being able to access something is an error condition.

This is a mistaken assumption. It should return either true or false unless a genuine IO exception occurred.

It's using an exception to return a result. This is commonly seen with booleans and things that may or may not exist (using an exception instead of null or undefined).

If it returned a boolean then it would be up to me whether or not to throw an exception. They could also add a wrapper such as requireAccess for consistent error exceptions.

If I want to check that a file isn't accessible, for example for security then I need to wrap what would be a simple if statement with try catch all over the place. If I turn on my debugger and try to track any throw exception then they are false positives everywhere.

If I want to check ten files and only fail if none of them are accessible then again this function isn't suited.

I see this everywhere although it coming from a major library is a bit sad.

This may be because the underlying libraries are C which is a bit funky with error handling, there's at least a reason to sometimes squash errors and results together (IE, optimisation). I suspect the exception is being used because under the hood error codes are also used and it's trying to use throwing an exception to give the different codes but doesn't exist and bad permissions might not be an error condition or one requiring an exception.

Yet this is still the bane of my existence. Bad error handling everywhere including the other way around (things that should always be errors being warnings), in legacy code it's horrendous.

When your redirect url passed as get parameter to 'secure' the login you pass bade64 envoded string with path, length and (salted) md5 hash ....

why God why you secure a redirect you do 302 to on success

This happened while I was working for my company's client, I was analysing why the build failed and I had ctrl+c the build files(.zip) to my local webserver to see what was wrong. After sometime I was replying an official email via outlook. But somehow those copied build files (.zip) ended up in this email. I realised this only it was too late. Yes config files had clear text passwords.

A few years ago we had a fail-over which was successful until we started failing everything back to primary servers. The applications could not start at all.
4 hours into troubleshooting, only to find out some java security files were misbehaving. Update from another server and it worked.
Up to date i haven't understood how it failed

HP Fortify is utter bullshit vaporware and the fact that it has any influence on my development cycle is soul crushing.