Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
Search - "security flaws"
-
First internship (ranted about it before).
- Had to google translate their entire internal crm.
- pointed out major security flaws and got a speech saying that "I shouldn't think so high of myself and I didn't have the fucking right to criticize their products"
- every time the boss came to the office after a failed sales presentation, we (interns) got called the most nasty stuff. Yes. We didn't have anything to do with that at all.
- I had "hygiene issues": window to the south with 35-40 degrees (Celsius) feeling temperature and no airco. Deo didn't really make a difference but wasn't allowed to use it there anyways. Details: I have a transpiration issue so I sweat shitloads more than other people, that didn't help at all.
- nearly got fired because I had to to to the doctor in company time for a serious health issue.
- was (no kidding) REQUIRES to use internet explorer and we were monitored constantly.
Self esteem dropped through the fucking ground there.12 -
This was at my first internship (was fired later for other bs reasons).
They got me as a programming intern but very soon I felt very conflicted with multiple things:
1. Got to google translate their internal CRM into five languages. After two weeks (the estimate I gave them) I discovered that I overlooked the second half, apologized and got a whole shitstorm at my face.
2. Was only allowed to use Internet Explorer for everything *cry face*.
3. Saw multiple security flaws in their main product, told my boss (also my internship manager) about it because hey, I'm security oriented and it might help them. Next day he called me into his office and I got a huge speech about who the fuck I am to criticize their product and that I was a security wannabee who doesn't know shit.
4. Boss came home after a product presentation went sideways. The interns didn't have anything to do with that but he called (or, yelled big time) us every dirty word he could think of and blamed us.
Luckily I was fired after like five weeks. I literally cried of happiness when I walked home. I was too shy to stand up for myself by that time (even only 2-3 years ago)14 -
A group of Security researchers has officially fucked hardware-level Intel botnet officially branded as "Intel Management Engine" they did so by gathering it all the autism they were able to get from StackOverflow mods... though they officially call it a Buffer Overflow.
On Wednesday, in a presentation at Black Hat Europe, Positive Technologies security researchers Mark Ermolov and Maxim Goryachy plan to explain the firmware flaws they found in Intel Management Engine 11, along with a warning that vendor patches for the vulnerability may not be enough.
Two weeks ago, the pair received thanks from Intel for working with the company to disclose the bugs responsibility. At the time, Chipzilla published 10 vulnerability notices affecting its Management Engine (ME), Server Platform Services (SPS), and Trusted Execution Engine (TXE).
The Intel Management Engine, which resides in the Platform Controller Hub, is a coprocessor that powers the company's vPro administrative features across a variety of chip families. It has its own OS, MINIX 3, a Unix-like operating system that runs at a level below the kernel of the device's main operating system.
It's a computer designed to monitor your computer. In that position, it has access to most of the processes and data on the main CPU. For admins, it can be useful for managing fleets of PCs; it's equally appealing to hackers for what Positive Technologies has dubbed "God mode."
The flaws cited by Intel could let an attacker run arbitrary code on affected hardware that wouldn't be visible to the user or the main operating system. Fears of such an attack led Chipzilla to implement an off switch, to comply with the NSA-developed IT security program called HAP.
But having identified this switch earlier this year, Ermolov and Goryachy contend it fails to protect against the bugs identified in three of the ten disclosures: CVE-2017-5705, CVE-2017-5706, and CVE-2017-5707.
The duo say they found a locally exploitable stack buffer overflow that allows the execution of unsigned code on any device with Intel ME 11, even if the device is turned off or protected by security software.
For more of the complete story go here:
https://blackhat.com/eu-17/...
https://theregister.co.uk/2017/12/...
I post mostly daily news, commentaries and such on my site for anyone that wish to drop by there19 -
I'm seeing people defending clearly-injectable code and I'm just stunned.
And this person in particular is supposed to be responsible (at least partially) for finding security flaws.
I don't know what to say.9 -
A month ago I had some medical tests, the next morning, the clinic's send a email with my results. Oh surprise, unbelievable security flaws. They sent me a link without any kind of authentication, token, or security. I looked at my results, and by entering consecutive and random numbers I was able to download a lot of results and folders of other patients. I wrote an email to the clinic informing them of this situation and their response was "Thank you". Today I have accessed the link and the error is still present. I am going to notify higher health authorities.11
-
Sooo I've been working on an ancient php 5.6 project that did not have any documentation and was a homemade "framework" created 7 years ago. The original creator is long gone and no one else knows a lot about this project.
When I first looked into it I almost immediately noticed the security flaws...
Old outdated libraries
a "development" feature to easily turn dev mode on/off
BY A GET PARAMETER!
it spits out full sql queries and php warnings -.-
Oh and did I mention that the site is a webshop.... and has a backdoor password?
AND THAT THE CUSTOMER REQUESTED THAT?3 -
😡😡😡 Who here thinks that great software can be build in a few hours?!?! My silly ass boss does. He haven't programmed in decades and think we're supposed to be able to build software that doesn't break, has the best security, no flaws, feature rich in VERY, VERY short amount of time!! 😡😡😡 Fuck out of here!! It pisses me off to my core.
Me: Just finished the required software. In a short amount of time with new stuff I've never worked with before.
Him: Well, it took u a week to do. I heard it should've only have taken u a few hours.
Then u build the shit then!!! Fuck out of here.
The Sr. Dev and I was talking about this on Friday. U won't good product...leave us the fuck alone and let us work!!! He don't think that there will be small issues that come up. He thinks we're supposed to already know those issues are gonna exists, like really u fuck tart!?
FUUUUUUCK!!!!8 -
So Patanjali(aka Ramdev Baba trying to sell you even a fucking underwear as ayurvedic and locally made) released their chat application "Kimbho" and was taken down within 24 hours because of major security flaws.
Some obvious ironies I would like to point out here.
1. Coming up with a chat application with gaping security flaws at this stage when privacy related discussions are happening at every nook and corner, worst move ever.
2. There are elections in 2019 and 1 year would be the right amount of time to gather data on public and start targetting and influencing people. It shouldn't be so obvious and everyone knows which political party Patanjali leans towards.
3. You are promoting an app citing Make In India initiative. You are the biggest Indian based FMCG operating in India, courtesy exploiting nationalist sentiments. Whatever you aim of doing, at least invest a decent amount of money in hiring good developers and designers. If not anything get a content writer who will write you an original description of your app for as low as ₹1000.
4. Promoting a competitor of whatsapp on whatsapp is a brilliant move. Give that marketting fellow a big raise.
5. Replacing the phone icon with a shankh is not innovation. Also, everyone knows about spam farms in Bangladesh and many places in India. So boasting about 1.5 lakh downloads in less than an hour only speaks more about your ignorance and lack of technical knowledge.
6. If you really are promoting "swadeshi app", why are you offering logging in through facebook? I mean even a blind person can clearly see your agenda here.
7. Hike is a messaging app made in India and they are here since long and still it are nowhere near the usage of whatsapp. Selling shit in the name of Make in India is not cool and its high time Patanjali realises this. But then again, it is their only marketting strategy because how else can you sell something as gross as cow urine and that too people buying it voluntarily.
8. If this stunt was carried out to be in the news, well played. You are getting a good amount of publicity, but this time a bad publicity will do more harm than good. People are calling out your bluff and you will get to see the results.
Mr. Baba Ramdev, fraud karo, itna blatant mat karo. India ki public sentimental hai chutiya nahi.7 -
Hello guys and girls!
My company tasked me to do something insane.
Little background info: I'm a trainee, in my first year (of three, even though I will shorten my apprenticeship to two years). I told my trainer that I like encryption in a somewhat private talk.
Now to the insane part. I got tasked to develop a whole security concept ~2 weeks ago to protect our products against industrial espionage. I feel in no way competent enough to achieve this especially because my concepts so far have been dismissed with a 'naaaah. Can't we just do X for now and add the other stuff later?' or 'we can't do that.'
I seriously don't want my name under a concept we would use world wide on our customers pcs which I know has serious flaws.
What should I do? What would you do?22 -
School's windows installations had the UAC set to lowest.
Anyone could install malware or fiddle with important settings.
Oh by the way, the same school who's gData found it funny to go through my USB drive and delete all executables and all my code because it was "possibly malicious".
Started installing random crap and messing with people in retaliation.
Was fun.
Until I got caught.
Good thing I compiled a list of security flaws earlier on.
From that day on, everytime I messed up, I sold them two security vulnerabilites to let me off the hook.
These included access to all kinds of drives in the windows network, accessing other PCs desktop, literally uninstalling random printers from the network etc..
Fun time.3 -
Have you heard that Facebook is developing a cryptocurrency?
Huge waste of money. Everyone knows Facebooks security flaws and will problably not invest in their cryptocurrency because of that.11 -
When i was younger, lesser experienced and more naive than now; i got away with a lot of things. By lot of things i mean security flaws in my applications and overall architecture. I realise now i could've so easily been pawned.
Not that i claim to be totally secure even now, or would ever. It is a process, slow and painful one - Learning.
What i wish to point out is the role of favorable probability (non believers would call it luck). Security is so much about it. You get away with so many things for so long. And bang one day the roll of dice is unfavorable. On such rare occasions, just look back and wonder - damn i should've been breached long ago.rant hindsight security fail looking back security luck vulnerabilities food for thought musings naive probability2 -
So apparently some major vpn connection providers got compromised some time ago.
https://twitter.com/hexdefined/...
https://twitter.com/cryptostorm_is/...
adding the fact that major enterprise vpn network providers had security flaws earlier this year
https://sdxcentral.com/articles/...
Sums up what was the major topic in security this year.
At the end I see something like cloud act that allows wiretapping anyone.
https://justice.gov/opa/pr/...
And when we multiply this by number of companies that have services in cloud that sums up privacy these days.
Non existent.6 -
Windows 10 updates. I see many posts about singular events that people have experienced, so I thought I'd try to sum up all the problems I have had.
Home computer, always on:
Is scheduled to update during 'inactive hours' but the options for that window are too narrow. So almost daily the 'required updates' overlay pops up WHILE I'M DOING STUFF and I have to say 'Ok' then close the update settings window that opens automatically so I can get on with what I'm doing.
Now, if I'm just browsing, writing or something like that, it's just really annoying.
But when I'm gaming and it causes the game to freeze up (because, you know, ubisoft and ea and such) and I lose my progress, that pisses me off.
When I'm hosting movie night with my friends and the movie gets interrupted, that pisses me off.
Even when I'm just trying to relax with a good show after a hard day and THAT gets interrupted, it really bugs me.
And then when there's a major update and I don't want to schedule it right away, they decide that I probably meant 'do it in an hour'. And then a message pops up every hour with only the option to postpone one more hour. What happened to all the options for scheduling it for several days in the future? Nope! Can't decide? We'll do it RIGHT NOW, NO TAKEBACKS, THAT'S FINAL!
I cannot fathom that they can't find a way to ACTUALLY do the 'inactive hours' thing.
And then there's the work computer. For the last two years, that has been a laptop that I shut down and take home every day. The common problem with that is that it always tells me it has to update when I want to shut down for the day because I have to go home. I can't leave the pc turned on in my bag, it would overheat. So since there is no option to shut down without updating anymore, I have had to rely on the fact that using the power button to shut down circumvents the update.
And if I don't remember to update at home, it's then going to waste my time the next morning at work.
Just give me the option to delay for a bit, then remind me NON-INTRUSIVELY so I can do it when I have the time.
And then there was the update that prevented the machine from booting and I had to waste TWO working days reinstalling EVERYTHING! And we were about 6-7 people hit by that update in our organization.
So yeah. Windows updates are a real fucking problem. Yes, I wan't critical fixes for security problems and other serious software flaws.
But the current policy of 'fuck you, we're doing this' is just not fucking acceptable in any way.3 -
Ibwish I had remembered this when the weekly theme was office pranks.
In the first or second year of high school we covered basic internet security. Stuff like don't follow suspicious urls, don't open suspicious emails and such.
Our teacher let us play around with some sort of simulated desktop environment, where we could execute some hacks like ad popups and such on each other's environment, if we fell for the trap.
Anyways, one hack I found interesting was a hack, that lockes a user out of their virual desktop, until he enters a password, that will be displayed on his environment.
Yes, a very interesting hack, because it contains two obvious yet major design flaws, which I could exploit 😈
1. It's case sensitive
In itself not a problem, but combined with #2, it's fatal.
2. "IlIlllIlI"
Depending on your font, you probably have no idea what exactly I just typed.
Let's just say, the font displayed uppercase i and lowercase L completely undifferentiable.
Guess whom I let suffer.
It was our teacher, who had to demonstrate us some things and who was connected to the same network.
I swear, nothing beats that feeling when your tearcher has go come to you and embarrassingly ask you to "unhack" them, because they can't type it 😂1 -
12 Stages of Software Development:
1. Analysis.
2. Development
3. Realization the whole analysis is complete bullshit and has nothing to with reality.
4. Denial about failing deadlines.
6. "Acceleration": adding more people to the project, bringing out big corner cutting machine.
7. Learning that massive amount of new features needs to be added, while the deadline is two weeks away.
8. Putting some random crap in production, riddled with horrid bugs and security flaws, to technically not miss the deadline.
9. Get the mess almost working long after the deadline has passed.
10. Maintain this steaming pile of crap for a year.
11. Start planning for full system rewrite that "Makes Everything Better".
12. Goto 12 -
tfw you have matured enough as a developer to look at old legacy code (some of which you contributed to) from a hacked together UI Frankenstein kludge and immediately you notice all the security flaws.
How fortunate there is strong query param validation going on...otherwise this would be a veritable shit storm. -
South Africa Release notes version v3.0.2
In 1994 SA underwent one of the biggest system upgrades since 1948. In this new rolling release since the system update called apartheid the system has been annexing resources, locking it down, making it closed source, closing it off community updates and from global updates and minimizing services across the board. On 27 April 1994, the new democratic system update was released with a new system monitor, release resources and balancing efficiency in the system. Though there were remnants of the old code in the system, it was being rewritten by a new generation of users, open source resources were established, giving users the right to choose among themselves how to grow the system , and how to better the experience for all.
In 1999 a new system monitor was created by the users, it wasnt as popular as the ground breaking Madiba release but it was a choice by the community to move forward and grow. The system was stable for a few years, new users were able to develop more on the system, making it more lucrative monetary wise. There were still remnants of the apartheid code but the new generation of developers worked with it making it there own, though they had not yet had admin rights to help change the system, they created a developer culture of their own. A new system resources balancer was introduced called BBEE, that allowed previous disadvantage users more admin rights to other system resources, helping the user base to grow. Though the balancer was biased, and flawed it has helped the system overall to grow and move forward. It has major holes in security and may flood some aspects of the system with more outdated software patches, users have kept it in its system releases until the resource balancer moved the system into a more stable position.
The next interim system monitor release was unexpected, a quiet release that most users did not contribute towards. The system monitor after that nearly brought the system down to a halt, as it was stealing resources from users, using resources for its own gain, and hasn't released any of it back to the system.
The latest user release has been stable. It has brought more interest from users from other countries, it had more monetary advantages than all other releases before. Though it still has flaws, it has tried to balance the system thus far.
Bug report as of 16 Feb 2018
*User experience has been unbalanced since the 1994 release, still leaving some users at a disadvantage.
*The three tier user base that the 1948 release established, creating three main user groups, created a hierarchy of users that are still in effect today, thought the 1994 release tried to balance it out, the user based reversed in its hierarchy, leaving the middle group of users where they were.
*System instability has been at an all time low, allowing users to disable each others accounts, effectively
killing" them off
*Though the infrastructure of the system has been upgraded to global standards ( in some aspects ) expansions are still at an all time low
*Rogue groups of users have been taking most of the infrastructure from established users
*Security services have been heightened among user groups though admins were still able to do as they pleased without being reprimanded
*Female users have been kicked off the system at an alarming rate, the security services have only kicked in recently, but the system admins and system monitor has not done anything about it yet
Bug fixes for a future release:
*Recreating the overall sysadmin team. Removing some admins and bringing others in
*Opening the system more globally to stabilize it more
*Removing and revamping the BBEE system, replacing it with more user documentation, equalizing the user base
*Giving more resources to users that were at a disadvantage during the first release
*Giving the middle group of users more support, documentation and advantages in the system, after removing the security protocols from the user base
*Giving new users who grew up with the post 1994 release more opportunities to help grow the system on a level playing field.
*Establishing the Madiba release principles more efficiently in the current system1 -
I started working for a forex company as a web developer, designer and also a online marketer, so when i was doing the designing part the boss of mine became very happy as he can see the results of my work.
But from few days I was doing the backend part and fixing some security flaws. Today i recieved a message saying that if you are not capable or free to do the work i will hire someone else for the work.
Working under people who doesn't know difference between http and https sucks.5 -
Google researchers have exposed details of multiple security flaws in Safari web browser that allowed user's browsing behavior to be tracked.
According to a report : The flaws which were found in an anti-tracking feature known as Intelligent Tracking Prevention, were first disclosed by Google to Apple in August last year. In a published paper, researchers in Google's cloud team have identified five different types of attacks that could have resulted from the vulnerabilities, allowing third parties to obtain "sensitive private information about the user's browsing habits."
Apple rolled out Intelligent Tracking Prevention in 2017, with the specific aim of protecting Safari browser users from being tracked around the web by advertisers and other third-party cookies.2 -
How should you approach someone and tell them they have been an victim of social engineering without being mean?
I was at an security conference today and watched a lot of speaks, and I must say that the atmosphere and the people around made it even better.
Here is one takeaway:
Does the security of IT has to be this depressing most of the time, like there is so many IoT devices, services, websites and critical infrastructure that has security flaws and all we can do is watch for now and say we are all fucked. Then try to lead the industry to better practices, like owasp (duck it) . Stop accepting and using shitty answers from SO that has security flaws (why learn something a way that is wrong in the first place?).
We need more awareness about IT security overall, how can one developer know that certain technologies can have certain vulnerabilities such as XSS, XSRF and even SQL injection if there is no information about it in among all shitton tutorials, guides and SO answers in the first place?
Lighten up! Being sad and depressing about these issues is not the best way to approach this! We need to embrace all steps taken towards better security, even the smallest ones.
Check out OWASP if you are not familiar :
https://owasp.org/index.php/...
Thanks for reading. -
My college senior project has become a monster. I look at it and all the work put into between my friend and I and all I can think of is
"This shits fucked I'm glad it's not for sale"
Seriously it works for the most part, but we're up to ~2500 lines of code and about as many headaches and it's still missing so much functionality and has so many security flaws. It's a great proof of concept, but good lord I couldn't imagine building it into a feasible application. It'd take months of work full time!6 -
I have participated in a hackathon this weekend and one of the theme of hackathon was blockchain and being a blockchain dev i have created a DApps which follows token standard and other security standard but our UI was kind of basic cause we didn't have any designer in our team but one participated team's UI was far better than us but has serious flaws in the smart contract and guess what they are the one being selected and that's not it there wasn't a single judge who has basic knowledge of blockchain.I was using DApp term very often while presenting our idea and one of a judge literally asked us what is dapp? I mean WTF? Now i am regretting why did i participated in this shitty hackathon? On top of all that they juat give a single sticker for whole team. Wtf we are supposed to do? Cut it ? If you are a blockchain dev don't forget to see this beautiful function i found in the token contract of the selected team from the github.1
-
So I'm sitting here trying to bodge my way through a member system. These fucknuts really made a bad system..
The task: Export a list of users and their info.
Is there an API available? No, who the fuck would need that shit, even tho the system is built upon Odoo, which has an API!
But it has an export function, you just have to log in and press the right sequence of buttons, because you need the running ID...
Here I discovered the first of many security flaws... "What happens if I post the wrong ID?"... Well, I get access to a file that has nothing to do with me or my users.... What?
Well after some fiddling It works, but holy fuck I found a lot of bugs. And this is a system that is launching in 7 days for us.. Some users have been on it for a year....
How can they ship this bad a product? There's absolute no documentation only a 15-page manual. Guess they don't want developers to develop shit that works in junction with theirs.1