!rant

After over 20 years as a Software Engineer, Architect, and Manager, I want to pass along some unsolicited advice to junior developers either because I grew through it, or I've had to deal with developers who behaved poorly:

1) Your ego will hurt you FAR more than your junior coding skills. Nobody expects you to be the best early in your career, so don't act like you are.

2) Working independently is a must. It's okay to ask questions, but ask sparingly. Remember, mid and senior level guys need to focus just as much as you do, so before interrupting them, exhaust your resources (Google, Stack Overflow, books, etc..)

3) Working code != good code. You are an author. Write your code so that it can be read. Accept criticism that may seem trivial such as renaming a variable or method. If someone is suggesting it, it's because they didn't know what it did without further investigation.

4) Ask for peer reviews and LISTEN to the critique. Even after 20+ years, I send my code to more junior developers and often get good corrections sent back. (remember the ego thing from tip #1?) Even if they have no critiques for me, sometimes they will see a technique I used and learn from that. Peer reviews are win-win-win.

5) When in doubt, do NOT BS your way out. Refer to someone who knows, or offer to get back to them. Often times, persons other than engineers will take what you said as gospel. If that later turns out to be wrong, a bunch of people will have to get involved to clean up the expectations.

6) Slow down in order to speed up. Always start a task by thinking about the very high level use cases, then slowly work through your logic to achieve that. Rushing to complete, even for senior engineers, usually means less-than-ideal code that somebody will have to maintain.

7) Write documentation, always! Even if your company doesn't take documentation seriously, other engineers will remember how well documented your code is, and they will appreciate you for it/think of you next time that sweet job opens up.

8) Good code is important, but good impressions are better. I have code that is the most embarrassing crap ever still in production to this day. People don't think of me as "that shitty developer who wrote that ugly ass code that one time a decade ago," They think of me as "that developer who was fun to work with and busted his ass." Because of that, I've never been unemployed for more than a day. It's critical to have a good network and good references.

9) Don't shy away from the unknown. It's easy to hope somebody else picks up that task that you don't understand, but you wont learn it if they do. The daunting, unknown tasks are the most rewarding to complete (and trust me, other devs will notice.)

10) Learning is up to you. I can't tell you the number of engineers I passed on hiring because their answer to what they know about PHP7 was: "Nothing. I haven't learned it yet because my current company is still using PHP5." This is YOUR craft. It's not up to your employer to keep you relevant in the job market, it's up to YOU. You don't always need to be a pro at the latest and greatest, but at least read the changelog. Stay abreast of current technology, security threats, etc...

These are just a few quick tips from my experience. Others may chime in with theirs, and some may dispute mine. I wish you all fruitful careers!

Definitely my security teacher. He actually expected us to actively learn the stuff and put effort into our education. He guided us through malware analysis and reverse engineering, simplifying it without insulting us.

We had students who thought they knew everything and he corrected them. We had arrogant students he put in place.

He treated us like adults and expected us to act like adults.

That's the only class I enjoyed studying for, because he would tell us exactly what wasn't on the exams (it was an intro course, didn't need to know the math). There were no trick questions.

I told him about the shitty teacher and he helped me through that confidence block. He helped me realize I *can* make it through the workforce as a female in security because I will work my ass off to be the best I can be. He reminded me why I love computers and why I want to go into forensics.

He's been a great mentor and role model and hiring him is one of the few things my department did right.

Mother of god, was listening to the US govt hearing of zuckerberg about the recent scandals. The amount of very fucking simple obvious questions he 'could not' answer normally...

Govt person: Would you be willing to change Facebook's business model if this was required for the security and privacy of Facebook users' accounts?

Zuck: I don't understand your question.

Sorry, WHAT?! You don't need particular rocket science to understand what's being asked here. A combination of common sense and knowing the English language and English grammar in combination with maybe having finished some form of education should be enough to understand this ridiculously easy question.

Do you need it written on a golden plate with fucking blue letters in Facebook's font with the S letters as dollar signs while drinking 10 gallons of 'fuck every persons privacy'?!

Or maybe shoving it up your ass in the form of heated/glowing metal letters of 10+ inches in height? We could arrange that as well.

Wow, just wow.

The Dutch national security spy agency and also their military one are complaining that the organisation that was brought to life to check if they don't spy on innocent people (and execute illegal hacks and overstep their surveillance powers etc) is investigating too much and asking too many technical questions relating to ongoing operations.

Well, this shows that this is necessary apparently! I'm glad this organisation is doing their job.

Oh, the irony.

Lads, I will be real with you: some of you show absolute contempt to the actual academic study of the field.

In a previous rant from another ranter it was thrown up and about the question for finding a binary search implementation.

Asking a senior in the field of software engineering and computer science such question should be a simple answer, specifically depending on the type of job application in question. Specially if you are applying as a SENIOR.

I am tired of this strange self-learner mentality that those that have a degree or a deep grasp of these fundamental concepts are somewhat beneath you because you learned to push out a website using the New Boston tutorials on youtube. FOR every field THAT MATTERS a license or degree is hold in high regards.
"Oh I didn't go to school, shit is for suckers, but I learned how to chop people up and kinda fix it from some tutorials on youtube" <---- try that for a medical position.

"Nah it's cool, I can fix your breaks, learned how to do it by reading blogs on the internet" <--- maintenance shop

"Sure can write the controller processing code for that boing plane! Just got done with a low level tutorial on some websites! what can go wrong!"

(The same goes for military devices which in the past have actually killed mfkers in the U.S)

Just recently a series of people were sent to jail because of a bug in software. Industries NEED to make sure a mfker has aaaall of the bells and whistles needed for running and creating software.

During my masters degree, it fucking FASCINATED me how many mfkers were absolutely completely NEW to the concept of testing code, some of them with years in the field.

And I know what you are thinking "fuck you, I am fucking awesome" <--- I AM SURE YOU BLOODY WELL ARE but we live in a planet with billions of people and millions of them have fallen through the cracks into software related positions as well as complete degrees, the degree at LEAST has a SPECTACULAR barrier of entry during that intro to Algos and DS that a lot of bitches fail.

NOTE: NOT knowing the ABSTRACTIONS over the tools that we use WILL eventually bite you in the ASS because you do not fucking KNOW how these are implemented internally.

Why do you think compiler designers, kernel designers and embedded developers make the BANK they made? Because they don't know memory efficient ways of deploying a product with minimal overhead without proper data structures and algorithmic thinking? NOT EVERYTHING IS SHITTY WEB DEVELOPMENT

SO, if a mfker talks shit about a so called SENIOR for not knowing that the first mamase mamasa bloody simple as shit algorithm THROWN at you in the first 10 pages of an algo and ds book, then y'all should be offended at the mkfer saying that he is a SENIOR, because these SENIORS are the same mfkers that try to at one point in time teach other people.
These SENIORS are the same mfkers that left me a FUCKING HORRIBLE AND USELESS MESS OF SPAGHETTI CODE

Specially to most PHP developers (my main area) y'all would have been well motherfucking served in learning how not to forLoop the fuck out of tables consisting of over 50k interconnected records, WHAT THE FUCK

"LeaRniNG tHiS iS noT neeDed!!" yes IT fucking IS

being able to code a binary search (in that example) from scratch lets me know fucking EXACTLY how well your thought process is when facing a hard challenge, knowing the basemotherfucking case of a LinkedList will damn well make you understand WHAT is going on with your abstractions as to not fucking violate memory constraints, this-shit-is-important.

So, will your royal majesties at least for the sake of completeness look into a couple of very well made youtube or book tutorials concerning the topic?

You can code an entire website, fine as shit, you will get tested by my ass in terms of security and best practices, run these questions now, and it very motherfucking well be as efficient as I think it should be(I HIRE, NOT YOU, or your fucking blog posts concerning how much MY degree was not needed, oh and btw, MY degree is what made sure I was able to make SUCH decissions)

This will make a loooooooot of mfkers salty, don't worry, I will still accept you as an interview candidate, but if you think you are good enough without a degree, or better than me (has happened, told that to my face by a candidate) then get fucking ready to receive a question concerning: BASIC FUCKING COMPUTER SCIENCE TOPICS

* gays away into the night

Seriously fuck mandatory security questions, these are my options:

What year did you meet your spouse?
I'm single.
What is your favorite book as a child?
I didn't have a favorite book. (and still, don't)
In which city did you meet your spouse?
I'm single
What is the first name of the first person you went to prom with?
Didn't go to prom.
Which state did you first visit (outside of your birth state)?
I've been to about 43 states and can't remember when I started traveling, how the fuck am I supposed to know?
In which city was your spouse born?
Again I'm single.
In which city did your oldest sibling get married?
I don't have any siblings.

C'mon, at least let me create my own question because right now I have no choice but to make up random shit and write it down in LastPass as a note.

Alias coworker = high school classmate

This kid wore a trench coat to school every single day and I guess he had a chronic masturbation problem because the guy was caught 3 different times IN CLASS jerking off.
Most people would catch a sexual harassment / indecent exposure / public masturbation charge, but this kid was breaking all these national math competition records and was working with a local university doing research and had a 4.5+ GPA (in high school in U.S. that's possible) so the school decided to do 2 things.

1. Not punish the kid, and in fact nothing of this was ever put on any record at all.
2. Write him a note from school administrators saying that this student can leave class whenever he would like no questions asked, and that the teacher must notify the office so they could send a security guard in order for this masturbation obsessed student to literally occupy a bathroom as his jerk off chamber uninterrupted.

So if in the past 6-7 years you've been in a high caliber university studying computer science and there was a kid in a trench coat "feeding some geese" near you, you can thank my high school.

So this chick has been super nice to me for the past few months, and has been trying to push me towards a role in security. She said nothing but wonderful things about it. It’s easy, it’s not much work, it’s relaxing, etc.

I eventually decided I’m burned out enough that something, anything different would be good, and went for it. I’m now officially doing both dev and security. The day I started, she announced that she was leaving the security team and wouldn’t join any other calls. Just flat-out left.

She trained me on doing a security review of this release, which basically amounted to a zoom call where I did all of the work and she directed me on what to do next, ignored everything I said, and treated me like an idiot. It’s apparently an easy release. The work itself? Not difficult, but it’s very involved, very time consuming, and requires a lot of paper trail — copying the same crap to three different places, tagging lots of people, copying their responses and pasting them elsewhere, filing tickets, linking tickets, copying info back and forth to slack, signing off on things, tagging tickets in a specific way, writing up security notes in a very specific format etc. etc. etc. It’s apparently usually very hectic with lots of last-minute changes, devs who simply ignore security requests, etc.

I asked her at the end for a quick writeup because I’m not going to remember everything and we didn’t cover everything that might happen.

Her response: Just remember what you did here, and do it again!

I asked again for her to write up some notes. She said “I would recommend.. you watch the new release’s channel starting Thursday, and then review what we did here, and just do all that again. Oh, and if you have any questions, talk to <security boss> so you get in the habit of asking him instead of me. Okay, bye!”

Fucking what.
No handoff doc?
Not willing to answer questions after a day and a half of training?

A recap
• She was friendly.
• She pushed me towards security.
• She said the security role was easy and laid-back.
• I eventually accepted.
• She quit the same day.
• The “easy release” took a day and a half of work with her watching, and it has a two-day deadline.
• She treated (and still treats) me like a burden and ignores everything I said or asked.
• The work is anything but laid-back.
• She refuses to spend any extra time on this or write up any notes.
• She refuses to answer any further questions because (quote) “I should get in the habit of asking <security boss> instead of her”

So she smiled, lied, and stabbed me in the back. Now she’s treating me like an annoyance she just wants to go away.

I get that she’s burned out from this, but still, what a fucking bitch. I almost can’t believe she’s acting this way, but I’ve grown to expect it from everyone.

But hey, at least I’m doing something different now, which is what I wanted. The speed at which she showed her true colors, though, holy shit.

“I’m more of a personal motivator than anything,” she says, “and I’m first and foremost a supporter of women developers!” Exactly wrong, every single word of it.

God I hate people like this.

Repost: This is one of the worst security questions I have ever seen

I've been away, lurking at the shadows (aka too lazy to actually log in) but a post from a new member intrigued me; this is dedicated to @devAstated . It is erratic, and VERY boring.
When I resigned from the Navy, I got a flood of questions from EVERY direction, from the lower rank personnel and the higher ups (for some reason, the higher-ups were very interested on what the resignation procedure was...). A very common question was, of course, why I resigned. This requires a bit of explaining (I'll be quick, I promise):
In my country, being in the Navy (or any public sector) means you have a VERY stable job position; you can't be fired unless you do a colossal fuck-up. Reduced to non-existent productivity? No problem. This was one of the reasons for my resignation, actually.
However, this is also used as a deterrent to keep you in, this fear of lack of stability and certainty. And this is the reason why so many asked me why I left, and what was I going to do, how was I going to be sure about my job security.
I have a simple system. It can be abused, but if you are careful, it may do you and your sanity good.
It all begins with your worth, as an employee (I assume you want to go this way, for now). Your worth is determined by the supply of your produced work, versus the demand for it. I work as a network and security engineer. While network engineers are somewhat more common, security engineers are kind of a rarity, and the "network AND security engineer" thing combined those two paths. This makes the supply of my work (network and security work from the same employee) quite limited, but the demand, to my surprise, is actually high.
Of course, this is not something easy to achieve, to be in the superior bargaining position - usually it requires great effort and many, many sleepless nights. Anyway....
Finding a field that has more demand than there is supply is just one part of the equation. You must also keep up with everything (especially with the tech industry, that changes with every second). The same rules apply when deciding on how to develop your skills: develop skills that are in short supply, but high demand. Usually, such skills tend to be very difficult to learn and master, hence the short supply.
You probably got asleep by now.... WAKE UP THIS IS IMPORTANT!
Now, to job security: if you produce, say, 1000$ of work, then know this:
YOU WILL BE PAID LESS THAN THAT. That is how the company makes profit. However, to maximize YOUR profit, and to have a measure of job security, you have to make sure that the value of your produced work is high. This is done by:
- Producing more work by working harder (hard method)
- Producing more work by working smarter (smart method)
- Making your work more valuable by acquiring high demand - low supply skills (economics method)
The hard method is the simplest, but also the most precarious - I'd advise the other two. Now, if you manage to produce, say, 3000$ worth of work, you can demand for 2000$ (numbers are random).
And here is the thing: any serious company wants employees that produce much more than they cost. The company will strive to pay them with as low a salary as it can get away with - after all, a company seeks to maximize its profit. However, if you have high demand - low supply skills, which means that you are more expensive to be replaced than you are to be paid, then guess what? You have unlocked god mode: the company needs you more than you need the company. Don't get me wrong: this is not an excuse to be unprofessional or unreasonable. However, you can look your boss in the eye. Believe me, most people out there can't.
Even if your company fails, an employee with valuable skills that brings profit tends to be snatched very quickly. If a company fires profitable employees, unless it hires more profitable employees to replace them, it has entered the spiral of death and will go bankrupt with mathematical certainty. Also, said fired employees tend to be absorbed quickly; after all, they bring profit, and companies are all about making the most profit.
It was a long post, and somewhat incoherent - the coffee buzz is almost gone, and the coffee crash is almost upon me. I'd like to hear the insight of the veterans; I estimate that it will be beneficial for the people that start out in this industry.

This happened via mail thread today.

Boss: we need this new brilliant feature I just made up and running asap! Top priority, it has to be done well, for my reputation is on the line!

Me: *looks at the specifics* 'kay, looks easy enough, this evening max and it will be ready. I just nees some extra info about what kind of data validations (I speak no accountant) are needed, and some other details (a total of 3 questiona).

B: Sure! Remember, it needs to be perfect, as my reputation is at stake. Call me on the phone and I'll give you the details!

M: Can't you answer via mail? Thua way both me and the other devs will have clewr guidelines

B: Just call me! Why do you need it to be written down? It's faster this way!

...Fine. I'll keep asking until you're ready to give me a written answer to my questions. No way I'll take security details via phone for something you want in production this evening. No chance in Hell I'll take responsibility for "misunderstanding" what you said on the phone. Why does it always has to be like that?

Found that out that one of our company's internal API (I hope it's only internal) is exposing some personal data. After finally getting the right people involved they said they'd fix it 'immediately'.

5 days later I check and now there is more personal data exposed...which includes personal security questions and the hashed answers to said questions.

And of course they are using a secure hashing mechanism...right? Wrong. md5, no salt

Sigh...

Every time I got a mandatory security question, I type in "go fuck yourself with a cactus". There's only one answer for all of them.

Me: API support, please check why I'm getting ECONNTIMEDOUT for 3% of requests

supp: before we look into this, please answer these questions: a), b), c), d), e)

Me and coleague: *spend 20 minutes gathering all the details into a nice answer. Post the answers*

Slack bot: *removes the answer [allegedly for compliance/security]*

api supp: any update?

..... I really want to smash smth. Hulk SMASH!!!

I work in big data and security analytics... So naturally I am a very detail oriented and analytical person.... Something that I constantly get told off about for 'over analysing' every personal situation.... Especially by my wife!

Today she was chatting to our best friend on WhatsApp who's been travelling Europe for 6 months seeing how life is etc... At the end of the conversation I point out he never once told her where he was and avoided the questions.... And that I was sure he was gonna turn up tonight....

She tells me I'm over analysing and full of it as she's in Spain.... Not even an hour later he walked through our front door and we are in the pub having an awesome catch up!

Who said I'm over analytical! More like right!?

Hey Citrix:

FUCK YOU.

Learn to make an accessible log in page you fucks.

Maybe instead of vague fucking "you're user name and password is wrong" say things like "your account is locked because we somehow decided we don't like your password anymore. . . . without telling you"

Fucking 2 hours of my day wasted trying to log into my company's VM because first it wouldn't take my password (that I've had for over a month and doesn't expire for another month) over and over again. I changed it, logged in. Got up to do something that'd take less than 5 minutes. And OF COURSE the people who set up the VM made them log you out if you're gone for more than 3 minutes (fuck that guy too). Come back to a log in screen and it won't accept my new password.

Change it again. Except this time it won't accept my new password because it's "like my old password." It is in that it uses the alphabet and numbers, but it's also different in that those alphanumeric characters are LITERALLY DIFFERENT IN EVERY PLACE. I finally get it to accept a new password.

I'm also loving the whole "answer these security questions that literally anyone who does minimal research on you can answer" before I get to change my password. Yeah. Because finding my mother's maiden name or the city I was born in is so fucking hard. Literally impossible to find out what my Dad's dad's name is. Shit like that isn't publically available. Nope. Why the fuck are we still using "security" questions?

I log into Citrix again. And it takes me to . . . the log in for Citrix.

There is no word in elvish, entish or the tongues of men for this stupidity.

Fuck Citrix. Fuck the people behind the password manager (Aviator or something like that), and fuck whatever administrator setting turns my computer off due to inactivity in such a stupid short amount of time. 10 minutes, 15 minutes, that'd be fine. But it's more like 3 or 5, like wtf.

I am really getting sick of recruiters contacting me with "great opportunities" then when I ask questions about the post they just give me the answers they think I want to hear. I know when you're lying because if you knew the answer you would have led with that. At least say you'll find out more and then give me a follow up response.

Recruiter: Would it be possible for you to deliver hacking training?
Me: You mean pentesting?
R: Yes, that.
Me: Well, what will it be used for? Breaking into peoples networks and spying on them?
R: Yes, they'll want it to be able to spy on people.
Me: Well, that's unethical, I'm only interested in defensive security practices.
R: Yes, they'll only want it for ethical reasons like defence and against bad guys.
Me: *dirtiest look I could muster*

I mean there's gullible and then there's what ever it is you think I am.

Alright lads here is the thing, have not been posting anything other than replies to things cuz I have been busy being miserable at school and dealing with work stuff.

Our manager left us back in February. Because she was leaving I decided that I wanted to try a different path and went on to become a programmer analyst for my institution, if anything I knew that it was going to be pretty boring work, but it came with nice monetary compensation and a foot in the door for other data science related jobs in the future. Thing is, the department head asked me to stay in the web technologies department because we had a lack of people there and hiring is hard as shit, we do not do remote jobs since our work usually requires a level of discretion and security. Thus I have been working in the web tech department since she left albeit with a different title since I aced the interview for the analyst position and the team there were more than happy to have me. I have done very few things for them, some reports here and there and mostly working directly with the DBA in some projects. One migration project would have costed my institution a total of 58k and we managed to save the cost by building the migration software ourselves.....honestly it was a fucking cake walk, if you had any doubts about the shaddyness of enterprise level applications regarding selling overpriced shit with different levels of complexity, keep them, enterprise is shaddy af indeed. But I digress.

I wrote the specification for the manager position along the previous manager, we had decided that the next candidate needed to be strong with development knowledge as well as other things as to properly understand and manage a software team, we made the academic requirement(fuck you, yes we did ask for academic requirements) to be either in the Computer Science/software engineering area or at least on the Business Administration side. We were willing to consider BA holders in exchange for having knowledge of the development process of different products and a complete understanding of what developers go through. NOT ONE SINGLE motherfucker was able to satisfy this, some of them were idiots that I knew from before that had ABSOLUTELY no business even considering applying to the position, the courage it took for some of these assholes to apply would have hurt their mothers, their God if they had one, and their country, they were just that fucking bad in their jobs as well as being overall shit people.

Then we had 1 candidate actually fall through the cracks enough to get an interview. My dude here was lying out of his ass through the interview process. According to him he had "lots of Laravel experience and experience managing Laravel projects" and mentioned repeatedly how it would be a technology that we should consider for our products. I was to interview him alongside the vice president of our institution due to the head of my department and the rest of the managers for I.T being on vacation leave all at the same bloody time.

Backstory before the interview:
Whilst I was going over the interview questions with the vice president literally offered me the job instead. I replied with honesty, reflecting how I did not originally wanted him but feeling that our institution was ready to settle on any candidate due to the lack of potentials. He was happy to do it since apparently both him and the HOD were expecting me to step up sooner or later. I was floored.

Regardless, out of kindness he wanted to go through the interview.
So, going back to the interview. As soon as the person in question referenced the framework I started to ask him about it, just simple questions, the first was "what are your thoughts on the Eloquent ORM? I am not too fond of it and want to know what you as a full time laravel dev think of it"
his reply: "I am sorry I am not too familiar with it, I don't know what that is" <--- I appreciated his honesty in this but thought it funny that someone would say that he was a Laravel developer whilst not knowing what an ORM was since you can't really get away from using it on the initial stages of learning about Laravel, maybe if one wanted to go through the hurdle of switching to something like doctrine...but even then, it was....odd.

So I met with the hod when he came back, he was stoked at the prospect of having me become the manager and I happily accepted the position. It will be hell, but I don't even need to hit the ground running since I have been the face of the department since ages. My team were ecstatic about it since we are all close friends and they have been following my directions without complaints(but the ocational eat a dick puto) for some time, we work well together and we are happy to finally have someone to stop the constant barrage that comes from people taking advantage of a missing manager.

Its gonna get good, its gonna get fun, and i am getting to see how shit goes.

So one of my clients had a different company do a penetrationtest on one of my older projects.

So before hand I checked the old project and upgraded a few things on the server. And I thought to myself lets leave something open and see if they will find it.

So I left jquery 1.11.3 in it with a known xss vulnerability in it. Even chrome gives a warning about this issue if you open the audit tab.

Well first round they found that the site was not using a csrf token. And yeah when I build it 8 years ago to my knowledge that was not really a thing yet.

And who is going to make a fake version of this questionair with 200 questions about their farm and then send it to our server again. That's not going to help any hacker because everything that is entered gets checked on the farm again by an inspector. But well csrf is indeed considered the norm so I took an hour out of my day to build one. Because all the ones I found where to complicated for my taste. And added a little extra love by banning any ip that fails the csrf check.

Submitted the new version and asked if I could get a report on what they checked on. Now today few weeks later after hearing nothing yet. I send my client an email asking for the status.

I get a reaction. Everything is perfect now, good job!

In Dutch they said "goed gedaan" but that's like what I say to my puppy when he pisses outside and not in the house. But that might just be me. Not knowing what to do with remarks like that. I'm doing what I'm getting paid for. Saying, good job, your so great, keep up the good work. Are not things I need to hear. It's my job to do it right. I think it feels a bit like somebody clapping for you because you can walk. I'm getting off topic xD

But the xss vulnerability is still there unnoticed, and I still have no report on what they checked. So I have like zero trust in this penetration test.

And after the first round I already mentioned to the security guy in my clients company and my daily contact that they missed things. But they do not seem to care.

Another thing to check of their to do list and reducing their workload. Who cares if it's done well it's no longer their responsibility.

2018 disclaimer: if you can't walk not trying to offend you and I would applaud for you if you could suddenly walk again.

Dear Identity Providers, Never ask for "favorite teacher" or "mother’s maiden name." Security questions are among the worst ideas in security to date. If you insist, at least let me provide my own questions!

Haven't been on here in a while, but I had to rant about these security questions. I couldn't come up with legit answers for any of the very few options; most of which required you to be married....

Got fucking graduated, a whole day wasted, fucking ass hole literally trapped us cannot even got to release some water.

To get a fucking degree you have to bear with fucking teacher who don't shit about privacy, security.

And answering fucking theroy questions which has fucking string Match with the fucking textbook paragraph.

Do a fucking report which will be fucking 100 pages and take fucking 2 copy (10 rough copies)

The register to fucking leaky placement centre. Who leak you data to all hiring companies as well as your co-students.

Then fucking attend the fucking ass hole ceremony where some old guy lectures for fucking long time about some civil infrastructure , road and other stuff.

And I have not mentioned other fucking ass hole slutty stuff.i don't know fucking until what time I can hold on.

This Fucked the fuck out of me

Had my first interview for a cyber security gig.

1st round, preliminary questions about ethics in a security related topic, etc.

I wrote a report about that topic, but for some reason brain fogged the answer.

At the end of the interview, I also blurted out that I found the interviewer's presentation at a past conference and really liked it.

Pretty sure they now think I'm a creep.

That being said, it's been a few years since I've interviewed, so it feels great to get the dust off, even if I bombed it

Practice makes perfect, right?!

PayPal = GayPal

PHASE 1

1. I create my personal gaypal account
2. I use my real data
3. Try to link my debit card, denied
4. Call gaypal support via international phone number
5. Guy asks me for my full name email phone number debit card street address, all confirmed and verified
6. Finally i can add my card

PAHSE 2

7. Now the account is temporarily limited and in review, for absolutely no fucking reason, need 3 days for it to be done

8. Five (5) days later still limited i cant deposit or withdraw money

9. Call gaypal support again via phone number, burn my phone bill

10. Guy tells me to wait for 3 days and he'll resolve it

PHASE 3

11. One (1) day later (and not 3), i wake up from a yellow account to a red account where my account is now permanently limited WITHOUT ANY FUCKING REASON WHY

12. They blocked my card and forever blocked my name from using gaypal

13. I contact them on twitter to tell me what their fucking problem is and they tell me this:

"Hi there, thank you for being so patient while your conversation was being escalated to me. I understand from your messages that your PayPal account has been permanently limited, I appreciate this can be concerning. Sometimes PayPal makes the decision to end a relationship with a customer if we believe there has been a violation of our terms of service or if a customer's business or business practices pose a high risk to PayPal or the PayPal community. This type of decision isn’t something we do lightly, and I can assure you that we fully review all factors of an account before making this type of decision. While I appreciate that you don’t agree with the outcome, this is something that would have been fully reviewed and we would be unable to change it. If there are funds on your balance, they can be held for up to 180 days from when you received your most recent payment. This is to reduce the impact of any disputes or chargebacks being filed against you. After this point, you will then receive an email with more information on accessing your balance.

As you can appreciate, I would not be able to share the exact reason why the account was permanently limited as I cannot provide any account-specific information on Twitter for security reasons. Also, we may not be able to share additional information with you as our reviews are based on confidential criteria, and we have no obligation to disclose the details of our risk management or security procedures or our confidential information to you. As you can no longer use our services, I recommend researching payment processors you can use going forward. I aplogise for any inconvenience caused."

PHASE 4

14. I see they basically replied in context of "fuck you and suck my fucking dick". So I reply aggressively:

"That seems like you're a fraudulent company robbing people. The fact that you can't tell me what exactly have i broken for your terms of service, means you're hiding something, because i haven't broken anything. I have NOT violated your terms of service. Prove to me that i have. Your words and confidentially means nothing. CALL MY NUMBER and talk to me privately and explain to me what the problem is. Go 1 on 1 with the account owner and lets talk

You have no right to block my financial statements for 180 days WITHOUT A REASON. I am NOT going to wait 6 months to get my money out

Had i done something wrong or violated your terms of service, I would admit it and not bother trying to get my account back. But knowing i did nothing wrong AND STILL GOT BLOCKED, i will not back down without getting my money out or a reason what the problem is.

Do you understand?"

15. They reply:

"I regret that we're unable to provide you with the answer you're looking for with this. As no additional information can be provided on this topic, any additional questions pertaining to this issue would yield no further responses. Thank you for your time, and I wish you the best of luck in utilizing another payment processor."

16. ARE YOU FUCKING KIDDING ME? I AM BLOCKED FOR NO FUCKING REASON, THEY TOOK MY MONEY AND DONT GIVE A FUCK TO ANSWER WHY THEY DID THAT?

HOW CAN I FILE A LAWSUIT AGAINST THIS FRAUDULENT CORPORATION?

Client contacts our company that his site is down, we do some investigating and the only way we can access the site is on a mobile phone. From the office computers the site never loads and times out. Since we don't host the site and I've never logged into it before I don't have a lot of details so I suggest they contact whoever hosts their site. This is where things get weird.

Client tells me that the site is hosted on someone's home server. I tell him that this is quite strange in 2018 and rather unlikely and ask if he was ever given access to the site to log in or if he has access to his domain registration, GoDaddy.

He says he doesn't understand any of this and would rather I just contact his current developer and figure it out with him. We agree that he needs to get access to his site so we are going to migrate it once I get access to it.

I email his current developer letting him know the client has put me in contact with him to troubleshoot the issues with the site. I ask him some standard questions like: where is the site hosted? Can you access it from a computer? Do you have some security measures in place to block certain IP ranges? Can you give me from access to get the files? Will you send me a backup of the site for me to load up on my server?

*2days pass*

Other dev: Tell me the account number and I'll transfer the domain.

Me: I'll have to get back to you on that once I talk to the client and set up his GoDaddy account since we believe the business owner should own their domain, not their developers. In the meantime you didn't answer any of the questions I asked. Transferring the domain won't get the site on my server so I still need the files.

*3 days pass*

OD: You are trying the wrong domain. The correct domain is [redacted].com I'll have my daughter send you the files when she gets in town. We will transfer the domain to you, the client will forget to pay and the site will go down and it'll be your fault.

Me: I appreciate your advice, but the client will own their domain. I'm trying to get the site online and you have no answered any of my questions. It's been a week now and you have not transferred the domain, you have not provided a copy of the site, you have not told me where the site is hosted. The client and I are both getting impatient at this point when will we receive a backup of the site and the transfer of the domain?

OD: Go fuck yourself, tell the client they can sue me.

If the client is that terrible, wouldn't you want to hand them off to anyone willing to take them? I have never understood why developers and agencies try to hold clients hostage by keeping their domain or website and refusing access. From what I can tell this is a freelance developer without a real company so a legal battle likely isn't going to go well since the domain is worthless to him as the copyright to the name is owned by the client. This isn't the first time we've had to help clients through this sort of thing.

what kind of dumb fuck you have to be to get the react js dev job in company that has agile processes if you hate the JS all the way along with refusing to invest your time to learn about shit you are supposed to do and let's add total lack of understanding how things work, specifically giving zero fucks about agile and mocking it on every occasion and asking stupid questions that are answered in first 5 minutes of reading any blog post about intro to agile processes? Is it to annoy the shit out of others?

On top of that trying to reinvent the wheels for every friggin task with some totally unrelated tech or stack that is not used in the company you work for?

and solution is always half-assed and I always find flaw in it by just looking at it as there are tons of battle-tested solutions or patterns that are better by 100 miles regarding ease of use, security and optimization.

classic php/mysql backend issues - "ooh, the java has garbage collector" - i don't give a fuck about java at this company, give me friggin php solution - 'ooh, that issue in python/haskel/C#/LUA/basically any other prog language is resolved totally different and it looks better!' - well it seems that he knows everything besides php!

Yeah we will change all the fucking tech we use in this huge ass app because your inability to learn to focus on the friggin problem in the friggin language you got the job for.

Guy works with react, asked about thoughts on react - 'i hope it cease to exists along with whole JS ecosystem as soon as possible, because JS is weird'. Great, why did you fucking applied for the job in the first place if it pushes all of your wrong buttons!

Fucking rockstar/ninja developers! (and I don't mean on actual 'rockstar' language devs).

Also constantly talks about game development and we are developing web-related suite of apps, so why the fuck did you even applied? why?

I just hate that attitude of mocking everything and everyone along with the 'god complex' without really contributing with any constructive feedback combined with half-assed doing something that someone before him already mastered and on top of that pretending that is on the same level, but mainly acting as at least 2 levels above, alas in reality just produces bolognese that everybody has to clean up later.

When someone gives constructive feedback with lenghty argument why and how that solution is wrong on so many levels, pulls the 'well, i'm still learning that' card.

If I as code monkey can learn something in 2 friggin days including good practices and most of crazy intricacies about that new thing, you as a programmer god should be able to learn it in 2 fucking hours!

Fucking arrogant pricks!

When I was in 11th class, my school got a new setup for the school PCs. Instead of just resetting them every time they are shut down (to a state in which it contained a virus, great) and having shared files on a network drive (where everyone could delete anything), they used iServ. Apparently many schools started using that around that time, I heard many bad things about it, not only from my school.
Since school is sh*t and I had nothing better to do in computer class (they never taught us anything new anyway), I experimented with it. My main target was the storage limit. Logins on the school PCs were made with domain accounts, which also logged you in with the iServ account, then the user folder was synchronised with the iServ server. The storage limit there was given as 200MB or something of that order. To have some dummy files, I downloaded every program from portableapps.com, that was an easy way to get a lot of data without much manual effort. Then I copied that folder, which was located on the desktop, and pasted it onto the desktop. Then I took all of that and duplicated it again. And again and again and again... I watched the amount increate, 170MB, 180, 190, 200, I got a mail saying that my storage is full, 210, 220, 230, ... It just kept filling up with absolutely zero consequences.
At some point I started using the web interface to copy the files, which had even more interesting side effects: Apparently, while the server was copying huge amounts of files to itself, nobody in the entire iServ system could log in, neither on the web interface, nor on the PCs. But I didn't notice that at first, I thought just my account was busy and of course I didn't expect it to be this badly programmed that a single copy operation could lock the entire system. I was told later, but at that point the headmaster had already called in someone from the actual police, because they thought I had hacked into whatever. He basically said "don't do again pls" and left again. In the meantime, a teacher had told me to delete the files until a certain date, but he locked my account way earlier so that I couldn't even do it.
Btw, I now own a Minecraft account of which I can never change the security questions or reset the password, because the mail address doesn't exist anymore and I have no more contact to the person who gave it to me. I got that account as a price because I made the best program in a project week about Java, which greatly showed how much the computer classes helped the students learn programming: Of the ~20 students, only one other person actually had a program at the end of the challenge and it was something like hello world. I had translated a TI Basic program for approximating fractions from decimal numbers to Java.
The big irony about sending the police to me as the 1337_h4x0r: A classmate actually tried to hack into the server. He even managed to make it send a mail from someone else's account, as far as I know. And he found a way to put a file into any account, which he shortly considered to use to put a shutdown command into autostart. But of course, I must be the great hacker.

Companies really need to re-evaluate what they ask as security questions.

If I know your name and your approximate date of birth (to the month) then, here in the UK at least, I have a very good chance of being able to find out your parents names, your mother's maiden name, your address, your parents address (i.e. probably where you grew up and what school you went to), your parents ages, when they got married, etc. - and all from publicly available info, not illegal crap you find on Tor or social media stalking.

This isn't hard to find if you know where to look - the problem is that people think that it's all private, and behave as such - and companies encourage it. The typical "internet safety courses" don't even touch on it, and even more tech savvy people I know often don't have a clue this is possible.

They call it security questions.
I call it social engineering backdoor.

I'm supposed to enter those questions after logging into my account and I'm not able to skip it nor to set a proper two factor method.

Well, fuck you. Did you ever thought about dying by a two factor method? Ever watched a Saw movie? You got the idea.

hi devrant!

about six months ago i posted that i was accepted into and starting at a coding bootcamp. next week is the last week of curriculum for me before i can choose to be a teachers assistant or finish my capstone project and graduate!

some basic info about the course i took:

- 6 months (3 months web dev 2 months CS 1 month capstone project )
- starts by learning the MERN stack
- includes noSQL and SQL dbs
- transitions into C and then python for computer science
- includes basic security info
- lots and lots of algorithm practice
- lots of job readiness stuff (resume writing, linkedin, etc, but i havent done that yet)
- lots of portfolio-able projects throughout the schooling experience
- previous cohorts have something like 40% (after 1month) and 70% (after two) job placement rates (rough estimate)

let me know if anyone is curious about anything related and id be happy to answer what questions i can! :)

Nothing makes me not want to take a full-time job at your company more than having to go through IT tickets every quarter year when my password expires to actually change my password. Why have a fucking self-service portal for employees if logging in with an expired password doesn't work and the reset password link tells me that I need to log in to enroll with security questions (???). It feels like these websites are glued together with sticks and spit and there's a million of them each sporting one specific purpose! I have to go through this shit multiple times since I'm an intern and I didn't have access to my account through the course of the semester. Get your fucking shit together!

Does someone know a site where i can get professional level help/guides/tutorials with system architecture questions? Like best practices for implementing common features? (Something like stackoverflow but where u actually get an answer instead of insults)

Googling for tutorials gives very basic/demo level results that might not be great for scale/security in prod env

I had the opportunity to ask some basic security questions of a government system that is rolling out (got invited to a meeting).

So now I am absolutely terrified about any technology that is being rolled out by this particular government agency. Their security model literally ends at "we use HTTPS".

Seriously, how the fuck are these systems not audited before they reach public use? Is this normal??

>>Server sind für mich "Neuland".<<

I want to switch to a new server with my website. I have a bunch of questions and hope you beautiful people will help me out.

1. I've decided to switch from shared hosting to an virtual server. Therefore I am going to rent the cheapest VS from hetzner.de. is this a good choice?

2. What do I have to care about and what stuff there is to be done in the beginning?

3. The reasons I want to switch are more root accessibility and I want to switch to https. What about that? Is let's encrypt enough?

4. How do I move the server from a to b?

5. What OS should I choose?

6. What about security?

7. Any further advice from experienced people is welcome!

Sry for those noob questions, but I've never been in touch with server work...

I work with statistics/data analysis and web development. I study these subjects for almost a decade and now I have 4 years of practical experience.

This information is on my LinkedIn profile and from time to time tech recruiters contact me wanting to have an interview. I always accept because I find it a great way to practice interviews and talking in English, as it isn't my native language.

A remark that I always make to my colleagues wanting to start doing data analysis related work is that it may seem similar to development, but it's not. When you develop, your code work or not. It may be ugly, it may be full of security problems, but you almost always have a clear indication if things are functioning. It's possible to more or less correlate experience using a programming language with knowing how to develop.

Data science is different. You have to know what you are doing because the code will run even if you are doing something totally wrong. You have to know how to interpret the results and judge if they make sense. For this the mathematics and theory behind is as important as the programming language you use.

Ok, so I go to my first interview for a data science position. Then I discover that I will be interview by... a psychologist. A particularly old one. Yeah. Great start.

She proceeds to go through the most boring checklist of questions I ever saw. The first one? "Do you know Python?". At this point I'm questioning myself why I agreed to be interviewed. A few minutes later, a super cringy one: "Can you tell me an example of your amazing analytics skills?". I then proceed to explain what I wrote in the last two paragraphs to her. At this point is clear that she has no idea of what data science is and the company probably googled what they should expect from a candidate.

20 minutes later and the interview is over. A few days later I receive an email saying that I was not selected to continue with the recruitment process because I don't have enough experience.

In summary: an old psychologist with no idea on how data science works says I don't have experience on the subject based on a checklist that they probably google. The interview lasted less than 30 minutes.

Two weeks later another company interviews me, I gave basically the same answers and they absolutely liked what they heard. Since that day I stopped trying to understand what is expected from you on interviews.

I’d been working event based and freelance jobs in the security and entertainment fields for years, with odd stints as a bartender sprinkled in. My pay was mostly decent, but I had no job security, and I was more on the road than at home. A few years before this job search experience I had already realised I can’t continue on this path for ever, especially if I ever want a serious relationship (e.g. 16 weeks straight touring Europe with on avg. 16h work days pretty much every day isn’t ideal in that regard, and also really though on both body and mind). So I decided to study. As I applied in autumn, not every line of study accepted students. The closest to my interest I found was BBA in Business IT.

Fast forward 1,5 years. After moving away from my previous base due to then-gfs studies, I had also been able to accept less work. Well, there were really two reasons: I didn’t want to go on weeks long big tours anymore, and I’d had to price up on my freelance job due to reasons. I still managed to keep our household going, but not knowing when the next paycheck would be available was becoming a little too stressful. I wanted job security. So a few weeks after my wedding I scoured the internetz for positions I could apply to, and applied to a dozen or so places. They were a variety of positions I had a vague understanding of from what I’d learned at UAS: from sales to data analytics to dev… I was aware pretty much all of the applications were a long shot by best, so I expected to be ghosted…

Two of the organizations I applied to wanted to go forward with me. Both dev jobs. I can’t even remember the specifics of the other one anymore, but I do remember the interview: I got in to their office (which was ridiculously open), and got marched into a tiny conference room. The interviewer was passive-aggressive and really bombarded me with questions, not really leaving a socially awkward introvert with any time to answer. I started to get really anxious and twitchy, sweating like a pig. Just wanted out. But nooo, they wanted me to do a coding test live. So they sat me on a computer with Eclipse open, gave me an assignment and told me not to use the internet. What’s even worse is that I could literally feel the interviewer breathing down my neck when I tried to do the test. Well, didn’t happen cause I was under so much pressure that I couldn’t think at all… yeah, that was horrible.

Anyhow, the other position I really applied to because it was in my hometown and I recognised the company name from legendary commercials from the 90s - everyone in this country who watched TV in mid-to-late 90s remembers those. Anyway, to my surprise, my present day manager contacted me and wanted me to do a coding test. At the time he asked I was having a bout of fevers after fevers, not really able to get healthy. I told him that I’d do it as soon as I’m healthy. A month went by, maybe more. He asked again. Again I replied that as soon as I get healthy, but promised to do it next week the latest. I didn’t deliver on that, but the next week after that, even if I was the most feverish I had been, I did the tests. I could only finish half of them, cause I couldn’t look at a screen for long at a time and had to visit the loo every 10min or so, but apparently that was enough. Next week I was already going to the interview… oh I also googled what is PHP on the way there, since it was mentioned as a requirement and I had no idea what it was. Imagine that…

The interview itself couldn’t have been more different from the other one. We were sitting in a nice conference room with my manager and the product’s lead dev, drinking coffee, our feet on the table and talking smack. Oh, and we did play a game of NHL<insertNumber> on PS4 during the interview… it was relaxed. Of course the more serious chat was there, too, but I can only really remember how relaxed it was. When I left the interview, I had been promised the position and that I would be sent the contract to be signed as soon as the CEO had reviewed and approved it. Next day, I had signed it and some time later I started at my current job (I gave a date when I was available to start, since there was a tour still agreed upon between the interview and the start).

Oh, and the job’s pretty much like the interview. Relaxed. It’s a good place to be in, even though the pay could be better (I regularly get offers for junior positions with more pay, and mid level positions with double the pay). I do value a pleasant working environment and the absence of stress more than big munny, what can I say?

Sooo... The ways my coworker fucks me:

Last week I have been working on setting up aWireGuard VPN server... Been trying for 4 FUCKING DAYS, the easiest VPN that has ever existed, 2 commands and that's it, I wasn't able to reach it, I checked every forum, tested every possible solution without success, checking ubuntu firewall but it was inactive... Nothing that should cause this. Why? 2 weeks ago we had a security breach and my coworker added a firewall from the cloud console with basic rules allowing only 3 ports, the port I was communicating with was blocked. He didn't bother to mention that he added an external firewall. And the junior me, not wanting to be a pain in the ass, and since that security breach wasn't my responsibility to fix, I didn't ask too many questions, just read the emails going back and forth and "learning" how to deal with that. Kill me please. Next mont a new guy is joining, we had a "quick meeting" of 30 minutes and he managed to make it 2 hours meeting. So a partner who lacks communication and a partner who talks a lot... Will be fun. And I probably should change my username... Is that even possible? @root?

TL:DR linux newbie, looking for advice/links (skip to bottom for questions)

!rant
After i had been looking for a job for quite some time, a couple of months ago i got hired by "smaller" company doing web stuff. So far it have been a great place, good colleagues, and overall just having a great time!.
They seem to value me alot, so that's great!.

Anyway, yesterday i got called into a meeting - and got told they wanted me to start learning "Server stuff (linux)". That got me quite excited, because it always was something i wanted to learn - but never really got around to doing.

But i never touched a linux installation before, so i'm really on ground zero - but im not afraid, i'm a quick learner and quite efficient at googling :)

I figured i would ask here, since other people here always seems to be happy to help other people out.

So far i have manage to setup a server, install various stuff (php, mysql and so on) and done setup a couple of domains/subdomains on my server. Also got a vestacpinstallation working - so overall im quite happy so far.

I figured maybe somebody had some good links/advice for a linux newbie :).

* Performance/Security, will obviously be a big focus - anything i should look at? - any must look at?
* Monitoring tools, how do i monitor various websites running on my server? Here i'm thinking bandwitch, cpu/ram usage and so on pr site basis.
* Any other stuff i should be looking at?

Little about what the server will/should be running :)

* Centos
* vestacp
* WordPress installations only (e-commerce mainly)
* PHP 7 / MySQL / phpmyadmin

Why is 99% of my development job responding to audits, security questions, and idiocy spewing from something called an “Office of Innovation”? So this Innovation team sends down a project request which is silently intended to push my resource allocation over 100%. Security shoots down the idea. Innovation team tells me to tell security no, we need this. Ummm, here’s a thought, why don’t you idiots all get together and tell me when there’s some coding to be done?

So I went for a "special" interview to a company whose slogan is "experience certainty" (fresher, was hoping to get a role in cyber security/Linux sysadmin). Got shown what the "real" hiring process of an indian consultancy company is...

We were called because we cleared a rank of the coding competition which the company holds on a yearly basis, so its understood that we know how to code.
3 rounds; technical, managerial and HR...

Technical is where I knew that I was signing up for complete bullshit. The interviewer asks me to write and algo to generate a "number pyramid". Finished it in 7 minutes, 6-ish lines of (pseudo) code (which resembled python). As I explained the logic to the guy, he kept giving me this bewildered look, so I asked him what happened. He asks me about the simplest part of the logic, and proceeds to ask even dumber questions...
Ultimately I managed to get through his thick skull and answer some other nontechnical questions. He then asks if I have anything to ask him...
I ask him about what he does.
Him - " I am currently working on a project wherein the client is a big American bank as the technical lead "

Me (interest is cybersec) - "oh, then you must be knowing about the data protection and other security mechanisms (encryption, SSL, etc.)"

Him (bewildered look on face) - "no, I mostly handle the connectivity between the portal and data and the interface."

Me (disappointed) - "so, mostly DB, stuff?"

Him (smug and proud) - "yeup"

Gave him a link to my Github repo. Left the cabin. Proceeded to managerial interview (the stereotypical PM asshats)

Never did I think I'd be happy to not get a job offer...

Whoever came up with the PSD2 can get fucked up their ass by all the cocks in the world combined.

Whoever fucked up the new security implementations so bad can get fucked up their ass by all the spiked, rusty, aids-contaminated metal poles in existance.

And whoever allowed all this to happen and approved it should take all the nukes in the world, shove them all up their worthless holes, and detonate them all at once.

Fuck you.
Die in a fire.

Sincerely,
Someone who's failing harder and harder every day to not lose faith in what little good there is in humanity.

I happened to purchase a multi currency card as I was preparing to travel abroad. I enquired a few non tech friends of mine about a bunch of providers/lenders and I got a consistent suggestion of how company XXX is safe and user friendly. I took a leap of faith and went with them, since I didn't have any time left to do my own research.

Met the vendor, loaded some money and all is well. At least so far.

I went to their website to create an account for checking my balance and to do a bunch of stuff online.

Nothing unusual so far.

I fill up the new user register page. At the end I get a message which says "SUCCESS" and asks me to check my email.

VOILA!

I have an email with my user id, password and security questions in CLEAR TEXT sitting in my inbox.

Good job XXX.

Just dropping some current experience here.

Content security policies are big mess in both chrome and firefox.

Chrome has some 4 years old "bug" where you can't add hash of JS file to 'style-src' policy to permit inline-styles THAT would be set by this script (jQuery actually).
Firefox is beautifully unhelpful, it just pops of error "blocked ..something..", not even saying what it was.

EDIT:
And I am missing a pair of some steel balls to ask about this on SO because there is this much of very similar questions, nonetheless -if I did read them right- every one of them is talking about enabling style attribute, and that's something different.

EDIT2: Chrome currently generates 138 errors "jquery-3.4.0.min.js:2 Refused to apply inline style..." , this ain't hitting production.

Questions more then a rant...

I've moved from being a lead on imploring DevOps and Agile practices in a large Telco to now working for a security consultancy... The team I'm with are s*** hot when it comes to SecOps (which is why I changed jobs) and I've been hired to he the automation and working practice expert on the team. Already got some of them learning Ansible which is a great start!

I've got delivery now being pushed to Git and all client work being tracked in Jira and properly documented and collaborated through HipChat and other CI tools on the way....

My question is this... Does anyone have some awesome resources to teach people Git, Jira, Jenkins, etc. quickly without forking or branching out on expensive training? Focus on being a technical but consultative team. Ideally just wanna pull some awesome guides and make. My own commits on them for the team... Please fire a story or epic away!

Yeah, so when you create an account just about anywhere nowadays, you need to choose a strong password. Fair enough. But then, some sites/services/systems require a second password, sort of a password hint as an extra security for retrieving your first password in case you forget it. Well OK...That hint question just becomes very *in*secure when you must choose from some extremely stupid presets like "In which town were you born?" or "What was your mother's maiden name?", all of which are trivia that for most people can be easily googled, or looked up on facebook ffs. And these "in which town did this or that happen?" questions? As there is only one town in my country it's not a long shot that I was born in Mariehamn, met my partner in Mariehamn and had my first job in Mariehamn. Security questions for imbecils.

Hello wonderful Salesforce peeps. I need to take the Salesforce platform app builder credential

What is the best site to use as a study guide/ exam prep?

Cause honestly I've been using Trailhead and I feel it's just a big advert for Salesforce and it's so condensed it feels like a beginner course and I'm scared the test questions will be more profound than what is displayed in there.

I am a complete noob in Salesforce but I do have CRM experience, DB experience, Security experience, and programming experience.

Help a Newb

Just reviewed my custom security questions that I haven't looked at in years.

"Dear TitanLannister : You are in the final year. A lot of shit is happening around u. its now time to make a career and take tough decisions. What would you do?"

CHOICE 1: COMPETITIVE
>>>>background : "a lot of super companies like wallmart, fb, amazon, ms, google,.. etc simply takes a straight coding test for fresher placement. They ask tough bad ass level questions, but with right guidance, a hell ton of dedicated hours of coding, and making it to the top of various coding tests could make you a potential candidate"
>>>>+ve points :
- "You got the teachers and professionals with great experience to guide you"
- "a dream job come true.you can go there and join teams that interests you"
- "it was your first exposure to computer world. maybe you would like doing it again, after 4 years"
>>>> -ve points:
- "You have always been an average 70 percentile guy. The task requires 2000-3000 hours of coding an year. it will be hard and you always grow bored out of this pretty quickly"
- "Even If you did that , you stand a lesser chance because your maths is shitty.There are millions running in this race with brains faster than your IDE"
- "your college will riot with you because they expect 75% attendance"
- "You are virtually out of college placements, in which , even though shitty companies come and offer even shittier 4LPA packages($6000 per annum), would take a tough logical/aptitude based test for which you won't be able to prepare"

CHOICE 2: PROFESSIONAL WORK
>>>>background: "you always wanted to create something , and therefore you started taking android based courses. you have been doing android for over 2 years and today you know a lot of things in android. you might be good in other professional lines like web dev, data analytics, ml,ai, etc too if you give time to that"
>>>>+ve points :
- "you will love doing this, you always did"
- "With the support of a good team, you will always be able to complete tasks and build new things quickly"
- "Start ups might offer you the placement, they always need students with some good exposure"
>>>>-ve points :
- "Every established company which provides interesting dev work takes their first round as coding, and do not considers your extra curricular dev work. So you are placing your all hopes in 1 good start up with super offerings that would somehow be amazed by your average profile and offer you a position"
- "start ups are well, startups and may not offer a job security as strong as est. companies"
- "You are probably not as awesome dev as you think you are. for 2 years, you have only learned the concepts , and not launched more than 1 shitty app and a few open source work"

CHOICE 3: NON CODING
>>>>background: "companies coming in college placements have 1-2 rounds of aptitude,logical reasoning , analysis based questions and other non tech tests. There are also online tests available like elitmus,AMCAT, etc which, when cleared with good marks help receive placements from decent established companies like TCS, infosys, accenture,etc"
>>>>+ve points :
- "you will eventually get placed from college, or online tests"
- "there will be a job security, as most of these companies bonds the person for 2-3 years"
>>>> -ve points:
- "You really don't like this. These companies are low profile consultant/services based companies which would put you in any area: from testing to sales, and job offers are again $5000-6000 per annum at max"
- "Since it includes college, the other factors like your average cgpa and 1 backlog will play an opposing role"
- "Again, you are a 70 percentile avg guy. who knows you might not able to crack even these simple tests"

Ugh... I am fucking confused. Please be me, and help.The things that i wrote about myself are true, but the things that i assumed about super companies, start ups or low profile companies might not be correct, these points comes from my limited knowledge ,terrified and confused brain, after all.
:(

Working with external teams on this new project involving pretty sensitive stuff like bank transactions.

Talking about user flow and how to handle authentication, like 2-factor and stuff.

Newish guy on external team (though experienced) says they have a proposal.

Security Questions.

... like "What was you first car" security questions...

awkward silence in room...

Tryna search for my new self inspired sexiest domain name if available but the fucking page keeps bringing up that fucking recaptcha asking me for some fucking description about some fucking cars, fucking roads, fucking bridges, dunno if that was my fucking business!
I want you to stop asking me shitty questions cause i'm a fucking robot. Hence i wrote a script that would change the typo from "i'm not a robot" to "i'm a f*cking robot" any time i visit any fucking page requesting for my fucking identity!
Fuck Google!, Fuck Recaptcha!, Fuck Hostgator! Fuck Security! Fuck them all!!!

I’m working on a new app I’m pretty excited about.

I’m taking a slightly novel (maybe 🥲) approach to an offline password manager. I’m not saying that online password managers are unreliable, I’m just saying the idea of giving a corporation all of my passwords gives me goosebumps.

Originally, I was going to make a simple “file encrypted via password” sort of thing just to get the job done. But I’ve decided to put some elbow grease into it, actually.

The elephant in the room is what happens if you forget your password? If you use the password as the encryption key, you’re boned. Nothing you can do except set up a brute-forcer and hope your CPU is stronger than your password was.

Not to mention, if you want to change your password, the entire data file will need to be re-encrypted. Not a bad thing in reality, but definitely kinda annoying.

So actually, I came up with a design that allows you to use security questions in addition to a password.

But as I was trying to come up with “good” security questions, I realized there is virtually no such thing. 99% of security question answers are one or two words long and come from data sets that have relatively small pools of answers. The name of your first crush? That’s easy, just try every common name in your country. Same thing with pet names. Ice cream flavors. Favorite fruits. Childhood cartoons. These all have data sets in the thousands at most. An old XP machine could run through all the permutations over lunch.

So instead I’ve come up with these ideas. In order from least good to most good:

1) [thinking to remove this] You can remove the question from the security question. It’s your responsibility to remember it and it displays only as “Question #1”. Maybe you can write it down or something.

2) there are 5 questions and you need to get 4 of them right. This does increase the possible permutations, but still does little against questions with simple answers. Plus, it could almost be easier to remember your password at this point.

All this made me think “why try to fix a broken system when you can improve a working system”

So instead,

3) I’ve branded my passwords as “passphrases” instead. This is because instead of a single, short, complex word, my program encourages entire sentences. Since the ability to brute force a password decreases exponentially as length increases, and it is easier to remember a phrase rather than a complicated amalgamation or letters number and symbols, a passphrase should be preferred. Sprinkling in the occasional symbol to prevent dictionary attacks will make them totally uncrackable.

In addition? You can have an unlimited number of passphrases. Forgot one? No biggie. Use your backup passphrases, then remind yourself what your original passphrase was after you log in.

All this accomplished on a system that runs entirely locally is, in my opinion, interesting. Probably it has been done before, and almost certainly it has been done better than what I will be able to make, but I’m happy I was able to think up a design I am proud of.

External Storage recommendation questions.

Im in need of some sort of external storage, either a harddrive or a NAS server, but idk what to get.

Price should be reasonable for the security and storage space it gives, so heres what i figured so far for pros and cons:

NAS Server:
+ Bigger capacity
+ Raid option
+ Easily expandable
+ Always accessible via the network (local)

- Difficult to transport (not gonna do that, but still)
- Expensive
- Physically larger
- Consumes power 24/7 (i dont pay for power currently)

Harddrive:
+ Easy to pack away and transport
+ Cheaper

- If drive fails, youre fucked
- If you want larger capacity, you end up with two external backups

What do you guys do? Im not sure what i should do :i
Any advice is appreciated.

It will be used for external backup, as mentioned. For my server and my own pc.

Why do most people think that a person can only be great at one thing.
I've just started working as a developer and when I tell people I am also learning cyber security they are like what's the point of it. And how I should focus on one thing and blah blah.
Man, nobody questions Elon Musk when he is learning new things everyday. But then why can't we do the same and man we don’t need to be judged. A little support would be so much better.

Hey ranters, I want to setup a centralised auth backend that assigns multiple logins/API keys to a single user account which is managed through a Frontend application.

Background is we use multiple services each with their own login system and not all support a unified login/auth method for their API.

My approach is to setup a simple API/Auth backend that stores the users credentials plus multiple API-Keys of other services or their logins. When auth is successful the Frontend app may receive the associated credentials for the other backends to call their respective API. So the user can login once but the Frontend may access all backend services without the user noticing that their are other auths.

This should be a really general problem today. I'm really just diving into the topic of auth and Frontend, so I hope to get some guidence/overview from you. My questions are:

- Is my approach totally stupid?
- Are there good frameworks you'd recommend for such a setup?
- Is there a best practice which I've overseen so far?
- Resources you think are a must-read?
- Any other recommendations regarding security here?

So, what do you ranters think?

!rant

Looking for help starting with DevOps.

Does anyone know of a site or forum where you can talk about general coding/scripting patterns rather than just asking specific questions?

Bear with me, this may be a bit longer than most posts here.

I'm a self-taught admin/tech working with one colleague (who's also mostly self taught) at a high school, managing both clients and servers.
We've been doing most things manually bit I'm looking into converting as much work as possible into more of a DevOps setup, with Powershell-scripts for multi step tasks.
I want to do this for a number of reasons. Having a script doing a number of steps would cut down on time spent on individual tasks and minimize the risk that a step is missed or, perhaps even worse, mistyped. Also it's important that I actually learn what I'm doing, why something works and why something fails.

As and example, I have a powershell-script which moves a student from one year to another (basically they have user names with a two-digit prefix based on the year they started and a suffix with two letters from their first names and four from their last names) if they need to repeat a grade.
It basically renames the account in the AD with the correct year-prefix, changes the samAccountName, renames Home and Profile-directories on disk and changes paths on the profile-tab in AD, moves the user into a new OU and security group etc.
It works as intended if the user account to be renamed exists and there's no name conflict with the new name. But I'd like for the script to validate that there's no problem with user names, source and target security groups and OUs etc. and eventually split the script up into smaller clearly defined functions for better readability.
However, I don't want someone to just write the script for me, I'd prefer to be able to discuss script flow and come to my own conclusions and solutions.