Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
Search - "security who cares"
-
Every single one of them, and every one that will come after them.
Google, it started out as 2 people in their garage, wanting to make a search engine that was better than the others. Nothing else, nothing evil. Just make the world a little bit better. And look what it's become now. A megacorporation with little to no regards for their user base. Because who cares about users anyway?
Microsoft, it started out with Bill Gates - young high school computer nerd - who wanted to make an operating system for the world to use. Something that's better than the competition. And boy did he do so. Well "better than the competition" aside, he did make it for the world to use. And the world adopted it. And look what it's become now. A megacorporation with little to no regards for their user base. Because who cares about users anyway?
See where I'm going here?
Apple, it started out with Steve Jobs and Steve Wozniak in their garage, just like Google did, wanting to make hardware that was better than the others. Nothing else, nothing evil. Just to make the world a little bit better. And look what it's become now. Planned obsolescence has been baked into it, just like it is in every other piece of technology. Quality control and thinking through the design has become a thing of the past. User choice, yeah who cares about that.
Samsung, it started out centuries ago actually, and I don't really remember the details of it.. ColdFusion has a video on it if memory serves me right. Do watch it if you're interested. Anyway, just like all the others they started out as a company which wanted to make the world a little bit better. And damn right did they do so.. initially. Look what they've become now. Forcing their stupid TouchWiz UI upon their customers (or products?), a Bixby button that can't even be reprogrammed.. and the latest thing.. Knox, advertised as a security feature, but as everyone who likes rooting their devices and mucking with it knows, it is an anti-feature that only serves for lockdown. Why shouldn't you be able to turn in a phone for RMA when a hardware error occurs, when all you've personally modified is the software? Why should changing the software blow that eFuse, so that you can be sure that you can't replace it without specialized equipment and a very steady hand?
I could go on and on forever about more of the tech giants out there, but I feel like this suffices for now. Otherwise I won't have anything else left for future rants! But one thing I know for sure. Every tech company started, starts, and will start out with a desire to make the world a better place, and once they gain a significant customer base, they will without exception turn into the same kind of Evil Megacorp., just like the ones before them. Some may say that capitalism itself is to blame for this, the greed for more when you already have a lot. Who knows? I'd rather say that the very human nature itself is to blame for it. We're by design greedy beings, and I hate it. I hate being human for that. I don't want humans to be evil towards one another, and be greedy for ever more. But I guess that that's just the way it is, and some things do actually never change...17 -
Forgive me father, for I have sinned. Alot actually, but I'm here for technical sins. Okay, a particular series of technical sins. Sit your ass back down padre, you signed up for this shit. Where was I? Right, it has been 11429 days since my last confession. May this serve as equal parts rant, confession, and record for the poor SOB who comes after me.
Ended up in a job where everything was done manually or controlled by rickety Access "apps". Many manhours were wasted on sitting and waiting for the main system to spit out a query download so it could be parsed by hand or loaded into one of the aforementioned apps that had a nasty habit of locking up the aged hardware that we were allowed. Updates to the system were done through and awful utility that tended to cut out silently, fail loudly and randomly, or post data horrifically wrong.
Fuck that noise. Floated the idea of automating downloads and uploads to bossman. This is where I learned that the main system had no SQL socket by default, but the vendor managing the system could provide one for an obscene amount of money. There was no buy in from above, not worth the price.
Automated it anyway. Main system had a free form entry field, ostensibly for handwriting SELECT queries. Using Python, AutoHotkey, and glorified copy-pasting, it worked after a fashion. Showed the time saved by not having to do downloads manually. Got us the buy in we needed, bigwigs get negotiating with the vendor, told to start developing something based on some docs from the vendor. Keep the hacky solution running as team loves not having to waste time on downloads.
Found SQLi vulnerability in the above free form query system, brought it up to bossman to bring up the chain. Vulnerability still there months later. Test using it for automated updates. Works and is magnitudes more stable than update utility. Bring it up again and show the time we can save exploiting it. Decision made to use it while it exists, saves more time. Team happier, able to actual develop solutions uninterrupted now. Using Python, AutoHotkey, glorified copy-pasting, and SQLi in the course of day to day business critical work. Ugliest hacky thing I've ever caused to exist.
Flash forward 6 years. Automation system now in heavy use acrossed two companies. Handles all automatic downloads for several departments, 1 million+ discrete updates daily with alot of room for expansion, stuff runs 24/7 on schedule, most former Access apps now gone and written sanely and managed by the automation system. Its on real hardware with real databases and security behind it.
It is still using AutoHotkey, copy-paste, and SQLi to interface with the main system. There never was and never will be a SQL socket. Keep this hellbeast I've spawned chugging along.
I've pointed out how many ways this can all go pearshaped. I've pointed out that one day the vendor will get their shit together they'll come in post system update and nothing will work anymore. I've pointed out the danger in continuing to use the system with such a glaring SQLi vulnerability.
Noone cares. Won't be my problem soon enough.
In no particular order:
Fuck management for not fighting for a good system interface
Fuck the vendor for A) not having a SQL socket and B) leaving the SQLi vulnerability there this long
Fuck me for bringing this thing into existence5 -
So one of my clients had a different company do a penetrationtest on one of my older projects.
So before hand I checked the old project and upgraded a few things on the server. And I thought to myself lets leave something open and see if they will find it.
So I left jquery 1.11.3 in it with a known xss vulnerability in it. Even chrome gives a warning about this issue if you open the audit tab.
Well first round they found that the site was not using a csrf token. And yeah when I build it 8 years ago to my knowledge that was not really a thing yet.
And who is going to make a fake version of this questionair with 200 questions about their farm and then send it to our server again. That's not going to help any hacker because everything that is entered gets checked on the farm again by an inspector. But well csrf is indeed considered the norm so I took an hour out of my day to build one. Because all the ones I found where to complicated for my taste. And added a little extra love by banning any ip that fails the csrf check.
Submitted the new version and asked if I could get a report on what they checked on. Now today few weeks later after hearing nothing yet. I send my client an email asking for the status.
I get a reaction. Everything is perfect now, good job!
In Dutch they said "goed gedaan" but that's like what I say to my puppy when he pisses outside and not in the house. But that might just be me. Not knowing what to do with remarks like that. I'm doing what I'm getting paid for. Saying, good job, your so great, keep up the good work. Are not things I need to hear. It's my job to do it right. I think it feels a bit like somebody clapping for you because you can walk. I'm getting off topic xD
But the xss vulnerability is still there unnoticed, and I still have no report on what they checked. So I have like zero trust in this penetration test.
And after the first round I already mentioned to the security guy in my clients company and my daily contact that they missed things. But they do not seem to care.
Another thing to check of their to do list and reducing their workload. Who cares if it's done well it's no longer their responsibility.
2018 disclaimer: if you can't walk not trying to offend you and I would applaud for you if you could suddenly walk again.2 -
I don't understand privacy advocators.
Am I the only one who wouldn't give up practicality in exchange for "potentially more secure"?
I don't understand so much what the deal is with people who avoid Facebook, or don't trust Google or Microsoft, just in the basis of "privacy" or "security".
Websites tracking you to serve ads? Well, it's pointless because I very rarely buy something from the internet or let myself be influenced, ads are waste of time, just use an adblocker.
I can pretty much upload my whole life or documents on Google drive, even if I made it public no one would really care or read it all. It's like that GitHub project you uploaded but never documented, so no one cares. I usually use alternative software not because of "privacy" but because it has features other software doesn't have.
In reality you realize people aren't that interested in your life more than their own life.24 -
Microsoft Manager: "We need to slap ChatGPT onto Bing....STAT!"
Devs: "There won't be enough time to test security."
Microsoft Manager: *Throws hands in the air* "Who cares!!?? Just get it done!"
Devs: "Ok, boss."
https://arstechnica.com/information...5 -
Not a dev!rant,/but certainly a rant. Long post ahead.
First of all I MISSED YOU ALL
Had my fair issues of shit these months. And for that, FUCK EVERYTHING. End of rant for now. I am still managing somehow to do - slowly as fuck, but who cares at this point - like finally going to uni, finding a psychologist and not a psycho, unraveling a fuckton of previous trauma (hi abuse) and ~drums~ buying my new desktop! Not exactly a nasa server but a middish level workstation/gaming place. I am shopping right now. The previous days have been shaky with all the flashback business and emotional rollercoaster of death, but I feel like going the right way somehow. Is it true? Who knows! But after enduring several issues of suicide planning and luckily only one serious-bugged attempt epically hilariously failed, the slightest hope is a victory. I like p2p, so feel free to torrent and seed this little joy. If it is mine it can be yours. Take it!
Also, you know how much autistic I am, but I'd really like to make some friends. I make attempts but honestly I am awkward errrr.... I don't know how many dude/ttes I can count on. For friend I mean simply someone that honestly likes me somehow, is loyal, and has interest in sharing they like to do or think! (And if they want to give me tips on security/sysadmin/dev stuff, even better, but not required obviously).
Also, I may have some projects in mind. Will publish in the projects section when the roughest idea is finished.
Maybe I deserve an updoot. In real life.
(Which is also here....)
🎶🎶🎶🎶2 -
Our school had for an open source way of dealing with home schooling and managing the school network and so on.
Now the government forced a "proprietary" system on our school and everyone hates it. The teachers didn't want it the pupils didn't want it but who cares "what we do is the best".
Btw the proprietary system costs a fuck load of money even though they just mixed many open source projects and made it their own proprietary thing.
And this company now get's loads of money for their shitty system that never really worked once since we got it.
They blocked so many ip's that we can't even access google and it's services on the school wifi and the bandwith dropped severely with the new system.
Oh and many random ip's e.g. one of my vps is accessible but the other one not.
Discord is blocked.
Web whatsapp.
And so on...
Now....
I need to learn for tests next week and need to access that stuff on the portal but...
Now they decided to switch the LDAP server to the new system and since a few hours i can't access this fucking thing.
It seems like the platform now contacts the new server which isn't even up and running....
Never change a fucking running system....
Oh and we got smart boards and it runs on android and they didn't block adb. Now i installed clash of clans on one of those things. Haha whoops.
These boards cost 7000€ and have security patches from 2 years ago....and Android 87 -
1. It's gonna be more and more specialized - to the point where we'll equal or even outdo the medical profession. Even today, you can put 100 techs/devs into a room and not find two doing the same job - that number will rise with the advent of even more new fields, languages and frameworks.
2. As most end users enjoy ignoring all security instructions, software and hardware will be locked down. This will be the disadvantage of developers, makers and hackers equally. The importance of social engineering means the platform development will focus on protecting the users from themselves, locking out legitimate tinkerers in the process.
3. With the EU getting into the backdoor game with eTLS (only 20 years after everyone else realized it's shit), informational security will reach an all-time low as criminals exploit the vulnerabilities that the standard will certainly have.
4. While good old-fashioned police work still applies to the internet, people will accept more and more mass surveillance as the voices of reason will be silenced. Devs will probably hear more and more about implementing these or joining the resistance.
5. We'll see major leaks, both as a consequence of mass-surveillance (done incompetently and thus, insecurely) and as activist retaliation.
6. As the political correctness morons continue invading our communities and projects, productivity will drop. A small group of more assertive devs will form - not pretty or presentable, but they - we - get shit done for the rest.
7. With IT becoming more and more public, pseudo-knowledge, FUD and sales bullshit will take over and, much like we're already seeing it in the financial sector, drown out any attempt of useful education. There will be a new silver-bullet, it will be useless. Like the rest. Stick to brass (as in IDS/IPS, Firewall, AV, Education), less expensive and more effective.
8. With the internet becoming a part of the real life without most people realizing it and/or acting accordingly, security issues will have more financial damages and potentially lethal consequences. We've already seen insulin pumps being hacked remotely and pacemakers' firmware being replaced without proper authentication. This will reach other areas.
9. After marijuana is legalized, dev productivity will either plummet or skyrocket. Or be entirely unaffected. Who cares, I'll roll the next one.
10. There will be new JS frameworks. The world will turn, it will rain.1 -
So working for a company and the dev team I’m apart of works on a legacy rails app. Technical debt is high, no automated tests, no proper routing and also running unsupported versions of the language.
I joined seven months ago and got the current team doing automated testing so that’s a plus, they bought this app four years ago and there’s been no language updates, testing, cleanup, security updates, nothing, just adding to bad code.
Now we’re looking to actually upgrade language versions, the language and the framework now this will cause a lot of stuff to break naturally due to how outdated it is.
So I started putting proper routes into place how things should of been when things were being built as we have some spare time I decided to go out of my way to clear up some of the technical debt to get ahead of the curb. Re-done an entire section of the app, massive speed improvements, better views, controller, model, comment clean up and everything exactly how it should be.
I push the PR,
*other dev* - “why are we doing all of these other changes”
*me* - “well to implement routes properly, we have to use the new routes I just did some extra cleanup along the way”
*today, me* - “can you lend me a hand with one of the routes the ID isn’t getting passed”
*today, other dev* - “this wouldn’t of happened if you didn’t redo all these files, let’s just scrap the changes”
…
Sooo, I’ve spend three weeks improving one section in the app, because I’m having issues with one route according to this dev I should scrap it? Wait come again, am I the only one in this team who cares about making this app better all round?
Frustrating…4 -
Most developers are morons, pt 2
In my last post on this topic, I discussed zombie developers, i.e. lower tier developers who enter the industry from a non-tech background usually through a bootcamp or get hired at a small (and usually desperate) company after doing a few github projects.
In this post I'll be talking about the middle 67% of developers. The average joes. The ones who know enough software to build apps, maybe even publish it and sometimes (not always) actually get users using their products, even for a brief moment of time.
For these people, software is genuinely interesting to them, but they don't really put in enough effort to get good at it. They don't put in enough late nights. They don't cancel enough leisure or social events. For most, they're only good enough to not get fired (job security) and that's as far as they want to take their careers.
And I suppose there's nothing wrong with that. Most people don't have a yearning to go above and beyond, so I'd expect most developers to follow this pattern as well.
So to you, I say thank you. Thank you for doing all the boring menial work no one cares to do. You might even get a pat on the back if you put in the extra effort.19 -
I have waited a couple of months, so I hope the airport has changed their settings.
But hey if you need a free commercial spot in dusseldorf airport you could give it a try.2