"You should use Windows server!"

It was a high security project which needed to run very stable. Even the windows sysadmin looked at that guy like 'dude what the actual fuck'.

My last internship (it was awesome). A programmer developed a vacation/free day request application for internal use.
Asked if I could test it for security.
The dev working on it thought that was a very good idea as he wasn't much into security and explained how the authentication process worked.
I immediately noticed a flaw just from his explanation. He said it was secure anyways (with an explanation but his way of thinking was wrong in this case). Asked if I was allowed to show him. He said he was intrigued by this so gave me a yes right away.

For the record, user levels were normal user, general admin and super admin (he was the only super admin).

Wrote a quick thingy server side (one of my own servers/domains) for testing purposes.

Then I started.

Went from normal user to super admin (his account) through a combination of XSS and Session Hijacking within 15 seconds.

Explained him where he went wrong and he wrote a patch under my guidance 😃.

That felt so fucking awesome.

My face when a developer suggests to use Windows server instead of Linux for speed and security reasons

So there was an inspection from government for our bank's IT security. I gave a tour to our server and security systems. I threw all possible acronyms as much as I could remember. Inspector nodded and noted down never uttered a word.

Finally, he breaks his silence, looking at a device he points out and says "What's that ?"

I look at the device then stare at his face back again at the device and to his face I reply "That's AC, Air Conditioner".

You know what?

Young cocky React devs can suck my old fuckin LAMP and Objective-C balls.

Got a new freelance job and got brought in to triage a React Native iOS/Android app. Lead dev's first comment to me is: "Bro, have you ever used React Native".

To which I had to reply to save my honor publicly, "No, but I have like 8 years with Objective-C and 3 years with Swift, and 3 years with Node, so I maybe I'll still be able help. Sometimes it just helps to have a fresh set of eyes."

"Well, nobody but me can work on this code."

And that, as it turned out was almost true.

After going back and forth with our PM and this dev I finally get his code base.

"Just run "npm install" he says".

Like no fuckin shit junior... lets see if that will actually work.

Node 14... nope whole project dies.

Node 12 LTS... nope whole project dies.

Install all of react native globally because fuck it, try again... still dies.

Node 10 LTS... project installs but still won't run or build complaining about some conflict with React Native libraries and Cocoa pods.

Go back to my PM... "Um, this project won't work on any version of Node newer than about 5 years old... and even if it did it still won't build, and even if it would build it still runs like shit. And even if we fix all of that Apple might still tell us to fuck off because it's React Native.

Spend like a week in npm and node hell just trying to fucking hand install enough dependencies to unfuck this turds project.

All the while the original dev is still trying TO FIX HIS OWN FUCKING CODE while also being a cocky ass the entire time. Now, I can appreciate a cocky dev... I was horrendously cocky in my younger days and have only gotten marginally better with age. But if you're gonna be cocky, you also have to be good at it. And this guy was not.

Lo, we're not done. OG Dev comes down with "Corona Virus"... I put this in quotes because the dude ends up drawing out his "virus" for over 4 months before finally putting us in touch with "another dev team he sometimes uses".

Next, me and my PM get on a MS Teams call with this Indian house. No problems there, I've worked with the Indians before... but... these are guys are not good. They're talking about how they've already built the iOS build... but then I ask them what they did to sort out the ReactNative/Cocoa Pods conflict and they have no idea what I'm talking about.

Why?

Well, one of these suckers sends a link to some repo and I find out why. When he sends the link it exposes his email...

This Indian dude's emails was our-devs-name@gmail.com...

We'd been played.

Company sued the shit out of the OG dev and the Indian company he was selling off his work to.

I rewrote the app in Swift.

So, lets review... the React dev fucked up his own project so bad even he couldn't fix it... had to get a team of Indians to help who also couldn't fix it... was still a dickhead to me when I couldn't fix it... and in the end it was all so broken we had to just do a rewrite.

None of you get npm. None of you get React. None of you get that doing the web the way Mark Zucherberg does it just makes you a choad locked into that ecosystem. None of you can fix your own damn projects when one of the 6,000 dependency developers pushes breaking changes. None of you ever even bother with "npm audit fix" because if security was a concern you'd be using a server side language for fucking server side programming like a grown up.

So, next time a senior dev with 20 years exp. gets brought in to help triage a project that you yourself fucked up... Remember that the new thing you know and think makes you cool? It's not new and it's not cool. It's just JavaScript on the server so you script kiddies never have to learn anything but JavaScript... which makes you inarguably worse programmers.

And, MF, I was literally writing javascript while you were sucking your mommas titties so just chill... this shit ain't new and I've got a dozen of my own Node daemons running right now... difference is?

Mine are still working.

Manager: We need to setup the security in the Mexico server

Dev: You mean that 3rd party firewall add on?

Manager: Yes

Dev: And set up the billing on the Mexico account?

Manager: Yes

Dev: lol, sure thing I’ll create the ticket

Manager: What’s so funny?

Dev: Nothing

Ticket: Build wall and get Mexico to pay for it.

So I got the job. Here's a story, never let anyone stop you from accomplishing your dreams!

It all started in 2010. Windows just crashed unrecoverably for the 3rd time in two years. Back then I wasn't good with computers yet so we got our tech guy to look at it and he said: "either pay for a windows license again (we nearly spend 1K on licenses already) or try another operating system which is free: Ubuntu. If you don't like it anyways, we can always switch back to Windows!"

Oh well, fair enough, not much to lose, right! So we went with Ubuntu. Within about 2 hours I could find everything. From the software installer to OpenOffice, browsers, email things and so on. Also I already got the basics of the Linux terminal (bash in this case) like ls, cd, mkdir and a few more.

My parents found it very easy to work with as well so we decided to stick with it.

I already started to experiment with some html/css code because the thought of being able to write my own websites was awesome! Within about a week or so I figured out a simple html site.

Then I started to experiment more and more.

After about a year of trial and error (repeat about 1000+ times) I finally got my first Apache server setup on a VirtualBox running Ubuntu server. Damn, it felt awesome to see my own shit working!

From that moment on I continued to try everything I could with Linux because I found the principle that I basically could do everything I wanted (possible with software solutions) without any limitations (like with Windows/Mac) very fucking awesome. I owned the fucking system.

Then, after some years, I got my first shared hosting plan! It was awesome to see my own (with subdomain) website online, functioning very well!

I started to learn stuff like FTP, SSH and so on.

Went on with trial and error for a while and then the thought occured to me: what if I'd have a little server ONLINE which I could use myself to experiment around?

First rented VPS was there! Couldn't get enough of it and kept experimenting with server thingies, linux in general aaand so on.

Started learning about rsa key based login, firewalls (iptables), brute force prevention (fail2ban), vhosts (apache2 still), SSL (damn this was an interesting one, how the fuck do you do this yourself?!), PHP and many other things.

Then, after a while, the thought came to mind: what if I'd have a dedicated server!?!?!?!

I ordered my first fucking dedicated server. Damn, this was awesome! Already knew some stuff about defending myself from brute force bots and so on so it went pretty well.

Finally made the jump to NginX and CentOS!

Made multiple VPS's for shitloads of purposes and just to learn. Started working with reverse proxies (nginx), proxy servers, SSL for everything (because fuck basic http WITHOUT SSL), vhosts and so on.

Started with simple, one screen linux setup with ubuntu 10.04.

Running a five monitor setup now with many distro's, running about 20 servers with proxies/nginx/apache2/multiple db engines, as much security as I can integrate and this fucking passion just got me my first Linux job!

It's not just an operating system for me, it's a way of life. And with that I don't just mean the operating system, but also the idea behind it :).

Happened a few weeks ago but still awesome.

Me and a good friend have a website together but we don't monitor it too much.
He studied with me in the same class but went towards frontend/apps where I chose backend/servers/security. He knows how to do basic Linux stuff but that's about it.

We were at a party when he noticed that our site was offline. Walked over to me (because I manage the server) to notify me so I could look into it said I'd look into it (phone):
*visits site: nothing*
*online dig tool: got the server ip*
*remembered this one didn't have pubkey authentication - after three passwords attempts I'm in*

"service apache2 status"
*service doesn't exist*
*right, migrated this one from Apache to nginx....*
"history"
*ah, an nginx restart probably suffices...*
"service nginx restart"

BAM, site is reachable again.

*god damnit, lets encrypt cert expired...*
"history"
*sees command with certbot and our domain both in one*
"!892"
*20 seconds later: success message*
*service nginx reload*

BAM, site works securely again.

"Yo mate, check the site again"

Mate: 😶 w-w-what? *checks site and his watch* you started less than two minutes ago...?
Me: yeah..?
Mate: 😶 now this is why YOU manage our server and I don't 😐

His face was fucking gold. It wasn't that difficult for me (I do this daily) but to him, I was a God at that moment.

Awesome moment 😊

Hacking/attack experiences...
I'm, for obvious reasons, only going to talk about the attacks I went through and the *legal* ones I did 😅 😜

Let's first get some things clear/funny facts:
I've been doing offensive security since I was 14-15. Defensive since the age of 16-17. I'm getting close to 23 now, for the record.

First system ever hacked (metasploit exploit): Windows XP.
(To be clear, at home through a pentesting environment, all legal)
Easiest system ever hacked: Windows XP yet again.

Time it took me to crack/hack into today's OS's (remote + local exploits, don't remember which ones I used by the way):
Windows: XP - five seconds (damn, those metasploit exploits are powerful)
Windows Vista: Few minutes.
Windows 7: Few minutes.
Windows 10: Few minutes.
OSX (in general): 1 Hour (finding a good exploit took some time, got to root level easily aftewards. No, I do not remember how/what exactly, it's years and years ago)
Linux (Ubuntu): A month approx. Ended up using a Java applet through Firefox when that was still a thing. Literally had to click it manually xD
Linux: (RHEL based systems): Still not exploited, SELinux is powerful, motherfucker.

Keep in mind that I had a great pentesting setup back then 😊. I don't have nor do that anymore since I love defensive security more nowadays and simply don't have the time anymore.

Dealing with attacks and getting hacked.

Keep in mind that I manage around 20 servers (including vps's and dedi's) so I get the usual amount of ssh brute force attacks (thanks for keeping me safe, CSF!) which is about 40-50K every hour. Those ip's automatically get blocked after three failed attempts within 5 minutes. No root login allowed + rsa key login with freaking strong passwords/passphrases.

linu.xxx/much-security.nl - All kinds of attacks, application attacks, brute force, DDoS sometimes but that is also mostly mitigated at provider level, to name a few. So, except for my own tests and a few ddos's on both those domains, nothing really threatening. (as in, nothing seems to have fucked anything up yet)

How did I discover that two of my servers were hacked through brute forcers while no brute force protection was in place yet? installed a barebones ubuntu server onto both. They only come with system-default applications. Tried installing Nginx next day, port 80 was already in use. I always run 'pidof apache2' to make sure it isn't running and thought I'd run that for fun while I knew I didn't install it and it didn't come with the distro. It was actually running. Checked the auth logs and saw succesful root logins - fuck me - reinstalled the servers and installed Fail2Ban. It bans any ip address which had three failed ssh logins within 5 minutes:
Enabled Fail2Ban -> checked iptables (iptables -L) literally two seconds later: 100+ banned ip addresses - holy fuck, no wonder I got hacked!

One other kind/type of attack I get regularly but if it doesn't get much worse, I'll deal with that :)

Dealing with different kinds of attacks:

Web app attacks: extensively testing everything for security vulns before releasing it into the open.
Network attacks: Nginx rate limiting/CSF rate limiting against SYN DDoS attacks for example.
System attacks: Anti brute force software (Fail2Ban or CSF), anti rootkit software, AppArmor or (which I prefer) SELinux which actually catches quite some web app attacks as well and REGULARLY UPDATING THE SERVERS/SOFTWARE.

So yah, hereby :P

Bulma framework, thanks for existing!

Lightweight, CSS only, very fucking easy to use and understand and a beautiful!

As a backend/server/security guy, front end is hell on earth for me. I understand the basics but that's it.

This fucker makes it so simple!

When your security on your server is so good that you can't access it yourself

Custom CSS? Who am I kidding, I'm a backend/security/server guy.

Fuck this shit, bootstrap, here I come!

A dude with a THICK Russian accent just called me offering server security services.

After I politely declined, he insisted on a free audit of my servers. I declined that as well.

Now I’m backing up our DB’s and going through my nginx logs.

Am I being racist?

And here comes the last part of my story so far.
After deploying the domain, configuring PCs, configuring the server, configuring the switch, installing software, checking that the correct settings have been applied, configuring MS Outlook (don't ask) and giving each and every user a d e t a i l e d tutorial on using the PC like a modern human and not as a Homo Erectus, I had to lock my door, put down my phone and disconnect the ship's announcement system's speaker in my room. The reasons?
- No one could use USB storage media, or any storage media. As per security policy I emailed and told them about.
- No one could use the ship's computers to connect to the internet. Again, as per policy.
- No one had any games on their Windows 10 Pro machines. As per policy.
- Everyone had to use a 10-character password, valid for 3 months, with certain restrictions. As per policy.
For reasons mentioned above, I had to (almost) blackmail the CO to draft an order enforcing those policies in writing (I know it's standard procedure for you, but for the military where I am it was a truly alien experience). Also, because I never trusted the users to actually backup their data locally, I had UrBackup clone their entire home folder, and a scheduled task execute a script storing them to the old online drive. Soon it became apparent why: (for every sysadmin this is routine, but this was my first experience)
- People kept deleting their files, whining to me to restore them
- People kept getting locked out because they kept entering their password WRONG for FIVE times IN a ROW because THEY had FORGOTTEN the CAPS lock KEY on. Had to enter three or four times during weekend for that.
- People kept whining about the no-USB policy, despite offering e-mail and shared folders.
The final straw was the updates. The CO insisted that I set the updates to manual because some PCs must not restart on their own. The problem is, some users barely ever checked. One particular user, when I asked him to check and do the updates, claimed he did that yesterday. Meanwhile, on the WSUS console: PC inactive for over 90 days.
I blocked the ship's phone when I got reassigned.
Phiew, finally I got all those off my chest! Thanks, guys. All of the rants so far remind me of one quote from Dave Barry:

A fellow intern recommended the use of windows server for security and speed reasons.

Few details about the situation: windows server got hacked due to a vulnerability which had no patch released yet and this had happened multiple times that year. Also, the company was migrating everything to Linux (servers).

The senior/lead programmer literally gave him a GTFO face and pointed at the door.

Everyone was giving him the GTFO face by the way, he didn't know how fast he had to get out 🤣

Guy: dot net dev (C#) on windows. (desktop + server)
Team(not his team, he just happened to sit next to us): php/frontend devs and Linux (server) people.

Team: starting a new project! We'll have to see what framework to use and what server :D
Guy: i know it's none of my business...... but I'd recommend dot net and windows server!
Me: respectfully, that hardly makes sense, you know our skillset/field... i understand that it works for you but it doesn't really for us :).
Next to that we'd rather not use windows for security reasons.

It's fine if that happens once.

When it happened for the 1748472823'th time, I had a real hard time controlling myself.

I ranted about this guy before who thought he was a security expert while hardly knowing what the word is probably. Today I met him again at a party.

Holy fucking shit, this guy.

"we use the best servers of the netherlands"
"we use a separate server for each website and finetune them"
"we always put clusters under servers, that way we have a fallback mechanism"
"companies mostly use bv ssl certificates"
"you're on call for a week? I'm full-time on call. Why I'm drinking alcohol then? Because fuck the clients hahaha"

😥🔫

Ranted about him before but this just came to my mind again.
The fucking windows (to the max) fanboy I had to deal with for too long.

Every time I mentioned something about what programming language to use in a project he was NOT part of:
"I know it's none of my business, BUT I think you should use .net"
(All backend JavaScript and php guys).

Every time I mentioned something about what server system to use:
"I know it's none of my business but I think you should use Windows server"
(All Linux guys)

Every time I'd say something positive about Linux he'd search as long as needed to prove that that was also a windows thing (didn't even come close sometimes)

Every time I told the devs there about a windows security issue (as in "guys they found this thing, install the next update to stay safe :)" - "ahhh will do, thanks for letting know man!") he'd search as long as needed to prove that Linux also had had security issues like that.
(Okay?!? I know?!? I'm just trying to notify people so their systems stay secure and they're genuinely happy with that so STFU)

MOTHERFUCKER.

Funny story about the first time two of my servers got hacked. The fun part is how I noticed it.
So I purchased two new vps's for proxy server goals and thought like 'I can setup fail2ban tomorrow, I'll be fine.'

Next day I wanted to install NginX so I ran the command and it said that port 80 was already in use!

I was sitting there like no that's not possible I didn't install any server software yet. So I thought 'this can't be possible' but I ran 'pidof apache2' just to confirm. It actually returned a PID! It was a barebones Debian install so I was sure it was not installed yet by ME. Checked the auth logs and noticed that an IP address had done a huge brute force attack and managed to gain root access. Simply reinstalled debian and I put fail2ban on it RIGHT AWAY.

Checked about two seconds later if anyone tried to login again (iptables -L and keep in mind that fail2ban's default config needs six failed attempts within I think five minutes to ban an ip) and I already saw that around 8-10 addresses were banned.

Was pretty shaken up but damn I learned my lesson!

Navy story time, and this one is lengthy.
As a Lieutenant Jr. I served for a year on a large (>100m) ship, with the duties of assistant navigation officer, and of course, unofficial computer guy. When I first entered the ship (carrying my trusty laptop), I had to wait for 2 hours at the officer's wardroom... where I noticed an ethernet plug. After 15 minutes of waiting, I got bored. Like, really bored. What on TCP/IP could possibly go wrong?
So, scanning the network it is. Besides the usual security holes I came to expect in ""military secure networks"" (Windows XP SP2 unpatched and Windows 2003 Servers, also unpatched) I came along a variety of interesting computers with interesting things... that I cannot name. The aggressive scan also crashed the SMB service on the server causing no end of cute reactions, until I restarted it remotely.
But me and my big mouth... I actually talked about it with the ship's CO and the electronics officer, and promptly got the unofficial duty of computer guy, aka helldesk, technical support and I-try-to-explain-you-that-it-is-impossible-given-my-resources guy. I seriously think that this was their punishment for me messing around. At one time I received a call, that a certain PC was disconnected. I repeatedly told them to look if the ethernet cable was on. "Yes, of course it's on, I am not an idiot." (yea, right)
So I went to that room, 4 decks down and 3 sections aft. Just to push in the half-popped out ethernet jack. I would swear it was on purpose, but reality showed me I was wrong, oh so dead wrong.
For the full year of my commission, I kept pestering the CO to assign me with an assistant to teach them, and to give approval for some serious upgrades, patching and documenting. No good.
I set up some little things to get them interested, like some NMEA relays and installed navigation software on certain computers, re-enabled the server's webmail and patched the server itself, tried to clean the malware (aka. Sisyphus' rock), and tried to enforce a security policy. I also tried to convince the CO to install a document management system, to his utter horror and refusal (he was the hard copy type, as were most officers in the ship). I gave up on almost all besides the assistant thing, because I knew that once I left, everything would go to the high-entropy status of carrying papers around, but the CO kept telling me that would be unnecessary.
"You'll always be our man, you'll fix it (sic)".
What could go wrong?
I got my transfer with 1 week's notice. Panic struck. The CO was... well, he was less shocked than I expected, but still shocked (I learned later that he knew beforehand, but decided not to tell anybody anything). So came the most rediculous request of all:
To put down, within 1 A4 sheet, and in simple instructions, the things one had to do in order to fulfil the duties of the computer guy.
I. SHIT. YOU. NOT.
My answer:
"What I can do is write: 'Please read the following:', followed by the list of books one must read in order to get some introductory understanding of network and server management, with most accompanying skills."
I was so glad I got out of that hellhole.

This rant is a confession I had to make, for all of you out there having a bad time (or year), this story is for you.

Last year, I joined devRant and after a month, I was hired at a local company as an IT god (just joking but not far from what they expected from me), developer, web admin, printer configurator (of course) and all that in my country it's just called "the tech guy", as some of you may know.

I wasn't in immediate need for a full-time job, I had already started to work as a freelancer then and I was doing pretty good. But, you know how it goes, you can always aim for more and that's what I did.

The workspace was the usual, two rooms, one for us employees and one for the bosses (there were two bosses).

Let me tell you right now. I don't hate people, even if I get mad or irritated, I never feel hatred inside me or the need to think bad of someone. But, one of the two bosses made me discover that feeling of hate.

He had a snake-shaped face (I don't think that was random), and he always laughed at his jokes. He was always shouting at me because he was a nervous person, more than normal. He had a tone in his voice like he knew everything. Early on, after being yelled for no reason a dozen of times, I decided that this was not a place for me.

After just two months of doing everything, from tech support to Photoshop and to building websites with WordPress, I gave my one month's notice, or so I thought. I was confronted by the bosses, one of which was a cousin of mine and he was really ok with me leaving and said that I just had to find a person to replace me which was an easy task. Now, the other boss, the evil one, looked me on the eye and said "you're not going anywhere".

I was frozen like, "I can't stay here". He smiled like a snake he was and said "come on, you got this we are counting on you and we are really satisfied with how you are performing till now". I couldn't shake him, I was already sweating. He was rolling his eyes constantly like saying "ok, you are wasting my time now" and left to go to some basketball practice or something.

So, I was stuck there, I could have caused a scene but as I told you, one of the bosses was a cousin of mine, I couldn't do anything crazy. So, I went along with it. Until the next downfall.

I decided to focus on the job and not mind for the bad boss situation but things went really wrong. After a month, I realised that the previous "tech guy" had left me with around 20 ancient Joomla - version 1.0 websites, bursting with security holes and infested with malware like a swamp. I had never seen anything like it. Everyday the websites would become defaced or the server (VPN) would start sending tons of spam cause of the malware, and going offline at the end. I was feeling hopeless.

And then the personal destruction began. I couldn't sleep, I couldn't eat. I was having panick attacks at the office's bathroom. My girlfriend almost broke up with me because I was acting like an asshole due to my anxiety issues (but in the end she was the one to "bring me back"(man, she is a keeper)) and I hadn't put a smile on my face for months. I was on the brink of depression, if not already there. Everyday I would anxiously check if the server is running because I would be the one to blame, even though I was trying to talk to the boss (the bad one was in charge of the IT department) and tell him about the problem.

And then I snapped. I finally realised that I had hit rock bottom. I said "I can't let this happen to me" and I took a deep breath. I still remember that morning, it was a life-changing moment for me. I decided to bite the bullet and stay for one more month, dealing with the stupid old server and the low intelligence business environment. So, I woke up, kissed my girlfriend (now wife), took the bus and went straight to work, and I went into the boss's office. I lied that I had found another job on another city and I had one month in order to be there on time. He was like, "so you are leaving? Is it that good a job the one you found? And when are you going? And are you sure?", and with no hesitation I just said "yup". He didn't expect it and just said "ok then", just find your replacement and you're good to go. I found the guy that would replace me, informing him of every little detail of what's going on (and I recently found out, that he is currently working for some big company nowadays, I'm really glad for him!).

I was surprised that it went so smoothly, one month later I felt the taste of freedom again, away from all the bullshit. Totally one of the best feelings out there.

I don't want to be cliche, but do believe in yourself people! Things are not what the seem.

With all that said, I want to give my special thanks to devRant for making this platform. I was inactive for some time but I was reading rants and jokes. It helped me to get through all that. I'm back now! Bless you devRant!

I'm glad that I shared this story with all of you, have an awesome day!

"The customer reports that port 21 is closed on our FTP site. They said that port 443 is open, and wonder if they can use that instead."

"They are entering the wrong server name. Our FTP server is ONLY an FTP server. Port 443 is not open on our FTP server.

Please verify that they are entering `ftp.xxxxxx.com`

Our FTP site supports FTP/SSL if they are concerned about security."

"Customer responds that they would rather use port 443 to send files."

"I'm sure they would. I'd also like to enter our building on the west side when the temperature is below 10º, but there are no doors on the west side, so that's not going to happen, is it?"

Just for fun I am making an RPG Maker game called "IT Quest" where you go on a 40 hour long quest just to get the security team to modify a user. The game will feature tons of mandatory side quests and a convoluted plot that requires descending into the depths of the server room to find a virgin followed by a sacrificial ritual over the broken fax machine. And ultimately the security team just closes your request without telling you why and you have to fight the final boss of the game, Zeromus who runs security. When you defeat him you get the golden CAT5 cable of time which you beat the person who closed your request with until he reopens it and does his damned job.

So I had my exams recently and I thought I'd post some of the most hacky shit I've done there over here. One thing to keep in mind, I'm a backender so I always have to hack my way around frontend!

- Had a user level authentication library which fucked up for some reason so I literally made an array with all pages and user levels allowed so I pretty much had a hardcoded user level authentication feature/function. Hey, it worked!

- CSS. Gave every page a hight of 110 percent because that made sure that you couldn't see part of the white background under the 'background' picture. Used !important about everywhere but it worked :P.

- Completey forgot (stress, time pressure etc) to make the user ID's auto incremented. 'Fixed' that by randomly generating a user id and really hoping during every registration that that user ID did not exist in the database already. Was dirty as fuck but hey it worked!

- My 'client' insisted on using Windows server.Although I wouldn't even mind using it for once, I'd never worked with it before so that would have been fucked for me. Next to that fact, you could hear swearing from about everyone who had to use Windows server in that room, even the die hard windows users rather had linux servers. So, I just told a lot of stuff about security, stability etc and actually making half of all that shit up and my client was like 'good idea, let's go for linux server then!'. Saved myself there big time.

- CHMOD'd everything 777. It just worked that way and I was in too much time pressure to spend time on that!

- Had to use VMWare instead of VirtulBox which always fucks up for me and this time it did again. Windows 10 enjoyed corrupting the virtual network adapters after every reboot of my host so I had to re-create the whole adapter about 20 times again (and removing it again) in order to get it to work. Even the administrator had no fucking clue why that was happening.

- Used project_1.0.zip etc for version control :P.

Yup, fun times!

Navy story continued.
And continuing from the arp poisoning and boredom, I started scanning the network...
So I found plenty of WinXP computers, even some Win2k servers (I shit you not, the year was 201X) I decided to play around with merasploit a bit. I mean, this had to be a secure net, right?
Like hell it was.
Among the select douchebags I arp poisoned was a senior officer that had a VERY high idea for himself, and also believed he was tech-savvy. Now that, is a combination that is the red cloth for assholes like me. But I had to be more careful, as news of the network outage leaked, and rumours of "that guy" went amok, but because the whole sysadmin thing was on the shoulders of one guy, none could track it to me in explicit way. Not that i cared, actually, when I am pissed I act with all the subtleness of an atom bomb on steroids.
So, after some scanning and arp poisoning (changing the source MAC address this time) I said...
"Let's try this common exploit, it supposedly shouldn't work, there have been notifications about it, I've read them." Oh boy, was I in for a treat. 12 meterpreter sessions. FUCKING 12. The academy's online printer had no authentication, so I took the liberty of printing a few pages of ASCII jolly rogers (cute stuff, I know, but I was still in ITSec puberty) and decided to fuck around with the other PCs. One thing I found out is that some professors' PCs had the extreme password of 1234. Serious security, that was. Had I known earlier, I could have skipped a TON of pointless memorising...
Anyway, I was running amok the entire network, the sysad never had a chance on that, and he seemed preoccupied with EVERYTHING ELSE besides monitoring the net, like fixing (replacing) the keyboard for the commander's secretary, so...
BTW, most PCs had antivirus, but SO out of date that I didn't even need to encode the payload or do any other trick. An LDAP server was open, and the hashed admin password was the name of his wife. Go figure.
I looked at a WinXP laptop with a weird name, and fired my trusty ms08_067 on it. Passowrd: "aaw". I seriously thought that Ophcrack was broken, but I confirmed it. WTF? I started looking into the files... nothing too suspicious... wait a min, this guy is supposed to work, why his browser is showing porn?
Looking at the ""Deleted"" files (hah!) I fount a TON of documents with "SECRET" in them. Curious...
Decided to download everything, like the asshole I am, and restart his PC, AND to leave him with another desktop wallpaper and a text message. Thinking that he took the hint, I told the sysadmin about the vulnerable PCs and went to class...
In the middle of the class (I think it was anti-air warfare or anti-submarine warfare) the sysad burst through the door shouting "Stop it, that's the second-in-command's PC!".
Stunned silence. Even the professor (who was an officer). God, that was awkward. So, to make things MORE awkward (like the asshole I am) I burned every document to a DVD and the next day I took the sysad and went to the second-in-command of the academy.
Surprisingly he took the whole thing in quite the easygoing fashion. I half-expected court martial or at least a good yelling, but no. Anyway, after our conversation I cornered the sysad and barraged him with some tons of security holes, needed upgrades and settings etc. I still don't know if he managed to patch everything (I left him a detailed report) because, as I've written before, budget constraints in the military are the stuff of nightmares. Still, after that, oddly, most people wouldn't even talk to me.
God, that was a nice period of my life, not having to pretend to be interested about sports and TV shows. It would be almost like a story from highschool (if our highschool had such things as a network back then - yes, I am old).
Your stories?

School server (Windows XP something)

Username: user
Password: pass + YEAR

You think a junior dev pushing his code onto a production server is bad? Wait till you have that admin who is illegally mining Bitcoin on your production server. 😂

I went for a Cyber Security conference today with one of managers and this was one of the life experiences some of the speakers shared.

plot twist
linuxxx is some of the most advanced and efficient AI ever developed, and actually uses devrant to scope out security-aware devs and take them down 1 production server at a time

So I've been looking for a Linux sysadmin job for a while now. I get a lot of rejections daily and I don't mind that because they can give me feedback as for what I am doing wrong. But do you know what really FUCKING grinds my FUCKING gears?

BEING REJECTED BASED ON LEVEL OF EDUCATION/NOT HAVING CERTIFICATIONS FOR CERTAIN STUFF. Yes, I get that you can't blindly hire anyone and that you have to filter people out but at least LOOK AT THEIR FUCKING SKILLSET.

I did MBO level (the highest sub level though) as study which is considered to be the lowest education level in my country. lowest education level meaning that it's mostly focused on learning through doing things rather than just learning theory.

Why the actual FUCK is that, for some fucking reason, supposed to be a 'lower level' than HBO or Uni? (low to high in my country: MBO, HBO, Uni). Just because I learn better by doing shit instead of solely focusing on the theory and not doing much else does NOT FUCKING MEAN THAT I AM DUMBER OR LESS EDUCATED ON A SUBJECT.

So in the last couple of months, I've literally had rejections with reasons like
- 'Sorry but we require HBO level as people with this level can analyze stuff better in general which is required for this job.'. - Well then go fuck yourself. Just because I have a lower level of education doesn't FUCKING mean that I can't analyze shit at a 'lower level' than people who've done HBO.

- 'You don't seem to have a certificate for linux server management so it's a no go, sorry!' - Kindly go FUCK yourself. Give me a couple of barebones Debian servers and let me install a whole setup including load balancers, proxies if fucking neccesary, firewalls, web servers, FUCKING Samba servers, YOU FUCKING NAME IT. YES, I CAN DO THAT BUT SOLELY BECAUSE I DON'T HAVE THAT FUCKING CERTIFICATE APPEARANTLY MEANS THAT I AM TOO INCOMPETENT TO DO THAT?! Yes. I get that you have to filter shit but GUESS WHAT. IT'S RIGHT THERE IN MY FUCKING RESUME.

- 'Sorry but due to this role being related to cyber security, we can't hire anyone lower than HBO.' - OH SO YOUR LEVEL OF EDUCATION DEFINES HOW GOOD YOU ARE/CAN BE AT CYBER SECURITY RELATED STUFF? ARE YOU MOTHERFUCKING RETARDED? I HAVE BEEN DOING SHIT RELATED TO CYBER SECURITY SINCE I WAS 14-15 FUCKiNG YEARS OLD. I AM FAMILIAR WITH LOADS OF TOOLS/HACKING TECHNIQUES/PENTESTING/DEFENSIVE/OFFENSIVE SECURITY AND SO ON AND YOU ARE TELLING ME THAT I NEED A HIGHER LEVEL OF FUCKING EDUCATION?!?!? GO FUCKING FUCK YOURSELF.

And I can go on like this for a while. I wish some companies I come across would actually look at skills instead of (only) study levels and certifications. Those other companies can go FUCK THEMSELVES.

So, continuing the story, in reverse order, on the warship and its domain setup...
One day, the CO told me that we needed to set up a proper "network". Until now, the "network" was just an old Telcom switch, and an online HDD. No DHCP, no nothing. The computers dropped to the default 169.254.0.0/16 link local block of addresses, the HDD was open to all, cute stuff. I do some research and present to him a few options. To start things off, and to show them that a proper setup is better and more functional, I set up a linux server on one old PC.
The CO is reluctant to approve of the money needed (as I have written before, budget constraints in the military is the stuff of nightmares, people there expect proper setups with two toothpicks and a rubber band). So, I employ the very principles I learned from the holy book Bastard Operator From Hell: terrorizing with intimidating-looking things. I show him the linux server, green letters over black font, ngrep -x running (it spooks many people to be shown that). After some techno-babble I got approval for a proper rack server and new PCs. Then came the hard part: convincing him to ditch the old Telcom switch in favour of a new CISCO Catalyst one.
Three hours of non-stop barrage. Long papers of NATO specifications on security standards. Subliminal threats on security compromises. God, I never knew I would have to stoop so low. How little did I know that after that...
Came the horrors of user support.
Moral of the story: an old greek saying says "even a saint needs terrorizing". Keep that in mind.

'Lets make a security blog, sounds awesome!'

Yeah the idea is awesome, domain name is setup and the server is already running.

Choosing a CMS is proving to be the biggest challenge right now, few hours of searching and still can't find anything that suits my needs 😅

Privacy & security violations piss me off. Not to the point that I'll write on devRant about it, but to the point that coworkers get afraid from the bloodthirsty look in my eyes.

I know all startups proclaim this, but the one I work at is kind of industry-disrupting. Think Uber vs taxi drivers... so we have real, malicious enemies.

Yet there's still this mindset of "it won't happen to us" when it comes to data leaks or corporate spying.

Me: "I noticed we are tracking our end users without their consent, and store not just the color of their balls, but also their favorite soup flavor and how often they've cheated on their partner, as plain text in the system for every employee to read"

Various C-randomletter-Os: "Oh wow indubitably most serious indeed! Let's put 2 scrumbag masters on the issue, we will tackle this in a most agile manner! We shall use AI blockchains in the elastic cloud to encrypt those ball-colors!"

NO WHAT I MEANT WAS WHY THE FUCK DO WE EVEN STORE THAT INFORMATION. IT DOES IN NO WAY RELATE TO OUR BUSINESS!

"No reason, just future requirements for our data scientists"

I'M GRABBING A HARDDRIVE SHREDDER, THE DB SERVER GOES FIRST AND YOUR PENIS RIGHT AFTER THAT!

(if it's unclear, ball color was an optimistic euphemism for what boiled down to an analytics value which might as well have been "nigger: yes/no")

So I said I'd rant this yesterday but a long night of server management came in the way!

Yesterday @trogus mentioned in a comment that he thinks everyone deserves a place where they feel like home and this is that place for me along with some sub-places which derived from here.

So in this linux/foss chat yesterday I was trying to get into an IRC chatroom (all people there (or at least a lot) are also like minded on privacy/security). I don't want to use email signup if not absolutely neccesary (don't judge me, everyone there own thing) and I found out very late (after 20 minutes of instructions from a fellow devRanter) that this thing required email signup. I didn't wanna do that so I said that and started typing a whole essay of why I'd rather not do that and what my reasons are (privacy partly) but then the guy said: "haha you got it man".

For one second I forgot that I don't have to explain myself over there on stuff regarding privacy that a lot of people would find paranoid. Man, that feels like being home :).

Sooooo me and the lead dev got placed in the wrong job classification at work.

Without sounding too mean, we are placed under the same descriptor and pay scale reserved for secretaries, janitors and the people that do maintenance at work(we work for a college as developers) whilst our cowormer who manages the cms got the correct classification.

The manager went apeshit because the guidelines state that:

Making software products
Administration of dbs
Server maintenance and troubleshooting
Security (network)

And a lot of shit is covered on the exemption list and it is things that we do by a wide fucking margin. The classification would technically prohibit us from developing software and the whole it dptmnt went apeshit over it since he(lead developer) refuses (rightfully so) to touch anything and do basically nothing other than generate reports.

Its a fun situation. While we both got a substantial raise in salary(go figure) we also got demoted at the same time.

There is a department in IT which deals with the databases for other major applications, their title is "programmers" yet for some reason me and the lead end up writing all the sql code that they ever need. They make waaaaay more money than me and the lead do, even in the correct classification.

Resolution: manager is working with the head of the department to correct this blasphemy WHILE asking for a higher pay than even the "programmers"

I love this woman. She has balls man. When the president of the school paraded around the office asking for an update on a high priority app she said that I am being gracious enough to work on it even though i am not supposed to. The fucking prick asked if i could speed it up to where she said that most of my work I do it on my off time, which by law is now something that I cannot do for the school and that she does not expect any of her devs to do jack shit unless shit gets fixed quick. With the correct pay.

Naturally, the president did not like such predicament and thus urged the HR department(which is globally hated now since they fucked up everyone's classification) to fix it.

Dunno if I will get above the pay that she requested. But seeing that royal ammount of LADY BALLS really means something to me. Which is why i would not trade that woman for a job at any of my dream workplaces.

Meanwhile, the level of stress placed my 12 years of service diabetic lead dev at the hospital. Fuck the hr department for real, fuck the vps of the school that fucked this up royally and fuck people in this city in general. I really care for my team, and the lead dev is one of my best friends and a good developer, this shit will not fucking go unnoticed and the HR department is now in low priority level for the software that we build for them

Still. I am amazed to have a manager that actually looks out for us instead of putting a nice face for the pricks that screwed us over.

I have been working since I was 16, went through the Army, am 27 now and it is the first time that I have seen such manager.

She can't read this, but she knows how much I appreciate her.

Worst legacy experience...

Called in by a client who had had a pen test on their website and it showed up many, many security holes. I was tasked with coming in and implementing the required fixes.

Site turned out to be Classic ASP built on an MS Access database. Due to the nature of the client, everything had to be done on their premises (kind of ironic but there you go). So I'm on-site trying to get access to code and server. My contact was *never* at her desk to approve anything. IT staff "worked" 11am to 3pm on a long day. The code itself was shite beyond belief.

The site was full of forms with no input validation, origin validation and no SQL injection checks. Sensitive data stored in plain text in cookies. Technical errors displayed on certain pages revealing site structure and even DB table names. Server configured to allow directory listing in file stores so that the public could see/access whatever they liked without any permission or authentication checks. I swear this was written by the child of some staff member. No company would have had the balls to charge for this.

Took me about 8 weeks to make and deploy the changes to client's satisfaction. Could have done it in 2 with some support from the actual people I was suppose to be helping!! But it was their money (well, my money as they were government funded!).

The stupid stories of how I was able to break my schools network just to get better internet, as well as more ridiculous fun. XD

1st year:
It was my freshman year in college. The internet sucked really, really, really badly! Too many people were clearly using it. I had to find another way to remedy this. Upon some further research through Google I found out that one can in fact turn their computer into a router. Now what’s interesting about this network is that it only works with computers by downloading the necessary software that this network provides for you. Some weird software that actually looks through your computer and makes sure it’s ok to be added to the network. Unfortunately, routers can’t download and install that software, thus no internet… but a PC that can be changed into a router itself is a different story. I found that I can download the software check the PC and then turn on my Router feature. Viola, personal fast internet connected directly into the wall. No more sharing a single shitty router!

2nd year:
This was about the year when bitcoin mining was becoming a thing, and everyone was in on it. My shitty computer couldn’t possibly pull off mining for bitcoins. I needed something faster. How I found out that I could use my schools servers was merely an accident.
I had been installing the software on every possible PC I owned, but alas all my PC’s were just not fast enough. I decided to try it on the RDS server. It worked; the command window was pumping out coins! What I came to find out was that the RDS server had 36 cores. This thing was a beast! And it made sense that it could actually pull off mining for bitcoins. A couple nights later I signed in remotely to the RDS server. I created a macro that would continuously move my mouse around in the Remote desktop screen to keep my session alive at all times, and then I’d start my bitcoin mining operation. The following morning I wake up and my session was gone. How sad I thought. I quickly try to remote back in to see what I had collected. “Error, could not connect”. Weird… this usually never happens, maybe I did the remoting wrong. I went to my schools website to do some research on my remoting problem. It was down. In fact, everything was down… I come to find out that I had accidentally shut down the schools network because of my mining operation. I wasn’t found out, but I haven’t done any mining since then.

3rd year:
As an engineering student I found out that all engineering students get access to the school’s VPN. Cool, it is technically used to get around some wonky issues with remoting into the RDS servers. What I come to find out, after messing around with it frequently, is that I can actually use the VPN against the screwed up security on the network. Remember, how I told you that a program has to be downloaded and then one can be accepted into the network? Well, I was able to bypass all of that, simply by using the school’s VPN against itself… How dense does one have to be to not have patched that one?

4th year:
It was another programming day, and I needed access to my phones memory. Using some specially made apps I could easily connect to my phone from my computer and continue my work. But what I found out was that I could in fact travel around in the network. I discovered that I can, in fact, access my phone through the network from anywhere. What resulted was the discovery that the network scales the entirety of the school. I discovered that if I left my phone down in the engineering building and then went north to the biology building, I could still continue to access it. This seems like a very fatal flaw. My idea is to hook up a webcam to a robot and remotely controlling it from the RDS servers and having this little robot go to my classes for me.

What crazy shit have you done at your University?

I am doing a test on security on my server. I need people to hack it and report the findings.

My server IP is 127.0.0.1

So...
I'm penetrationtesting a network and the servers on said network
The network administrator and IT security officer knows this, because they hired me..

TL;DR a scan caused the network to crash.

Today I received a very angry email going "Stop scanning NOW!" from one of the IT departments.

Apparently I crashed their login server and thus their entire network...
It happened d the first time I scanned the network from the outside and they had spend an entire day figuring out how and repairing the service they thought was the problem, but then it crashed again, when I scanned from within the network.

Now they want to send me a list of IP's that I'm not allowed to scan and want to know exactly what and when I'm scanning...

How crap can they be at their job, if they weren't able to spot a scan... The only reason they found out it was me was because the NA had whitelistet my IP, so that I could scan in peace...

Following a conversation with a fellow devRanter this came to my mind ago, happened a year or two ago I think.

Was searching for an online note taking app which also provided open source end to end encryption.

After searching for a while I found something that looked alright (do not remember the URL/site too badly). They used pretty good open source JS crypto libraries so it seemed very good!

Then I noticed that the site itself did NOT ran SSL (putting the https:// in front of the site name resulted in site not found or something similar).

Went to the Q/A section because that's really weird.

Saw the answer to that question:

"Since the notes are end to end encrypted client side anyways, we don't see the point in adding SSL. It's secure enough this way".

😵

I emailed them right away explaing that any party inbetween their server(s) and the browser could do anything with the request (includingt the cryptographic JS code) so they should start going onto SSL very very fast.

Too badly I never received a reply.

People, if you ever work with client side crypto, ALWAYS use SSL. Also with valid certs!

The NSA for example has this thing known as the 'Quantum Insert' attack which they can deploy worldwide which basically is an attack where they detect requests being made to servers and reply quickly with their own version of that code which is very probably backdoored.

This attack cannot be performed if you use SSL! (of course only if they don't have your private keys but lets assume that for now)
Luckily Fox-IT (formerly Dutch cyber security company) wrote a Snort (Intrustion Detection System) module for detecting this attack.

Anyways, Always use SSL if you do anything at all with crypto/sensitive data! Actually, always use it but at the very LEAST really do it when you process the mentioned above!

The last year my school installed MagicBoards (whiteboard with beamer that responses to touch) in every class room and called itself "ready for the future of media". What they also got is A FUCKING LOW SPEC SERVER RUNNING DEBIAN 6 W/O ANY UPDATES SINCE 2010 WHICH IS DYING CONSTANTLY.

As I'm a nice person I asked the 65 y/o technician (who is also my physics teacher) whether I could help updating this piece of shit.

Teacher: "Naahh, we don't have root access to the server and also we'll get a new company maintaining our servers in two years. And even if we would have the root access, we can't give that to a student."

My head: "Two. Years. TWO YEARS?! ARE YOU FUCKING KIDDING ME YOU RETARDED PIECE OF SHIT?! YOU'RE TELLING ME YOU DON'T HAVE TO INSTALL UPDATES EVEN THOUGH YOU CREATE AN SSH USER FOR EVERY FUCKING STUDENT SO THEY CAN LOGIN USING THEIR BIRTH DATE?! DID YOU EVER HEAR ABOUT SECURITY VULNERABILITIES IN YOUR LITTLE MISERABLE LIFE OR SOUNDS 'CVE-2016-5195' LIKE RANDOM LETTERS AND NUMBERS TO YOU?! BECAUSE - FUNFACT - THERE ARE TEN STUDENTS WHO ARE IN THE SUDO GROUP IF YOU EVEN KNOW WHAT THAT IS!"

Me (because I want to keep my good grades): "Yes, that sounds alright."

I was offered to work for a startup in August last year. It required building an online platform with video calling capabilities.
I told them it would be on learn and implement basis as I didn't know a lot of the web tech. Learnt all of it and kept implementing side by side.
I was promised a share in the company at formation, but wasn't given the same at the time of formation because of some issues in documents.
Yes, I did delay at times on the delivery date of features on the product. It was my first web app, with no prior experience. I did the entire stack myself from handling servers, domains to the entire front end. All of it was done alone by me.
Later, I also did install a proxy server to expand the platform to a forum on a new server.
And yesterday after a month of no communication from their side, I was told they are scraping the old site for a new one. As I had all the credentials of the servers except the domain registration control, they transferred the domain to a new registrar and pointed it to a new server. I have a last meeting with them. I have decided to never work with them and I know they aren't going to provide me my share as promised.
I'm still in the 3rd year of my college here in India. I flunked two subjects last semester, for the first time in my life. And for 8 months of work, this is the end result of it by being scammed. I love fitness, but my love for this is more and so I did leave all fitness activities for the time. All that work day and night got me nothing of what I expected.
Though, they don't have any of my code or credentials to the server or their user base, they got the new website up very fast.
I had no contract with them. Just did work on the basis of trust. A lesson learnt for sure.
Although, I did learn to create websites completely all alone and I can do that for anyone. I'm happy that I have those skills now.
Since, they are still in the start up phase and they don't have a lot of clients, I'm planning to partner with a trusted person and release my code with a different design and branding. The same idea basically. How does that sound to you guys?

I learned that:
. No matter what happens, never ignore your health for anybody or any reason.
. Never trust in business without a solid security.
. Web is fun.
. Self-learning is the best form of learning.
. Take business as business, don't let anyone cheat you.

This is from my days of running a rather large (for its time) Minecraft server. A few of our best admins were given access to the server console. For extra security, we also had a second login stage in-game using a command (in case their accounts were compromised). We even had a fairly strict password strength policy.
But all of that was defeated by a slightly too stiff SHIFT key. See, in-game commands were typed in chat, prefixed with a slash -- SHIFT+7 on German-ish keyboards. And so, when logging in, one of our head admins didn't realize his SHIFT key didn't register and proudly broadcast to the server "[Admin] username: 7login hisPasswordHere".
This was immediately noticed by the owner of a 'rival' server who was trying to copy some cool thing that we had. He jumped onto the console that he found in an nmap scan a week prior (a scan that I detected and he denied), promoted himself to admin and proceeded to wreak havoc.
I got a call, 10-ish minutes later, that "everything was literally on fire". I immediately rolled everything back (half-hourly backups ftw) and killed the console just in case.
The best part was the Skype call with that admin that followed. I wasn't too angry, but I did want him to suffer a little, so I didn't immediately tell him that we had good backups. He thought he'd brought the downfall of our server. I'm pretty sure he cried.

I hate people... I hate stupid people even more...

A person asked on slack about where download a Programming Language server called Railo. The official site is no longer up because the software was forked and acquired by a new company.

I suggested just to download that fork since it's more stable. They said no, they needed to mimic their production environment. Makes sense, so I left it alone since I couldn't help further.

Another person on slack asked which version of Railo they need. The OPs response was, "Oh whatever version you have."

My response was... "WTF... the latest version of Railo is 4.3 and the fork is 4.5... the only difference is the new name and a couple of security fixes. If you want to mimic production then you need the exact copy.. otherwise, the fork will be your best bet."

Nope.. I need Railo... any version. They say again.

I haven't met many people through programming but I've met many friends through devRant but certainly also through being a Linux (server) enthusiast.

At study I found some good Linux guys and now through devRant I've gotten some awesome linuxers and privacy/security like minded people who I definitely see as great friends!

Also I find it awesome that I can actually teach people stuffs that I love researching about/ doing myself!

So I did a rookie mistake this week. Connected a webapp for a client using Nginx and installed the SSL cert for the site. I decided to activate the firewall of the server because hey security. All was well. Went home feeling like I am the shit.

Next day I find out I can't log in to the server over ssh. Only to find out that I had forgotten to allow SSH through the firewall.

I had basically locked myself out of the server. 😞

A client obsessed with *security* won’t give us access to the server that hosts the website we built.

Code release involves building templates, compressing the changed files into a zip folder, and emailing them to the client with instructions on where the changed files go

Worst WTF dev experience? The login process from hell to a well-fortified dev environment at a client's site.
I assume a noob admin found a list of security tips and just went like "all of the above!".

You boot a Linux VM, necessary to connect to their VPN. Why necessary? Because 1) their VPN is so restrictive it has no internet access 2) the VPN connection prevents *your local PC* from accessing the internet as well. Coworkers have been seen bringing in their private laptops just to be able to google stuff.
So you connect via Cisco AnyConnect proprietary bullshit. A standard VPN client won't work. Their system sends you a one-time key via SMS as your password.

Once on their VPN, you start a remote desktop session to their internal "hopping server", which is a Windows server. After logging in with your Windows user credentials, you start a Windows Remote Desktop session *on that hopping server* to *another* Windows server, where you login with yet another set of Windows user credentials. For all these logins you have 30 seconds, otherwise back to step 1.
On that server you open a browser to access their JIRA, GitLab, etc or SSH into the actual dev machines - which AGAIN need yet another set of credentials.

So in total: VM -> VPN + RDP inside VM -> RDP #2 -> Browser/SSH/... -> Final system to work on
Input lag of one to multiple seconds. It was fucking unusable.

Now, the servers were very disconnect-happy to prevent anything "fishy" going on. Sitting at my desk at my company, connected to my company's wifi, was apparently fishy enough to kick me out every 5 to 20 minutes. And that meant starting from step 1 inside the VM again. So, never forget to plugin your network cable.

There's a special place in hell for this admin. And if there isn't, I'll PERSONALLY make the devil create one. Even now that I'm not even working on this any more.

The company i work for has a jenkins server (for people that don't know jenkins, it's an automated build service that gets the latest git updates, pulls them and then builds, tests and deploys it)

Because it builds the software, people were scared to update it so we were running version 1.x for a long time, even when an exploit was found... Ooh boy did they learn from that...

The jenkins server had a hidden crypto miner running for about 5 days...

I don't know why we don't have detectors for that stuff... (like cpu load being high for 15 minutes)

I even tried to strengthen our security... You know basic stuff LIKE NOT SAVING PASSWORDS TO A GOOGLE SPREADSHEET! 😠

But they shoved it asside because they didn't have time... I tried multiple times but in the end i just gave up...

It's enough. I have to quit my job.

December last year I've started working for a company doing finance. Since it was a serious-sounding field, I tought I'd be better off than with my previous employer. Which was kinda the family-agency where you can do pretty much anything you want without any real concequences, nor structures. I liked it, but the professionalism was missing.

Turns out, they do operate more professionally, but the intern mood and commitment is awful. They all pretty much bash on eachother. And the root cause of this and why it will stay like this is simply the Project Lead.

The plan was that I was positioned as glue between Design/UX and Backend to then make the best Frontend for the situation. Since that is somewhat new and has the most potential to get better. Beside, this is what the customer sees everyday.

After just two months, an retrospective and a hell lot of communication with co-workers, I've decided that there is no other way other than to leave.

I had a weekly productivity of 60h+ (work and private, sometimes up to 80h). I had no problems with that, I was happy to work, but since working in this company, my weekly productivity dropped to 25~30h. Not only can I not work for a whole proper work-week, this time still includes private projects. So in hindsight, I efficiently work less than 20h for my actual job.

The Product lead just wants feature on top of feature, our customers don't want to pay concepts, but also won't give us exact specifications on what they want.
Refactoring is forbidden since we get to many issues/bugs on a daily basis so we won't get time.
An re-design is forbidden because that would mean that all Screens have to be re-designed.
The product should be responsive, but none of the components feel finished on Desktop - don't talk about mobile, it doesn't exist.
The Designer next to me has to make 200+ Screens for Desktop and Mobile JUST so we can change the primary colors for an potential new customer, nothing more. Remember that we don't have responsiveness? Guess what, that should be purposely included on the Designs (and it looks awful).
I may hate PHP, but I can still work with it. But not here, this is worse then any ecommerce. I have to fix legacy backend code that has no test coverage. But I haven't touched php for 4 years, letalone wrote sql (I hate it). There should be no reason whatsoever to let me do this kind of work, as FRONTEND ARCHITECT.

After an (short) analysis of the Frontend, I conclude that it is required to be rewritten to 90%. There have been no performance checks for the Client/UI, therefor not only the components behave badly, but the whole system is slow as FUCK! Back in my days I wrote jQuery, but even that shit was faster than the architecuture of this React Multi-instance app. Nothing is shared, most of the AppState correlate to other instances.

The Backend. Oh boy. Not only do we use an shitty outated open-source project with tons of XSS possibillities as base, no we clone that shit and COPY OUR SOURCES ON TOP. But since these people also don't want to write SQL, they tought using Symfony as base on top of the base would be an good idea.
Generally speaking (and done right), this is true. but not then there will be no time and not properly checked. As I said I'm working on Legacy code. And the more I look into it, the more Bugs I find. Nothing too bad, but it's still a bad sign why the webservices are buggy in general. And therefor, the buggyness has to travel into the frontend.

And now the last goodies:
- Composer itself is commited to the repo (the fucking .phar!)
- Deployments never work and every release is done manually
- We commit an "_TRASH" folder
- There is an secret ongoing refactoring in the root of the Project called "_REFACTORING" (right, no branches)
- I cannot test locally, nor have just the Frontend locally connected to the Staging webservices
- I am required to upload my sources I write to an in-house server that get's shared with the other coworkers
- This is the only Linux server here and all of the permissions are fucked up
- We don't have versions, nor builds, we use the current Date as build number, but nothing simple to read, nonono. It's has to be an german Date, with only numbers and has always to end with "00"
- They take security "super serious" but disable the abillity to unlock your device with your fingerprint sensor ON PURPOSE

My brain hurts, maybe I'll post more on this shit fucking cuntfuck company. Sorry to be rude, but this triggers me sooo much!

The school I went to...

Grade 1:
*GTA and minecraft to let student familiarize with cheating command and console

*Student should find and read the damn documentation him/herself about items, mobs and quests in every game. Be self motivated!

Grade 2:
*Contribute to community for myth hunting, map creation and glitch

*Solve personal networking, graphics problem and understanding hardware limitation.

*Solving game compability problem after Windows update

*Introduction to cracking and hacking

Grade 3:
*Motivation to host a game server

*Custom server scripting => start To really code the first time, Perl, python, etc

*Introduction to Linux server and Debian

Grade 4:
*From DDoS to server security

*Server maintenance and GitHub

*Game Server web development

*Motivation into non-gaming discipline by a random YouTube geek

*Set up mincraft with raspberry pi and Arduino

*Switch to Linux or Mac and just dual boot for gaming

Prepared for the real world.
Congratz for the graduation in the Pre-school of Developers (11-14 yrs old) :)

On my first day at work i was given the task to rewrite some code. I pulled the code, started the server and was greeted with a login-page. Instead of asking for credentials i tried good ol' " OR 1=1;#. Instand login, admin account. My boss was baffled, but instead of fixing this he decided other tasks had "higher priority". 3 years later, this still exists. I also heard some client runs the application open on the internet.

Everyone wants security, but some people decide to pull out the bottommost card in the fragile house of cards of security

The tech stack at my current gig is the worst shit I’ve ever dealt with...

I can’t fucking stand programs, especially browser based programs, to open new windows. New tab, okay sure, ideally I just want the current tab I’m on to update when I click on a link.

Ticketing system: Autotask
Fucking opens up with a crappy piss poor sorting method and no proper filtering for ticket views. Nope you have to go create a fucking dashboard to parse/filter the shit you want to see. So I either have to go create a metric-arse tonne of custom ticket views and switch between them or just use the default turdburger view. Add to that that when I click on a ticket, it opens another fucking window with the ticket information. If I want to do time entry, it just feels some primal need to open another fucking window!!! Then even if I mark the ticket complete it just minimizes the goddamn second ticket window. So my jankbox-supreme PC that my company provided gets to strugglepuff along trying to keep 10 million chrome windows open. Yeah, sure 6GB of ram is great for IT work, especially when using hot steaming piles of trashjuice software!

I have to manually close these windows regularly throughout the day or the system just shits the bed and halts.

RMM tool: Continuum
This fucker takes the goddamn soggy waffle award for being utterly fucking useless. Same problem with the windows as autotask except this special snowflake likes to open a login prompt as a full-fuck-mothering-new window when we need to open a LMI rescue session!!! I need to enter a username and a password. That’s it! I don’t need a full screen window to enter credentials! FUCK!!! Btw the LMI tools only work like 70% of the time and drag ass compared to literally every other remote support tool I’ve ever used. I’ve found that it’s sometimes just faster to walk someone through enabling RDP on their system then remoting in from another system where LMI didn’t decide to be fully suicidal and just kill itself.

Our fucking chief asshat and sergeant fucknuts mcdoogal can’t fucking setup anything so the antivirus software is pushed to all client systems but everything is just set to the default site settings. Absolutely zero care or thought or effort was put forth and these gorilla spunk drinking, rimjob jockey motherfuckers sell this as a managed AntiVirus.

We use a shitty password manager than no one besides I use because there is a fully unencrypted oneNote notebook that everyone uses because fuck security right? “Sometimes it’s just faster to have the passwords at the ready without having to log into the password manager.” Chief Asshat in my first week on the job.

Not to mention that windows server is unlicensed in almost every client environment, the domain admin password is same across multiple client sites, is the same password to log into firewalls, and office 365 environments!!!

I’ve brought up tons of ways to fix these problems, but they have their heads so far up their own asses getting high on undeserved smugness since “they have been in business for almost ten years”. Like, Whoop Dee MotherFucking Doo! You have only been lucky to skate by with this dumpster fire you call a software stack, you could probably fill 10 olympic sized swimming pools to the brim with the logarrhea that flows from your gullets not only to us but also to your customers, and you won’t implement anything that is good for you, your company, or your poor clients because you take ten minutes to try and understand something new.

I’m fucking livid because I’m stuck in a position where I can’t just quit and work on my business full time. I’m married and have a 6m old baby. Between both my wife and I working we barely make ends meet and there’s absolutely zero reason that I couldn’t be providing better service to customers without having to lie through my teeth to them and I could easily support my family and be about 264826290461% happier!

But because we make so little, I can’t scrap together enough money to get Terranimbus (my startup) bootstrapped. We have zero expendable/savable income each month and it’s killing my soul. It’s so fucking frustrating knowing that a little time and some capital is all that stands between a better life for my family and I and being able to provide a better overall service out there over these kinds of shady as fuck knob gobblers.

"we don't plan on fixing a huge security hole that allows for root on our one server that runs our million-dollar service"

Translation: “The Password is to long. Please choose a Password that is not longer than 12 Characters.”
Oh, and the Password can only contain Letters and numbers 🙃

Warning: long read....

I got a call this morning from a client who was panicking about not being able to login to his web panel.

So I went to the web panel and tried to login and was just redirected back to the login page. No errors or anything (at least visible on the page). Went looking for an error_log file and found it.

It turns out there was an error was showing: Disk quota exceeded.

So I went into the cPanel and checked, he used about 16GB out of 100GB and that got me confused. So I looked around and found out he was using about 510000/500000 inodes.

Went looking trough FTP to see where he has so many files and try and remove some.

Well it turns out that there were about 7 injected websites (warez, online casino, affiliate one etc) and a full hacking web panel on his FTP. After detailed analysis some who actually built the site (I just maintain some parts) made an upload form available to public with any checks on it. Meaning anyone could upload whatever they wanted and the form would allow it.

The worst part is that the client is not allowing us to secure the form with some sort of login or remove it completely (the best option) as it is not really needed but he uses it to upload some pdf catalogs or something.

TL; DR;
Old programmer created an upload form that was accessible to anyone on the web without adding any security or check as to see what kind of files was getting uploaded. Which lead to having maximum number on inodes used on server and client being unable to login.

Side note:
And ofc I had to go and fix the mess behind him again, even though he stopped working a long time ago and I started just recently and have been having nightmares of this project.

DevOps required skillset:

* Frontend engineering
* Backend services
* Database administrator
* Security consultant
* Project management
* 3rd party contract negotiator
* Build system monitor
* Build system hostage negotiator
* Paging, alerting, monitoring
* Search server admin
* Old search server admin
* Old-old-new search server admin
* Redis, ElasticSearch, MySQL, PostGres, owner
* Agile coach
* No you shouldn't do that coach
* Oh, you did that anyway coach
* DNS: (Optional) It'll replicate when it wants, and how it wants to to anyway
* Multi-Cloud deployment strategist
* Must be able to translate Klingon to YAML, and YAML to MySQL
* Cost analyzer, reducer, and justifier
* Complex documentation generation in markdown that we should have done years ago anyway
* Marketing's email went to spam analyzer
* Wordpress is broke fixer
* Where the fuck does Wordpress run anyway?
* Ability to fix MySql running Wordpress on marketing's dusty laptop

Long rant ahead.. so feel free to refill your cup of coffee and have a seat 🙂

It's completely useless. At least in the school I went to, the teachers were worse than useless. It's a bit of an old story that I've told quite a few times already, but I had a dispute with said teachers at some point after which I wasn't able nor willing to fully do the classes anymore.

So, just to set the stage.. le me, die-hard Linux user, and reasonably initiated in networking and security already, to the point that I really only needed half an ear to follow along with the classes, while most of the time I was just working on my own servers to pass the time instead. I noticed that the Moodle website that the school was using to do a big chunk of the course material with, wasn't TLS-secured. So whenever the class begins and everyone logs in to the Moodle website..? Yeah.. it wouldn't be hard for anyone in that class to steal everyone else's credentials, including the teacher's (as they were using the same network).

So I brought it up a few times in the first year, teacher was like "yeah yeah we'll do it at some point". Shortly before summer break I took the security teacher aside after class and mentioned it another time - please please take the opportunity to do it during summer break.

Coming back in September.. nothing happened. Maybe I needed to bring in more evidence that this is a serious issue, so I asked the security teacher: can I make a proper PoC using my machines in my home network to steal the credentials of my own Moodle account and mail a screencast to you as a private disclosure? She said "yeah sure, that's fine".
Pro tip: make the people involved sign a written contract for this!!! It'll cover your ass when they decide to be dicks.. which spoiler alert, these teachers decided they wanted to be.

So I made the PoC, mailed it to them, yada yada yada... Soon after, next class, and I noticed that my VPN server was blocked. Now I used my personal VPN server at the time mostly to access a file server at home to securely fetch documents I needed in class, without having to carry an external hard drive with me all the time. However it was also used for gateway redirection (i.e. the main purpose of commercial VPN's, le new IP for "le onenumity"). I mean for example, if some douche in that class would've decided to ARP poison the network and steal credentials, my VPN connection would've prevented that.. it was a decent workaround. But now it's for some reason causing Moodle to throw some type of 403.

Asked the teacher for routers and switches I had a class from at the time.. why is my VPN server blocked? He replied with the statement that "yeah we blocked it because you can bypass the firewall with that and watch porn in class".
Alright, fair enough. I can indeed bypass the firewall with that. But watch porn.. in class? I mean I'm a bit of an exhibitionist too, but in a fucking class!? And why right after that PoC, while I've been using that VPN connection for over a year?

Not too long after that, I prematurely left that class out of sheer frustration (I remember browsing devRant with the intent to write about it while the teacher was watching 😂), and left while looking that teacher dead in the eyes.. and never have I been that cold to someone while calling them a fucking idiot.

Shortly after I've also received an email from them in which they stated that they wanted compensation for "the disruption of good service". They actually thought that I had hacked into their servers. Security teachers, ostensibly technical people, if I may add. Never seen anyone more incompetent than those 3 motherfuckers that plotted against me to save their own asses for making such a shitty infrastructure. Regarding that mail, I not so friendly replied to them that they could settle it in court if they wanted to.. but that I already knew who would win that case. Haven't heard of them since.

So yeah. That's why I regard those expensive shitty pieces of paper as such. The only thing they prove is that someone somewhere with some unknown degree of competence confirms that you know something. I think there's far too many unknowns in there.

Nowadays I'm putting my bets on a certification from the Linux Professional Institute - a renowned and well-regarded certification body in sysadmin. Last February at FOSDEM I did half of the LPIC-1 certification exam, next year I'll do the other half. With the amount of reputation the LPI has behind it, I believe that's a far better route to go with than some random school somewhere.

Paranoid Developers - It's a long one
Backstory: I was a freelance web developer when I managed to land a place on a cyber security program with who I consider to be the world leaders in the field (details deliberately withheld; who's paranoid now?). Other than the basic security practices of web dev, my experience with Cyber was limited to the OU introduction course, so I was wholly unprepared for the level of, occasionally hysterical, paranoia that my fellow cohort seemed to perpetually live in. The following is a collection of stories from several of these people, because if I only wrote about one they would accuse me of providing too much data allowing an attacker to aggregate and steal their identity. They do use devrant so if you're reading this, know that I love you and that something is wrong with you.

That time when...

He wrote a social media network with end-to-end encryption before it was cool.

He wrote custom 64kb encryption for his academic HDD.

He removed the 3 HDD from his desktop and stored them in a safe, whenever he left the house.

He set up a pfsense virtualbox with a firewall policy to block the port the student monitoring software used (effectively rendering it useless and definitely in breach of the IT policy).

He used only hashes of passwords as passwords (which isn't actually good).

He kept a drill on the desk ready to destroy his HDD at a moments notice.

He started developing a device to drill through his HDD when he pushed a button. May or may not have finished it.

He set up a new email account for each individual online service.

He hosted a website from his own home server so he didn't have to host the files elsewhere (which is just awful for home network security).

He unplugged the home router and began scanning his devices and manually searching through the process list when his music stopped playing on the laptop several times (turns out he had a wobbly spacebar and the shaking washing machine provided enough jittering for a button press).

He brought his own privacy screen to work (remember, this is a security place, with like background checks and all sorts).

He gave his C programming coursework (a simple messaging program) 2048 bit encryption, which was not required.

He wrote a custom encryption for his other C programming coursework as well as writing out the enigma encryption because there was no library, again not required.

He bought a burner phone to visit the capital city.

He bought a burner phone whenever he left his hometown come to think of it.

He bought a smartphone online, wiped it and installed new firmware (it was Chinese; I'm not saying anything about the Chinese, you're the one thinking it).

He bought a smartphone and installed Kali Linux NetHunter so he could test WiFi networks he connected to before using them on his personal device.

(You might be noticing it's all he's. Maybe it is, maybe it isn't).

He ate a sim card.

He brought a balaclava to pentesting training (it was pretty meme).

He printed out his source code as a manual read-only method.

He made a rule on his academic email to block incoming mail from the academic body (to be fair this is a good spam policy).

He withdraws money from a different cashpoint everytime to avoid patterns in his behaviour (the irony).

He reported someone for hacking the centre's network when they built their own website for practice using XAMMP.

I'm going to stop there. I could tell you so many more stories about these guys, some about them being paranoid and some about the stupid antics Cyber Security and Information Assurance students get up to. Well done for making it this far. Hope you enjoyed it.

The website for our biggest client went down and the server went haywire. Though for this client we don’t provide any infrastructure, so we called their it partner to start figuring this out.
They started blaming us, asking is if we had upgraded the website or changed any PHP settings, which all were a firm no from us. So they told us they had competent people working on the matter.

TL;DR their people isn’t competent and I ended up fixing the issue.

Hours go by, nothing happens, client calls us and we call the it partner, nothing, they don’t understand anything. Told us they can’t find any logs etc.

So we setup a conference call with our CXO, me, another dev and a few people from the it partner.
At this point I’m just asking them if they’ve looked at this and this, no good answer, I fetch a long ethernet cable from my desk, pull it to the CXO’s office and hook up my laptop to start looking into things myself.

IT partner still can’t find anything wrong. I tail the httpd error log and see thousands upon thousands of warning messages about mysql being loaded twice, but that’s not the issue here.
Check top and see there’s 257 instances of httpd, whereas 256 is spawned by httpd, mysql is using 600% cpu and whenever I try to connect to mysql through cli it throws me a too many connections error.

I heard the IT partner talking about a ddos attack, so I asked them to pull it off the public network and only give us access through our vpn. They do that, reboot server, same problems.

Finally we get the it partner to rollback the vm to earlier last night. Everything works great, 30 min later, it crashes again. At this point I’m getting tired and frustrated, this isn’t my job, I thought they had competent people working on this.

I noticed that the db had a few corrupted tables, and ask the it partner to get a dba to look at it. No prevail.

5’o’clock is here, we decide to give the vm rollback another try, but first we go home, get some dinner and resume at 6pm. I had told them I wanted to be in on this call, and said let me try this time.

They spend ages doing the rollback, and then for some reason they have to reconfigure the network and shit. Once it booted, I told their tech to stop mysqld and httpd immediately and prevent it from start at boot.

I can now look at the logs that is leading to this issue. I noticed our debug flag was on and had generated a 30gb log file. Tail it and see it’s what I’d expect, warmings and warnings, And all other logs for mysql and apache is huge, so the drive is full. Just gotta delete it.

I quietly start apache and mysql, see the website is working fine, shut it down and just take a copy of the var/lib/mysql directory and etc directory just go have backups.

Starting to connect a few dots, but I wasn’t exactly sure if it was right. Had the full drive caused mysql to corrupt itself? Only one way to find out. Start apache and mysql back up, and just wait and see. Meanwhile I fixed that mysql being loaded twice. Some genius had put load mysql.so at the top and bottom of php ini.

While waiting on the server to crash again, I’m talking to the it support guy, who told me they haven’t updated anything on the server except security patches now and then, and they didn’t have anyone familiar with this setup. No shit, it’s running php 5.3 -.-

Website up and running 1.5 later, mission accomplished.

Rant about devRant.

I hate to see two types of posts:

1. “Haha, i added a WordPress existing theme and charged customer XXXX EUR”, “Idiot customer, I had cross platform app and I charged for each platform”, “lol, they wanted to negotiate the payment, I connected to backdoor and shutdown down their servers”
2. “Why does customer not trust our estimates?” “I told him he does not need to worry about this comparability”, “they are asking about security of the hardened server, are they nuts?

First you treat customers dishonestly and then expect them to trust you and rely on your expertise. Before you constantly complain about the customers - look at yourself guys.

One of our newly-joined junior sysadmin left a pre-production server SSH session open. Being the responsible senior (pun intended) to teach them the value of security of production (or near production, for that matter) systems, I typed in sudo rm --recursive --no-preserve-root --force / on the terminal session (I didn't hit the Enter / Return key) and left it there. The person took longer to return and the screen went to sleep. I went back to my desk and took a backup image of the machine just in case the unexpected happened.

On returning from wherever they had gone, the person hits enter / return to wake the system (they didn't even have a password-on-wake policy set up on the machine). The SSH session was stil there, the machine accepted the command and started working. This person didn't even look at the session and just navigated away elsewhere (probably to get back to work on the script they were working on).

Five minutes passes by, I get the first monitoring alert saying the server is not responding. I hoped that this person would be responsible enough to check the monitoring alerts since they had a SSH session on the machine.
Seven minutes : other dependent services on the machine start complaining that the instance is unreachable.

I assign the monitoring alert to the person of the day. They come running to me saying that they can't reach the instance but the instance is listed on the inventory list. I ask them to show me the specific terminal that ran the rm -rf command. They get the beautiful realization of the day. They freak the hell out to the point that they ask me, "Am I fired?". I reply, "You should probably ask your manager".

Lesson learnt the hard-way. I gave them a good understanding on what happened and explained the implications on what would have happened had this exact same scenario happened outside the office giving access to an outsider. I explained about why people in _our_ domain should care about security above all else.

There was a good 30+ minute downtime of the instance before I admitted that I had a backup and restored it (after the whole lecture). It wasn't critical since the environment was not user-facing and didn't have any critical data.

Since then we've been at this together - warning engineers when they leave their machines open and taking security lecture / sessions / workshops for new recruits (anyone who joins engineering).

That feeling when your client connection is more stable than the connection of a fucking game server... Incompetent pieces of shit!!! BEING ABLE TO PUT A COUPLE OF SPRITES DOESN'T MAKE YOU A FUCKING SYSADMIN!!!

Oh and I sent those very incompetent fucks a mail earlier, because my mailers are blocking their servers as per my mailers' security policy. A rant from the old box - their mail servers self-identify a fucking .local!!! Those incompetent shitheads didn't even properly change the values from test into those from prod!! So I sent them an email telling them exactly how they should fix it, as I am running the same MTA on my mailers (Postfix), at some point had to fix my mailers against the exact same issue as well, and clearly noticed in-game that they have deliverability problems (they explicitly mention to unblock their domain). Guess why?! Because their server's shitty configuration triggers fucking security mechanisms that are built against rogue mailers that attempt to spoof themselves as an internal mailer, with that fucking .local! And they STILL DIDN'T CHANGE IT!!!! Your fucking domain has no issues whatsoever, it's your goddamn fucking mail servers that YOU ASOBIMO FUCKERS SHOULD JUST FIX ALREADY!!! MOTHERFUCKERS!!!!!

I think we're going two sides:

For one, more and more technology is being developed/engineered which is even more and more and more intrusive as for personal privacy, I'm genuinely worried how this'll go as privacy isn't just a about not exposing certain things like passwords/bank account details and so on, it's also about being an individual who has their own thoughts, opinions and so on. If we keep taking that away more and more often, society will change and go towards the Orwell scenario (we're on our way there right now). We can change this as software/design/server engineers but that's up to us and I sadly don't see that happening quickly, also due to the 'nothing to hide' bullshit.

Second one is that were going more and more towards open source.
This is a good thing as this:
- gives freedom to devs around the world to improve software and/or modify it to suit their needs.
- gives people the opportunity to look through the source code of softwares in order to verify it as for backdoors and find security vulnerabilities which otherwise can remain hidden for the general public while spying agencies have way more resources to go vulnerability hunting.

For the people who think this isn't a good idea (even more open source), without it we'd be completely fucked as for moving forward/security/privacy. (I can give examples if wanted).

The worst project is the one I am currently working on. I didn’t build it but have to manage it, because... Reasons.

The projects is made on Core PHP(red flag right there).
But when I dig in I get to see there is no authentication used in any of the REST service. Yup. What's the fucking point of login if you are just going to update profiles based on user_id you Twat! The querying used is simply mysql_query (I have to say I expected that).
No relationships defined in the Mysql table structure. No migrations.
There is an upload feature which is forcing the image to be saved as jpeg, therby corrupting the images being saved on the server.
No security, terrible logic, no classes, terrible architecture.

And I am the chosen one to maintain this shit!

Truely, FML!!!

Finally got a new job, but it's already a horror story not even 2 hours in (making this while on break)

Everyone here is an Intern, IT? Interns, Designers? Interns, HR? Interns.

The Person who I should've worked with got fired yesterday, and now I have to work all of his shit up from 0, Documentation? Fragmental, a few things here and there, but nothing really.

IT security also doesn't exist in the slightest, there is an Excel sheet called "Master_Passwords" and every single password is in Plaintext, written out for everyone to see. (at least they used "strong" passwords)

And the place also looks run down, theres PC's, Laptops, Mics, Cables etc. lying literally everywhere no-one knows what works and what doesn't (since everyone is an intern)

Not to mention the "Server Room" is an absolute mess itself, cables hanging from literally anywhere, powerstrips are ontop of servers, each rack has like 2 or 3 2U Servers, (in a 40u Rack) and there are 10 of them!

!!oracle

I'm trying to install a minecraft modpack to play with a friend, and I'm super psyced about it. According to the modpack instructions, the first step is to download the java8 jre. Not sure if I actually need it or not, but it can download while I'm doing everything else, so I dutifully go to the download page and find the appropriate version. The download link does point to the file, but redirects to a login page instead. Apparently I need an oracle account to download anything on their site. stupid.

So I make an account. It requires my life story, or at least full name and address and phone number. stupid. So my name is now "fuck off" and I live in Hell, Michigan. My email is also "gofuckyourself" because I'm feeling spiteful. Also, for some reason every character takes about 3/4ths of a second to type, so it's very slow going. Passwords also cannot contain spaces, which makes me think they're doing some stupid "security" shenanigans like custom reversible encryption with some 5th grade math. or they're just stupid. Whatever, I make the stupid account.

Afterwards, I try to log in, but apparently my browser-saved credentials are wrong? I try a few more times, try enabling all of the javascripts, etc. No beans. Okay, maybe I can't use it until I verify the email? That actually makes some sense. Fine, I go check the throwaway inbox. No verification email. It's been like five minutes, but it's oracle so they probably just failed at it like everything else, so I try to have them resend the email. I find the resend link, and try it. Every time I enter my email address, though, it either gives me a validation error or a server error. I try a few mores times, and give up. I try to log in again; no dice. Giving up, I go do something else for awhile.

On a whim later, I check for the verification email again. Apparently it just takes bloody forever, but it did show up. Except instead of the first name "Fuck" I entered, I'm now "Andrew", apparently. okay.... whatever. I click the verify button anyway, and to my surprise it actually works, and says that I'm now allowed to use my account. Yay!

So, I go back to the login page (from the download link) and enter my credentials. A new error appears! I cannot use redirects, apparently, and "must type in the page address I want to visit manually." huh? okay, i go to the page directly, and see the same bloody error because of course i do because oracle fucking sucks. So I close the page, go back to the download list, click the link, wait for the login page redirect (which is so totally not allowed, apparently, except it works and manual navigation does not. yay backwards!), and try to log in.

Instead of being presented with an error because of the redirect, it lets me (try to) log in. But despite using prefilled creds (and also copy/pasting), it tells me they're invalid. I open a new tab container, clear the cache (just to be thorough), and repeat the above steps. This time it redirects me to a single signon server page (their concept of oauth), and presents me with a system error telling me to contact "the Administrator." -.- Any second attempts, refreshes, etc. just display the same error.

Further attempts to log in from the download page fail with the same invalid credentials error as before.

Fucking oracle and their reverse Midas touch.

First company I worked for, built around 40 websites with Drupal 7...in only a year (don't know if it's a lot for today's standards, but I was one guy doing everything). Of course I didn't have the time to keep updating everything and I continually insisted to the boss that we need more people if we are going to expand. Of course he kept telling me to keep working harder and that I "got this". Well, after a year a couple of websites got defaced, you know the usual stuff if you've been around for some time. Felt pretty bad at the time, it was a similar feeling to having your car stolen or something.

Anyways, fast forward about 2 years, started working on another company, and well...this one was on another level. They had a total of around 40 websites, with about 10 of them being Joomla 1.5 installations (Dear Lord have mercy on my soul(the security vulnerabilities from these websites only, were greater than Spiderman's responsibilities)) and the others where WordPress websites, all that ON A SINGLE VPS, I mean, come on... Websites being defaced on the daily, pharma-hacks everywhere, server exploding from malware queing about 90k of spam emails on the outbox, server downtime for maintenance happening almost weekly, hosting company mailing me on the daily about the next malware detection adventure etc. Other than that, the guy that I was replacing, was not giving a single fuck. He was like, "dude it's all good here, everything works just fine and all you have to do is keep the clients happy and shit". Sometimes, I hate myself for being too caring and responsible back then.

I'm still having nightmares of that place. Both that office and that VPS.

I work at a place where security is really high when it comes to server access. Today I was in urgent need to get admin access to a server, this is a real pain. Luckily I found an xml in version control containing the credentials for the web application which happens to be an admin account! Lucky me, saved me at least two weeks of waiting to get admin access!

My school just tried to hinder my revision for finals now. They've denied me access just today of SSHing into my home computer. Vim & a filesystem is soo much better than pen and paper.

So I went up to the sysadmin about this. His response: "We're not allowing it any more". That's it - no reason. Now let's just hope that the sysadmin was dumb enough to only block port 22, not my IP address, so I can just pick another port to expose at home. To be honest, I was surprised that he even knew what SSH was. I mean, sure, they're hired as sysadmins, so they should probably know that stuff, but the sysadmins in my school are fucking brain dead.

For one, they used to block Google, and every other HTTPS site on their WiFi network because of an invalid certificate. Now it's even more difficult to access google as you need to know the proxy settings.

They switched over to forcing me to remote desktop to access my files at home, instead of the old, faster, better shared web folder (Windows server 2012 please help).

But the worst of it includes apparently having no password on their SQL server, STORING FUCKING PASSWORDS IN PLAIN TEXT allowing someone to hijack my session, and just leaving a file unprotected with a shit load of people's names, parents, and home addresses. That's some super sketchy illegal shit.

So if you sysadmins happen to be reading this on devRant, INSTEAD OF WASTING YOUR FUCKING TIME BLOCKING MORE WEBSITES THAN THEIR ARE LIVING HUMANS, HOW ABOUT TRY UPPING YOUR SECURITY, PASSWORDS LIKE "", "", and "gryph0n" ARE SHIT - MAKE IT BETTER SO US STUDENTS CAN ACTUALLY BROWSE MORE FREELY - I THINK I WANT TO PASS, NOT HAVE EVERY OTHER THING BLOCKED.

Thankfully I'm leaving this school in 3 weeks after my last exam. Sure, I could stay on with this "highly reputable" school, but I don't want to be fucking lied to about computer studies, I don't want to have to workaround your shitty methods of blocking. As far as I can tell, half of the reputation is from cheating. The students and sysadmins shouldn't have to have an arms race between circumventing restrictions and blocking those circumventions. Just make your shit work for once.

**On second thought, actually keep it like that. Most of the people I see in the school are c***s anyway - they deserve to have half of everything they try to do censored. I won't be around to care soon.**

The IT head of my Client's company : You need to explain me what exactly you are doing in the backend and how the IOT devices are connected to the server. And the security protocol too.

Me : But it's already there in the design documents.

IT Head : I know, but I need more details as I need to give a presentation.

Me : (That's the point! You want me to be your teacher!) Okay. I will try.

IT Head : You have to.

Me : (Fuck you) Well, there are four separate servers - cache, db, socket and web. Each of the servers can be configured in a distributed way. You can put some load balancers and connect multiple servers of the same type to a particular load balancer. The database and cache servers need to replicated. The socket and http servers will subscribe to the cache server's updates. The IOT devices will be connected to the socket server via SSL and will publish the updates to a particular topic. The socket server will update the cache server and the http servers which are subscribed to that channel will receive the update notification. Then http server will forward the data to the web portals via web socket. The websockets will also work on SSL to provide security. The cache server also updates the database after a fixed interval.

This is how it works.

IT Head : Can you please give the presentation?

Me : (Fuck you asshole! Now die thinking about this architecture) Nope. I am really busy.

10 years experience in DoD C4I enterprise hardware and software.
Looks at civilian job (requires A+)
Gets A+
Looks at civilian job (requires Network+)
Gets Network+
Looks at civilian job market (requires Security+)
Gets security+
Looks at civilian job market (requires CCNA)
Getting CCNA
Looks again at job market (requires CCNP)
Fuck...

Job interview "we don't think you have a strong enough background"

Looks back at my 5 million dollar military flying robotic server FML

MAINTENANCE OF STACKOVERFLOW PLANNED
SHARE TO YOUR NEAREST DEV FRIENDS

Stackoverflow and its relative partners will be closed for two days due to maintenance, new design, and moving server infrastructure from United States to 1km below the Switzerland Alps for extra layers of security. This decision was made by the recent CloudFlare data leak.
Now our servers will be able to handle data leaks because even though the data was leaked, it will fill the empty places in the rocks resulting inaccessible from attackers.
Stackoverflow and its relative partners' maintenance estimated time is February 29 - 30. We will try to finish as fast as possible and bring you guys the best experience. If the maintenance delayes, we will tweet via @StackStatus or post details in our status blog.
Thank you for your support and have a happy day.
Best regards,
Stack Exchange team

I need to make a confession about my terribly unprofessional project I made. Around two years ago I got thrown for the first time into back end development - I had to work on the project alone. As a very smart man I basically exposed our SMTP server as a nice and very flexible API.

Fortunately it was, by the design, a very short-lived project, taken down from the web completely and for good after around 2 months. I'm still happy I had more luck than brains and nobody used our server as a spam sending service in our name and I have learned a valuable and relatively cheap lesson in security this way.

Taking IT classes in college. The school bought us all lynda and office365 accounts but we can't use them because the classroom's network has been severed from the Active Directory server that holds our credentials. Because "hackers." (The non-IT classrooms don't have this problem, but they also don't need lynda accounts. What gives?)

So, I got bored, and irritated, so I decided to see just how secure the classroom really was.

It wasn't.

So I created a text file with the following rant and put it on the desktop of the "locked" admin account. Cheers. :)

1. don't make a show of "beefing up security" because that only makes people curious.
I'm referring of course to isolating the network. This wouldn't be a problem except:

2. don't restrict the good guys. only the bad guys.
I can't access resources for THIS CLASS that I use in THIS CLASS. That's a hassle.
It also gives me legitimate motivation to try to break your security.

3. don't secure it if you don't care. that is ALSO a hassle.
I know you don't care because you left secure boot off, no BIOS password, and nothing
stopping someone from using a different OS with fewer restrictions, or USB tethering,
or some sort malware, probably, in addition to security practices that are
wildly inconsistent, which leads me to the final and largest grievance:

4. don't give admin priveledges to an account without a password.

seriously. why would you do this? I don't understand.
you at least bothered to secure the accounts that don't even matter,
albeit with weak and publicly known passwords (that are the same on all machines),
but then you went and left the LEAST secure account with the MOST priveledges?
I could understand if it were just a single-user machine. Auto login as admin.
Lots of people do that and have a reason for it. But... no. I just... why?

anyway, don't worry, all I did was install python so I could play with scripting
during class. if that bothers you, trust me, you have much bigger problems.

I mean you no malice. just trying to help.

For real. Don't kick me out of school for being helpful. That would be unproductive.
Plus, maybe I'd be a good candidate for your cybersec track. haven't decided yet.

-- a guy who isn't very good at this and didn't have to be
have a nice day <3

oh, and I fixed the clock. you're welcome.

me: the source code is currently store on GitHub and we use GitHub Actions after each updates to compile your code into binary before deploying to your servers
client: storing source code on GitHub (external server) is insecure and breaks compliance
me: so i guess you will need to have a copy of the source code on all your servers and build them directly there (too cheap to have a separate build server) instead of using GitHub Actions
client: yeah
me: keep in mind that all your certificates and tokens are going to be store as plain text in all your servers so if a hacker gain access to anyone of your servers, they will have access to everything.
client: yeah, this is in compliance to our security policy

We got DDoS attacked by some spam bot crawler thing.

Higher ups called a meeting so that one of our seniors could present ways to mitigate these attacks.

- If a custom, "obscure" header is missing (from api endpoints), send back a basic HTTP challenge. Deny all credentials.

- Some basic implementation of rate limiting on the web server

We can't implement DDoS protection at the network level because "we don't even have the new load balancer yet and we've been waiting on that for what... Two years now?" (See: spineless managers don't make the lazy network guys do anything)

So now we implement security through obscurity and DDoS protection... Using the very same machines that are supposed to be protected from DDoS attacks.

Permission denied (publickey).

(That's my life while learning how to harden security on a server and then locking myself out.)

Putting SSH on another port and using fail2ban on the default one to ban everyone else trying to get in is a nice thing until you ban your own static ip by forgetting the new port...

My first job was actually nontechnical - I was 18 years old and sold premium office furniture for a small store in Munich.
I did code in my free time though (PHP/JS mostly, had a litte browsergame back then - those were the days), so when my boss approached me and asked me whether I liked to take over a coding project, I agreed to the idea.

Little did I know at the time: I was supposed to work with a web agency the boss had contracted to build their online shop. Only that he had no plan or anything, he basically told them "build me an online shop like abc(a major competitor of ours at the time)"

He employed another sales lady who was supposed to manage the shop (that didn't exist yet). In the end, I think 80% of her job was to keep me from killing my boss.

As you can imagine, with this huuuuge amout of planning and these exact visions of what was supposed to be, things went south fast and far. So far that I could visit my fellow flightless birds down in the Penguin's republic of Antarctica and still need to go further.

Well... When my boss started suing the web agency, I was... ahem, asked to take over. Dumb as I was, I did - I was a PHP kid and thought that Magento, being written in PHP, would be easy to master. If you know Magento, you know that was maybe the wrongest thing I ever said.

Fast forward 3 very exhausting months, the thing was online. Not all of it worked yet, but it was online and fairly secure.

I did next to everything myself, administrating the CentOS box the shop was running on, its (own) e-mail server, the web server, all the coding required for the shop (can you spell 12 hour day for 8 hour pay?)

3 further months later, my life basically was a wreck, I dragged myself to work, the only thing I looked forward being the motorcycle ride home. The system worked though.

Mind you, I was still, at the time, working with three major customers, doing deskside support and some admin (Win Server 2008R2 at the time) - because, to quote my boss, "We could not afford a full time developer and we don't need one".

I think i stopped coding in my free time, the one hobby I used to love more than anything on the world, somewhere Decemerish 2012. I dropped out of the open source projects I was in, quit working on my browser game and let everything slide.

I didn't even care to renew the domains and servers for it, I just let it die without notice.

The little free time I had, I spent playing video games and getting drunk/high.

December 2013, 1.5 years on the job, I reached my breaking point and just left, called in sick at least a week per month because I just could not see this fucking place anymore.

I looked for another job outside of ALL of what I did before. No more Magento, no more sales, no more PHP. I didn't have to look for long, despite what I thought of my skills.

In February 2014, I told my boss that I quit. It was still seven months until my new job started, but I wanted him to know early so we could migrate and find a replacement.

The search for said replacement started in June 2014. I had considerably less work in the months before, looks like he got the hint.

In August 2014, my replacement arrived and I got him started.

I found a job, which I am still in, and still happy about after almost half a decade, at a local, medium sized ISP as a software dev and IT security guy. Got a proper training with a certificate and everything now.

My replacement lasted two months, he was external and never really did his job - the site, which until I had quit, had a total of 3 days downtime for 3 YEARS (they were the hoster's fault, not mine), was down for an entire month and he could not even tell why.

HIS followup was kicked after taking two weeks to familiarize himself with the project. Well, I think that two weeks is not even barely enough to familiarize yourself with nearly three years of work, but my boss gave him two days.

In 2016, the shop was replaced with another one. Different shop system, different OS, different CI. I don't know why and I can't say I give a damn.

Almost all the people that worked at the company back with me have left for greener pastures, taking their customers (and revenue) with them.

As for my boss' comments, instructions and lines: THAT might not be safe for work. Or kids. Or humans in general. And there wouldn't be much left if you put it through a language filter...

Moral of the story: No, it's not a bad thing to leave a place if you're mistreated there. Don't mistake loyalty with stupidity!

And, to quote one of my favourite Bands: "Nothing matters when the pain is all but gone" (Tragedy + Time by Rise Against).

It's finally happened. I've used my mail servers for about a year to give out different email addresses on my domain to things I sign up for online, and only used my "actual" email address that received all this email for the whole domain but the single one that I used outbound for private communications.

This worked well for a long time as I could see when spam comes in, where it came from by looking at the email address I designated it. Each company's email would be sent not only from an email address that they choose, but also to an email address that I choose. It allowed me to easily determine where there were problems. For example, on Freenode IRC my vhost happened to make my username@host there a valid email address. It eventually got blacklisted due to too much incoming spam as crawlers started detecting it. Another one was "nickname"@my.domain as I posted it a few times here. Got crawled as well. But it allowed me to easily blacklist each.

I'd never thought my actual outbound email address, my real one, to get crawled though. That would require the mail server of a company I explicitly communicated with to get hacked. But today that happened. I wonder whose it is, but I can't tell.

Time to make my outgoing email bound to a designated email address as well. I want to know which companies this happens to, even if they don't disclose it.

IE is dead ?!

NOT SO FAST.

The whole singin in Visual 2022 uses... Internet explorer renderer and... doesn't work on a Windows Server 2022 because of... "Enchanced internet explorer security policy".

I'm dying inside.

So I manage multiple VPS's (including multiple on a dedicated server) and I setup a few proxy servers last week. Ordered another one yesterday to run as VPN server and I thought like 'hey, let's disable password based login for security!'. So I disabled that but the key login didn't seem to work completely yet. I did see a 'console' icon/title in the control panel at the host's site and I've seen/used those before so I thought that as the other ones I've used before all provided a web based console, I'd be fine! So le me disabled password based login and indeed, the key based login did not work yet. No panic, let's go to the web interface and click the console button!
*clicks console button*
*New windows launches.....*

I thought I would get a console window.

Nope.

The window contained temporary login details for my VPS... guess what... YES, FUCKING PASSWORD BASED. AND WHO JUST DISABLED THE FUCKING PASSWORD BASED LOGIN!?!

WHO THOUGHT IT WOULD BE A GOOD IDEA TO IMPLEMENT THIS MOTHERFUCKING GOD?!?

FUUUUUUUUUUUUUUUUUUUUUUU.

My Sunday Morning until afternoon. FML. So I was experiencing nightly reboots of my home server for three days now. Always at 3:12am strange thing. Sunday morning (10am ca) I thought I'd investigate because the reboots affected my backups as well. All the logs and the security mails said was that some processes received signal 11. Strange. Checked the periodics tasks and executed every task manually. Nothing special. Strange. Checked smart status for all disks. Two disks where having CRC errors. Not many but a couple. Oh well. Changing sata cables again 🙄. But those CRC errors cannot be the reason for the reboots at precisely the same time each night. I noticed that all my zpools got scrubbed except my root-pool which hasn't been scrubbed since the error first occured. Well, let's do it by hand: zpool scrub zroot....Freeze. dafuq. Walked over to the server and resetted. Waited 10 minutes. System not up yet. Fuuu...that was when I first guessed that Sunday won't be that sunny after all. Connected monitor. Reset. Black screen?!?! Disconnected all disks aso. Reset. Black screen. Oh c'moooon! CMOS reset. Black screen. Sigh. CMOS reset with a 5 minute battery removal. And new sata cable just in cable. Yes, boots again. Mood lightened... Now the system segfaults when importing zroot. Good damnit. Pulled out the FreeBSD bootstick. zpool import -R /tmp zroot...segfault. reboot. Read-only zroot import. Manually triggering checksum test with the zdb command. "Invalid blckptr type". Deep breath now. Destroyed pool, recreated it. Zfs send/recv from backup. Some more config. Reboot. Boots yeah ... Doesn't find files??? Reboot. Other error? Undefined symbols???? Now I need another coffee. Maybe I did something wrong during recovery? Not very likely but let's do it again...recover-recover. different but same horrible errors. What in the name...? Pulled out a really old disk. Put it in, boots fine. So it must be the disks. Walked around the house and searched for some new disks for a new 2 disk zfs root mirror to replace the obviously broken disks. Found some new ones even. Recovery boot, minimal FreeBSD Install for bootloader aso. Deleted and recreated zroot, zfs send/recv from backup. Set bootfs attribute, reboot........
It works again. Fuckit, now it is 6pm, I still haven't showered. Put both disks through extensive tests and checked every single block. These disks aren't faulty. But for some reason they froze my system in a way so that I had to reset my BIOS and they had really low level data errors....? I Wonder if those disks have a firmware problem? So that was most of my Sunday. Nice, isn't it? But hey: calm sea won't make a good sailor, right?

Hey there!

So during my internship I learned a lot about Linux, Docker and servers and I recently switched from a shared hosting to my own VPS. On this VPS I currently have one nginx server running that serves a static ReactJs application. This is temponarily, I SFTP-ed the build files to the server and added a config file for ssl, ciphers and dhparams. I plan to change it later to a nextjs application with a ci/di pipeline etc. I also added a 'runuser' that owns the /srv/web directory in which the webserver files are located. Ssh has passwords disabled and my private keys have passphrases.

Now that I it's been running for a few days I noticed a lot of requests from botnets that tried to access phpmyadmin and adminpanels on my server which gave me quite a scare. Luckily my website does not have a backend and I would never expose phpmyadmin like that if I did have it.

Now my question is:
Do you guys know any good articles or have tips and tricks for securing my server and future projects? Are there any good practices that I should absolutely read and follow? (Like not exposing server details etc., php version, rate limiting). I really want to move forward with my quest for knowledge and feel like I should have a good basis when it comes to managing a server, especially with the current privacy laws in place.

Thanks in advance for enduring my rant and infodump 😅

My boss just came to me and demanded that we drop the first layer of security from our new servers so that the snake oil salesmen he used can open test it. I did try to explain that you don't remove security to test security.

Flash has made Java programs look desirable. And anyone keeping up with me knows I despise Java and C#, despite having written C# and currently working on deciphering a Java server to create documentation.

Before I begin, I want to make this clear: IT IS TWO THOUSAND AND FUCKING EIGHTEEN. 2018. WE HAVE BETTER TECH. JAVASCRIPT HAS TAKEN OVER THIS BITCH. So, firstly, FUCK FLASH. Seriously, that shit's a security liability. If you work for a company that uses it, find a new job and then fucking quit, or go mutany and get several devs to begin a JS-based implementation that has the same functionality. There is no excuse. "I'm fired?" That's not an excuse - if there is a way to stop the madness, then fucking hit the brakes on that shit or begin job hunting. Oh, and all you PMs who are reading this and have mandated or helped someone else to mandate work on an enterprise flash program, FUCK YOU. You are part of the problem.

The reason for this outburst seems unreasonable until you realize the hell I went through today. At my University, there is a basic entry-level psychology course I'm taking. Pearson, a company I already fucking hate for some of the ethically sketchy shit they pulled with PARCC as well as overreach in publishing to the point they produce state tests here in the US - has a product called "My PsychLab" and from here on out, I'm referring to it as MPL. MPL has an issue - it is entirely fucking Flash. Homework assignments, the textbook, FUCKING EVERYTHING. So, because of that, you need to waste time finding a browser that works. Now let me remind all of you that just because something SHOULD WORK does NOT mean that it actually does.

I'm sitting on my Antergos box a few days ago: Chromium and Firefox won't load Flash. I don't know why, and don't care to find out. NPAPI and whatnot are deprecated but should still run in a limited mode or some shit. No go on Antergos.

So, today I went to the lab in the desolated basement of an old building which is where it's usually empty except a student hired by the university to make sure nobody fucks things up. I decided - because y'all know I fuckin' hate this - to try Windows. No go in Chrome still - it loaded Flash but couldn't download the content. So I tried Firefox - which worked. My hopes were up, but not too long - because there was no way to input. The window had buttons and shit - but they were COMPLETELY UNRESPONSIVE.

So the homework is also Flash-based. It's all due by 1/31/18 - FOUR CHAPTERS AND THE ACCOMPANYING HOMEWORK - which I believe is Tuesday, and the University bookstore is closed both Saturday and Sunday. No way to get a physical copy of the book. And I have other classes - this isn't the only one.

Also, the copyright on the program was 2017 - so whoever modded or maintained that Flash code - FUCK YOU AND THE IRRESPONSIBLE SHIT YOUR TEAM PULLED. FUCK THE SUPERIORS MAKING DECISIONS AS WELL. Yeah, you guys have deadlines? So do the end users, and when you have to jump through hoops only to realize you're fucked? That's a failure of management and a failure of a product.

How many people are gonna hate me for this? Haters gonna hate, and I'm past the point of caring.

When you resign and before you leave your coworkers ask you to help them write a job description for your replacement and you be like "MUUUUUUHAHAHAHAHAAAA! Just TRY to find THIS!" #IDoAllTheThings

This is a server in my school and I was wondering... Is it okay to have a server everyone can access? There's no key or other security need to the room needed.

After designing the new server architecture for our software and the security to go with it, the boss decides we should ask our provider’s solutions architects to see if it is okay, they came back and said it all looks good apart from one part which my manager did and I always said was bad practice.

Another incident which made a Security Researcher cry
[ NOTE : Check profile to read older incidents ]
-----------------------------------------------------------
So this all started when I was at my home (bunked the office that day xD) and I got a call from a..... Let's call him Fella as I always do . So here we go . And yeah , our Fella is a SysAdmin .
-----------------------------------------------------------
Fella - Hey man sup!
Me - Good going mate , bunked the office , weather's nice , gonna spend time with my girl today . So what's goinon?
Fella - Bruh my network sharing folders ain't working no more .
Me - Did you changed or modified anything?
Fella - Nope
Me - Okay , gimme your login creds lemme check .
Fella - Check your inbox *texts me the credentials*

*I logged in and what I'm seeing is that server runs on Windows2008R2 , checked the event logs , everything's fine and all of a sudden what I found is fucking embarrassing , this wise man closed SMB service*
Me - Did you closed SMB service?
Fella - Yeah
Me - You know what it does?
Fella - Yeah it's a protocol , I turned it off to protect the server from Wannacry .
Me - Fuckerrrr!!!!! Asshole dumbass you fuckin piece of Dodo's shit!! SMB is the service responsible for files and network sharing!!!
Fella - But....I just wanted protection
Me - 😭😭😭

*A long conversation continues with a lot of specially made words to decrease the rate of frustration which I used already*

Fella - Okay I'm turning it on .
Me - Go on....... Asshole
Fella - It worked! Thanks a lot bro
Me - Just leave me and my soul away from evil and hang up .

*Now the question is , who the hell gives them the post of SysAdmin? While thinking this question , I almost thought of committing suicide​ but then my girl came with coffee and my rubber duck*

Was just recalling one of the worst calls I ever got in IT...

Many years ago we had a single rack for all of our servers, network and storage (pre virtualization too!).

We had a new security system installed in the building and the facilities manager let the guy into the server room to run all the sensor cables in because that is where they wanted their panel... the guy was too lazy to get up on the roof and in the attic repeatedly so after he checked it out he went around every where and drilled a hole straight up where he wanted the sensor wire to go... well the server room was not under an attic space... when he found he had drilled through to the out side... HE FILLED IT WITH EXPANDING FOAM.... the membrane on the roof was damaged... that night it rained... I got a call at 4 am that systems were acting funky and I went in... when I opened the door it was literally raining through the corners of the drop ceiling onto the rack... An excellent DR plan saved our asses but the situation cost the vendor's insurance company $30k in dead equipment and another $10k in emergency labor. Good thing for him we had so little equipment in that room back in.

Moral of the story... always have a good DR plan... you never know when it will rain in the server room.... :)

I just love how liferay keeps finding ways to surprise me...

Customer: need to fix this security issue
me: ok
me: fixed. Testing locally. Works 100%.
Me: testing on dev server. Works 100%
qa: testing on dev server. Works 100%
me: all good. Deploying to preprod
customer: it doesn't work
me: testing preprod - it doesn't work.
Me: scp whole app to local machine. App works 100%.
Me: preview loaded liferay properties in preprod via liferay adm panel. All props loaded ok.
Me: attach jdb to preprod's liferay to see what props are loaded. Only defaults are used [custom props not loaded according to jdb]

me: is there some quantum mechanics involved..? Liferay managed to both load and not to load props at the same time and the state only changes as it's observed...

After a few weeks of being insanely busy, I decided to log onto Steam and maybe relax with a few people and play some games. I enjoy playing a few sandbox games and do freelance development for those games (Anywhere from a simple script to a full on server setup) on the side. It just so happened that I had an 'urgent' request from one of my old staff member from an old community I use to own. This staff member decided to run his own community after I sold mine off since I didn't have the passion anymore to deal with the community on a daily basis.

O: Owner (Former staff member/friend)
D: Other Dev

O: Hey, I need urgent help man! Got a few things developed for my server, and now the server won't stay stable and crashes randomly. I really need help, my developer can't figure it out.
Me: Uhm, sure. Just remember, if it's small I'll do it for free since you're an old friend, but if it's a bigger issue or needs a full recode or whatever, you're gonna have to pay. Another option is, I tell you what's wrong and you can have your developer fix it.
O: Sounds good, I'll give you owner access to everything so you can check it out.
Me: Sounds good

*An hour passes by*

O: Sorry it took so long, had to deal with some crap. *Insert credentials, etc*
Me: Ok, give me a few minutes to do some basic tests. What was that new feature or whatever you added?
O: *Explains long feature, and where it's located*
Me: *Begins to review the files* *Internal rage wondering what fucking developer could code such trash* *Tests a few methods, and watches CPU/RAM and an internal graph for usage*
Me: Who coded this module?
O: My developer.
Me: *Calm tone, with a mix of some anger* So, you know what, I'm just gonna do some simple math for ya. You're running 33 ticks a second for the server, with an average of about 40ish players. 33x60 = 1980 cycles a minute, now lets times that by the 40 players on average, you have 79,200 cycles per minute or nearly 4.8 fucking cycles an hour (If you maxed the server at 64 players, it's going to run an amazing fucking 7.6 million cycles an hour, like holy fuck). You're also running a MySQLite query every cycle while transferring useless data to the server, you're clusterfucking the server and overloading it for no fucking reason and that's why you're crashing it. Another question, who the fuck wrote the security of this? I can literally send commands to the server with this insecure method and delete all of your files... If you actually want your fucking server stable and secure, I'm gonna have to recode this entire module to reduce your developer's clusterfuck of 4.8 million cycles to about 400 every hour... it's gonna be $50.
D: *Angered* You're wrong, this is the best way to do it, I did stress testing! *Insert other defensive comments* You're just a shitty developer (This one got me)
Me: *Calm* You're calling me a shitty developer? You're the person that doesn't understand a timer, I get that you're new to this world, but reading the wiki or even using the game's forums would've ripped this code to shreds and you to shreds. You're not even a developer, cause most of this is so disorganized it looks like you copy and pasted it. *Get's angered here and starts some light screaming* You're wasting CPU usage, the game can't use more than 1 physical core, and after a quick test, you're stupid 'amazing' module is using about 40% of the CPU. You need to fucking realize the 40ish average players, use less than this... THEY SHOULD BE MORE INTENSIVE THAN YOUR CODE, NOT THE OPPOSITE.
O: Hey don't be rude to Venom, he's an amazing coder. You're still new, you don't know as much as him. Ok, I'll pay you the money to get it recoded.
Me: Sounds good. *Angered tone* Also you developer boy, learn to listen to feedback and maybe learn to improve your shitty code. Cause you'll never go anywhere if you don't even understand who bad this garbage is, and that you can't even use the fucking wiki for this game. The only fucking way you're gonna improve is to use some of my suggestions.
D: *Leaves call without saying anything*

TL;DR: Shitty developer ran some shitty XP system code for a game nearly 4.8 million times an hour (average) or just above 7.6 million times an hour (if maxed), plus running MySQLite when it could've been done within about like 400 an hour at max. Tried calling me a shitty developer, and got sorta yelled at while I was trying to keep calm.

Still pissed he tried calling me a shitty developer...

"I found this tool that we should use because I'm a manager and its simple enough that my tiny little manager brain could set it up!"

Oh wow good for you, Mr. Manager! And what, praytell, does the tool require?

"All proprietary and cost-ineffecient products: MSSQL Server and Windows IIS! What do you mean we have to get the data out in order for it to be scalable? Look at it! I set up a website by clicking on an EXE i downloaded from github!"

Amazing, Mr. Manager. So you violated our security practices AND want to pocket even MORE of our budget?

Kindly fuck right off and start suggesting things instead of making people embarrass you into stoping your fight for your tool (has happened on more than one occassion).

Got a job as a database manager, they wanted me to update their sql server and some of their .net apps. Turns out their sql server had no databases and all their data was stored in an ms access 2003 applications that was using windows for workgroups security!!! It also had no interface, hundreds of tables and queries and there were multiple access db it was connected to. To make things worse the person who built all this stuff used acronyms for everything he did, table names, variables, queries and even bloody window folders!!! It was hard as hell to figure out what anything ment. Oh and the .net apps were asp sites that heavily used dll for storing his code and no one knows where the original source code for them are. Did I also mention there were no comments for any of the code, no database dictionary, no notes or anything.

So apparently I'll be rebuilding everything from scratch and transferring over the data to sql server. AND NO MORE F**KING ACRONYMS!!!!!!!

When you look at some production code that has been released for 4 years and find a HUGE security, like catastrophic here is my server hack me flaw 😁

Our main server that stores everything and that everyone uses has been down for about an hour now. It's okay though I get paid by the hour. Plus, I'm working remotely today.

Probably doesn't help that we let other people other than the IT department mess with what we put on the server.

Network Security at it's best at my school.
So firstly our school has only one wifi AP in the whole building and you can only access Internet from there or their PCs which have just like the AP restricted internet with mc afee Webgateway even though they didn't even restrict shuting down computers remotely with shutdown -i.
The next stupid thing is cmd is disabled but powershell isn't and you can execute cmd commands with batch files.
But back to internet access: the proxy with Mcafee is permanently added in these PCs and you don't havs admin rights to change them.
Although this can be bypassed by basically everone because everyone knows one or two teacher accounts, its still restricted right.
So I thought I could try to get around. My first first few tries failed until I found out that they apparently have a mac adress wthitelist for their lan.
Then I just copied a mac adress of one of their ARM terminals pc and set up a raspberry pi with a mac change at startup.
Finally I got an Ip with normal DHCP and internet but port 80 was blocked in contrast to others like 443. So I set up an tcp openvpn server on port 443 elsewhere on a server to mimic ssl traffic.
Then I set up my raspberry pi to change mac, connect to this vpn at startup and provide a wifi ap with an own ip address range and internet over vpn.
As a little extra feature I also added a script for it to act as Spotify connect speaker.
So basically I now have a raspberry pi which I can plugin into power and Ethernet and an aux cable of the always-on-speakers in every room.
My own portable 10mbit/s unrestricted AP with spotify connect speaker.
Last but not least I learnt very many things about networks, vpns and so on while exploiting my schools security as a 16 year old.

A few days ago Aruba Cloud terminated my VPS's without notice (shortly after my previous rant about email spam). The reason behind it is rather mundane - while slightly tipsy I wanted to send some traffic back to those Chinese smtp-shop assholes.

Around half an hour later I found that e1.nixmagic.com had lost its network link. I logged into the admin panel at Aruba and connected to the recovery console. In the kernel log there was a mention of the main network link being unresponsive. Apparently Aruba Cloud's automated systems had cut it off.

Shortly afterwards I got an email about the suspension, requested that I get back to them within 72 hours.. despite the email being from a noreply address. Big brain right there.

Now one server wasn't yet a reason to consider this a major outage. I did have 3 edge nodes, all of which had equal duties and importance in the network. However an hour later I found that Aruba had also shut down the other 2 instances, despite those doing nothing wrong. Another hour later I found my account limited, unable to login to the admin panel. Oh and did I mention that for anything in that admin panel, you have to login to the customer area first? And that the account ID used to login there is more secure than the password? Yeah their password security is that good. Normally my passwords would be 64 random characters.. not there.

So with all my servers now gone, I immediately considered it an emergency. Aruba's employees had already left the office, and wouldn't get back to me until the next day (on-call be damned I guess?). So I had to immediately pull an all-nighter and deploy new servers elsewhere and move my DNS records to those ASAP. For that I chose Hetzner.

Now at Hetzner I was actually very pleasantly surprised at just how clean the interface was, how it puts the project front and center in everything, and just tells you "this is what this is and what it does", nothing else. Despite being a sysadmin myself, I find the hosting part of it insignificant. The project - the application that is to be hosted - that's what's important. Administration of a datacenter on the other hand is background stuff. Aruba's interface is very cluttered, on Hetzner it's super clean. Night and day difference.

Oh and the specs are better for the same price, the password security is actually decent, and the servers are already up despite me not having paid for anything yet. That's incredible if you ask me.. they actually trust a new customer to pay the bills afterwards. How about you Aruba Cloud? Oh yeah.. too much to ask for right. Even the network isn't something you can trust a long-time customer of yours with.

So everything has been set up again now, and there are some things I would like to stress about hosting providers.

You don't own the hardware. While you do have root access, you don't have hardware access at all. Remember that therefore you can't store anything on it that you can't afford to lose, have stolen, or otherwise compromised. This is something I kept in mind when I made my servers. The edge nodes do nothing but reverse proxying the services from my LXC containers at home. Therefore the edge nodes could go down, while the worker nodes still kept running. All that was necessary was a new set of reverse proxies. On the other hand, if e.g. my Gitea server were to be hosted directly on those VPS's, losing that would've been devastating. All my configs, projects, mirrors and shit are hosted there.

Also remember that your hosting provider can terminate you at any time, for any reason. Server redundancy is not enough. If you can afford multiple redundant servers, get them at different hosting providers. I've looked at Aruba Cloud's Terms of Use and this is indeed something they were legally allowed to do. Any reason, any time, no notice. They covered all their bases. Make sure you do too, and hope that you'll never need it.

Oh, right - this is a rant - Aruba Cloud you are a bunch of assholes. Kindly take a 1Gbps DDoS attack up your ass in exchange for that termination without notice, will you?

why people around me act like dump. i have recently worked with this site, which is written in php.

customer: (yelling) my website is hacked, fix it immediately
me : ok sir, we will restore your site immediately

after finishing talk with customer. i have checked website, there is no sign of website being hacked. i have checked server logs and website for security breach, there is no sign.

me: your website is not hacked, sir. can you please tell me where you have seen hacked page.
customer: look at those pages

after seen that page i facepalmed myself. it's a bug, person who created that page just splitted string without using any multibyte function, so page is showing with corrupted characters. i fixed it and problem solved. i have told about that bug, to the person who created that page.

me: hey you have used this function which is not able to handle multibyte characters, you should use multibyte character functions for that one.
person: every characters are the same. we shouldn't need to handle that way.

he is actually a senior developer. who don't even know the difference between unicode and ascii characters.

There you are, fiddling with next.js webpack settings, because your isomorphic JS-in-CSS-in-JS SSR fallback from react-native-web to react-dom throws a runtime error on your SSR prerendering server during isomorphic asynchronous data prefetching from Kubernetes backend-for-frontend edge-server with GraphQL.

You have all that tech to display a landing page with an email form, just to send spam emails with ten tracking links and five tracking beacons per email.

Your product can be replaced by an Excel document made in two days.

It was developed in two years by a team of ten developers crunching every day under twelve project managers that can be replaced with a parrot trained to say “Any updates?”

Your evaluation is $5M+. You have 10,000 dependency security warnings, 1000 likes on Product Hunt, 500 comments on Hacker News, and a popular Twitter account.

Your future looks bright. You finish your coffee, crack your knuckles and carry on writing unit tests.

Anything I (am able to) build myself.
Also, things that are reasonably standardized. So you probably won't see me using a commercial NAS (needing a web browser to navigate and up-/download my files, say what?) nor would I use something like Mega, despite being encrypted. I don't like lock-in into certain clients to speak some proprietary "secure protocol". Same reason why I don't use ProtonMail or that other one.. Tutanota. As a service, use the standards that already exist, implement those well and then come offer it to me.

But yeah. Self-hosted DNS, email (modified iRedMail), Samba file server, a blog where I have unlimited editing capabilities (God I miss that feature here on devRant), ... Don't trust the machines nor the services you don't truly own, or at least make an informed decision about them. That is not to say that any compute task should be kept local such as search engines or AI or whatever that's best suited for centralized use.. but ideally, I do most of my computing locally, in a standardized way, and in a way that I completely control. Most commercial cloud services unfortunately do not offer that.

Edit: Except mail servers. Fuck mail servers. Nastiest things I've ever built, to the point where I'd argue that it was wrong to ever make email in the first place. Such a broken clusterfuck of protocols, add-ons (SPF, DKIM, DMARC etc), reputation to maintain... Fuck mail servers. Bloody soulsuckers those are. If you don't do system administration for a living, by all means do use the likes of ProtonMail and Tutanota, their security features are nonstandard but at least they (claim to) actually respect your privacy.

Since we are using the same password on all our servers (both QA and Production environment) my team somehow decided that it would be easier to copy the private SSH key for to ALL servers and add the public key to the authorized.keys file.

This way we SSH without password and easily add it to new servers, it also means that anyone who gets into one server can get to all of them.

I wasn't a fan of the same password on all servers, but this private key copying is just going against basic security principles.

Do they want rogue connections? Because that's how you get them.

So one of my clients had a different company do a penetrationtest on one of my older projects.

So before hand I checked the old project and upgraded a few things on the server. And I thought to myself lets leave something open and see if they will find it.

So I left jquery 1.11.3 in it with a known xss vulnerability in it. Even chrome gives a warning about this issue if you open the audit tab.

Well first round they found that the site was not using a csrf token. And yeah when I build it 8 years ago to my knowledge that was not really a thing yet.

And who is going to make a fake version of this questionair with 200 questions about their farm and then send it to our server again. That's not going to help any hacker because everything that is entered gets checked on the farm again by an inspector. But well csrf is indeed considered the norm so I took an hour out of my day to build one. Because all the ones I found where to complicated for my taste. And added a little extra love by banning any ip that fails the csrf check.

Submitted the new version and asked if I could get a report on what they checked on. Now today few weeks later after hearing nothing yet. I send my client an email asking for the status.

I get a reaction. Everything is perfect now, good job!

In Dutch they said "goed gedaan" but that's like what I say to my puppy when he pisses outside and not in the house. But that might just be me. Not knowing what to do with remarks like that. I'm doing what I'm getting paid for. Saying, good job, your so great, keep up the good work. Are not things I need to hear. It's my job to do it right. I think it feels a bit like somebody clapping for you because you can walk. I'm getting off topic xD

But the xss vulnerability is still there unnoticed, and I still have no report on what they checked. So I have like zero trust in this penetration test.

And after the first round I already mentioned to the security guy in my clients company and my daily contact that they missed things. But they do not seem to care.

Another thing to check of their to do list and reducing their workload. Who cares if it's done well it's no longer their responsibility.

2018 disclaimer: if you can't walk not trying to offend you and I would applaud for you if you could suddenly walk again.

Despite common sense, I think technology is not making our lives easier. It's just build chaos on top of chaos.

Take server-side programming for instance.

First you have to find someone to host your thing, or a PaaS provider. Then you have to figure out how much RAM and storage you need, which OS you're going to use. And then there's Docker (which will run on top of a VM on AWS or GCP anyway, making even less sense). And then there's the server technology: nginx, Apache (and many many more; if, that is, you're using a server at all). And then there are firewalls, proxies, SSL. And then you go back to the start, because you have to check if your hosting provider will support the OS or Docker or your server. (I smell infinite recursion here.)

Each of these moving parts come with their own can of worms in terms of configuration and security. A whole bible to read if you want to have the slightest clue about what you're doing.

And then there's the programming language to use and its accompanying frameworks. Can they replace the server technology? Should you? Will they conflict with each other and open yet another backdoor into your system? Is it supported by your hosting provider? (Did I mention an infinite recursion somewhere?)

And then there's the database. Does it have a port to the language/framework of your choosing? Why does it expose an web interface? Is it supposed to replace your server? And why are its security features optional again? (Just so I have to test both the insecure and the secure environments?)

And you haven't written a single line of code yet, mind you.

Sometimes your music app knows just the right song to play.

Story:
Production program was working (has been for a long time). But suddenly it starts failing. I spent a long ass time trying to see what went wrong.

Problem:
Security update on the server 🙃

Now I've got the client, his minions, and the users emailing me to fix this. But I didn't start this fire!

Song: We didn't start the fire, by Billy Joel

Not been a good day so far:
1. Woke up to my Synology in a 'Volume crashed' state. Tried to contact support via web page; support web page not loading.
2. Ancient software at work stops working. As the last remaining C++ dev, I gotta troubleshoot. Original developer wrote test program...in VB6.
3. Server config file changed, but all the admins swear up and down nobody's made any changes.
4. Client calls account rep and wants to know about our security policies, so he schedules a meeting with me and client and forgets to mention until he's emailing me asking where the hell I am. From the tone of the conversation between the rep and the client, it's clear that somehow I'm to blame for being late.

Sigh.

Well, hey, at least it's Friday, right? Right?

Hey there 👋

I am more or less throwing any burden (WhatsApp, Facebook, Google etc.) out of my life. Of course I will continue using the Google account for YouTube and some games that need it.

That's what it looks like right now:

Raspberry Pi 3B+
✅ webserver
- forum - complete (atm just for me)
- blog - no ideas and just installed october cms and nothing done yet
- nextcloud - complete and filled with my porn... eeh... data

✅ mailserver
(missing spamassassin, clam or sth. like this but it's working 😂)

✅ matrix-synapse
(as an additional alternative to messengers)

______________

Raspberry Pi 2
✅ catches dust
(any ideas?)

Of course, many more configurations and the like are necessary before everything is ready... but what then or what else is there?

At the moment I still use WhatsApp. Just wanna take time before sending everyone a message about changing the messenger and that it should be important for thinking about the own privacy, which alternatives there are bla...

Edit: For passwords I'm using Myki - didn't hear anything bad about it yet and it's very easy to use (Firefox add-on, Android app).
I love my passwords with 200 characters 😂
Maybe someone's knowing more about them?

Hope I didn't forget a thing... thanks in advance aaaaaaand... I'm gone. ☺

So our main web server got ransomware'd.

By some miracle only a shared directory was compromised and not the whole server.

The server is on an end-of-life OS (Win Server 2008r2), no antivirus solution, no WAF, no log hardening or aggregation, so basically our Security MSP told us "lol good luck finding the attack origin, nuke it and rebuild it correctly this time"

Thing is IT leadership is like "Eh, no harm done, everything is fine" and want to sweep it under the rug and not report it to senior management.

How do i go about convincing them that this is actually important and for once in their life, they should give a fuck ? (This web server is the main moneymaker, it goes tits up and heads are gonna roll).

Currently working on app that is about 10 years old at work. Here’s how today has gone:

Can’t run application locally because the process management engine doesn’t allow access locally, can’t access in development because process management engine doesn’t work here either, can run app in test but waiting on special server access to get the logs.

Make the request to security to access the server - they decline it telling me that the form I submitted is outdated and to submit a new one. Requires three approvals, am still waiting on them.

Every time I make a change and want to test, I have to commit the changes, wait for them to build. Release the changes, build the release project and then deploy it in bamboo.

I can’t wait for my new job to start.

About to start my real first Java project to learn the language in-depth: a virtual ATM featuring a GUI and a networking system for the transmission of banking data to and from a server. Since I particularly care about security this will surely help me get a better understanding of everything involved. Wish me luck.

IPAY88 is the worst payment integration. They parse html data and encoded it into xml for return the data, it is not even singlet or server to server communication , tey called it the ADVANCED BACKEND SYSTEM (My arse!) For security, they ENCODE THE STRING into BASE64 and called it ENCRYPTION ! WHAT THE FUCK?
Encoding is not encryption! I qas expecting they used diffie hellman or AES or RSA etc. THEY TOLD BE ENCODING IS ENCRYPTION? WHAT THE FUCK?

I don't know what you did yesterday, but i did make my company throw away 2 months of progress.
It all started in the beginning, since that i've made numerous complaints about the workflow or code and how to improve it. I've been told off every time, and every time i either told the boss who agreed in the end or wrote code to prove myself. Everything was a hassle and my tasks weren't better.
Team lead: you'll do X now, please do that by making Y.
Me: but Y is insecure, we should do Z.
Team lead: please do Y
Later it turns out Y is impossible and we do Z in the end...
Team lead: please do W now
Me, a few days later: i've tried and their server doesn't give http cors headers, doing W in the browser is impossible
Team lead, a few days later: have you made progress on W?
Me: * tells again it's impossible and uploads code to prove it *
Team lead: * no response *

After that i had enough. Technically i still was assigned to do W, but i used my time to look over the application and list all the things wrong with it. We had everything, giant commits, commented out code, unnecessary packages, a new commit introduced packages that crashed npm install on non-macs, angularjs-packages even though we use angular, weird logic, a security bug, all css in one file even though you can use component-specific css files...

I sent that to my boss, telling him to let the backend-guys have a look at it too and we had a meeting about this. I couldn't attend but they agreed with me completely. They decided to throw away what we have already and to let one of the backend-guys supervise our team. I guess there will be another talk with the team lead, but time will tell.
It feels so good having hope to finally escape this hellish development cycle of badly defined task, bad communication and headache-inducing merges.

I started to work in the CreditCard / Bank business a year ago.
Now they stopped the hole server migration project, so I leave again. They could have had it all. Server 2016, SQL 2016, Citrix, Surface Books and so on.
But no, the new shitty projects are more important than security or on what technology the system is build on.

Seems like the FTP Server will run on Windows 2003 forever...

Beware: Here lies a cautionary tale about shared hosting, backups, and -goes without saying- WordPress.

1. Got a call from a client saying their site presented an issue with a third-party add-on. The vendor asked us to grant him access to our staging copy.

2. Their staging copy, apparently, never got duplicated correctly because, for security reasons, their in-house dev changed the name of the wp-content folder. That broke their staging algo. So no staging site.

3. In order to recreate the staging site, we had to reset everything back to WP defaults. Including, for some reason, absolute paths inside the database. A huge fucking database. Because WordPress.

4. Made the changes directly in a downloaded sql file. Shared hosting, obviously, had an upload limit smaller to the actual database.

5. Spent half an hour trying to upload table by table to no avail.

6. In-house uploads a new, fixed database with the help of the shared hosting provider.

7. Database has the wrong path. Again.

8. In-house performs massive Find and Replace through phpMyAdmin on the production server.

9. Obviously, MySQL crashes instantly and the site gets blocked for over 3 hours for exceeding shared hosting limits.

10. Hosting provider refuses to accept this was caused by such a stupid act and says site needs to be checked because queries are too slow.

11. We are gouging our eyeballs as we see an in-house vs. hosting fight unfold. So we decide to watch a whole Netflix documentary in between.

12. Finally, the hosting folds and enables access to the site, which is obvi not working because, you know, wrong paths.

13. Documentary finishes. We log in again, click restore from backup. Go to bed. Client phones to bless us. Client’s in-house dev probably looking for a cardboard box to pack his stuff first thing in the morning. \_(ツ)_/¯

Security! I wish clients would listen to me regarding security...

The client has started to ask me to give them access to all the logins I have for the email, domain, server etc.
I created them a new account and gave them admin access.

Now they’re asking for password for all the email accounts (I don’t even store them). So I asked why, she wanted to have them in case some of the employees forgot their password.

I explained to her, deeply and many times, WHY THIS IS A BAD FUCKING IDEA. I also discovered she’s keeping it in a document, clear text.

Why do they pay me for support, when they want to have access to everything...

I’m wondering if they’re planning to find someone else to do their support, or do it themselves.

I didn’t even think 25€ pr month is that expensive for support

fuck my school. all i had to do was log in to see my grades and what do i get? the fucking stack trace. security? i think not. seriously though, why the fuck would my county want to make their own grading website when the one we had worked just fine? it looks like it was written terribly, the cause was just a bad socket connection and it even gave me the server name and version. i copied it to a google doc (it was already shortened) and it took up seven pages. jesus.

Course title: Advanced Database Management

Course Objectives:
-Create a database with SQL.
-Describe data normalization of database information.
-Describe distributed database management system.
-Design databases based on Entity Relationship modeling.
-Discuss connecting to databases with server-side scripts.
-Discuss database administration and security.
-Discuss database systems

Like. Come. On.

!Rant #motivation #hugeProject
Yesterday i started a new app and i designed some of it but classes i coded will speed up the whole coding of other parts .
Anyways today i needed to work on the server side of the project and when i was working on setting up the databases structures i realized how big is this project (it uses like 3 APIs) so i was unmotivated because its a side project and it takes alot of time and overall it dont worth it and even app may fail or may be successful.
So i said i dont care about how it will turn out
Im gonna do it , and im gonna do it right now
So i did now its 6 am and the server part is almost finished ! 75% done .
It was a secure login system and signup with verifications and more security stuff and the codes that provide the server status and most of the user parts . And some of the features of the app .
The most hard thing remaining is to setup the in app purchases and the APIs .
So if you see a project that is huge .
Dont give up . Just do it as long as you can
And you will see how much you progress !
And the huge project will be a big project ;)
Then a normal project , then a tiny project :P
Good night

I had a wonderful run-in with corporate security at a credit card processing company last year (I won't name them this time).
I was asked design an application that allowed users in a secure room to receive instructions for putting gift cards into envelopes, print labels and send the envelopes to the post. There were all sorts of rules about what combinations of cards could go in which envelopes etc etc, but that wasn't the hard part.
These folks had a dedicated label printer for printing the address labels, in their secure room.
The address data was in a database in the server room.
On separate networks.
And there was absolutely no way that the corporate security folks would let an application that had access to a printer that was on a different network also have access to the address data.
So I took a look at the legacy application to see what they did, to hopefully use as a precedent.
They had an unsecured web page (no, not an API, a web page) that listed the addresses to be printed. And a Windows application running on the users' PC that was quietly scraping that page to print the labels.
Luckily, it ceased to be an issue for me, as the whole IT department suddenly got outsourced to India, so it became some Indian's problem to solve.

When I was in 11th class, my school got a new setup for the school PCs. Instead of just resetting them every time they are shut down (to a state in which it contained a virus, great) and having shared files on a network drive (where everyone could delete anything), they used iServ. Apparently many schools started using that around that time, I heard many bad things about it, not only from my school.
Since school is sh*t and I had nothing better to do in computer class (they never taught us anything new anyway), I experimented with it. My main target was the storage limit. Logins on the school PCs were made with domain accounts, which also logged you in with the iServ account, then the user folder was synchronised with the iServ server. The storage limit there was given as 200MB or something of that order. To have some dummy files, I downloaded every program from portableapps.com, that was an easy way to get a lot of data without much manual effort. Then I copied that folder, which was located on the desktop, and pasted it onto the desktop. Then I took all of that and duplicated it again. And again and again and again... I watched the amount increate, 170MB, 180, 190, 200, I got a mail saying that my storage is full, 210, 220, 230, ... It just kept filling up with absolutely zero consequences.
At some point I started using the web interface to copy the files, which had even more interesting side effects: Apparently, while the server was copying huge amounts of files to itself, nobody in the entire iServ system could log in, neither on the web interface, nor on the PCs. But I didn't notice that at first, I thought just my account was busy and of course I didn't expect it to be this badly programmed that a single copy operation could lock the entire system. I was told later, but at that point the headmaster had already called in someone from the actual police, because they thought I had hacked into whatever. He basically said "don't do again pls" and left again. In the meantime, a teacher had told me to delete the files until a certain date, but he locked my account way earlier so that I couldn't even do it.
Btw, I now own a Minecraft account of which I can never change the security questions or reset the password, because the mail address doesn't exist anymore and I have no more contact to the person who gave it to me. I got that account as a price because I made the best program in a project week about Java, which greatly showed how much the computer classes helped the students learn programming: Of the ~20 students, only one other person actually had a program at the end of the challenge and it was something like hello world. I had translated a TI Basic program for approximating fractions from decimal numbers to Java.
The big irony about sending the police to me as the 1337_h4x0r: A classmate actually tried to hack into the server. He even managed to make it send a mail from someone else's account, as far as I know. And he found a way to put a file into any account, which he shortly considered to use to put a shutdown command into autostart. But of course, I must be the great hacker.

Client contacts our company that his site is down, we do some investigating and the only way we can access the site is on a mobile phone. From the office computers the site never loads and times out. Since we don't host the site and I've never logged into it before I don't have a lot of details so I suggest they contact whoever hosts their site. This is where things get weird.

Client tells me that the site is hosted on someone's home server. I tell him that this is quite strange in 2018 and rather unlikely and ask if he was ever given access to the site to log in or if he has access to his domain registration, GoDaddy.

He says he doesn't understand any of this and would rather I just contact his current developer and figure it out with him. We agree that he needs to get access to his site so we are going to migrate it once I get access to it.

I email his current developer letting him know the client has put me in contact with him to troubleshoot the issues with the site. I ask him some standard questions like: where is the site hosted? Can you access it from a computer? Do you have some security measures in place to block certain IP ranges? Can you give me from access to get the files? Will you send me a backup of the site for me to load up on my server?

*2days pass*

Other dev: Tell me the account number and I'll transfer the domain.

Me: I'll have to get back to you on that once I talk to the client and set up his GoDaddy account since we believe the business owner should own their domain, not their developers. In the meantime you didn't answer any of the questions I asked. Transferring the domain won't get the site on my server so I still need the files.

*3 days pass*

OD: You are trying the wrong domain. The correct domain is [redacted].com I'll have my daughter send you the files when she gets in town. We will transfer the domain to you, the client will forget to pay and the site will go down and it'll be your fault.

Me: I appreciate your advice, but the client will own their domain. I'm trying to get the site online and you have no answered any of my questions. It's been a week now and you have not transferred the domain, you have not provided a copy of the site, you have not told me where the site is hosted. The client and I are both getting impatient at this point when will we receive a backup of the site and the transfer of the domain?

OD: Go fuck yourself, tell the client they can sue me.

If the client is that terrible, wouldn't you want to hand them off to anyone willing to take them? I have never understood why developers and agencies try to hold clients hostage by keeping their domain or website and refusing access. From what I can tell this is a freelance developer without a real company so a legal battle likely isn't going to go well since the domain is worthless to him as the copyright to the name is owned by the client. This isn't the first time we've had to help clients through this sort of thing.

Speaking of.. What in your opinion would be an appropriate way to warn someone about security problems, like db passwords in git?

I once came across dozens of extremely sensitive services' infra accesses: alibaba/aliexpress, natuonal observatories, gov institutions, telecomms, etc. I had dozens [if not hundreds] routers' and firewalls' credentials along with addresses. I tried one to confirm validity - it worked. I wanted to warn them but did not want to get in trouble.

If it were servers, I'd set a motd or append some warning messages in .profile. But not sure how to do it for non-server devices

what would you do? How would you warn them?

P.S. Deleting that record was a smart move, buddy ;)

p.P.S. Sorry, wrong category... Can't edit now :(

Work story.
We have this system that's being used nation-wide and basically there's a control panel for management (it's a website)) and an app for the regular users.

I just migrated and replaced the guy before me, I'm basically the only one on the project.

The code for the website is a mess, the servers are sometimes slow, and few security problems here and there.

Project Lead comes up to me and says that few of our clients that use the website are saying it works really slowly.
I start by analyzing the networking, and found shocking things.
First of all, let's say there's a messaging option, and the management teams that are our clients can have each a lot of groups, which all have messaging.

Upon first load, ALL OF THE IMAGES, FROM ALL GROUPS, ARE PRE LOADED. It can get up to few hundred photos being preloaded upon first load, which can explain the slow loading.
After discovering that, I discovered that the Administration control panel, which only my project lead can access, with sends heavy requests to the server and loads heavy assets, is loaded every time to every single client, generating heavy stress on our server and slowing everything down.

I tell that to my project lead and say that that's what causing the slow downs, I coded a fix that currently sits and is not being merged to the master branch to be deployed, and somehow I need to find a way to fix the slowness which all comes down to the heavy requests and slow connection with servers... And they won't merge my fix that fixes the loading of the administration panel so the stress on the servers could go down, and everything will be sped up....
Ah damnit.. sometimes I don't understand it..

No experience with paid work yet, but for sysadmin work I'd mostly look at the environment and how the previous admin left the premises, and why they left. I wouldn't want to work with a bird's nest for a server room, that's got everything jammed into one clusterfuck of a god-function sort of server or something crazy like that. Separation of services, security, wire management, all those things matter because that's the state that you'll be working in, and cleaning up someone else's mess.. it makes my blood boil.

Payment is important, and if the job doesn't pay well, don't take it. Or if they place a wee bit too much value in those expensive pieces of toilet paper called certificates, it denotes incompetence from the employer by being unable to gauge your skills on their own (and I get that there's time management involved, but come on.. how long can it take to have a conversation with someone to gauge what their skillset is). But the working environment in particular is of vital importance. If it's all going to be yours to build, great (and don't you dare to half-ass it -_-). But if it's already been partially done by someone else, they'd better done it well.

Not a dev!rant,/but certainly a rant. Long post ahead.

First of all I MISSED YOU ALL

Had my fair issues of shit these months. And for that, FUCK EVERYTHING. End of rant for now. I am still managing somehow to do - slowly as fuck, but who cares at this point - like finally going to uni, finding a psychologist and not a psycho, unraveling a fuckton of previous trauma (hi abuse) and ~drums~ buying my new desktop! Not exactly a nasa server but a middish level workstation/gaming place. I am shopping right now. The previous days have been shaky with all the flashback business and emotional rollercoaster of death, but I feel like going the right way somehow. Is it true? Who knows! But after enduring several issues of suicide planning and luckily only one serious-bugged attempt epically hilariously failed, the slightest hope is a victory. I like p2p, so feel free to torrent and seed this little joy. If it is mine it can be yours. Take it!

Also, you know how much autistic I am, but I'd really like to make some friends. I make attempts but honestly I am awkward errrr.... I don't know how many dude/ttes I can count on. For friend I mean simply someone that honestly likes me somehow, is loyal, and has interest in sharing they like to do or think! (And if they want to give me tips on security/sysadmin/dev stuff, even better, but not required obviously).

Also, I may have some projects in mind. Will publish in the projects section when the roughest idea is finished.

Maybe I deserve an updoot. In real life.
(Which is also here....)

🎶🎶🎶🎶

I don't know the current total number of daily active users and rants counts on devRant. But maybe it would be nice to have a group tagged/mentioned feature. Or something similar. Or subscription to a tag?

Like for example, when it comes to security and privacy and google-free-life all of us usually mentioned linuxxx and the gang. When it comes to server, if I'm not wrong Linux and electrical hardwares for Condor, etc.

But there might be (should be) other who should be mentioned and who would want to get mentioned as well.

Might be fun as well. All those Raven and clans can communicate easily with such feature.

Thoughts anyone? If I got positive responses here, I'll open a feature request on GitHub 🤔

My project manager one time called me while I was waiting in the bank. He told me that the latest changes in the project I was working on were not deployed to production and they were having a meeting to demo those changes to the client later that day.

I had my laptop with me but it wasn't charged. I asked the security guys if I could use the socket used to power up the cleaning/sweeping machines and they didn't mind.

So it was me sitting on the floor in the bank hall using a side socket to power up my laptop holding my cellphone so I can use the hotspot and get internet connection deploying yesterday's changes to a production server.

Eventually, the client didn't attend the meeting that day!

Our school had for an open source way of dealing with home schooling and managing the school network and so on.

Now the government forced a "proprietary" system on our school and everyone hates it. The teachers didn't want it the pupils didn't want it but who cares "what we do is the best".

Btw the proprietary system costs a fuck load of money even though they just mixed many open source projects and made it their own proprietary thing.
And this company now get's loads of money for their shitty system that never really worked once since we got it.

They blocked so many ip's that we can't even access google and it's services on the school wifi and the bandwith dropped severely with the new system.

Oh and many random ip's e.g. one of my vps is accessible but the other one not.
Discord is blocked.
Web whatsapp.
And so on...

Now....

I need to learn for tests next week and need to access that stuff on the portal but...

Now they decided to switch the LDAP server to the new system and since a few hours i can't access this fucking thing.

It seems like the platform now contacts the new server which isn't even up and running....

Never change a fucking running system....

Oh and we got smart boards and it runs on android and they didn't block adb. Now i installed clash of clans on one of those things. Haha whoops.
These boards cost 7000€ and have security patches from 2 years ago....and Android 8

Fucking fuck fuck fuck outdated superiors that know jack shit about how software development works. Dnt even know about git, docker, cloud services. Everything is done on premise with network that is fucking crap and when an app is down "hey why is it down?" ask the fucking server and network admin how the fuck am i supossed to know? i have to create workaround codes when other devs just need to deploy their app and its fucking running as it should be. why the fuck do i need to spend my time debugging Ping timeouts? im a fucking dev. I have done designs, analyze requirements, build frontend, backend, optimize codes, paying attention to security and now i have to fix network problems as well? fuck off

Create Innovation my fucking arse. you just Keep saying that but then wondering "what is this new thing youre trying? its new and different why do that?" because you asked for innovation you fuck. If i copied some other concept its not innovation is it pricks.

Fuck them and all the brown nosers as well.

So this post by @Cyanide had me wondering, what does it take to be a senior developer, and what makes one more senior than the other?

You see, I started at my current company about three or four years ago. It was my first job, and I got it before even having started any real programming education. I'd say that at this point I was beyond doubt a junior. The thing is that the team I joined consisted of me and my colleague, who was only working 50%. Together we built a brand new system which today is the basis on which the company stands on.

Today I'm responsible for a bunch of consultants, handle contact during partnerships with other companies, and lead a lot of development work. I'm basically doing the exact same things as my colleague, and also security and server management. So except for the fact that he's significantly older than me the only things that I can think of that differentiates the seniority in the team are experience and code quality.

In terms of experience a longer life obviously means more opportunities to gather experiences. The thing is that my colleague seems to be very experienced in 10 year old technologies, but the current stuff is not his strong side. That leaves code quality, and if you've ever read my previous rants I think you know what I'm thinking...

So what in the world makes a person senior? If we hired a new colleague now I'm not sure it'd be instantly clear who should guide and teach them.

Question for Web Server Gurus and Security Ninjas.

How to prevent bots, crawlers, spammers sending various numerous requests to your web servers?

There have been numerous requests to routes like /admin /ssh /phpmyadmin etc etc and all kinds of stuff to the web server.

Is there a way to automatically block those stupid IPs :/

Let's talk about the cargo cult of N-factor authentication. It's not some magic security dust you can just sprinkle onto your app "for security purposes".

I once had a client who had a client who I did server maintenance for. Every month I was scheduled to go to the site, stick my fingerprint in their scanner, which would then display my recorded face prominently on their screens, have my name and purpose verified by the contact person, and only then would the guards let me in.

HAHA no of course not. On top of all of that, they ask for a company ID and will not let me in without one.

Because after all, I can easily forge my face, fingerprints, on-site client contact, appointment, and approval. But printing out and laminating a company ID is impossible.

---

With apologies to my "first best friend" in High School, I've forgotten which of the dozens of canonicalisations of which of your nicknames I've put in as my answer to your security question. I've also forgotten if I actually listed you as my first best friend, or my dog - which would actually be more accurate - and actually which dog, as there are times in my High School life that there were more tails than humans in the house.

I have not forgotten these out of spite, but simply because I have also forgotten which of the dozen services of this prominent bullshit computer company I actually signed up for way back in college, which itself has been more than a decade ago. That I actually apparently already signed up for the service before actually eludes me, because in fact, I have no love for their myriad products.

What I have NOT forgotten is my "end of the universe"-grade password, or email, or full legal name and the ability to demonstrate a clear line of continuity of my identity from wherever that was to now.

Because of previous security screwups in the past, this prominent bullshit company has forced its users to activate its second, third, and Nth factors. A possibly decade-old security question; a phone number long lost; whatever - before you can use your account.

Note: not "view sensitive data" about the account, like full name, billing address, and contact info. Not "change settings" of the account, such as changing account info, email, etc. Apparently all those are the lowest tier of security meant to be protected by mere "end of the universe"-grade passwords and a second factor such as email, which itself is likely to be sold by a company that also cargo cults N-factor auth. For REAL hard info, let's ask the guy who we just showed the address to "What street he lived in" and a couple others.

Explaining this to the company's support hotline is an exercise in...

"It's for your security."

"It's not. You're just locking me out of my account. I can show you a government ID corroborating all the other account info."

"But we can't, for security."

"It's not security. Get me your boss."

...

"It's for security."

Question

What server monitoring do you use, both for statistics and security?

--------------------
tl;dr ends here

Ideally I would like to have one clean dashboard that shows me all the nodes I have, proxmox already offers a great range of stats - but it is a page per container etc. so not ideal, I thought of having datadoghq, but their per host pricing is huge, since I have more than 5 hosts to track.

Providing hosting and site management services to clients was the best decision Ive ever made. Now they don't get access to their websites until I get paid.

Getting a managed dedicated server was an even better decision. Allowing me to focus on the development while a professional team takes care of my clients security.

Coding has brought me into new communities and is the reason I have some new friends. I have to say, the best part is knowing how things work. I love knowing how this rant is sent to a remote devRant server thru a socket. How my rant gets divided up into an array of characters, each just a string of 0’s and 1’s. How my rant is stored in a database. How the devRant server connects everyone, and how everyone can (if they have to) use a VPN if it’s blocked, etc. And of course, how it’s all done securely. It’s great having that confidence going into the future knowing that you’ll be relevant and you have technological security. I love talking with people and explaining how things work. How when people say “stop acting so smart, you don’t know anything about X,” which to I reply “do you know how many fucking Xs I made.” Coding is great.

When customers pretend to really care about security but then share server folders to "everyone" 🤨

Windows rant incoming!
For fucks sake! I think Windows have asked me 117 times if I want to update now. The answer is still fucking no!
And I don't care how much of a security improvement it might be, when your shitty update causes a Memory Management error.
So fuck off, stop minimising my game while I play and go fix your shitty update first!
Fuck you Microsoft, fuck your QA team and while I'm at it, I want to say fuck you to all versions of Windows Server as well!

Imagine implementing PHP scripts which execute shell commands defined in URL GET query params on your customer's dedicated server without any basic authentication or similar. The only security is by barely obfuscating it's URL.
I think I've seen it all now...

I once wanted to participate in a free activity that requires signing up for a crappy website.
Unfortunately all spots for the activity I wanted were filled, so I gave it a few minutes and it turned out that the registration is done by sending an HTTP request to a domain with all of the details. So I changed the activity details and selected the hours I wanted and boom - "Thanks for signing up with our site, did you like it ?" Yes.😈

Pentesting for undisclosed company. Let's call them X as to not get us into trouble.
We are students and are doing our first pentest at an actual company instead of assignments at school. So we're very anxious. But today was a good day.
We found some servers with open ports so we checked a few of them out. I had a set of them with a bunch of open ports like ftp and... 8080. Time to check this out.
"please install flash player"... Security risk 1 found!

System seemed to be some monitoring system. Trying to log in using admin admin... Fucking works. Group loses it cause the company was being all high and mighty about being secure af. Other shit is pretty tight though.

Able to see logs, change password, add new superuser, do some searches for USERS_LOGGEDIN_TODAY! I shit you not, the system even had SUGGESTIONS for usernames to search for. One of which had something to do with sftp and auth keys. Unfortunatly every search gave a SQL syntax error. Used sniffing tools to maybe intercept message so we could do some queries of our own but nothing. Query is probably not issued from the local machine.

Tried to decompile the flash file but no luck. Only for some weird lines and a few function names I presume. But decompressing it and opening it in a text editor allowed me to see and search text. No GET or POST found. No SQL queries or name checks or anything we could think of.

That's all I could do for today. So we'll have to think of stuff for next week. We've already planned xss so maybe we can do that on this server as well.

We also found some older network printers with open telnet. Servers with a specific SQL variant with a potential exploit to execute terminal commands and some ftp and smb servers we need to check out next week.

Hella excited about this!

If you guys have any suggestions let us know. We are utter noobs when it comes to this.

TLDR: I need advice on reasonable salary expectations for sysadmin work in the rural United States.

I need some community advice. I’m the sysadmin at a small (35 employee) credit card processing company. I began as an intern and have now become their full time sysadmin/networking specialist. Since I was hired in January I have:

-migrated their 2007 Exchange server to Office 365

-Upgraded their ailing Windows server 2003 based architecture to 2012R2

-Licensed their unlicensed VMware ESXi servers (which they had already paid for license keys for!!!) and then upgraded them to 6.5 while preventing downtime on hosted VMs using tricky transfers and deployments (without vMotion!)

-Deployed a vCenter server to manage said ESXi servers easier

-Fixed a three month gap in their backups by implementing Veeam, and verifying its functionality

-Migrated a ‘no downtime’ fileserver to a new hypervisor host, implemented a ‘hot standby’ server as a backup kept up to date by the minute with DFS replication.

-Replaced failing hard drives in a RAID array underlying their one ‘business critical’ fileserver, which had no backups for 3 months at that time

-Reorganized Active Directory and Group Policy deployment from a nightmare spiderweb of OUs and duplicate policies

-Documented the entire old network and now the new one as I’ve been upgrading this

-Audited the developers AWS instances and removed redundant machines, optimized load balancing on front end Nginx servers, joined developer run Fedora workstations to the AD domain and implemented centralized syslog monitoring on them.

-Performed network scans and rewrote firewall exceptions to tighten security

There’s more, but you get the idea. I’ve now been tasked with taking point on an upcoming PCI audit which will be my first.

I’m being paid $16/hr US, with marginal health benefits. This is roughly $32,000 a year, before taxes.

I have two years previous work experience managing a third party Apple repair facility (SimplyMac) and every Apple certification for warranty repair and software troubleshooting. I have a two year degree in general sciences, with about 4 years of college credit (Two years of a physics education and two years of computer science after I switched focus) I’m actively pursuing a CCNA and MCSA server 2016 with exams paid for and scheduled.

I’m going into a salary negotiation in two months. What is a reasonable salary to request, from your perspective, for someone in my position?

Thanks in advance!

My task was securing the server, and I finshed it... With only one mistake...
I updated the hosts.deny file to be ALL:ALL which are more secure... But I forgot to add any IPs in hosts.allow... The result is, nobody even me can connect to the server... Luckly it is internal testing server...

Don't need Netflix when you have a production deployment right before a long weekend. It has failed since last two weeks due to vulnerabilities present in one of libraries(P.S. FUCK JAVASCRIPT and Post release vulnerability scans!). You have rewritten the whole functionality from scratch twice! Security gates finally open for you, welcoming with arms wide open. So you click Deploy! DAFUQ!! FUCK MY LIFE! Deployment failed! It's only a 3 hour window to deploy! You frantically re-review your code, is it me?? Not again!! It isn't! Well, why is the deployment failing, you work against the clock. Going through configs, code, documentation! WTF is it?? Should I give up and raise a support ticket? Nope! You login to the server, sifting through logs and configs, there's a couple of other tickets with today's deadline. What are you going to do? And you get a hint! You take the hunch, change the config 5 minutes before deadline!
Get merge request approved, wait for the build, hit DEPLOY!! Nail biting 3 minutes! Your eyes fixed on the logs! Building..... Pushing instances..... Starting App..... SUCCESS!!! Finish the remaining tickets! Your long weekend still exists!

I've been working on the ecommerce website from hell for over a year now. I should have heard the alarm bells when the studio who were running the project took a month to pay my deposit but still expected me to start working, but I explained that I wouldn't start without some form of security and they were cool with it, so I carried on.

It started off as a simple build with simple products, no product variations etc and a few links on the designs which appeared to lead to external links, and checkout and cart pages were nowhere to be seen. It wasn't a big money job so I just build them in as plain and straightforward as I could, in line with how the rest of the site looked. They then changed their mind about how they wanted these to look, and added loads of functionality to the site throughout the build, so by the end of the line, the scope of work had completely changed. I also had loads of disagreements in terms of design and useability, as their designs straight-up weren't going to function otherwise, plus every round of changes meant that I had to prolong the job further and fit it around work for other clients.

Fastforward a few more months and I get sent a really angry email with some of the client's complaints, including one that raised an issue with the user journey, and the finger of blame was pointed at me. The user journey had been a part of the designs from the start, and this was never raised as an issue for A WHOLE YEAR. They then said that it had to go live on Monday (three days after they sent email with these huge new structural changes). I told them I could no longer work on the project but was happy to waive the rest of my fee (3/4 of the total fee, when I had essentially completed the site, minus 2 minor bugs), so they could find another developer in the limited time they had. At first they refused to hire another developer, claiming that it would be too expensive, which made no sense, as for a few minor fixes and out of scope additions he could get paid a wage that would have otherwise paid for the majority of the work I had done on the site. I stood my ground and finally they found someone, so I sent over all of the files and database to their new developer and asked him to give me a heads up when I could remove the staging site from my server. The next day, I received an email from the studio asking me to fix some bugs the developer was requesting I fix so he could carry on with the site. They were basically asking me to work more, for free, to enable him to walk off with the majority of the money and do less work. They also forwarded a suuuuuper shitty, condescending email from him, listing all the things he thought was wrong with the site (he even listed 'no favicon' although they'd never supplied a graphic for this). He also wrote a paragraph at the bottom EXPLAINING MY JOB TO ME and telling me:

I get the feeling you like to write Javascript, while being one of the easiest languages to learn, it can also be one of the hardest to master. While I applaud you for writing Vanilla JS, it looks like you have a general problem with structuring your application.

Not sure if I'm being oversensitive here but it felt so patronising, and i couldn't even go for an angry walk to get it out my system because of social distancing lol.

Let a girl quarantine in peace!!!!!!

I'm currently planning to set myselv up with some vps/dedicated server's for a project. What i plan to do to secure these servers is.
*Use centos 7
* Setup Wireguard and join all of the servers +1 client (my pc) to that network
*Disable SSH Access from outside that VPN
*Only allow RSA Key login to the Servers
*Install Cockpit for monitoring
*Intall docker/kubernetes for the applications i plan to run

What do you guys think of that as a baseline? Im not sure if my lower powered VPS (VPS M SSD from Contabo) will work as Kubernetes Nodes, does anyone have experience with that?

In general these Servers will be used for my projects and other fooling around.

If you guys have other suggestions for Securing/monitoring or other software i could put on to have more control without eating up to much of the Servers power, let me know :D