Hi, I am a Javascript apprentice. Can you help me with my project?

- Sure! What do you need?

Oh, it’s very simple, I just want to make a static webpage that shows a clock with the real time.

- Wait, why static? Why not dynamic?

I don’t know, I guess it’ll be easier.

- Well, maybe, but that’s boring, and if that’s boring you are not going to put in time, and if you’re not going to put in time, it’s going to be harder; so it’s better to start with something harder in order to make it easier.

You know that doesn’t make sense right?

- When you learn Javascript you’ll get it.

Okay, so I want to parse this date first to make the clock be universal for all the regions.

- You’re not going to do that by yourself right? You know what they say, don’t repeat yourself!

But it’s just two lines.

- Don’t reinvent the wheel!

Literally, Javascript has a built in library for t...

- One component per file!

I’m lost.

- It happens, and you’ll get lost managing your files as well. You should use Webpack or Browserify for managing your modules.

Doesn’t Javascript include that already?

- Yes, but some people still have previous versions of ECMAScript, so it wouldn’t be compatible.

What’s ECMAScript?

- Javascript

Why is it called ECMAScript then?

- It’s called both ways. Anyways, after you install Webpack to manage your modules, you still need a module and dependency manager, such as bower, or node package manager or yarn.

What does that have to do with my page?

- So you can install AngularJS.

What’s AngularJS?

- A Javascript framework that allows you to do complex stuff easily, such as two way data binding!

Oh, that’s great, so if I modify one sentence on a part of the page, it will automatically refresh the other part of the page which is related to the first one and viceversa?

- Exactly! Except two way data binding is not recommended, since you don’t want child components to edit the parent components of your app.

Then why make two way data binding in the first place?

- It’s backed up by Google. You just don’t get it do you?

I have installed AngularJS now, but it seems I have to redefine something called a... directive?

- AngularJS is old now, you should start using Angular, aka Angular 2.

But it’s the same name... wtf! Only 3 minutes have passed since we started talking, how are they in Angular 2 already?

- You mean 3.

2.

- 3.

4?

- 5.

6?

- Exactly.

Okay, I now know Angular 6.0, and use a component based architecture using only a one way data binding, I have read and started using the Design Patterns already described to solve my problem without reinventing the wheel using libraries such as lodash and D3 for a world map visualization of my clock as well as moment to parse the dates correctly. I also used ECMAScript 6 with Babel to secure backwards compatibility.

- That’s good.

Really?

- Yes, except you didn’t concatenate your html into templates that can be under a super Javascript file which can, then, be concatenated along all your Javascript files and finally be minimized in order to reduce latency. And automate all that process using Gulp while testing every single unit of your code using Jasmine or protractor or just the Angular built in unit tester.

I did.

- But did you use TypeScript?

My last internship (it was awesome). A programmer developed a vacation/free day request application for internal use.
Asked if I could test it for security.
The dev working on it thought that was a very good idea as he wasn't much into security and explained how the authentication process worked.
I immediately noticed a flaw just from his explanation. He said it was secure anyways (with an explanation but his way of thinking was wrong in this case). Asked if I was allowed to show him. He said he was intrigued by this so gave me a yes right away.

For the record, user levels were normal user, general admin and super admin (he was the only super admin).

Wrote a quick thingy server side (one of my own servers/domains) for testing purposes.

Then I started.

Went from normal user to super admin (his account) through a combination of XSS and Session Hijacking within 15 seconds.

Explained him where he went wrong and he wrote a patch under my guidance 😃.

That felt so fucking awesome.

New Dutch (or european?) law requiring https for any website with a contact form or higher is going into effect very soon. Were contacting customers so they can still be on time with this, this is how most convo's go:

Collegue: *explains*
Client: Im sure my security is good enough...
Collegue: i'd really recommend it, we've got free options as well!
Client: its just a secure connection, whats the big deal...
Collegue: *more arguments*
Client: I just don't see the point, security.... well.... does it really matter that much...
Collegue: Google might place you lower in the search results if you don't get a secure connection.

Client: 😶😥😵 uhm so what were the https options again? 😅

I hope they all die a painful death 😠

There's this guy that sits next to me in a class.

Guy: Hey, you're a hacker right?
Me: I'm a programmer.
Guy: Can you hack into my email account?
Me: Nope, I work in a different field of computer science.

In reality, I want to give him a piece of my mind.

I already know his email so I open up the login page and enter it. I click "forgot password", and it asks for his favorite teacher's name. Keep in mind that he made this account this year.

Me: So anyways, who's your favorite teacher?
Guy: *proceeds to give me favorite teacher's name*
Me: 🤦‍♂️

I change his password and log into his account. After that, I show him and tell him about how he should keep his account secure.

He left class with a priceless look on his face.

The spam denier
_____

An old phone conversation with a client:

Me : Hello

Client : My website and server are suspended? why is that?

Me : Your server sends spam messages.

Client : We do not send spam messages, we are on vacation, there is none in the office.

Me : Yes, but it is not necessarily you, according to our logs, your server sent spam messages in Chinese and Russian, so someone from Russia or China....etc.

Client : I do not believe you, we do not speak russian or chinese, how could we then write spam messages in those languages?

Me : I told you, maybe someone exploited some vulnerability in your website or server firewall. And if you want to activate your services, please check with your webmaster and sysadmin to secure your ....

Client: I tell you my son, because I am old and I have more life experience than you ... I am 60 years old and I tell you, spam does not exist, and YOU suspended my website and server, and created issues to sell me more of your solutions and services.

I won't check my server, I won't hire a webmaster or a sysadmin, AND YOU WILL ACTIVATE MY SERVER NOW !

(I suddenly realized that I am talking to a wall, so I switched to a robotic tone).

Me : Please resolve the issue to activate your services..

Client : YOU WILL ACTIVATE MY S...

Me : Please resolve the issue to activate your services...

Client : WHAT IS THIS SPAM STORY ANYWAY, I DO NOT BELIEVE YOU ...

Me : Please google that word and you will understand what is spam is...

Client : YOU ARE F**ING LIARS, SPAM DOES NOT EXIST... ACTIVATE MY WEBSITE N.... Beeeep !

I hang up.

Well, I thought about configuring an automatic response for this client, or a for-loop.

His voice was really unpleasant, as if he is a heavy smoker.

Another one, teach secure programming for fucks sake! This always happened at my study:

Me: so you're teaching the students doing mysql queries with php, why not teach them PDO/prepared statements by default? Then they'll know how to securely run queries from the start!
Teachers: nah, we just want to go with the basics for now!

Me: why not teach the students hashing through secure algorithms instead of always using md5?
Teacher: nah, we just want to make sure they know the basics :)

For fucks fucking sake, take your fucking responsibilities.

I was reviewing one dev's work. It was in PHP. He used MD5 for password hashing. I told him to use to password_hash function as MD5 is not secure...

He said no we can't get a password from MD5 hashed string. It's one way hashing...

So I asked him to take couple of passwords from the users table and try to decode those in any online MD5 decoder and call me after that if he still thinks MD5 is secure.

I have not got any call from him since.

Started talking with someone about general IT stuff. At some point we came to the subject of SSL certificates and he mentioned that 'that stuff is expensive' and so on.

Kindly told him about Let's Encrypt and also that it's free and he reacted: "Then I'd rather have no SSL, free certificates make you look like you're a cheap ass".

So I told him the principle of login/registration thingies and said that they really need SSL, whether it's free or not.

"Nahhh, then I'd still rather don't use SSL, it just looks so cheap when you're using a free certificate".

Hey you know what, what about you write that sentence on a whole fucking pack of paper, dip it into some sambal, maybe add some firecrackers and shove it up your ass? Hopefully that will bring some sense into your very empty head.

Not putting a secure connection on a website, (at all) especially when it has a FUCKING LOGIN/REGISTRATION FUNCTION (!?!?!?!!?!) is simply not fucking done in the year of TWO THOUSAND FUCKING SEVENTEEN.

'Ohh but the NSA etc won't do anything with that data'.

Has it, for one tiny motherfucking second, come to mind that there's also a thing called hackers? Malicious hackers? If your users are on hacked networks, it's easy as fuck to steal their credentials, inject shit and even deliver fucking EXPLOIT KITS.
Oh and you bet your ass the NSA will save that data, they have a whole motherfucking database of passwords they can search through with XKeyScore (snowden leaks).

Motherfucker.

Ranted about him before but this just came to my mind again.
The fucking windows (to the max) fanboy I had to deal with for too long.

Every time I mentioned something about what programming language to use in a project he was NOT part of:
"I know it's none of my business, BUT I think you should use .net"
(All backend JavaScript and php guys).

Every time I mentioned something about what server system to use:
"I know it's none of my business but I think you should use Windows server"
(All Linux guys)

Every time I'd say something positive about Linux he'd search as long as needed to prove that that was also a windows thing (didn't even come close sometimes)

Every time I told the devs there about a windows security issue (as in "guys they found this thing, install the next update to stay safe :)" - "ahhh will do, thanks for letting know man!") he'd search as long as needed to prove that Linux also had had security issues like that.
(Okay?!? I know?!? I'm just trying to notify people so their systems stay secure and they're genuinely happy with that so STFU)

MOTHERFUCKER.

Navy story time, and this one is lengthy.
As a Lieutenant Jr. I served for a year on a large (>100m) ship, with the duties of assistant navigation officer, and of course, unofficial computer guy. When I first entered the ship (carrying my trusty laptop), I had to wait for 2 hours at the officer's wardroom... where I noticed an ethernet plug. After 15 minutes of waiting, I got bored. Like, really bored. What on TCP/IP could possibly go wrong?
So, scanning the network it is. Besides the usual security holes I came to expect in ""military secure networks"" (Windows XP SP2 unpatched and Windows 2003 Servers, also unpatched) I came along a variety of interesting computers with interesting things... that I cannot name. The aggressive scan also crashed the SMB service on the server causing no end of cute reactions, until I restarted it remotely.
But me and my big mouth... I actually talked about it with the ship's CO and the electronics officer, and promptly got the unofficial duty of computer guy, aka helldesk, technical support and I-try-to-explain-you-that-it-is-impossible-given-my-resources guy. I seriously think that this was their punishment for me messing around. At one time I received a call, that a certain PC was disconnected. I repeatedly told them to look if the ethernet cable was on. "Yes, of course it's on, I am not an idiot." (yea, right)
So I went to that room, 4 decks down and 3 sections aft. Just to push in the half-popped out ethernet jack. I would swear it was on purpose, but reality showed me I was wrong, oh so dead wrong.
For the full year of my commission, I kept pestering the CO to assign me with an assistant to teach them, and to give approval for some serious upgrades, patching and documenting. No good.
I set up some little things to get them interested, like some NMEA relays and installed navigation software on certain computers, re-enabled the server's webmail and patched the server itself, tried to clean the malware (aka. Sisyphus' rock), and tried to enforce a security policy. I also tried to convince the CO to install a document management system, to his utter horror and refusal (he was the hard copy type, as were most officers in the ship). I gave up on almost all besides the assistant thing, because I knew that once I left, everything would go to the high-entropy status of carrying papers around, but the CO kept telling me that would be unnecessary.
"You'll always be our man, you'll fix it (sic)".
What could go wrong?
I got my transfer with 1 week's notice. Panic struck. The CO was... well, he was less shocked than I expected, but still shocked (I learned later that he knew beforehand, but decided not to tell anybody anything). So came the most rediculous request of all:
To put down, within 1 A4 sheet, and in simple instructions, the things one had to do in order to fulfil the duties of the computer guy.
I. SHIT. YOU. NOT.
My answer:
"What I can do is write: 'Please read the following:', followed by the list of books one must read in order to get some introductory understanding of network and server management, with most accompanying skills."
I was so glad I got out of that hellhole.

So a group of 'researchers' (you'll get later why I call them 'researchers') conducted research to find the most secure browser.

Their result is Google Chrome!

Few minor details:

- THE WHOLE FUCKING RESEARCH THINGY WAS (mostly?) SPONSORED BY GOOGLE.

- THEY COMPARED IT MOSTLY TO INTERNET FUCKING EXPLORER AND EDGE.

Are they fucking retarded or something?! Yeah if it's going to go like that, Google Chrome will certainly become the winner/number 1.

Mother of fucking god.

A quite severe vulnerability was found in Skype (at least for windows, not sure about other systems) allowing anyone with system access (remote or local) to replace the update files skype downloads before updating itself with malicious versions because skype doesn't check the integrity of local files. This could allow an attacker to, once gaining access to the system, 'inject' any malicious DLL into skype by placing it in the right directory with the right file name and waiting for the user to update (except with auto updates of course).

From a company like Microsoft, taking in mind that skype has hundreds of millions of users worldwide, I'd expect them to take a very serious stance on this and work on a patch as soon as possible.

What they said about this: they won't be fixing it anytime soon as it would require a quite big rewrite of skype.

This kinda shit makes me so fucking angry, especially when it comes from big ass companies 😡. Take your fucking responsibility, Microsoft.

My disk isn't corrupted, it's just so secure that even I can't access it

So the new mass surveillance law will be going into effect from the 1st of January.

Of course, since I'm very keen on my security/privacy, I'm going to implement some precautions.

- A few vps's connecting to tor, i2p and VPN provider so that I can always use a secure connection.

- Setup anti tracker/ads/etc etc shit on the VPS's. Probably through DnsMasq and the hosts file.

- Use Tor browser by default. I've tried this for a while now and damn, the tor network has become way faster than only even a year ago! Some pages literally only take a few seconds to load.

- Wipe my laptop, encrypt the harddrive and at least put QubesOS on it together with probably a few other systems.

- Ungoogle my new phone, use it with VPN by default.

- Get rid of all non encrypted communication services. I think that only leaves me with a few account removals because I haven't chatted unencrypted for nearly a fucking year now.

If anyone has any more ideas, please share!

I hate this attitude of my study (when i studied):

"it might be a good idea to teach the students how to program securely by default?"

"oh no but we just want to teach them the basics"

"so why not the secure basics by default?!"

"nah we just want them to get started and understand it, that's all. We'll get to the secure way later on"

Well, fuck you.

"Do you have 2 factor auth for the database?"
a customer asked. I stared on the wall in front of me and suddenly fel and urge to punch and piss on something.
I took a deep breath while thinking to myself
*Oh boy, here we go. Another retard*
I put on my nice voice and asked:
"What you mean?"
The customer seems confused, as if my question did not make sense and he said:
"TWO FACTOR AUTHENTICATION! Dont you know what it is? To make the database more secure."

I was fucking right, this person reads to much shit. The fact that the email signature of that person said "Wordpress Developer" made me more angry.
I, still with the nice voice asked
"How would that work?"
"Two factor authentication when I am connecting to the database."
"So, do you want it by SMS then? You'll get alot of messages if it is going to send you one every time a query is made."
The following 7 seconds was dead silent until I heard the person hang up.

Goddamn I'm retarded to the next level.

Rebooted my phone a few days ago, some stuff didn't work well anymore and I'm looking for a new one which supports custom roms but I shouldn't spend too much right now so I thought I'd let it go for now.

Rebooted again last night and the network time wouldn't set properly so set it manually. Today I suddenly noticed that any app/page loading through a secure connection wasn't loading at all.

This to the goddamn point that my phone was becoming useless.

Started to search for a quick, cheap replacement supporting custom roms while debugging on and on.

I just (now) looked at the date and BAM, it hit me: I set it to one month earlier.

Mother of god I'm stupid. Brain fart to the max.

The amount of thinking and programming that goes into writing a secure backend is fucking high but I love it!

It helps to think like someone who'd want to hack a user or the application so you know most security measures you have to take :)

I think the coolest project I did was a few years ago, it was actually a Minecraft plugin.

I decided to learn Java for Minecraft, and a few months after I started learning Java, I was approached by someone who'd like to work with me to create this full-blown Gun Game style gamemode for Minecraft. I made it clear I didn't have the most knowledge, but I was willing to learn.

We began working on the project, the projects main class was bigger than any project I had worked on. Within a few months, it became one of the more popular plugins out there, even though we were still in an alpha mode. Had nearly 1,000 servers running the plugin, over 10k+ players total testing out the plugin.

Cause of this project, I learnt how to properly organize my code, how to make it efficient, learnt how to network, learned how to properly secure and verify anything being sent by the client, working with dependencies, adding features that can support a bunch of other plugins that other developers had, and a bunch more.

Sadly we couldn't finish the plugin anymore, so we gave someone else the source code who has kept it updated to this day. (I know I didn't provide much insight into what I'm saying and just gave a general overview, got a killer headache.)

I wonder why banks are always so terribly insecure, given how much money there's for grabs in there for hackers.

Just a while ago I got a new prepaid credit card from bpost, our local postal service that for some reason also does banking. The reason for that being that - thank you 'Murica! - a lot of websites out there don't accept anything but credit cards and PayPal. Because who in their right mind wouldn't use credit cards, right?! As it turns out, it's pretty much every European I've spoken to so far.

That aside, I got that card, all fine and dandy, it's part of the Mastercard network so at least I can get my purchases from those shitty American sites that don't accept anything else now. Looked into the manual of it because bpost's FAQ isn't very clear about what my login data for their online customer area now actually is. Not that their instruction manual was either.

I noticed in that manual that apparently the PIN code can't be changed (for "security reasons", totally not the alternative that probably they didn't want to implement it), and that requesting a forgotten PIN code can be done with as little as calling them up, and they'll then send the password - not a reset form, the password itself! IN THE FUCKING MAIL.

Because that's apparently how financial institutions manage their passwords. The fact that they know your password means that they're storing it in plain text, probably in a database with all the card numbers and CVC's next to it. Wouldn't that be a treasure trove for cybercriminals, I wonder? But YOU the customer can't change your password, because obviously YOU wouldn't be able to maintain a secure password, yet THEY are obviously the ones with all the security and should be the ones to take out of YOUR hands the responsibility to maintain YOUR OWN password.

Banking logic. I fucking love it.

As for their database.. I reckon that that's probably written in COBOL too. Because why wouldn't you.

I’m so mad I’m fighting back anger tears. This is a long rant and I apologize but I’m so freaking mad.

So a few weeks ago I was asked by my lead staff person to do a data analysis project for the director of our dept. It was a pretty big project, spanning thousands of users. I was excited because I love this sort of thing and I really don’t have anything else to do. Well I don’t have access to the dataset, so I had to get it from my lead and he said he’d do it when he had a chance. Three days later he hadn’t given it to me yet. I approach him and he follows me to my desk, gives me his login and password to login to the secure freaking database, then has me clone it and put it on my computer.

So, I start working on it. It took me about six hours to clean the database, 2 to set up the parameters and plan of attack, and two or three to visualize the data. I realized about halfway through that my lead wasn’t sure about the parameters of the analysis, and I mentioned to him that the director had asked for more information than what he was having me do. He tells me he will speak with director.

So, our director is never there, so I give my lead about a week to speak with her, in the mean time I finish the project to the specifications that the director gave. I even included notes about information that I would need to make more accurate predictions, to draw conclusions, etc. It was really well documented.

Finally, exasperated, and with the project finished but just sitting on my computer for a week, I approached my director on a Saturday when I was working overtime. She confirmed that I needed to what she said in the project specs (duh), and also mentioned she needed a bigger data set than what I was working with if we had one. She told me to speak to my lead on Monday about this, but said that my work looked great.

Monday came and my lead wasn’t there so I spoke with my supervisor and she said that what I was using was the entire dataset, and that my work looked great and I could just send it off. So, at this point 2/3 of my bosses have seen the project, reviewed it, told me it was great, and confirmed that I was doing the right thing.

I sent it off to the director to disseminate to the appropriate people. Again, she looked at it and said it was great.

A week later (today) one of the people that the project was sent to approaches me and tells me that i did a great job and thank you so much for blah blah blah. She then asks me if the dataset I used included blahblah, and I said no, that I used what was given to me but that I’d be happy to go in and fix it if given the necessary data.

She tells me, “yeah the director was under the impression that these numbers were all about blahblah, so I think there was some kind of misunderstanding.” And then implied that I would not be the one fixing the mistake.

I’m being taken off of the project for two reasons: 1. it took to long to get the project out in the first place,
2. It didn’t even answer the questions that they needed answered.

I fucking told them in the notes and ALL THROUGH THE VISUALIZATIONS that I needed additional data to compare these things I’m so fucking mad. I’m so mad.

So I was at work and send to another location (distribution centers) and in the lunch break my guider for that day and I started a conversation about servers etc (he appeared to do loads of stuff with that). He recommended me all those programs but I didn't recognize anything so I asked him what kinda servers he ran. He runs a lot of Windows servers. No problem for me but I told him that I am into Linux servers myself.

Guy: "Linux guy, eh? That system is considered to be so secure but in reality it's insecure as fuck!".

Me: (If he would come up with real/good arguments I am not going to argue against that by the way!) Uhm howso/why would you think that?
Guy: "Well all those script kiddies being able to execute code on your system doesn't seem that secure.".

*me thinking: okay hold on, let's ask for an explanation as that doesn't make any fucking sense 😐*

Me: "Uhm how do you mean, could you elaborate on that?"

Guy: "Well since it's open source it allows anyone to run any shit on your system that they'd like. That's why windows rocks, it doesn't let outsiders execute bad code on it.".

Seriously I am wondering where the hell he heard that. My face at that moment (internally, I didn't want to start a heated discussion): 😐 😲.

Yeah that was one weird conversation and look on open source operating systems...

I hate Linux so much. I mean, how could anyone of you barbarians like it??

I don't understand the hate for windows. It's secure, emphasizes privacy, and it's Microsoft. What's not to love?

Linux is just proprietary malware.

I still miss my college days. Our crappy IT Dept restricted internet usage on campus. Each student used to get 10 GB of internet data and they used Cyberoam for login (without HTTPS). 10 GB was so less (at least for me).

Now, thanks to CS50, I learned that HTTP was not secure and somehow you can access login credentials. I spent a night figuring things out and then bam!! Wireshark!!!!

I went to the Central Library and connected using Wireshark. Within a matter of minutes, I got more than 30 user ids and passwords. One of them belonged to a Professor. And guess what, it had unlimited data usage with multiple logins. I felt like I was a millionaire. On my farewell, I calculated how much data I used. It was in TBs.

Lesson: Always secure your URLs.

Following a conversation with a fellow devRanter this came to my mind ago, happened a year or two ago I think.

Was searching for an online note taking app which also provided open source end to end encryption.

After searching for a while I found something that looked alright (do not remember the URL/site too badly). They used pretty good open source JS crypto libraries so it seemed very good!

Then I noticed that the site itself did NOT ran SSL (putting the https:// in front of the site name resulted in site not found or something similar).

Went to the Q/A section because that's really weird.

Saw the answer to that question:

"Since the notes are end to end encrypted client side anyways, we don't see the point in adding SSL. It's secure enough this way".

😵

I emailed them right away explaing that any party inbetween their server(s) and the browser could do anything with the request (includingt the cryptographic JS code) so they should start going onto SSL very very fast.

Too badly I never received a reply.

People, if you ever work with client side crypto, ALWAYS use SSL. Also with valid certs!

The NSA for example has this thing known as the 'Quantum Insert' attack which they can deploy worldwide which basically is an attack where they detect requests being made to servers and reply quickly with their own version of that code which is very probably backdoored.

This attack cannot be performed if you use SSL! (of course only if they don't have your private keys but lets assume that for now)
Luckily Fox-IT (formerly Dutch cyber security company) wrote a Snort (Intrustion Detection System) module for detecting this attack.

Anyways, Always use SSL if you do anything at all with crypto/sensitive data! Actually, always use it but at the very LEAST really do it when you process the mentioned above!

- Let's make the authentication system so the user can only login in one device at time, because this is more secure.
- You know that this will be a general-public application, right?
- Yeah!
- Sou you want to "punish" users with a logoff on the other device when he tries to login in a new one?
- Yeah!
- But before you said we will use Json Web Token to make the backend stateless.
- Yeah!
- And how will we check if the token is the last one generated?
- We will store the last generated token for this user on a table in our DB.
- So... you are basically describing the old authentication model, with session tokens stored on the backend and communicating them via cookies.
- Yeah, but the token will be sent on the Header, not on cookies
- Okay, so why will we use Json Web Token to do this in the first place?
- Because this is how they're doing now, and this will make the backend stateless.

A moment of silence, please.

Just wanted to say cheers to all those coders among you who make sure their login is encrypted, their passwords are hashed and salted, their codes are tested and their forms are code injection safe.

No client will understand what you did, so take my props for it! After all, its our responsibility to make sure software is secure. That's all :)

I hate Wordpress. I hate Wordpress. I hate Wordpress.

Wordpress can take a big shit on itself and crawl into a deep dark hole far away from all that is good.

Who even uses Wordpress? Bloggers? Come on, let’s be honest, they’re using more intuitive sites like weebly, wix, and square space. So WHAT is Wordpress for? I’ll tell you, it’s just to FUCKING TORTURE PEOPLE.

So, being the “techy guy” of the family, a relative contacts me asking for some help with their website because they need to install an SSL certificate but they don’t know how to. I tell them I’d gladly do it because, sure, they’re family and how long can it possibly take to install a certificate? I’ve done it before!

Well, I get to work and log into the sluggish Wordpress dashboard and try to use a plugin that would issue a LetsEncrypt certificate because they are free and just as good as any other SSL. But one plugin after the next I keep getting errors about how my hosting wouldn’t allow it.

So I contact GoDaddy (don’t get me fucking started) and ask them about the issue. The guy tells me it’s “policy” to only be able to use GoDaddy’s certificates. How much do they cost? Oh, how about $100 a year?! Fuck you.

I figured out the only way to escape this hell was to ask them to open an economy Linux hosting account with cPanel on GoDaddy (the site was formerly hosted on a “Managed Wordpress” account which is just bullshit for not wanting to give you any control over your own goddamn content). So now I have to deal with migrating the site.

GoDaddy representative tells me that it should only take 20 minutes for me to do this (I’ve already spent way too much time on this but whatever) so I go forward with the new account. I decide I should migrate the site by exporting a backup and manually placing everything on the new server. Doesn’t it end up taking an entire hour to back up a 200MB site because GoDaddy throttled the processing speed?!

So, it’s another hour later and I’ve installed all the databases and carried over all the files. At this point, I’m really at the end of my rope and can’t wait to install the certificate and be done with this fuckery.

I install the certificate and finally get ready to be on my way, but then I see it. A warning. A warning from my browser telling me the site is only partially secure. It turns out the certificate was properly installed but whoever initially made the site HARDCODED ALL THE LINKS to images, websites, and style sheets to be http instead of https.

I’m gonna explode.

I swear, I’m gonna fucking explode.

After a total of 5 hours of work, I finally get the site secure by using search and replace on every fucking file.

Wordpress can go suck a big one. Actually, Wordpress can go suck the largest fuckin one in existence and choke on it.

TL;DR I agree to install an SSL certificate but end up with much more work than I bargained.

--- SUMMARY OF THE APPLE KEYNOTE ON THE 30TH OF OCTOBER 2018 ---

MacBook Air:
> Retina Display
> Touch ID
> 17% less volume
> 8GB RAM
> 128GB SSD
> T2 Chip (Core i5 with 1.6 GHz / 3.6 GHz in turbo mode)
Price starting at $1199

Mac Mini:
> T2 Chip
> up to 64GB RAM
> up to 2TB all-flash SSD
> better cooling than previous Mac Mini
> more ports than previous Mac Mini - even HDMI, so you can connect it to any monitor of your choice!
> stackable - yes, you can build a whole data center with them!
Price is 799$

Both MacBook Air and Mac Mini are made of 100% recyled aluminium!
Good job, Apple!

iPad Pro:
> home-button moved to trash
> very sexy edges (kinda like iPhone 4, but better)
> all-screen design - no more ugly borders on the top and bottom of the screen
> 15% thinner and 25% less volume than previous iPads
> liquid retina display (same as the new iPhone XR)
> Face ID - The most secure way to login to your iPad!
> A12X Bionic Chip - Insane performance!
> up to 1TB storage - Whoa!
> USB-C - Allow you to connect your iPad to anything! You can even charge your iPhone with your iPad! How cool is that?!
> new Apple Pencil that attaches to the iPad Pro and charges wirelessly
> new, redesigned physical keyboard
Price starting at 799$

Also, Apple introduced "Today at Apple" - Hundreds of sessions and workshops hosted at apple stores everywhere in the world, where you can learn about photography, coding, art and more! (Using Apple devices of course)

I'm not sure if this entirely qualifies and I might have ranted about it a few years ago but fuck it.

My last internship. Company was awesome and my mentor/technical manager got along very well with me to the point that he often asked me to help out with Linux based stuff (he preferred Linux but was a C# guy and wasn't as familiar with it as me (Linux)).

We had to build an internal site thingy (don't remember what it was) and we delivered (me and some interns) and then the publishing moment came so I went to out project manager (a not-as-technical one) and asked if he could install a LetsEncrypt certificate on the site (he knew how and was one of the only ones who had direct access to the server).

He just stared at us and asked why the fuck we needed that since it was an internal thing anyways.
I kindly told that since it's free and can secure the connection, I preferred that and since its more secure, why the fuck not?
He wasn't convinced so it was off.

Next day I came in early and asked my mentor if he could do the SSL since he usually had access to that stuff. He stared at me with "what?" eyes and I explained what the PM said.

Then he immediately ssh'd in and got the damn cert with "we're going to go secure by default, of course!"

A minute later it was all set.

!rant && sarcasm

For a long time now I've been trying to convince people to use secure communication. I'm used to getting called "paranoid", but the killer phrase always was (and still is): "Why do you want me to encrypt my communication, I HAVE NOTHING TO HIDE, so I don't care who's reading it" - "It's not about hiding something, it's about private stuff staying private" - "Yeah, whatever"

"I have nothing to hide". That always killed the conversation... until I asked them to hand me their phones, unlocked, for 5 minutes.

"No" - "Why? I thought, you had nothing to hide and don't care who's reading it?" - "Uhmmm..."

More and more people around me are popping up in my Signal contact list.
Looks like they suddenly care a lot about private stuff staying private </sarcasm>

"please use a secure password*"

* But don't make it too secure, 20 Charakters is enough.

Why would you fucking do this? The only reason I can think about is a scenario like this:
"How do we store the passwords in the database?"
"Just like anything else?"
"So I create a VARCHAR(20)?"
"Yeah why not? It's good enough for a name, and you shouldn't use your or anyone else's name as a password, so it should be perfect"

You know what you sound like when you say that "I want to be a programmer but this code is offensive so remove it"? It's like saying that "I want to be a surgeon but I don't like blood, so remove the blood right now."

I personally don't really like blood a whole lot, especially when it comes out of the bodies of other people. I don't really want to become a surgeon, but let's say that I would. "Teacher, I don't like blood, I want to become a surgeon but I hate blood!!! MAKE ALL PATIENTS STOP BLEEDING NOW!!!"

To which my teacher surgeon would of course respond: "Well how about you don't become a surgeon then, because humans that are cut open do bleed, and there's nothing we can do about it."

Same thing with code. You know why code is written? To be a useful tool, for people to become more productive by running the thing (unlike the average SJW). And normal people, you know how much they care about the code? They only care for it as much as for it to be able to run properly. And the ones that do look in the source code either want to improve its functionality or check whether it's actually something decent, secure, safe to run etc etc. People don't normally look at code for the sake of getting offended by something.

But the formulation used in the code, does it even matter? Jerk, it's a term that's used in physics. Does it refer to your despised white cis males whacking off? Of course it doesn't, it's a term to describe change in acceleration. Masters and slaves in code, does it refer to slavery? Most certainly it doesn't. So why bother?

TL;DR I'm fucking sick and tired of Devs cutting corners on security! Things can't be simply hidden a bit; security needs to be integral to your entire process and solution. Please learn from my story and be one of the good guys!

As I mentioned before my company used plain text passwords in a legacy app (was not allowed to fix it) and that we finally moved away from it. A big win! However not the end of our issues.

Those Idiot still use hardcoded passwords in code. A practice that almost resulted in a leak of the DB admin password when we had to publish a repo for deployment purposes. Luckily I didn't search and there is something like BFG repo cleaner.

I have tried to remedy this by providing a nice library to handle all kinds of config (easy config injection) and a default json file that is always ignored by git. Although this helped a lot they still remain idiots.
The first project in another language and boom hardcoded password. Dev said I'll just remove before going live. First of all I don't believe him. Second of all I asked from history? "No a commit will be good enough..."

Last week we had to fix a leak of copyrighted contend.
How did this happen you ask? Well the secure upload field was not used because they thought that the normal one was good enough. "It's fine as long the URL to the file is not published. Besides now we can also use it to upload files that need to be published here"
This is so fucking stupid on so many levels. NEVER MIX SECURE AND INSECURE CONTENT it is confusing and hard to maintain. Hiding behind a URL that thousands of people have access to is also not going to work. We have the proof now...
Will they learn? Maybe for a short while but I remain sceptic. I hope a few DevrRanters do!

Client reads about MomgoDB ransomware attacks online.

Him: I heard that the MongoDB is not secure, we should use something else in our system.
Me: Those databases got attacked because security features were turned off. If you want you can have an external security team to test the system when it's done.
Him: I don't wana take any risk, so I we should use something else.

We have been working on this system for almost a year and the final stage was supposed to be delivered in a month.

He wants me to replace it with MySQL

Some 'wk306' highlights from different people:

Walk around the office in his underwear, because he forgot he left his trousers in the bathroom

Run a red light outside the office due to not wearing his required glasses. When questioned by co-workers, replied "I don't follow those facist rules"

Asking if we work less will we get paid more, because the project will take longer to do (while in a startup with no funding trying to secure some)

Tell a senior dev to stop testing in his spare time, as we won't be able to release on time if he keeps finding critical security bugs

Telling me "your timezone is not my concern", when asking for help with new tooling so we don't have to be online at the same time

Blaming my team for requesting too much help, leading to his team missing deadlines, in a meeting with very senior managers. When the reason we were requesting help was the handover doc we were given was filled with lies about features being finished and "ready to ship" and lacking any unit tests

Being accused of bullying and harassment to the CEO, because someone asked "did you follow up with X about the partnership they emailed us about". The person who was responsible, forgot 4 times, and saw it as an "attack" to mention it in team meetings

Telling an entire office/building mid November they've secured funding for at least the next year, then announcing in January after the Christmas break that its cheaper to move to India, so they are closing the office in 30 days

Warning: long read....

I got a call this morning from a client who was panicking about not being able to login to his web panel.

So I went to the web panel and tried to login and was just redirected back to the login page. No errors or anything (at least visible on the page). Went looking for an error_log file and found it.

It turns out there was an error was showing: Disk quota exceeded.

So I went into the cPanel and checked, he used about 16GB out of 100GB and that got me confused. So I looked around and found out he was using about 510000/500000 inodes.

Went looking trough FTP to see where he has so many files and try and remove some.

Well it turns out that there were about 7 injected websites (warez, online casino, affiliate one etc) and a full hacking web panel on his FTP. After detailed analysis some who actually built the site (I just maintain some parts) made an upload form available to public with any checks on it. Meaning anyone could upload whatever they wanted and the form would allow it.

The worst part is that the client is not allowing us to secure the form with some sort of login or remove it completely (the best option) as it is not really needed but he uses it to upload some pdf catalogs or something.

TL; DR;
Old programmer created an upload form that was accessible to anyone on the web without adding any security or check as to see what kind of files was getting uploaded. Which lead to having maximum number on inodes used on server and client being unable to login.

Side note:
And ofc I had to go and fix the mess behind him again, even though he stopped working a long time ago and I started just recently and have been having nightmares of this project.

*logs out of Google on Android*
*has this persistent Google search bar on launcher which I keep on accidentally tapping*

Alright, so I'm not logged into Google to see how it goes. Kind of an experiment to see just how intertwined Android and my life are with Google. And it's going quite well actually, except for my prime apps that I can't seem to get around.

*reads Google privacy policy*
"We protect your data by keeping it secure!"
Hmm, yeah.. you and 3 letter agencies are keeping it secure and out of the hands of other individuals.. that makes sense.
Don't be evil.. unless you're the devil, right?
Fuck you, I won't login like this.

*accidentally opens Google*
*le trending results show up*

- KSI vs Logan Paul weigh-in!
- KSI vs Logan Paul Manchester!
- KSI vs Logan Paul arena fight!

*opens up NewPipe in which I am not logged in either*
- KSI vs Logan Paul!!!
- Did you see the KSI vs Logan Paul stuff yet?!

*logs back into Google straight away*
Personalized search engine.. many hate it, but boy do I fucking love it.

Damn, credit cards are so fucking secure these days that you hardly can BUY shit with them!
I need some special electronics that I only can get from a vendor in the US, which is overseas. Click click, buy, done. Well no, credit card refused. WTF? Click retry link. No, still refused. FUCK.
Called up the 24/7 hotline of my CC company. Oh yeah, that got blocked by the security system, somehow. We disable that for 20 minutes, just retry. Clicked retry link at the vendor. No failure mail. Hmmm, too good to be true?! Called up the electronics vendor. Yeah should work, stuff is in the warehouse stage. 40 minutes later: credit card declined. FUCK.
Called up the CC company again. Ok, disable blocker for one hour. Nice advice from them, tell the vendor it's only 45 minutes so that there's some buffer. Clicked retry link at the vendor and called them up to make sure that they retry before the time runs out.
LO AND BEHOLD, I could finally pay the shit!!

Let me explain a tiny corner of some awful code I read earlier today, in layman’s terms.

It’s a method to see if the user is in a secure session — not to set up the session, just to see if it exists. The method ends with a question mark, so it’s basically a question. It should look up the info (without changing anything) and should always give a clear yes/no answer. Makes sense, right?

Let’s say the question is “am I in school right now?”

The code… well.

If there isn’t a student, the answer it gives is null, not yes or no. Null is a fancy word for no, pretty much, so that’s kinda fine, but it really should be a simple no.

It then checks to see if the school is open today. If it is open, it then checks to see if I made my lunch, if I took my backpack, and if I rode the bus — and makes these things happen if they didn’t. Forgot my backpack? Just ask “am I in school today?” And poof! There’s my backpack! … but only if the school is open.

It then, finally, checks to see if I’m actually in the school, and gives that answer.

It could just see if I’m in the school — I mean, I could be in school without a backpack, or walked there on the weekend, right? Ha! You and your silly logic have no place here.

So, by asking if the user is in a secure session, we change the answer: they weren’t before, but the act of asking makes it so. This isn’t profound or anything: I don’t work with Schrödinger. My coworkers are just idiots.

And no, the rest of the code isn’t any better…

Recently, one of our passwords was accidently published on a public page for a few minutes before it was noticed and removed. Unfortunately, this password opens nearly every locked account so it's a pretty big deal.

Management was informed of this mistake and told that we should change the passwords as well as implement a few other protocols to make sure this doesn't happen again including things like unique passwords, more secure passwords, using a password manager, etc.

Their response? It wasn't online long, probably no one saw it. There will be no changes in how we handle ours or our clients' secure passwords.

I love how the Keybase Linux client installs itself straight into /keybase. Unix directory structure guidelines? Oh no, those don't apply to us. And after uninstalling the application they don't even remove the directory. Leaving dirt and not even having the courtesy to clean it up. Their engineers sure are one of a kind.

Also, remember that EFAIL case? I received an email from them at the time, stating some stuff that was about as consistent as their respect for Unix directory structure guidelines. Overtyping straight from said email here:

[…] and our filesystem all do not use PGP.
> whatever that means.

The only time you'll ever use PGP encryption in Keybase is when you're sitting there thinking "Oh, I really want to use legacy PGP encryption."
> Legacy encryption.. yeah right. Just as legacy as Vim is, isn't it?

You have PGP as part of your cryptographic identity.
> OH REALLY?! NO SHIT!!! I ACTIVELY USED 3 OS'S AND FAILED ON 2 BECAUSE OF YOUR SHITTY CLIENT, JUST TO UPLOAD MY FUCKING PUBLIC KEY!!!

You'll want to remove your PGP key from your Keybase identity.
> Hmm, yeah you might want to do so. Not because EFAIL or anything, just because Keybase clearly is a total failure on all levels.

Written quickly,
the Keybase team
> Well that's fucking clear. Could've taken some time to think before hitting "Send" though.

Don't get me wrong, I love the initiatives like this with all my heart, and greatly encourage secure messaging that leverages PGP. But when the implementation sucks this much, I start to ask myself questions about whether I should really trust this thing with my private conversations. Luckily I refrained from uploading my private key to their servers, otherwise I would've been really fucked.

Can someone explain to me why the fuck I should even care about the fact, that some companies collect, use and sell my data? I'm not famous, I'm not a politician and I'm not a criminal, I think most of us aren't and won't ever be. We aren't important. So what is this whole bullshittery all about? I seriously don't get it and I find it somewhat weird that especially tech guys and IT "experts" in the media constantly just make up these overly creepy scenarios about big unsafe data collecting companies "stealing" your "private" information. Welcome to the internet, now get the fuck over it or just don't be online. It's your choice, not their's.

I honestly think, some of these "security" companies and "experts" are just making this whole thing bigger than it actually is, because it's a damn good selling point. You can tell people that your app is safe and they'll believe you and buy your shit app because they don't understand and don't care what "safe" or "unsafe" means in this context. They just want to be secure against these "evil monster" companies. The same companies, which you portrayed them as "evil" and "unfair" and "mean" and "unrepentant" for over a decade now.

Just stop it now. All your crappy new "secure" messenger apps have failed awesomely. Delete your life now, please. This isn't about net neutrality or safety on the internet. This is all about you, permanently exaggerating about security and permanently training people to be introverted paranoid egoistic shit people so that they buy your elitist bullshit software.

Sorry for my low english skills, but please stop to exist, thank you.

I've just been given a beautiful turd of a PC with only 512MB RAM to get ready for someone in the residence. Way too small for any modern Windows or even Linux with a halfway decent GUI. And the user doesn't have any technical background so I highly doubt that they'll be able to maintain a Linux system. Windows XP is full of security issues but it might just be able to run on that craptop. Due to me knowing that it's a vulnerable system though, I've got an ethical issue with that. Windows XP is insecure but at least the user would be able to use it.. and Linux is secure but it'd never get updated, and I really don't want that guy to come knock on my door every time he wants to install a piece of software.. the guy fucking stinks! What would you do in a situation like that?

Taking IT classes in college. The school bought us all lynda and office365 accounts but we can't use them because the classroom's network has been severed from the Active Directory server that holds our credentials. Because "hackers." (The non-IT classrooms don't have this problem, but they also don't need lynda accounts. What gives?)

So, I got bored, and irritated, so I decided to see just how secure the classroom really was.

It wasn't.

So I created a text file with the following rant and put it on the desktop of the "locked" admin account. Cheers. :)

1. don't make a show of "beefing up security" because that only makes people curious.
I'm referring of course to isolating the network. This wouldn't be a problem except:

2. don't restrict the good guys. only the bad guys.
I can't access resources for THIS CLASS that I use in THIS CLASS. That's a hassle.
It also gives me legitimate motivation to try to break your security.

3. don't secure it if you don't care. that is ALSO a hassle.
I know you don't care because you left secure boot off, no BIOS password, and nothing
stopping someone from using a different OS with fewer restrictions, or USB tethering,
or some sort malware, probably, in addition to security practices that are
wildly inconsistent, which leads me to the final and largest grievance:

4. don't give admin priveledges to an account without a password.

seriously. why would you do this? I don't understand.
you at least bothered to secure the accounts that don't even matter,
albeit with weak and publicly known passwords (that are the same on all machines),
but then you went and left the LEAST secure account with the MOST priveledges?
I could understand if it were just a single-user machine. Auto login as admin.
Lots of people do that and have a reason for it. But... no. I just... why?

anyway, don't worry, all I did was install python so I could play with scripting
during class. if that bothers you, trust me, you have much bigger problems.

I mean you no malice. just trying to help.

For real. Don't kick me out of school for being helpful. That would be unproductive.
Plus, maybe I'd be a good candidate for your cybersec track. haven't decided yet.

-- a guy who isn't very good at this and didn't have to be
have a nice day <3

oh, and I fixed the clock. you're welcome.

Can someone please explain to me WHY THE FUCK non devs feel like they know shit. I DON'T GIVE A FUCK ABOUT HOW YOU FOUND SOME UNTRUE SHIT ON GIZMODO. I'VE KNOW SO MUCH ABOUT THIS SHIT, AND YOU LOOKED UP THE FIRST EXAMPLE YOU COULD FIND THE SUPPORTS YOUR CASE. The most recent time this happened was OVER THE LAST FEW DAYS when this DUMBASS that my friends and I BULLY but HE STILL HANGS AROUND. (By bully, yes sometimes we are mean to him, but we're not out to get him. He comes to us and we don't wanna be with him). So after the SEVENTH groupchat (on two apps) he created that night, HE WANTED TO SWITCH BACK TO ANOTHER APP I SPENT A WEEK TRYING TO GET THEM TO SWITCH FROM PREVIOUSLY (It was whatsapp, i got them to switch to telegram). THEN HE TRIED to ARGUE with me about how TELEGRAM wasnt secure. HE SEARCHED "is telegram secure" on Google and chose the FIRST ARTICE from the previously mentioned, GIZMODO which says that TELEGRAM chats ARENT ENCRYPTED by DEFAULT. HOW THE FUCK DO DUMBASSES GET THIS KIND OF PUBLICITY. There's a difference between ENCRYPTION and END TO END DUMBASS. Then he told me whatsapp is more secure than telegram. NO ITS FUCKING NOT. In telegram, your encryption keys CHANGE every chat, or every 100 messages. To my best research, whatsapp only has ONE key per USER. I could go on forever about how chat backups in whatsapp are UNENCRYPTED or how FACEBOOK stores your data, but blocked you works to.

CAN YOU PLEASE UPDATE TO 2018!!!

My bank just sent me a message, that they have a new service where you can send a private message to your banker.

I needed to transfer money, and didn't have my cheque book on me, so I sent him a message to please transfer XX dollars to account YY.

His response?
Please send us a fax.

A FAX?? ARE YOU SERIOUS??

And that is supposed to be more secure than a private message from your website, after you force me to change my password every 90 days with crazy requirements that only satisfy hackers???

I told my friend that he will get his money when the bank updates the century they live in ...

At my previous job we had to complete an online security training exercise. It shows you how to behave secure in the work place, to not open unknown links etc. The scary part was that the entire training thing was BUILT IN FUCKING FLASH. So I'm suppose to listen to some god damn virus shitting flash application on how to do online security?! Get your shit together before teaching others.

So this PR company hired my firm to convert their client's Wix website to WordPress to have better control over content and SEO, not to mention get away from the piss-poor "absolute position everything" setup of Wix. This is a single page design. 2 days later, we deliver it, performing faster than Wix and with a few extra goodies on the UI.

The client's director of IT wants to stay on Wix, because it's "the most secure provider", and will only move their ONE PAGE INFORMATIONAL WEBSITE to another platform and host if they answer a 133 item "security questionnaire". Short of SSNs, they want to basically know everything, including our proprietary and confidential security practices. You aren't Google...stop acting like you are...

How are people this stupid a "director" of anything?

"You've been working on this for 6 weeks, and I don't see any changes. What have you done?"
"I completely overhauled the backend, now everything makes more sense and we're using more modern APIs"
"But nothing's changed at all! The front-end looks exactly the same!!"
"*sigh* The new backend is also more secure.. "
"Oh, so it's a security upgrade, that's good, but why did it take six weeks?"
-_-

Back when I migrated my file server to a VM, I used robocopy to copy everything over (and caused quite a few fuckups before it'd behave halfway decent.. or so I thought). Now I tried to add my desktop's SSH key to the authorized_keys on said server but it wouldn't accept my key after that. After a bit of digging I've found that my entire home directory (where the file server hosts its mirror of my D: drive) had everything set to 777, and that's why the key isn't accepted. Great permission mode, isn't it? Much secure, very wow! Thank you so much robocopy!!!

One of the more memorable computer problems I solved were when I added some lego blocks to solve a recurring windows bluescreen
A friend had a Pentium 3 (slot 1) that kept throwing him several bluescrens per day so I decided to help
I open up the computer and saw that the processor were not properly securred in it's place and the plastic pieces that should have holding it in place were gone, so I improvised pressing in some lego pieces that I found somewhere to secure that the processor didn't move if someone were walking close to the computer and after that he didn't have any more bluescreens than the rest of us

To this day I can't figure out why people still drink the windows koolaid.

It's less secure, slower, bloatier (is that a word?), Comes with ads, intrudes on privacy, etc. People say it's easier to use than Linux, but 99% of what anyone does happens on a chrome based web browser which is the same on all systems!

When it comes to dev, it boggles the mind that people will virtualize a Linux kernel in Windows to use npm, docker, k8s, pip, composer, git, vim, etc. What is Windows doing for you but making your life more complicated? All your favorite browsers and IDEs work on Linux, and so will your commands out of the box.

Maybe an argument can be made for gaming, but that's a chicken an egg scenario. Games aren't built for Linux because the Linux market is too small to be worth supporting, not that the games won't work on it...

Rant:
Why in the freezing cold all people think that linux = secure. Ransomware... Bla bla not happening on linux bla bla... Linux is secure.

If Linux would have been the most popular one people will pretty much run everything on root and install every stupid package available and never run: apt-get update.

Users were so dumb they got scammed by a phising mail... In freaking 2017... This is user stupidity not OS fault...

God its stupidly annoying seeing the same stuff : Linux secure...
Everything can be secure if you paid attention to the same stuff in freaking 2000.

so yeah let's have conference about security but its perfectly fine to have registrations over non-secure connection!

Was just thinking of building a command line tool's to ease development of some of my games assets (Just packing them all together) and seeing as I want to use gamemaker studio 2 thought that my obsession with JSON would be perfect for use with it's ds_map functions so lets start understanding the backend of these functions to tie them with my CL tool...

*See's ds_map_secure_save*

Oh this might be helpful, easily save a data structure with decent encryption...

*Looks at saved output and starts noticing some patterns*

Hmm, this looks kinda familiar... Hmmm using UTF-8, always ends with =, seems to always have 8 random numbers at the start.. almost like padding... Wait... this is just base64!

Now yoyogames, I understand encryption can be hard but calling base64 'secure' is like me flopping my knob on the table and calling it a subtle flirt...

some people are fucking idiots.

i remember one time - i made a website which ended up having a slightly major security flaw.

the big isnt the point though. this guy told me to just "write secure code."

i consequently told him, "how about you go fuck yourself?"

well, he was a painter, so i then told him "maybe you should fucking draw better," and promptly left.

well, here i present what that would be like if other people were told shit like that.

depressed person - "just be happy"

teacher - "just make your students smarter"

homosexual - "just like the opposite sex"

presidential candidate - "just win the election"

homeless person - "just get a house"

idiot - "just stop being my client" (sorry had to vent)

well you get the idea.

devs should be treated as functioning members of society.

TL; DR: Bringing up quantum computing is going to be the next catchall for everything and I'm already fucking sick of it.

Actual convo i had:

"You should really secure your AWS instance."

"Isnt my SSH key alone a good enough barrier?"

"There are hundreds of thousands of incidents where people either get hacked or commit it to github."

"Well i wont"

"Just start using IP/CIDR based filtering, or i will take your instance down."

"But SSH keys are going to be useless in a couple years due to QUANTUM FUCKING COMPUTING, so why wouldnt IP spoofing get even better?"

"Listen motherfucker, i may actually kill you, because today i dont have time for this. The whole point of IP-based security is that you cant look on Shodan for machines with open SSH ports. You want to talk about quantum computing??!! Lets fucking roll motherfucker. I dont think it will be in the next thousand years that we will even come close to fault-tolerant quantum computing.

And even if it did, there have been vulnerabilities in SSH before. How often do you update your instance? I can see the uptime is 395 days, so probably not fucking often! I bet you "dont have anything important anyways" on there! No stored passwords, no stored keys, no nothing, right (she absolutely did)? If you actually think I'm going to back down on this when i sit in the same room as the dude with the root keys to our account, you can kindly take your keyboard and shove it up your ass.

Christ, I bet that the reason you like quantum computing so much is because then you'll be able to get your deepfakes of miley cyrus easier you perv."

About browsers and whole SSL CERT thing...

Most likely everyone here noticed, that https site with broken certificate will throw these big red warnings, in your face and there is so much wording like "ITS NOT SECUREEEE" or "ITS HACKEDDD" almost like it was written by passionate fanatic.

But when you are on plaintext http browsers reaction is like ¯\_(ツ)_/¯
Even if you have plaintext with password, it will for example in chromium put small little red thingy that almost no one notices.

I believe that broken cert with some error like invalid date is MORE secure than plaintext password, yet still there is this hypocracy with browsers...

I dont say that broken SSL cert is good, or something, Im just pointing out contrast of "broken" https vs plain http.... One looks for casual Joe like end of the world is coming and second is bearly noticable. Da fuck?

I disagree with this approach

Call me boring but...

Working in a secure job with a great work/life balance, little or no travel, great people, really interesting challenges, earning a tidy salary, contributing to open source, all the while creating something worthwhile and interesting.

I have a few of those already, so can't complain.

My old job was almost perfect. I was a systems engineer for a research network. My duties were to configure, build, install, secure, manage and repair Linux hosts used for research on projects so advanced/cutting edge that I could spend days just listening to researchers explaining them and I honestly loved it! I understood less than half of the projects but just seeing how motivated and excited the researchers are made the job my favourite. Unfortunately I had to leave and get a job closer to my house because having a 2 hour (one way) commute for two years was killing me :-/ relocation wasn't an option and still isn't but I'd be lying to myself if I tried to say I wouldn't go back as soon as I could.

Someone ask to me as a security engineer.

Bro : what do you think about most secure way to authenticate, i read news using fingerprint no longer safe?
Me : yes they can clone your fingerprint if you take a photo with your fingerprint to camera.
Bro : so what is the other way to authenticate more secure and other people can't see in picture ?
Me : D*ck authentication is more secure now, other people can't see your d*ck pattern right?

Being a programmer for a while now it always irritates me to try to explain what I'm working on to friends and family. I forget what I knew before I developed. I'm always like "I made the strings in the database- oh I mean the words...well they're actually more like strings of letters- well anyway I made a code to sanitize the user input- I mean make it so it is secure before uhhh saving." I spend so much time watering what I'm saying down I forget what I'm talking about

It's not even funny. It'd be funny if one single person in my family or friend group understood what I meant to some degree.

So my goverment is hosting a competition to secure govt systems from malwares like wannacry etc

solution I submitted: Remove windows and install linux. 😂😂😂😂😂

You probably know the "marshmellow experiment": have one marshmellow now, or delay the gratification by some time, then get two. What the experiment is supposed to measure is something like intelligence or impulse control.

Hot take: what it also measures, and much more so when it comes to reality, is trust. If I don't trust the other side to be both able and willing to deliver on the promise later, I will rather secure the smaller reward right now.

This fcktard client that insist on using an iframe and demands support for browsers like IE7. You are costing me years of my life.

Fucking fuck of a Microsoft trying to protect people against tracking from 3d parties in an iframe in random ways in some versions of IE7. Or IE11 in IE7 compatibility mode.

If you are going to refuse sessions just do it! I got a fucking check and fix for that. Because these fuck faces friendly people at Apple like to refuse sessions on iPads and iPhone too. But we worked that out, because they are at least consistent. So a few dirty little hacks made it all Okay.

But no, Boo Hoo I'm Microsoft and I will throw a tantrum. I like my browsers to be like an magican, instead of an usefull piece of software. If you look in this page, or look here we got them. I got your sessions​, safe and secure.

But when you need me, to verify that the user is allowed to access data we do a little hocus pocus and now they are gone. Nowhere to be seen or found again. Fun times free fucking magic shows all day long.

It's morning but maybe its time for a bottle of scotch. Maybe if I'm in the state as this browser. Where I don't know what I'm doing because I'm shitfaced drunk it will start working.

When in Rome do as the romans do.

Security lifehacks 101

Why pay for password managers? Just use one secure password for every service you use! Password managers are really designed for fools who don’t know that you can just use one password for every service and who are ready to pay for that shit.

The best practice is to use your name starting with a capital letter + your main credit card number + CVC code from the back of that card as your go-to password. It’s long and hard to bruteforce and you can remember everything that way! You just need to remember that one password and you’ll always remember your payment info! No need for apple’s bad Apple Pay which is not so secure after all like everything else that Apple offers.

!rant

YES YES YES YES YES

GIMME SOME OF THOSE TYPED PROPERTIES <3

When I first started trying out Java I hated that I had to type every variable I declared, coming from a javascript and php background

nowadays I can't live without them, it feels so safe and secure <3 <3 <3

Wow our network is so safe, our network is so secure, our network is so non exploitable that our devs can't downloade packages in VS, our company only have two IT dudes who can fix that issue and they're non existing. Wow..

why do i have an iphone?

well, let's start with the cons of android.

- its less secure. this isn't even arguable. it took the fbi a month or something (i forget) to break into an ios device

- permission, permissions, permissions. many of the android apps i use ask for the not obscure permissions.
· no, you don't need access to my contacts
· no, you don't need access to my camera to take notes
· no, you don't need access to my microphone to send messages
· no, you don't need access to my saved passwords to be a functioning calculator

- not being able to block some apps from an internet connection

- using an operating system created and maintained by an advertising company, aka no more privacy

- i like ios's cupertino more than material design, but that's just personal preference

pros of ios:

- being able to use imessage, at my school if you don't have an iphone you're just not allowed to be in the group chat

- the reliability. i've yet a data loss issue

- the design and feel. it just feels premium

- if i could afford it, ios seems like a lot of fun to develop for (running a hackintosh vm compiled a flutter app 2x as fast as it did on not-a-vm windows)

so that's why i like iphones
google sucks

It's 28°C and the fucking (2015)macbook's metal body is running at atleast 70, burning my legs and making the inside temperature even worse ..

And Im only running Idea and Chrome...

Why have you designed a hellish tool like this instead of a normal laptop? What good is it to me that It's so slim and mobile if I have to have it on a table to avoid having 2nd degree burns on a daily basis?!

Seriously, what the fuck... I didn't ask for this shit, but my company requires me to use this "secure" laptop... Fuck everyone that was involved in this laptops design!!!

I'm a game designer student in a Brazilian university. In my class I'm the only one who likes code and made the secure choice to be a future game programmer.

But recently some dudes on my class started to discourage me and telling me to give up that course and change to a computer science course.

I didn't feel that way... I think game programmers who know all the stuff and process of game development( modelling, concepts etc) are better professionals than the ones who just knows the scripting process. But sometimes their opinion flows up my head and I feel so unknown if I staying in the right way or not.

(Sry if my english still bad..hope you all understand anyway)

We are required to use corporate SSO for any authenticated internal websites, and one of the features they require you to implement is a "logout" button.

They provide a whole slew of specifications, including size and placement/visibility, etc. They provide an SSO logout URL you must redirect to after you take care of your own application logout tasks.

Makes sense... except the logout URL they provide to serve the actual SSO logout function broke over 3 months ago, and remains non-functional to this day.

Apparently I'm the first person (and perhaps one of the only people) who reported it, and was told "just not to worry about it".

So, we have a standing feature request to provide a button... that doesn't actually work.

Corporate Security - Making your corporation _appear_ more secure every day...

Clients r wankers. He wants to be able to send login details incl passwords in email to his clients when he adds them in the cms. The passwords are encrypted and generated on creation of a new user. Ive told him that sending credentials in email is shit and not secure. The stubborn bastard wont budge, so instead i've put explicit instructions to reset password once logged in with the credentials they send. Any other suggestions?

Overheard a dev bragging about how our site is fully PCI compliant. So much so even the invoice data is secure. My BS meter went off, so I decided to look at what 'secure' code looked like.

Guys what I want to know is how do you secure your code so that they pay you after you deliver the code to them?
So recently I was in this internship that I secured with an over-the-phone interview and the guy who was contacting me was the CEO of the company (I'm going to refer to him as "the fucking cunt" from now on). He asked me to do some OCR and translations and I managed to write a few scripts that automate the entire process. The fucking cunt made me login remotely to his desktop which was connected to the server (who the fuck does that) and I had to operate on the server from his system. I helped him with the installation and taught him how to use the scripts by altering the parameters and stuff, and you know what the fucking cunt did from the next day onward? Dropped contact. Like completely. I kept bombing emails upon emails and tried calling him day after day, the fucking cunt either picked up and cut the call immediately on recognising its me or didn't pick up at all. And the reason he wasn't able to pay me was, and I quote, "I am in US right now, will pay you when I get back to India." I was like "The fuck was PayPal invented for?" Being the naive fool that I was, I believed him (it was my first time) and waited patiently till the date he mentioned and then lodged a complain in the portal itself where he had posted the job initially. They raised a concern with the employer and you know what the fucking cunt replied? "He has not been able to achieve enough accuracy on the translations". Doesn't even know good translation systems don't exist till date ( BTW I used a client for the google translate API). It has been weeks now and still the bitch has not yet resolved the issue.And the worst part of it was I got a signed contract and gave him a copy of my ID for verification purposes.
I'm thinking of making a mail bomb and nagging him every single day for the rest of his life. What do you guys think?

Because of some theft this year and even though we already have security cameras, my apartment building decided to check the front door locks so it's more secure.

This key looks very high tech... Only issue though is I never use the key anyway... I just entered the door code...

So what is the point of changing the locks? I'm going to guess whoever is stealing isn't picking the lock... People would notice... They must know the code.

Also it seems most of the apartment locks are digital key card/pins too. Wondering if this just means most owners are young or just are techies/devs...

!dev && rant

Can we talk about banks? Those fuckers! Suposed to keep our money save and be competent... They today gave me the biggest scare of my live and I've run one an update query on a prod db without a where clause! (Okay I knew we had a backup but still pretty scarry moment!)

As a few know, besides being a dev I help to organize a small openair music festival here in Switzerland. The openair was this weekend. Every thing wen't well, until I checked our ebanking account today. There was only 2/3 of the money that should be there. A quick call to the bank and they told me, nope they never received it. As we've thrown it in a secure locker during the night, we didn't receive any receipt or something like that. It took those fuckers 3.5 hours to actually go and check the looker, just to find the remaining money in the corner of it. What the fuck people, can't you open your fucking eyes and not give me a fucking heartatack? I thought you guys are professionals!

Note locker: we get a key to open it from the outside, place our payment during the night, as soon as we close it, it falls inside a vault, so there it's a pay in only system, for lack of a better word, I called it locker.

My heart is still beating like mad, because of them.

Managed to land 2 interviews:

The first one was for a startup that was looking for a react programmer (I've never used react before).

The later was a php job at a big company. They told me they used cakephp which is a framework I had not used before either.

Still, I'm more familiar with php than react so I felt more confident with the second interview. However, I felt there was a lot of good chemistry going on in the first interview.

The interviewer was incredibly nice (he was the lead dev, not an HR person as opposed to the second interviewer)

He gave me a small react test to be completed within a week. I barely managed to do it in time but I felt good about the solution.

Just as I was sending it, I get a call from the second interviewer saying I landed the php job.

I wasn't sure if my novice react skills would be impressive enough to secure me the react job (and I really needed a job) so I accepted.

After explaining everything to the guy who was interviewing me for the react job, he understood and was kind enough to schedule a code review where he walked through my novice code explaining what could be improved, helping me learn more in the process.

I regret not accepting the react position. The PHP they got me working with is fucking PHP5 with Cake2 :/

Don't get me wrong, I like the salary and the people are nice but the tech stack they're using (lacking source control by the way!), as well as all the lengthy meetings are soul-draining.

So a few weeks ago I wiped my MacBook Pro to regain some space and speed, it wasn't really that slow I just had the disk partitioned into two installments of MacOS. When I erased the disk I thought the secure thing to do would be to set the format to journaled, encrypted rather than just journaled. Everything was working fine, there seemed to be this weird step of login when I restarted but whatever, except iCloud Drive. On my iMac it works fine but for whatever reason my MacBook Pro doesn't want to download custom folders (ones that aren't created by an app and don't have an app icon on folder icon) from my account despite them being clearly available in iCloud.com. So after this much time of messing with it I'm wiping my MacBook Pro again and formatting it as journaled (not encrypted). Wish me luck...

Despite common sense, I think technology is not making our lives easier. It's just build chaos on top of chaos.

Take server-side programming for instance.

First you have to find someone to host your thing, or a PaaS provider. Then you have to figure out how much RAM and storage you need, which OS you're going to use. And then there's Docker (which will run on top of a VM on AWS or GCP anyway, making even less sense). And then there's the server technology: nginx, Apache (and many many more; if, that is, you're using a server at all). And then there are firewalls, proxies, SSL. And then you go back to the start, because you have to check if your hosting provider will support the OS or Docker or your server. (I smell infinite recursion here.)

Each of these moving parts come with their own can of worms in terms of configuration and security. A whole bible to read if you want to have the slightest clue about what you're doing.

And then there's the programming language to use and its accompanying frameworks. Can they replace the server technology? Should you? Will they conflict with each other and open yet another backdoor into your system? Is it supported by your hosting provider? (Did I mention an infinite recursion somewhere?)

And then there's the database. Does it have a port to the language/framework of your choosing? Why does it expose an web interface? Is it supposed to replace your server? And why are its security features optional again? (Just so I have to test both the insecure and the secure environments?)

And you haven't written a single line of code yet, mind you.

Gj Mastercard! My card just got blocked because every time I want pay and 3D secure code is needed, every first SMS that day is delayed by 5 minutes so session expires and I have to try again...now it happened quite a few times and card got blocked. Fucking shit...

Security fail here. I've just started a PPI claim and have been provided a link to a so called "very secure" client area.

There are no username or passwords and the screenshot is not a first time sign up screen.

All I need to login is a surname, postcode and DOB - all information easy enough to find online.

Pretty bad IMO, esp, so considering the effort required to add a proper login using a username/password combination.

I mean I'm logged in now and have no option to set an account password :|

I don't understand privacy advocators.

Am I the only one who wouldn't give up practicality in exchange for "potentially more secure"?

I don't understand so much what the deal is with people who avoid Facebook, or don't trust Google or Microsoft, just in the basis of "privacy" or "security".

Websites tracking you to serve ads? Well, it's pointless because I very rarely buy something from the internet or let myself be influenced, ads are waste of time, just use an adblocker.

I can pretty much upload my whole life or documents on Google drive, even if I made it public no one would really care or read it all. It's like that GitHub project you uploaded but never documented, so no one cares. I usually use alternative software not because of "privacy" but because it has features other software doesn't have.

In reality you realize people aren't that interested in your life more than their own life.

A classmate saw me using Firefox today and laughed at me saying Chrome is more secure. I'm not very knowledgeable about the security; I use Firefox because it uses less memory and it's more stable on my machine.

I doubt that info of his is current so can someone who actually knows about the security give me some counter-arguments for him? The more facts the better :D

Anything I (am able to) build myself.
Also, things that are reasonably standardized. So you probably won't see me using a commercial NAS (needing a web browser to navigate and up-/download my files, say what?) nor would I use something like Mega, despite being encrypted. I don't like lock-in into certain clients to speak some proprietary "secure protocol". Same reason why I don't use ProtonMail or that other one.. Tutanota. As a service, use the standards that already exist, implement those well and then come offer it to me.

But yeah. Self-hosted DNS, email (modified iRedMail), Samba file server, a blog where I have unlimited editing capabilities (God I miss that feature here on devRant), ... Don't trust the machines nor the services you don't truly own, or at least make an informed decision about them. That is not to say that any compute task should be kept local such as search engines or AI or whatever that's best suited for centralized use.. but ideally, I do most of my computing locally, in a standardized way, and in a way that I completely control. Most commercial cloud services unfortunately do not offer that.

Edit: Except mail servers. Fuck mail servers. Nastiest things I've ever built, to the point where I'd argue that it was wrong to ever make email in the first place. Such a broken clusterfuck of protocols, add-ons (SPF, DKIM, DMARC etc), reputation to maintain... Fuck mail servers. Bloody soulsuckers those are. If you don't do system administration for a living, by all means do use the likes of ProtonMail and Tutanota, their security features are nonstandard but at least they (claim to) actually respect your privacy.

RANT:
Google is just a steaming pile of shit!!

I've recently installed LineageOS onto my phone and wanted to degooglify my life.

So my current Smartphone doesn't have any GApps installed and I get along fairly well.

Should I need anything, I should just be able to use it in my browser right?
RIGHT?

Nono!! As soon as I want to log into a third party Service using Google (older acccounts with the other choice only being Facebook) I need to "verify my identity". And the only option are my old smartphone who still have Gapps on it but are slow and don't accessible when I'm away!

For those who say: "Google is just beeing secure. They don't want anyone to steal your account.". I USE 2FA AND HAVE BACKUP CODES.
BEFORE DEGOOGLING MY DEVICE IT NEVER ASKED SUCH A THING!!! WHAT A PILE OF SPYING SHIT!!!

And the best part, after I remotely started my PC at home and just want to take a screenshot of the message for this post before just using a working session, the message didn't appear.
Somehow google decided that me logging in 15 mins later (same ip) proves my identity?!?!?!

IF THIS CAN BE ATTRIBUTED TO AI. FUCK THIS SHIT. GOOGLED SHOULD BE TREATED LIKE AN ONLINE CASINO BECAUSE THE CHANCE OF JUST GETTING LOGGED SEEMS COMPLETELY RANDOM!!!

(I also had this prior when using my smartphone browser. There I couldn't "circumvent" this and I was at home. But having this shit on my browser which should've a session is unacceptable.)

i want to get my own social network up and running.

so far ive got -
login 100% securely
register (1000% securely)
view someone’s profile (10^7% securely)

to add -
scrypt (maybe bcrypt, however scrypt looks like the better option)
friend a user
track their every move (ill use facebooks and googles apis for that)

to describe my product -
ai
blockchain
iot
big data
machine learning
secure
empower
analysis

call me when im a gazillionaire

but seriously, im making a social network and i hope its done by wk105 tbh

When i was younger, lesser experienced and more naive than now; i got away with a lot of things. By lot of things i mean security flaws in my applications and overall architecture. I realise now i could've so easily been pawned.

Not that i claim to be totally secure even now, or would ever. It is a process, slow and painful one - Learning.

What i wish to point out is the role of favorable probability (non believers would call it luck). Security is so much about it. You get away with so many things for so long. And bang one day the roll of dice is unfavorable. On such rare occasions, just look back and wonder - damn i should've been breached long ago.

This is a true story. We had this subject, called “Web Design” (really, “design”), where we studied HTML, CSS, JavaScript, PHP and MySQL (confusing, right?). And when we get the PHP (e-)book, it was this old PDF (probably downloaded illegally) teaching the legacy 4.0 version of PHP. Anyway, when we had to develop the final project, the sane professor allowed us to use a newer version of PHP — 5.2, released on 2008. I had to follow the rules, so I developed probably the less secure web application I will ever develop. That means no protection from SQL injection, XSS vulnerable and a bunch of other security holes… And that’s how they liked it developed!

I'd never do anything "risky" in a prod environment if I considered it so at the time, but in retrospect there's *lots* of things considered risky now (both from a security and good practice viewpoint) that were standard practice not long ago:

- Not using any form of version control
- No tests (including no unit tests)
- Not considering XSS vulnerabilities
- Completely ignoring CSRF vulnerabilities
- Storing passwords as unsalted MD5 hashes (heck that was considered very *secure* in the days of plaintext password storage.)

...etc. I'm guilty of all of those previously. I daresay in the future there will be yet more things that may be standard practice now, but become taboos we look back on with similar disdain.

I had a wonderful run-in with corporate security at a credit card processing company last year (I won't name them this time).
I was asked design an application that allowed users in a secure room to receive instructions for putting gift cards into envelopes, print labels and send the envelopes to the post. There were all sorts of rules about what combinations of cards could go in which envelopes etc etc, but that wasn't the hard part.
These folks had a dedicated label printer for printing the address labels, in their secure room.
The address data was in a database in the server room.
On separate networks.
And there was absolutely no way that the corporate security folks would let an application that had access to a printer that was on a different network also have access to the address data.
So I took a look at the legacy application to see what they did, to hopefully use as a precedent.
They had an unsecured web page (no, not an API, a web page) that listed the addresses to be printed. And a Windows application running on the users' PC that was quietly scraping that page to print the labels.
Luckily, it ceased to be an issue for me, as the whole IT department suddenly got outsourced to India, so it became some Indian's problem to solve.

Never have I been so satisfied as I am right now after having implemented a login and user account system with the ability to update user preferences with databases n' shit in PHP after only knowing PHP for a day.

Speaking of all that, do you guys know of any good place to make sure all my stuff is secure? No SQL injections n' the like.

TL;DR my first vps got hacked, the attacker flooded my server log when I successfully discovered and removed him so I couldn't use my server anymore because the log was taking up all the space on the server.

The first Linux VPN I ever had (when I was a noob and had just started with vServers and Linux in general, obviously) got hacked within 2 moths since I got it.
As I didn't knew much about securing a Linux server, I made all these "rookie" mistakes: having ssh on port 22, allowing root access via ssh, no key auth...

So, the server got hacked without me even noticing. Some time later, I received a mail from my hoster who said "hello, someone (probably you) is running portscans from your server" of which I had no idea... So I looked in the logs, and BAM, "successful root login" from an IP address which wasn't me.

After I found out the server got hacked, I reinstalled the whole server, changed the port and activated key auth and installed fail2ban.
Some days later, when I finally configured everything the way I wanted, I observed I couldn't do anything with that server anymore. Found out there was absolutely no space on the server. Made a scan to find files to delete and found a logfile. The ssh logfile. I took up a freaking 95 GB of space (of a total of 100gb on the server). Turned out the guy who broke into my server got upset I discovered him and bruteforced the shit out of my server flooding the logs with failed login attempts...

I guess I learnt how to properly secure a server from this attack 💪

Colleagues cannot seem to grasp that allowing a user to manually update a field via an Api, that only business process should update is a bad idea.

The entire team of around 10 'software developers' cannot grasp that just because the frontend website won't set it doesn't mean its secure. I have tried many times now...

Just an example honestly... Our project follows a concrete repository pattern using no interfaces or inheritance, returning anaemic domain models (they are just poco) that then get mapped into 'view models' (its an api). The domain models exist to map to 'view models' and have no methods on them. This is in response to my comments over the last 2 years about returning database models as domain transfer objects and blindly trusting all Posts of those models being a bad idea due to virtual fields in Ef.

Every comment on a pull request triggers hours of conversation about why we should make a change vs its already done so just leave it. Even if its a 5 minute change.

After 2 years the entire team still can't grasp restful design, or what the point is.

Just a tiny selection of constant incompetence that over the years has slowly warn me down to not really caring.

I can't really understand anymore if this is normal.

Seems like my connection to much-security isn't so... secure 😂
Didn't you forget something, @linuxxx?

You know what a payment feature that is “so secure even the correct user can’t use it” is called?

FUCKING BROKEN. Jesus Christ I hate it when “customer service” people are trying to sound smart.

My best prank: A year ago I was at my friends flat, which he finally rented with his new girlfriend. He is a kind of person, which has like constantly opened 110 tabs in chrome, three or four instances of chrome running, torrenting at full speed and in the meanwhile a few films having opened to "watch" later. He is very very secure about his computer and NEVER leaves me or anyone else alone with his computer. That day we were just talking in the same room, and he goes for some food. I was like yeah thats my chance to prank him. So I opened a new tab and came with an idea - what If I change his desktop background to some random chick, to prank both him and his gf. I knew she will not be mad but his reaction would be priceless (it was his first gf). So I started googling, found a three pretty naked chicks. This was like soft porn, they were still "dressed" but not much. I did not wanted to use a porn for this.
So I was about to download image - right click - save as - little window opened and..

...what the hell, that guy had literally like terabytes of porn in download folder, all totally in one chaos, thousands of images, millions of downloaded videos, all categories just everything from gangbang to milfs or old/ young, what the fuck that computer was like cursed station of porn.

In that point I was like fuck that. This prank has no sense then. So I just closed that little window and did nothing. Prank failed.

Nowdays, He still does not know what I know about his "hobbies". And I will never say him lol. About a months after he broke with his gf and moved to different house. He has now three monitors attached to his computer and 4tb of space. He is still complaining about "lack of space" and "too big downloaded movies" but we all know what is going on lol. We call his "working deck" a sacred porn station.

Tried to dual boot Arch with Windows yesterday.

Everything was going smoothly. Shrunk the C: partition, ran the installer, installed the OS fine. But it was still booting straight to Windows.

So I edited the BCD to point to Grub instead of Wilndows. Then the plan was to boot into Arch, find Windows, and add it to Grub, problem solved.

Wrong. I had forgotten to disable secure boot. Arch and Grub were booting in BIOS mode, but Windows was UEFI. Grub couldn't boot or even see Windows.

So now I was stuck with just Arch. So I flashed a Windows drive, booted from that, automatic startup repair failed. Opened up the command prompt, tried to rebuild the BCD from there. Surely I can just rebuild it and forget about trying to dual boot right? I just want to get back to being able to use my PC.

Wrong again. Didn't find Windows. Had to get rid of the BCD file before I could rebuild it, but couldn't find it. Found out that I could use diskpart to mount the system partition and assign it a drive letter, renamed the BCD, rebuilt it, and finally was able to reboot into Windows.

Learn from my arrogance. First time Linux users should not attempt to install Arch, let alone do it alongside Windows on the same disk.

Finally got a new laptop at work!
The first thing to do: install linux in it so the beast could roar free.

Download mint iso, dd it into an usb drive, boot it up in uefi mode, .... /dev/sda read error: -110. Fuck, must be smth w/ secure-boot. Disable it, rinse and repeat. Same error. Wtf, could my drive be broken?
dd iso into another usb drive, boot live env -- read error. THE FUCK! It's wildly unlikely my both usb drives died on the same fucking day!

Go to it admin to ask for an usb drive. Iso->usb, boot -- live env is up. My my, look who's unfortunate today :)

cryptsetup, install, reboot et voila, the beast is finally roaring!

I've been using keepass for everything and just recently I've just come to realization of just how hard it is to get into my accounts now that I've done this.

Literally, I'm useless if i don't have a computer to get my passwords. (I know it's for android too, but i need the database)

I was trying to log into my spotify, but I couldn't remember my password. Then I thought, oh i know i'll just log into facebook and do it that way.

LOL JK you don't know the password
Fuck... what about my email???
LOL NOPE!

Seriously if i was held at gun point and told to log into anything I'd be dead. I've literally secured myself out of my own accounts...

I guess if there is any silver lining, it's that no-one, and I mean 'no-one' is getting into my accounts any time soon.

You see that, over there?

That massive, 10-ton bag of dicks sitting there in the corner?

Secure Code Warrior can eat that ENTIRE FUCKING THING!

SO many flaws in their tests... SO much HIGHLY questionable content... utterly RIDICULOUS bullshit code with no comments and no context... asking me fucking Angular questions when I'm doing an Express test... two answers that are IDENTICAL... and a busted-ass site on top of it all.

I hate this motherfucking bullshit SO much, and at this moment I hate my employer even more for forcing me to deal with it.

But, hey, I hope you enjoy no work getting done today since you seem to prefer I do this instead, so I guess I'll just scare my dog some more as I yell about this bullshit.

Fuck you Secure Code Warrior, fuck you very, VERY much.

!Rant #motivation #hugeProject
Yesterday i started a new app and i designed some of it but classes i coded will speed up the whole coding of other parts .
Anyways today i needed to work on the server side of the project and when i was working on setting up the databases structures i realized how big is this project (it uses like 3 APIs) so i was unmotivated because its a side project and it takes alot of time and overall it dont worth it and even app may fail or may be successful.
So i said i dont care about how it will turn out
Im gonna do it , and im gonna do it right now
So i did now its 6 am and the server part is almost finished ! 75% done .
It was a secure login system and signup with verifications and more security stuff and the codes that provide the server status and most of the user parts . And some of the features of the app .
The most hard thing remaining is to setup the in app purchases and the APIs .
So if you see a project that is huge .
Dont give up . Just do it as long as you can
And you will see how much you progress !
And the huge project will be a big project ;)
Then a normal project , then a tiny project :P
Good night

I was once asked to create a fully secure chat system prototype (the ui didn't matter) in 2 days. We ended up building a client in python (which I wrote) and it kinda worked and a c# backend that didn't really work.

1 hour before we had to present the project to some high up management we decided that we couldn't fix the bugs in the system.

So I came up with a cool idea. Why not use ssh?
So I set up a bash script that writes to a file and tail -f that reads from the file. That way you could chat securely with another person.
I made it 15 minutes before the presentation with no Internet working :) they said it was hacky but a cool solution they saw that day :p I felt happy and that I had to thank Linux for being there for me

Do you know what angers me more than anything else ?

Wasted potential. Thats what. That there are people out there that look at their bank account and see a large number and spend large amounts of time finding ways to push people down during sensitive times where they could be learning and growing and have the right attitude and energy to do so, just because it makes their horrible selves feel secure knowing how 'superior' daddy made them, not to mention likely factories filled with half naked Chinese kids sewing shoes and soccer balls and separating out precious metals with blow torches.

I cannot help but think about this again as I'm frustrated that I had to relearn something just now which created more questions which I once everything is dashed to pieces again I won't think to or know to look into, if the information even exists, all so some easily duped younger people can form the next generation of well... us, and fall for the same tricks while I feel like I'm falling behind.

Getting high during work sounds cool, but once it caused me real trouble.

So, I was just finished with the service I was building and I had files ready to be uploaded on server but I was high at that time and I completely forgot to secure my backend files and BOOM.
Server stopped working. Server support was shocked because overnight we utilized 300GB bandwith .
It was some WORM and it kept coming back.
We were helped in the end though and provided fresh IPs.
P.S. Dont do important stuff when stoned

Webmin because why not ✓
Lamp stack ✓
Dynamic DNS client ✓
PhpMyAdmin X

Dear DigitalOcean. SINCE WHEN do you consider a PMA installation
without Https SECURE?
And why the fuck do you make me install an aptitude package that skips both file system AND Apache config cleanup on purging?
It's just a raspberry, but if it runs lamp I want PMA, and if it runs anything, I want Https. Is that too much to ask for from a tutorial source otherwise so reliable that I do anything you say without a questioning thought?

telco sysadmin: hey maybe we should secure our SMTP server with SSL and password verification so our clients can e-mail safely!
senior exec be like: nah just filter incoming connections for our own IP-range, that'll do.

result: I can impersonate any client of the telco and send e-mail in their name (from any home network connected to that provider), but I can't send e-mail over cellular network.

# Retrospective as Backend engineer

Once upon a time, I was rejected by a startup who tries to snag me from another company that I was working with.
They are looking for Senior / Supervisor level backend engineer and my profile looks like a fit for them.
So they contacted me, arranged a technical test, system design test, and interview with their lead backend engineer who also happens to be co-founder of the startup.

## The Interview

As usual, they asked me what are my contribution to previous workplace.
I answered them with achievements that I think are the best for each company that I worked with, and how to technologically achieve them.

One of it includes designing and implementing a `CQRS+ES` system in the backend.
With complete capability of what I `brag` as `Time Machine` through replaying event.

## The Rejection

And of course I was rejected by the startup, maybe specifically by the co-founder. As I asked around on the reason of rejection from an insider.

They insisted I am a guy who overengineer thing that are not needed, by doing `CQRS+ES`, and only suitable for RND, non-production stuffs.

Nobody needs that kind of `Time Machine`.

## Ironically

After switching jobs (to another company), becoming fullstack developer, learning about react and redux.
I can reflect back on this past experience and say this:

The same company that says `CQRS+ES` is an over engineering, also uses `React+Redux`.
Never did they realize the concept behind `React+Redux` is very similar to `CQRS+ES`.

- Separation of concern
- CQRS: `Command` is separated from `Query`
- Redux: Side effect / `Action` in `Thunk` separated from the presentation
- Managing State of Application
- ES: Through sequence of `Event` produced by `Command`
- Redux: Through action data produced / dispatched by `Action`
- Replayability
- ES: Through replaying `Event` into the `Applier`
- Redux: Through replay `Action` which trigger dispatch to `Reducer`

---

The same company that says `CQRS` is an over engineering also uses `ElasticSearch+MySQL`.
Never did they realize they are separating `WRITE` database into `MySQL` as their `Single Source Of Truth`, and `READ` database into `ElasticSearch` is also inline with `CQRS` principle.

## Value as Backend Engineer

It's a sad days as Backend Engineer these days. At least in the country I live in.
Seems like being a backend engineer is often under-appreciated.
Company (or people) seems to think of backend engineer is the guy who ONLY makes `CRUD` API endpoint to database.

- I've heard from Fullstack engineer who comes from React background complains about Backend engineers have it easy by only doing CRUD without having to worry about application.
- The same guy fails when given task in Backend to make a simple round-robin ticketing system.
- I've seen company who only hires Fullstack engineer with strong Frontend experience, fails to have basic understanding of how SQL Transaction and Connection Pool works.
- I've seen company Fullstack engineer relies on ORM to do super complex query instead of writing proper SQL, and prefer to translate SQL into ORM query language.
- I've seen company Fullstack engineer with strong React background brags about Uncle Bob clean code but fail to know on how to do basic dependency injection.
- I've heard company who made webapp criticize my way of handling `session` through http secure cookie. Saying it's a bad practice and better to use local storage. Despite my argument of `secure` in the cookie and ability to control cookie via backend.

Sometimes life takes unexpected turns:

I studied mechanical engineering and did some "computer stuff" in my free time, you know, "programming" with Java, toyed around with HTML/CSS/PHP a few years ago, some local server stuff with a raspberry pi, nothing fancy.

Half a year ago i got hired as engineer first but they said they needed an "IT Guy" also.

What i did since then
*Researching, Testing and Planning the introduction of an ERP software
*Planning, coordinating and (partially) setting up a new server for the company (actually two cause redundancy (heavy lifting got done by our IT partner, its not like i suddenly know how to do the entire windows server administration)
*Writing 3 minor tools for some guys in the company in java
*Creating numereous excel vba scripts that make work a lot easier
*doing all the day to day business that comes up when absolutly noone know how to use a pc in the company
*consulting the boss about webshops and websites in general and finding a decent partner
*and some engineering

Did i mentioned that i studied mechanical engineering? I know nothing about all this, or rather, i know enough to know that i know not enough.

My current side project is creating a small intranet, so creating a new VM in Hyper V, setting up some OS (probably slim CentOS), getting a Webserver running and making it somewhat secure. Then i need to create some content, i am very close to just install a mediawiki and call it a day. If i write anything in PHP i fear that i make way to many erros or just reinvent the wheel, on the other hand, i couldnt find anything resembling what i need. I also had to create the front end side, i knew CSS around 2010, there is probably tons of stuff i dont know and i will make so many errors.

This is frustrating, everything i touch feels like i am venturing the beaten path but noone ever showed me the ropes so everything i do feels like childs play. I need an adult. Also the biggest Question remains: What i am?

Workarounds are great. I remember one time, I had a server that let anyone access any file as long as the knew the right path. I wanted to store data in a .txt (it wasnt secure passwords or anything, so calmyourtities), but then had access too it. Now, this server wasn't running anything except PHP, so I created a database.php, and within was just some php tags. I ended up modifying the database.php from other PHP scripts and storing all the data as PHP comment, then parsing thru it as I needed, so loading mydomain.biz/database.php wouldn't show the data. ex of my database.php (to all that might not understand because I'm bad at explaining):
<?php
//USER1:DATA1
//USER2:DATA2
?>

!Rant
Awesomeness ensues!!!!!

I finally quit my day job at the place I was working to finally go full time with my business, TerraNimbus. I was able to secure a small loan to cover business and personal expenses until I can drum up enough business to keep things a float.

I’m super fucking stoked because I’ve been wanting to branch out and do this for about 4 years now and finally feel like I have the right pieces in play to make it work. I’m as nervous as hell but so fucking excited too!

I just needed to share this here cause the DevRant community is world class and you guys/gals are fucking killing it everyday being AWESOME!!! And you all feel like extended family members to me all going through the motions in each of your lives and keeping ‘in touch’ through devRant on a daily basis. So I wanted to share my story with everyone here.

We code hard in these cubicles

My style’s nerd-chic, I’m a programmin’ freak

We code hard in these cubicles

Only two hours to your deadline?

Don’t sweat my technique.

Sippin’ morning coffee with that JAVA swirl.

Born to code; my first words were “Hello World”

Since 95, been JAVA codin’ stayin’ proud

Started on floppy disks, now we take it to the cloud.

On my desktop, JAVA’s what’s bobbin’ and weavin’

We got another winning app before I get to OddEven.

Blazin’ code like a forest fire, climbin’ a tree

Setting standards like I Triple E….
Boot it on up, I use the force like Luke,

Got so much love for my homeboy Duke.

GNU Public Licensed, it’s open source,

Stop by my desk when you need a crash course

Written once and my script runs anywhere,

Straight thuggin’, mean muggin’ in my Aeron chair.

All the best lines of code, you know I wrote ‘em

I’ll run you out of town on your dial-up modem.

Cause…
We code hard in these cubicles

Me and my crew code hyphy hardcore

We code hard in these cubicles

It’s been more than 10 years since I’ve seen the 404.

Inheriting a project can make me go beeee-serk

Ain’t got four hours to transfer their Framework.

The cleaners killed the lights, Man, that ain’t nice,

Gonna knock this program out, just like Kimbo Slice

I program all night, just like a champ,

Look alive under this IKEA lamp.

I code HARDER in the midnight hour,

E7 on the vending machine fuels my power.

Ps3 to Smartphones, our code use never ends,

JAVA’s there when I beat you in “Words with Friends”.

My developing skills are so fresh please discuss,

You better step your game up on that C++.

We know better than to use Dot N-E-T,

Even Dan Brown can’t code as hard as me.

You know JAVA’s gettin’ bigger, that’s a promise not a threat,

Let me code it on your brain

We code hard in these cubicles,

it’s the core component…of what we implement.

We code hard in these cubicles,
Straight to your JAVA Runtime Environment.

We code hard in these cubicles,
Keep the syntax light and the algorithm tight.

We code hard in these cubicles,

Gotta use JAVA if it’s gonna run right.

We code hard in these cubicles

JAVA keeps adapting, you know it’s built to last.

We code hard in these cubicles,

Robust and secure, so our swag’s on blast

CODE HARD

So my friend wanted a website, and I was kinda busy, so I asked him to find a web host. Five minutes later he comes back asking to use Tor and to make a .onion site. He said they're "secure and all the rave" nowadays. He was shocked to learn that most .onion sites are illegal and that Tor is a web browser to reach those illegal sites. I still make fun on him.

So... I finally decided to secure my VPS, so I started with sudo less /var/log/auth.log ...
Short story, not even gonna read every line, just gonna reset my VPS lol

For all the hate against windows I built over the now 8 years using linux as my main os. Now I feel windows 10 is quite good.

I got a little beefier desktop lately, been using just laptops from the last 8 years(8D) so I got this urge to get a desktop for gaming, I bought an entry level machine. ryzen 5 2400g, put my lovely linux mint and... the fucking machine was hanging up when the load was too high, and the load was too high too often because react/node etc.

I gave up in less than a day, I just did a quick search and some people said about secure boot or whatnot, some other claimed that ryzen cpus had no problem with mint, I got fed up quickly and did not try any solution with linux. Then I installed windows 10, installed the godamned drivers from the provided dvd ... since then it was a breeze.

The dark mode is gorgeous and no hanging up at all... I'm just sad that mint did not worked soo well. I wanted to have consistency between my laptop/desktop and I loved mint above everything. But well, some things improve while you're not looking at them, win 10 is quite good, I'll keep my desktop as gaming/programming pc with win 10, and well, the laptop will be auxiliar programming machine.

¯\_(ツ)_/¯

I got notified that tomorrow I'm gonna start a porting project from a FileNet ecosystem.

Well, I don't know what is FileNet, but at least I've enough time to study its architecture. Let's start from the official IBM page:

The FileNet® P8 platform offers enterprise-level scalability and flexibility to handle the most demanding content challenges, the most complex business processes, and integration to all your existing systems. FileNet P8 is a reliable, scalable, and highly available enterprise platform that enables you to capture, store, manage, secure, and process information to increase operational efficiency and lower total cost of ownership.

Thank you IBM, now I surely know how to use FileNet. Well, I hope that wikipedia explains me what it is:

FileNet is a company acquired by IBM, developed software to help enterprises manage their content and business processes.

Oh my god. I tried searching half an hour so far and everything I found was just advertisements and not a clue about what it is.

Then they wonder why I hate IBM so much

Just had a very "OMG WTF!" kind of mini conversation with my co-founder, of a web dev startup.

Him: So what's LastPass then?
Me: It's a secure password management system.
Him: So let's use LastPass instead of Dropbox then. :-)

** quickly searches dropbox for passwords **

A little knowledge can be extremely dangerous if left unsupervised.

So i tried installing elementary on my friend's computer

I keep ending up with this error : 'in it ram fs : cannot find a medium with a live file system'

This error can be replicated on one other computer but works without the error on another one.

I'm using a UEFI boot on all of them
What I've tried :
1. Switching USB ports
2. Burning the image using Rufus, lily USB
3.secure boot on/off
4. Converted any dynamic partitions to basic
5. Converted MBR to GPT
6. Disabled Intel PTT

I've tried Ubuntu as well, same results

RANT!

I still struggle to find the suitable address book software for our company. It supposed to be secure and inexpensive. But how so? It's flipping not possible to have both!
My boss answer to almost everything I say: Just do it! - in German: einfach machen! Please hulp!

LOL, somebody thought Zoom was secure! Hahahahaha! Some people were caught planning violence and a potential coup...on...Zoom!

The lack of understanding of technology creates interesting convergences of events.

So, if you are planning to break the law, don't use Zoom. Mmmkay?

-Rant-
How do you (not) secure your Rest based web service?
1. Chain it to shady organic authentication system built by a hoard of monkeys high on Tequila.
2. have secret keys that get copy pasted into config flat files, and index them on your code search engine.
3. make the onboarding extremely platform specific that you need 500 environment variables, 50 scripts, 5 fancy device presses and a tap dance to make a GET call to the service.
4. fish through 500 rotating log files that the authentication system generates for each API call made.
5. Leave traces all over the host so if you have to start over, you should sudo rm -rf / and set fire to your computer.

Because I am very interested in cyber security and plan on doing my masters in it security I always try to stay up to date with the latest news and tools. However sometimes its a good idea to ask similar-minded people on how they approach these things, - and maybe I can learn a couple of things. So maybe people like @linuxxx have some advice :D Let's discuss :D

1) What's your goto OS? I currently use Antergos x64 and a Win10 Dualboot. Most likely you guys will recommend Linux, but if so what ditro, and why? I know that people like Snowden use QubesOS. What makes it much better then other distro? Would you use it for everyday tasks or is it overkill? What about Kali or Parrot-OS?

2) Your go-to privacy/security tools? Personally, I am always conencted to a VPN with openvpn (Killswitch on). In my browser (Firefox) I use UBlock and HttpsEverywhere. Used NoScript for a while but had more trouble then actual use with it (blocked too much). Search engine is DDG. All of my data is stored in VeraCrypt containers, so even if the system is compromised nobody is able to access any private data. Passwords are stored in KeePass. What other tools would you recommend?

3) What websites are you browsing for competent news reports in the it security scene? What websites can you recommend to find academic writeups/white papers about certain topics?

4) Google. Yeah a hate-love relationship, but its hard to completely avoid it. I do actually have a Google-Home device (dont kill me), which I use for calender entries, timers, alarms, reminders, and weather updates as well as IOT stuff such as turning my LED lights on and off. I wouldn"t mind switching to an open source solution which is equally good, however so far I couldnt find anything that would a good option. Suggestions?

5) What actions do you take to secure your phone and prevent things such as being tracked/spyed? Personally so far I havent really done much except for installing AdAway on my rooted device aswell as the same Firefox plugins I use on my desktop PC.

6) Are there ways to create mirror images of my entire linux system? Every now and then stuff breaks, that is tedious to fix and reinstalling the system takes a couple of hours. I remember from Windows that software such as Acronis or Paragon can create a full image of your system that you can backup and restore at any point to get a stable, healthy system back (without the need to install everything by hand).

7) Would you encrypt the boot partition of your system, even tho all data is already stored in encrypted containers?

8) Any other advice you can give :P ?

Dev industry develop so fast. This is because information available anywhere in the internet and people try to learn any programming language they want . But only few know whether they following secure coding practice or not

But the thing is most of Dev people dosent care about security. They focus just to develop a application but not to secure it?

Pentesting for undisclosed company. Let's call them X as to not get us into trouble.
We are students and are doing our first pentest at an actual company instead of assignments at school. So we're very anxious. But today was a good day.
We found some servers with open ports so we checked a few of them out. I had a set of them with a bunch of open ports like ftp and... 8080. Time to check this out.
"please install flash player"... Security risk 1 found!

System seemed to be some monitoring system. Trying to log in using admin admin... Fucking works. Group loses it cause the company was being all high and mighty about being secure af. Other shit is pretty tight though.

Able to see logs, change password, add new superuser, do some searches for USERS_LOGGEDIN_TODAY! I shit you not, the system even had SUGGESTIONS for usernames to search for. One of which had something to do with sftp and auth keys. Unfortunatly every search gave a SQL syntax error. Used sniffing tools to maybe intercept message so we could do some queries of our own but nothing. Query is probably not issued from the local machine.

Tried to decompile the flash file but no luck. Only for some weird lines and a few function names I presume. But decompressing it and opening it in a text editor allowed me to see and search text. No GET or POST found. No SQL queries or name checks or anything we could think of.

That's all I could do for today. So we'll have to think of stuff for next week. We've already planned xss so maybe we can do that on this server as well.

We also found some older network printers with open telnet. Servers with a specific SQL variant with a potential exploit to execute terminal commands and some ftp and smb servers we need to check out next week.

Hella excited about this!

If you guys have any suggestions let us know. We are utter noobs when it comes to this.

I wanna go back to the age where a C program was considered secure and isolated based on its system interface rathe than its speed. I want a future where safety does not imply inefficiency. I hate spectre and I hate that an abstraction as simple and robust as assembly is so leaky that just by exposing it you've pretty much forfeited all your secrets.
And I especially hate that we chose to solve this by locking down everything rather than inventing an abstraction that's a similarly good compile target but better represents CPUs and therefore does not leak.

I absolutely hate software to the point where I started converting from sysadmin to becoming more like a dev. That way I could just write my own implementations at will. Easier said than done, that's for sure. And it goes both ways.

I think that in order to be a good dev, you need these skills the most:
- Problem solving skills
- Creativity, you're making stuff
- Logical reasoning
- Connecting the dots
- Reading complex documentation
- Breaking down said documentation
- A strong desire to create order and patterns
- ...

If you don't have the above, you may still be able to become a dev.. but it would be harder for sure, and in some cases acceptance will be lower (seriously, learn to Google!)

One thing I don't think you need in development is mathematics. Sure there's a correlation between it and logic reasoning, but you're not solving big mathematical monsters here. At most you'd probably be dealing with arrays and loops (well.. program logic).

Also, written and spoken English! The language of the internet must be known. If it's not your first language, learn it. All the good (and crucial) documentation out there is in English after all.

One final thing would be security in my opinion, since you're releasing your application to the internet and may even run certain services, and deal with a lot of user data. Making those things secure takes some effort and knowledge on security, but it's so worth it. At the most basic level, it requires a certain mindset: "how would I break this thing I just made?"

THREE DAYS of debugging, reading all the logs I could find, creating tens of new logs in our appliaction, and SUDDENLY an email from your IT admin:

"Hey your CURL requests are being rejected by my !oh so secure! firewall rule".

Not that I haven't said at the beggining, that THIS IS YOUR F...G NETWORK PROBLEM because we get "connection reset by peer" errors, and you ASSURED that everything is CHECKED and OK!

I discovered a commit message from one of my (senior) colleagues today. It made me shudder. It read, 'Just adding some changes made outside of source control and deployed (over last 12 months)'.

I genuinely think he can't follow any processes he didn't design. He controls the servers too, so it's not like any pipeline would prevent him from just doing what he wants. It's a bit scary to be honest, he thinks MD5 is a secure password hash!

My passwords are so secure, they want to talk about sex with me.

When your college gets a gitlab server and a dozen or so people who know what it is are excited, but you're the only one who knows about the crisis that happened with gitlab, so have to just stand and stare as they tell everyone how gitlab is secure and risk free.

@linuxFanboys
I'm getting a Chromebook, and, obviously, I'd rather wget all my webpages before I use chrome as my main os. so any recommendations for distros? I want a good, smooth ui, kinda like what windows was aiming for but so terribly messed up. I want apt package manager, and I wouldn't mind pentesting tools, and it has to be light enough to use on a computer with 4gb ram and 16gb ssd. I assume it's implied with linux, but I want one that's generally consider to be secure. I plan to run android studio (I expect it to be slower than a commodore 64 running windows 10), eclipse, gcc, if that helps. any suggestions? thanks!

My brother wanted me to post:
Devrant is so secure, it even blocks passwords. Look here is mine ***************

I was curious to how many would fall for it. But I was afraid It could be seen as malicious intent

Salesforce lightning web components have such bullshit limitations that they claim is because of security but it's just because it's overengineered garbage.

Want to use web components? Nope.

Want to pass in a value to a function in a click listener expression? Nope.

Want to use scss? Nope, compile it to css yourself.

Want to use the fucking document object? Guess what it's overridden except for very specific third party frameworks.

Who in the fuck thought it was a good idea to override the document object? Your app isn't more secure, literally the entire internet uses the document object and it still becomes available in runtime anyway so what the fuck??

LWC is the biggest garbage I've ever seen, you know a framework's a big red flag when there are developers solely for the framework.

There is a new security release coming out that apparently removes some of these nuances (understatement) so there might be some light at the end of the tunnel.

The coolest project I ever worked on wasn't programming per second, though it involved a bit of scripting. The company I worked for had an FTP over TLS backup solution and it was put together with glue and paperclips by a guy that hadn't the slightest idea what he was doing. In order to conform with the insurance, data had to be encrypted. I setup a raid-ed server with full disk encryption on the raid volume that fetched the key over the network at boot from another secure server. I wrote a series of scripts for provisioning users and so on. The backup connections was sftp using a ssh tunnel, the users were chrooted to their own home directories, and were unable to open shells. The system was 100x more robust and secure than the original. I set it up on short notice and received absolutely no recognition for saving the company's ass, but it was definitely a fun project.

I never understood how people have any problems with getting paid for freelancing work, when middleman/escrow platforms like upwork exist, just don't be retarded when applying for a job. I am so sick of those shit ass stories from people telling me "my client didnt pay meeee 😭😭😭" ITS YOUR FAULT. I never had any client not paying, if you don't have the option of escrow, then just fucking put remote execution via "update" system in for fucks sake or give remote control to the client while monitoring it, there is so much fucking ways to secure yourself, just don't be retarded and many clients instantly show their character when talking budget and turnaround time.

AWS is so secure that even with full access I cannot access the resource I need and the error message is so cryptic every hacker will give up first. Amazing!

Got one right now, no idea if it’s the “most” unrealistic, because I’ve been doing this for a while now.

Until recently, I was rewriting a very old, very brittle legacy codebase - we’re talking garbage code from two generations of complete dumbfucks, and hands down the most awful codebase I’ve ever seen. The code itself is quite difficult to describe without seeing it for yourself, but it was written over a period of about a decade by a certifiably insane person, and then maintained and arguably made much worse by a try-hard moron whose only success was making things exponentially harder for his successor to comprehend and maintain. No documentation whatsoever either. One small example of just how fucking stupid these guys were - every function is wrapped in a try catch with an empty catch, variables are declared and redeclared ten times, but never used. Hard coded credentials, hard coded widths and sizes, weird shit like the entire application 500ing if you move a button to another part of the page, or change its width by a pixel, unsanitized inputs, you name it, if it’s a textbook fuck up, it’s in there, and then some.

Because the code is so damn old as well (MySQL 8.0, C#4, and ASP.NET 3), and utterly eschews the vaguest tenets of structured, organized programming - I decided after a month of a disproportionate effort:success ratio, to just extract the SQL queries, sanitize them, and create a new back end and front end that would jointly get things where they need to be, and most importantly, make the application secure, stable, and maintainable. I’m the only developer, but one of the senior employees wrote most of the SQL queries, so I asked for his help in extracting them, to save time. He basically refused, and then told me to make my peace with God if I missed that deadline. Very helpful.

I was making really good time on it too, nearly complete after 60 days of working on it, along with supporting and maintaining the dumpster fire that is the legacy application. Suddenly my phone rings, and I’m told that management wants me to implement a payment processing feature on the site, and because I’ve been so effective at fixing problems thus far, they want to see it inside of a week. I am surprised, because I’ve been regularly communicating my progress and immediate focus to management, so I explain that I might be able to ship the feature by end of Q1, because rather than shoehorn the processor onto the decrepit piece of shit legacy app, it would be far better to just include it in the replacement. I add that PCI compliance is another matter that we must account for, and so there’s not a great chance of shipping this in a week. They tell me that I have a month to do it…and then the Marketing person asks to see my progress and ends up bitching about everything, despite the front end being a pixel perfect reproduction. Despite my making everything mobile responsive, iframe free, secure and encrypted, fast, and void of unpredictable behaviors. I tell her that this is what I was asked to do, and that there should have been no surprises at all, especially since I’ve been sending out weekly updates via email. I guess it needed more suck? But either way, fuck me and my two months of hard work. I mean really, no ego, I made a true enterprise grade app for them.

Short version, I stopped working on the rebuild, and I’m nearly done writing the payment processor as a microservice that I’ll just embed as an iframe, since the legacy build is full of those anyway, and I’m being asked to make bricks without straw. I’m probably glossing over a lot of finer points here too, just because it’s been such an epic of disappointment. The deadline is coming up, and I’m definitely going to make it, now that I have accordingly reduced the scope of work, but this whole thing has just totally pissed me off, and left a bad taste about the organization.

My very first time was when I first saw a Web page, I really wanted to know how they did it. Two weeks later I built an intranet at home and I thought I was so cool I was shitting out ice cubes.

The very first programme I ever wrote was a secret diary application(C#) for myself I thought it was really secure because I had my own file extension. Not one of my finer moments.

Fuck, I want to report a bug to KDE, but the more I think of it the more it looks like it's someone who implemented the shit.

It's a feature!

For some fucking reason KDE launcher overrides the commands from one of my programs with its shortcut entries. That's mostly OK.

Now, the problem is that if for some reason the shortcut goes broken, KDE makea sure it is stores in some sort of database, so that even if you delete it from the disk you will still have a broken link overriding the real command.

Until here it's OK. The thing is that, if you delete the shortcut , you will be prompted with a message showing its contents, asking if is it secure to launch the corresponding shortcut?

I'm like, what? Man I deleted the file, there's no shortcut anymore, just let it go and show me the original command.

why would I want you to store previously deleted shortcuts so you may make sure I launch my programs through them?

PS: forgot to tell the whole problem started from a bug in another program, which for some nonsensical reason creates shortcuts calling system commands through itself rather than just calling them out. The result is that once this program is removed all the shortcuts it created no longer work.

lol

I had weird apple charges on my credit card so I called the bank and told them I didn't do them and own nothing apple.
they cancelled my card and sent me a new one.
the new one came with a paper saying I need to activate it and the first time I use it I might need to type in the pin.

credit cards typically worked if you insert or swipe you have to type in pin,
and you can wave it over the machine for small charges and that won't ask for pin, which is probably what they're saying is I can't wave until I pin.

so I go to the nearby grocery store so I can activate the card with the pin and order online groceries later, and coincidentally they have a new payment machine (why?), one of those without buttons that just looks like a phone.
I insert it, expecting it to ask me a pin... it beeps saying approved

so

I got credit card fraud and they sent me a new card
and the new card is literally less secure

it's like banks want fraud

when I was calling in or being re-routed with the bank the messages were always "higher number of calls than expected"

how bad is financial fraud rn. why are they making it worse

I don't think my card was leaked due to pinning though. when you order stuff online there should be an approval process on your end to confirm but it just doesn't exist. so if anyone gets your credit card info they can just sell that. I had to order a very hard to find drug from one sketchy (to me) website and after I did so that email got signed up to a weird newsletter and I harassed the shit out of that newsletter company for contacting me. I would assume they also sold my credit card details, or it "leaked" in a hack, whatever. this whole damned circus. I have 4 months of the drug but at some point I'll need more and they're the only ones that have it... so I guess I'll get to find out

A conversation that i had with my co-worker today. I was having trouble getting into UAT to troubleshoot.

me
i lost access to UAT again

co-worker
F. So secure we can't even get in

me:
lol

co-worker:
I'll email whoever we did last

me:
i can get through the first phase(where you enter pin+rsa)
it denies me access after that
says bad username or password

co-worker:
Oh ok. Prolly just need to reset your pwd then. I'll find the email for helpdesk and fwd.
At least ur RSA works.

me:
yeah what a joy

co-worker:
If it's locked you may need to try from a Windows box. Horizon is bugged on Mac where the submit button stays disabled even when you type a pwd.

me:
i couldnt contain my happiness that my RSA worked
😃

co-worker:
Yeah it's exhilarating
Whenever I pick up my rsa token my life re-finds it's purpose and I feel like I'm meddling through a field of sunflowers.

I once tried to get my RSA token tattooed but it switched too quick.

me:
lol its faster that Usain Bolt

co worker:
Russia got kicked out because of their RSA tokens

# NEED SUGGESTIONS

I am working on a secure end to end encrypted note taking web application. I am the sole developer and working on weekends and will make it open source.

The contents you save will be end to end encrypted, and server won't save the key, so even I can't read or NSA or CIA.

So I wanted to know if the idea is good? There are lot of traditional note sharing apps like Google Keep and Evernote. But they store your stuff in plaintext. So as a user will u switch to this secure solution?