Do all the things like ++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatarSign Up
Get a devDuck
Rubber duck debugging has never been so cute! Get your favorite coding language devDuckBuy Now
Search - "thanks for my password"
I had a secondary Gmail account with a really nice short nickname (from the early invite/alpha days), forwarded to another of my mailboxes. It had a weak password, leaked as part of one of the many database leaks.
Eventually I noticed some dude in Brazil started using my Gmail, and he changed the password — but I still got a copy of everything he did through the forwarding rule. I caught him bragging to a friend on how he cracked hashes and stole and sold email accounts and user details in bulk.
He used my account as his main email account. Over the years I saw more and more personal details getting through. Eventually I received a mail with a plaintext password... which he also used for a PayPal account, coupled to a Mastercard.
I used a local website to send him a giant expensive bouquet of flowers with a box of chocolates, using his own PayPal and the default shipping address.
I included a card:
"Congratulations on acquiring my Gmail account, even if I'm 7 years late. Thanks for letting me be such an integral part of your life, for letting me know who you are, what you buy, how much you earn, who your family and friends are and where you live. I've surprised your mother with a cruise ticket as you mentioned on Facebook how sorry you were that you forgot her birthday and couldn't buy her a nice present. She seems like a lovely woman. I've also made a $1000 donation in your name to the EFF, to celebrate our distant friendship"33
I was 15 years old and the first year of high school. Everything was new to me and I was such a newbie. At that time I had 2-3 year of programming behind me at an institution where they taught competitive programming. And I knew something about computers. Not much but more than most of my school mates. At that time I wanted to become "super cool hacker".
So we had this very very thought teacher for history which was also our form master. She really knows how to explained everything about history and in an interesting way. But while she was teaching we also had to write down notes from her powerpoints that were on a projector. And occasionally she would wait for us to copy everything and then move on with her lecture. But sometimes she didn't. This was frustrating as hell. The whole class would complain about this because you couldn't take notes down normal, you had to do it at double speed.
But she got one weak spot. She was not very good with computers. Our school computers were locked in some kinda closet so that students didn't have physical access to a computer and were also password protected. So I came up with the plan to plant wireless mouse in her computer so that I could control her mouse. At that time it seemed like SUPER HACKER MASTER PLAN.
So I got an opportunity one time when she left the classroom and let closet where the computer was open. I quickly sneaked the USB of the wireless mouse in the computer and then go back to the seat.
So THE FUN began.
Firstly I would only go back in powerpoint so that all my schoolmates could write down notes including me. And it was hilarious to watch when she didn't know what is happening. So then I would move her mouse when she tried to close some window. I would just move it slightly so she wouldn't notice that somebody else is controlling mouse. And by missing X button just by slight she would click other things and other things would pop up and now she had to close this thing so it became a nightmare for her. And she would become angry at the mouse and start complaining how the computer doesn't work and that mouse doesn't obey her.
One time when she didn't pay attention to her computer and projector I went to paint program and drew a heart and wrote we love you (In Slovenian Imamo vas radi -> See the picture below) and one of my school mates has the picture of it. We were all giggling and she didn't know what is was for. And I managed to close everything before she even noticed.
So it got to the point where she couldn't hand it more so she called our school IT guy so that he would check her computer (2 or 3 weeks passed before she called IT guy). And he didn't find anything. He was really crappy IT guy in general. So one week passed by and I still had messed with her mouse. So she got a replacement computer. Who would guessed all the problems went away (because I didn't have another mouse like that). I guess when our IT guy took the computer to his room and really thoroughly check it he found my USB.
So he told her what was the problem she was so pissed off really I didn't see her pissed off so much in all my 4 years in high school. She demanded the apology from whom did it. And at that moment my mind went through all possible scenarios... And the most likely one was that I was going to be expelled... And I didn't have the balls to say that I did it and I was too afraid... Thanks to God nobody from my school mates didn't tell that it was me.
While she waited that somebody would come forward there was one moment when our looks met and at that moment both of us knew that I was the one that did it.
Next day the whole class wrote the apology letter and she accepted it. But for the rest of 4 years whenever was there a problem with the computer I had to fixed it and she didn't trust anybody not even our IT guy at school. It was our unwritten contract that I would repair her computer to pay off my sin that I did. And she once even trusted me with her personal laptop.
So to end this story I have really high respect for her because she is a great teacher and great persons that guide me through my teen years. And we stayed in contact.17
I was in a hostel in my high school days.. I was studying commerce back then. Hostel days were the first time I ever used Wi-Fi. But it sucked big time. I'm barely got 5-10Kbps. It was mainly due to overcrowding and download accelerators.
So, I decided to do something about it. After doing some research, I discovered NetCut. And it did help me for my purposes to some extent. But it wasn't enough. I soon discovered that my floor shared the bandwidth with another floor in the hostel, and the only way I could get the 1Mbps was to go to that floor and use NetCut. That was riskier and I was lazy enough to convince myself look for a better solution rather than go to that floor every time I wanted to download something.
My hostel used Netgear's routers back then. I decided to find some way to get into those. I tried the default "admin" and "password", but my hostel's network admin knew better than that. I didn't give up. After searching all night (literally) about how to get into that router, I stumbled upon a blog that gave a brief info about "telnetenable" utility which could be used to access the router from command line. At that time, I knew nothing about telnet or command line. In the beginning I just couldn't get it to work. Then I figured I had to enable telnet from Windows settings. I did that and got a step further. I was now able to get into the router's shell by using default superuser login. But I didn’t know how to get the web access credentials from there. After googling some and a bit of trial and error, I got comfortable using cd, ls and cat commands. I hoped that some file in the router would have the web access credentials stored in cleartext. I spent the next hour just using cat to read every file. Luckily, I stumbled upon NVRAM which is used to store all config details of router. I went through all the output from cat (it was a lot of output) and discovered http_user and http_passwd. I tried that in the web interface and when it worked, my happiness knew no bounds. I literally ran across the floor screaming and shouting.
I knew nothing about hiding my tracks and soon my hostel’s admin found out I was tampering with the router's settings. But I was more than happy to share my discovery with him.
This experience planted a seed inside me and I went on to become the admin next year and eventually switch careers.
So that’s the story of how I met bash.
Thanks for reading!10
Thanks, I am happy to be sharing my payment details with your company.
ATTACHED TO THE LOGIN DETAILS YOU EMAILED ME!6
I'm a member of an international hacker group.
As you could probably have guessed, your account [email@example.com] was hacked, because I sent message you from it.
Now I have access to you accounts!
For example, your password for [firstname.lastname@example.org] is [RANDOM_ALPHABET_HERE]
Within a period from July 7, 2018 to September 23, 2018, you were infected by the virus we've created, through an adult website you've visited.
So far, we have access to your messages, social media accounts, and messengers.
Moreover, we've gotten full damps of these data.
We are aware of your little and big secrets...yeah, you do have them. We saw and recorded your doings on porn websites. Your tastes are so weird, you know..
But the key thing is that sometimes we recorded you with your webcam, syncing the recordings with what you watched!
I think you are not interested show this video to your friends, relatives, and your intimate one...
Transfer $700 to our Bitcoin wallet: 13DAd45ARMJW6th1cBuY1FwB9beVSzW77R
If you don't know about Bitcoin please input in Google "buy BTC". It's really easy.
I guarantee that after that, we'll erase all your "data" :)
A timer will start once you read this message. You have 48 hours to pay the above-mentioned amount.
Your data will be erased once the money are transferred.
If they are not, all your messages and videos recorded will be automatically sent to all your contacts found on your devices at the moment of infection.
You should always think about your security.
We hope this case will teach you to keep secrets.
Take care of yourself.
>> RE >>
Well f### you, thanks for telling my password which is obviously fake. I have sent your details to the local police department, shall rest in peace. Don't earn money by this kind of action. STUPID!19
I really, honestly, am getting annoyed when someone tells me that "Linux is user-friendly". Some people seem to think that because they themselves can install Linux, that anyone can, and because I still use Windows I'm some sort of a noob.
So let me tell you why I don't use Linux: because it never actually "just works". I have tried, at the very least two dozen times, to install one distro or another on a machine that I owned. Never, not even once, not even *close*, has it installed and worked without failing on some part of my hardware.
My last experience was with Ubuntu 17.04, supposed to have great hardware and software support. I have a popular Dell Alienware machine with extremely common hardware (please don't hate me, I had a great deal through work with an interest-free loan to buy it!), and I thought for just one moment that maybe Ubuntu had reached the point where it just, y'know, fucking worked when installing it... but no. Not a chance.
It started with my monitors. My secondary monitor that worked fine on Windows and never once failed to display anything, simply didn't work. It wasn't detected, it didn't turn on, it just failed. After hours of toiling with bash commands and fucking around in x conf files, I finally figured out that for some reason, it didn't like my two IDENTICAL monitors on IDENTICAL cables on the SAME video card. I fixed it by using a DVI to HDMI adapter....
Then was my sound card. It appeared to be detected and working, but it was playing at like 0.01% volume. The system volume was fine, the speaker volume was fine, everything appeared great except I literally had no fucking sound. I tried everything from using the front output to checking if it was going to my display through HDMI to "switching the audio sublayer from alsa to whatever the hell other thing exists" but nothing worked. I gave up.
My mouse? Hell. It's a Corsair Gaming mouse, nothing fancy, it only has a couple extra buttons - none of those worked, not even the goddamn scrollwheel. I didn't expect the *lights* to work, but the "back" and "Forward" buttons? COME ON. After an hour, I just gave up.
My media keyboard that's like 15 years old and is of IBM brand obviously wasn't recognized. Didn't even bother with that one.
Of my 3 different network adapters (2 connectors, one wifi), only one physical card was detected. Bluetooth didn't work. At this point I was so tired of finding things that didn't work that I tried something else.
My work VPN... holy shit have you ever tried configuring a corporate VPN on Linux? Goddamn. On windows it's "next next next finish then enter your username/password" and on Linux it's "get this specific format TLS certificate from your IT with a private key and put it in this network conf and then run this whatever command to...." yeah no.
And don't get me started on even attempting to play GAMES on this fucking OS. I mean, even installing the graphic drivers? Never in my life have I had to *exit the GUI layer of an OS* to install a graphic driver. That would be like dropping down to MS-DOS on Windows to install Nvidia drivers. Holy shit what the fuck guys. And don't get me started on WINE, I ain't touching this "not an emulator emulator" with a 10-foot pole.
And then, you start reading online for all these problems and it's a mix of "here are 9038245 steps to fix your problem in the terminal" and "fucking noob go back to Windows if you can't deal with it" posts.
It's SO FUCKING FRUSTRATING, I spent a whole day trying to get a BASIC system up and running, where it takes a half-hour AT MOST with any version of Windows. I'm just... done.
I will give Ubuntu one redeeming quality, however. On the Live USB, you can use the `dd` command to mirror a whole drive in a few minutes. And when you're doing fucking around with this piece of shit OS that refuses to do simple things like "playing audio", `dd` will restore Windows right back to where it was as if Ubuntu never existed in the first place.
Thanks, `dd`. I wish you were on Windows. Your OS is the LEAST user friendly thing I've ever had to deal with.26
Well, i have a few stories i would like to share with you :)
My neighbour asked me to fix her webcam.
I told her: But I am a programmer, not a repair service .
Next time my neighbour forgot her Skype password. Se asked me to hack it for her.
I told her: But I am a programmer, not a hacker.
My sister asked me to help her out in her program, because of some bug. Well, she is in the other part of the Country. But, i said, lets give it a try.
Well, it turned out to be some kind of mechanical remote scanner, with needed that exact same remote locally.
I told her: But I am a programmer, not a fictional remote signal scanner repairer.
My grandpa asked me, to copy his old gmail emails into his new laptop.
Well, i told him to log in. He logged in. Than i told him: It is done :D
Thanks for reading it :)6
Thanks to mandatory password change, today:
- My windows account got locked because my phone kept logging into wifi using
- Google Hangouts were silently running in background with old session until I re-opened it. Work of others delayed by 4 hours due to missing message notifications.
- Docker for Windows lost credentials needed to use SMB mounts - 1h of debugging why my containers mount empty folders ( now I will know)
- Google G-Sync for Outlook asked for new password on outlook restart - few mails delayed.
All of that for sake of security that could be easily solved with 2FA instead, not faking that "I do not change number at the end of my password"
Discord and captchas can go get fucked in the ass by a rusty, tetanus ridden 2m pole....
I changed my discord-password yesterday and, naturally it prompted me for a login today. So I enter my new password and that motherfucking spawn from satans anus himself with the name of captcha threw itself at me... I seriously had to select fucking street signs for about 5min before Discord let me know that I apparently logged in from a new IP (thanks VPN) and therefore needed to confirm my e-Mail address. Alright, so off to my inbox I go.
SURPRISE, I also changed my password there yesterday (LastPass Security Challenge, I changed like 30 passwords yesterday) and guess what was waiting for me?... If you guessed a captcha, you just got full fucking marks. So I was busy selecting busses and streets for the next 3min again before I could finally log into that piece of trash and autorize my IP-address and log into Discord5
tldr; Windows security sucks. You as a org-admin cant do anything about it. Encrypt your device. Disable USB Live boot in the bios and protect it with a STRONG password.
First of i just want to say that i DO NOT want to start the good ol' Linux VS Windows debate. I'm just ranting about Windows Security here...
Second, here's why i did all of this. I did all of this mainly becuase i wanted to install some programs on my laptop but also to prove that you can't lock down a Windows pc. I don't recomend doing this since this is against the contract i signed.
So when i got my Laptop from my school i wanted to install some programs on it, sush as VS Code and Spotify. They were not avalible in the 'Software Center' so i had to find another way. Since this was when we still used Windows 7 it was quite easy to turn sticky keys in to a command prompt. I did it this way (https://github.com/olback/...). I decided to write a tutorial while i was at it becuase i didn't find any online using this exact method. I couldn't boot from a USB cause it's disabled in the bios wich is protected by a password. Okey, Sticky keys are now CMD. So let's spam SHIFT 5 times before i log in? Yeah, thanks for the command promt. Running 'whoami' returned 'NT SYSTEM'. Apparantly NT System has domain administator rights wich allowed me to make me an Administrator on the machine. So i installed Everything i wanted, Everything was fine untill it was time to migrate to a new domain. It failed of course. So i handed my Laptop to the IT retards (No offense to people working in IT and managing orgs) and got it back the day after, With Windows 10. Windows 10 is not really a problem, i don't mind it. The thing is, i can't use any of the usual Sticky keys to CMD methods since they're all fixed in W10. So what did i do? Moved the Laptop disk to my main PC and copied cmd.exe to sethc.exe. And there we go again. CMD running as NT System on Windows 10. Made myself admin again, installed Everything i needed. Then i wanted to change my wallpaper and lockscreen, had to turn to PowerShell for this since ALL settings are managed by my School. After some messing arround everything is as i want it now.
'Oh this isnt a problem bla bla bla'. Yes, this is a problem. If someone gets physical access your PC/Laptop they can gain access to Everything on it. They can change your password on it since the command promt is running as NT SYSTEM. So please, protect your data and other private information you have on your pc. Encypt your machine and disable USB Live boot.
Have a good wekend!
*With exceptions for spelling errors and horrible grammar.4
TL;DR: Google asked me to PROVIDE a phone number to verify connection from a new device, on the said device.
Yesterdayto log into my work Google account from my personal laptop to check emails, calendars update and so on. I opened up a private navigation window, went to Google sign-in page, entered my credentials, all is well.
Google then decided to "verify it's me" and prompted me to PROVIDE a phone number (work account without work phone means no phone number set up) so that they can send a verification code to the number I just provided to make sure the connection is legit.
Didn't want to do that, clicked "use another method" and got asked to fill the last password I remember, which would be my current password thanks to my trusty password manager. After submitting, I'm prompted with an error saying I have to contact my admin to reset my password because they can't log me in with my CURRENT password.
I ain't gonna do that, so went back to login page, provided my phone number, got the code, filled in the code, next thing I know I'm browsing through my emails.
What the duck? Could have been anybody giving any phone number. So much for extra security.
Also don't care that they have my phone number, the issue is more about the way used to obtain it: locking me out of my account and having no other way of logging in.6
tldr: Fuck Apple AND Microsoft...
Tried to check my "me" email today (iCloud)... and well it's apparently "locked" for god only knows what reason, and they will only let me recover it through a Hotmail account that I haven't used in >10years.. So I tried that and after one login attempt outlook.com is telling me "you've entered too many wrong password attempts, you must reset your password"... ugh OK, so I hit the button and it's asking me "my" security question.. 'where did you and your spouse meet?'.. wtf? I'm not married now nor was I @12yrs old when I made this account....
Well thanks so I guess that's fucked for forever...7
I am trying to "invent" secure client-side authentication where all data are stored in browser encrypted and only accessible with the correct password. My question is, what is your opinion about my idea. If you think it is not secure or there is possible backdoor, let me know.
- test string (hidden, random, random length)
- password again
- hash test string with sha-512
- encrypt test string with password
- save hash of test string
- decrypt test string
- hash decrypted string with sha-512
- compare hashes
- create password hash sha-512 (and delete password from memory, so you cannot get it somehow - possible hole here because hash is reversible with brute force)
// DATA PROCESSING
- encrypt/decrypt with password hash as secret (AES-256)
EDIT: Maybe some salt for test string would be nice8
Just moved flats with a last minute confirmation, sadly the flat in question is not eligible for fibre broadband (high-rise) so had to settle for good old ASDL.
Find a good deal (as all providers are offering the same speeds/technology, all ASDL broadband is provided in the UK through BT landlines) to discover there is a mandatory 2 week waiting period to switch over ownership...
Fine, will wait 10 days for internet (torture except from dev rant on mobile internet, thanks for being text only), box arrives 3 days ago stating not to plug it in until activation date...
Fine I shall wait, today I get impatient and setup the router without connecting it to the landline so I can use the WiFi to connect to my Nas etc, login to WiFi navigate to Nas IP .... Automatic reroute to "login" page "We have detected your router is not connected to the landline, ensure your router is properly connected". Try logging into management site, works, change admin password etc. No setting to disable "self heal" functionality. No setting to setup static routes for my lab router, No setting to switch to modem only mode for when I inevitably buy a new wireless router for when this piece of crap can't handle the internal network traffic...
All this for a pitiful 10/? Mbps average, I want my fibre connection back :'(2
I've been wondering about renting a new VPS to get all my websites sorted out again. I am tired of shared hosting and I am able to manage it as I've been in the past.
With so many great people here, I was trying to put together some of the best practices and resources on how to handle the setup and configuration of a new machine, and I hope this post may help someone while trying to gather the best know-how in the comments. Don't be scared by the lengthy post, please.
The following tips are mainly from @Condor, @Noob, @Linuxxx and some other were gathered in the webz. Thanks for @Linux for recommending me Vultr VPS. I would appreciate further feedback from the community on how to improve this and/or change anything that may seem incorrect or should be done in better way.
1. Clean install CentOS 7 or Ubuntu (I am used to both, do you recommend more? Why?)
2. Install existing updates
3. Disable root login
4. Disable password for ssh
5. RSA key login with strong passwords/passphrases
6. Set correct locale and correct timezone (if different from default)
7. Close all ports
8. Disable and delete unneeded services
9. Install CSF
10. Install knockd (is it worth it at all? Isn't it security through obscurity?)
11. Install Fail2Ban (worth to install side by side with CSF? If not, why?)
12. Install ufw firewall (or keep with CSF/Fail2Ban? Why?)
13. Install rkhunter
14. Install anti-rootkit software (side by side with rkhunter?) (SELinux or AppArmor? Why?)
15. Enable Nginx/CSF rate limiting against SYN attacks
16. For a server to be public, is an IDS / IPS recommended? If so, which and why?
17. Log Injection Attacks in Application Layer - I should keep an eye on them. Is there any tool to help scanning?
If I want to have a server that serves multiple websites, would you add/change anything to the following?
18. Install Docker and manage separate instances with a Dockerfile powered base image with the following? Or should I keep all the servers in one main installation?
19. Install Nginx
20. Install PHP-FPM
21. Install PHP7
22. Install Memcached
23. Install MariaDB
24. Install phpMyAdmin (On specific port? Any recommendations here?)
I am sorry if this is somewhat lengthy, but I hope it may get better and be a good starting guide for a new server setup (eventually become a repo). Feel free to contribute in the comments.22