I feel like a fucking abomination at the moment.

I have been working on an app that is almost like Wireshark. More so for practice than anything else.

I decided that today I would try it out on the network here at my house, so I started the packet sniffer and wanted to see what was going on. I was checking for unencypted text (like telnet and whatnot) and came across this odd address that I hadn't seen before.

I did something that I shouldn't have done, and I fucking clicked and did the equivalent of "follow TCP stream" on wireshark. I fucking went and looked what the text being sent over this fucking network was.

It was my girlfriend, using fuck knows what messenger, but it was unencrypted. I just found out that she is cheating on me. I don't want to go into what the texts exactly say, because it fucking hurts me deep down.

Why didn't she just use whatsapp or something, fuck man. I really don't need this in life at the moment. I am genuinely trying to get my shit in order, I have been coding my ass off at night for extra money to make it, I have been working overtime where I can - fuck I have even tried sucking up to management (I would never do this under normal circumstances) - and to top this off, the motherfucking tax man is giving me hell.

Fuck sakes.

If you want to cheat, fucking do it properly. Because I am in a state of pure sadness and hatred and the moment - and I don't know what the fuck to do.

So the new mass surveillance law will be going into effect from the 1st of January.

Of course, since I'm very keen on my security/privacy, I'm going to implement some precautions.

- A few vps's connecting to tor, i2p and VPN provider so that I can always use a secure connection.

- Setup anti tracker/ads/etc etc shit on the VPS's. Probably through DnsMasq and the hosts file.

- Use Tor browser by default. I've tried this for a while now and damn, the tor network has become way faster than only even a year ago! Some pages literally only take a few seconds to load.

- Wipe my laptop, encrypt the harddrive and at least put QubesOS on it together with probably a few other systems.

- Ungoogle my new phone, use it with VPN by default.

- Get rid of all non encrypted communication services. I think that only leaves me with a few account removals because I haven't chatted unencrypted for nearly a fucking year now.

If anyone has any more ideas, please share!

Manager: "The password must be encrypted to store it inside the database."
Me: "Great! No problem."
Manager: "Then it must have a copy of the unencrypted password to send it by email."
😐

"We don't need to invest in security - noone is going to hack us anyway" == "We don't need a fire department in our city - fire is not going to start here anyway"

We don't need to invest in security - everything is public anyway" == "We don't need a fire department in our city - our buildings are made out of straws anyway"

-- my thoughts after seing a line in client's spec: "sensitive data is transferred via a secure tcp channel (https) and all the public data is transferred via an unencrypted tcp (http) channel"

My bio professor has a word doc called passwords that she keeps on an unencrypted external hard drive.

She leaves the hard drive in the room with all of her other stuff when she goes for a break between classes.

- devRant TOR rant! -

There is a recent post that just basically says 'fuck TOR' and it catches unfortunate amount of attention in the wrong way and many people seem to aggree with that, so it's about time I rant about a rant!

First of all, TOR never promised encryption. It's just used as an anonymizer tool which will get your request through its nodes and to the original destination it's supposed to arrive at.

Let's assume you're logging in over an unencrypted connection over TOR and your login information was stolen because of a bad exit node. Is your privacy now under threat? Even then, no! Unless of course you had decided to use your personal information for that login data!

And what does that even have to do with the US government having funded this project even if it's 100%? Are we all conspiracy theorists now?

Let's please stop the spread of bs and fear mongering so that we can talk about actual threats and attack vectors on the TOR network. Because we really don't have any other reliable means to stop a widely implemented censorship.

Had a discussion with a developer about security. His software transfers all user data (password and files) unencrypted, so anyone can grab them with wireshark. I told him that this is a severe issue. He said no its no problem because if you get hacked its your own fault, because you probably used an insecure network. NO ! YOU FUCKING MALADJUSTED SHEEP-MOLESTING OBJECT OF EXECRATION, YOU SHOULD ALWAYS ENCRYPT SENSITIVE USERDATA NO MATTER WHAT NETWORK YOU USE. FUCKING KILL ME ALREADY.
Not implementing encryption is one thing but then acting like its no problem is a fucking nother one. Why do people not understand that security of userdata is important???

The tech stack at my current gig is the worst shit I’ve ever dealt with...

I can’t fucking stand programs, especially browser based programs, to open new windows. New tab, okay sure, ideally I just want the current tab I’m on to update when I click on a link.

Ticketing system: Autotask
Fucking opens up with a crappy piss poor sorting method and no proper filtering for ticket views. Nope you have to go create a fucking dashboard to parse/filter the shit you want to see. So I either have to go create a metric-arse tonne of custom ticket views and switch between them or just use the default turdburger view. Add to that that when I click on a ticket, it opens another fucking window with the ticket information. If I want to do time entry, it just feels some primal need to open another fucking window!!! Then even if I mark the ticket complete it just minimizes the goddamn second ticket window. So my jankbox-supreme PC that my company provided gets to strugglepuff along trying to keep 10 million chrome windows open. Yeah, sure 6GB of ram is great for IT work, especially when using hot steaming piles of trashjuice software!

I have to manually close these windows regularly throughout the day or the system just shits the bed and halts.

RMM tool: Continuum
This fucker takes the goddamn soggy waffle award for being utterly fucking useless. Same problem with the windows as autotask except this special snowflake likes to open a login prompt as a full-fuck-mothering-new window when we need to open a LMI rescue session!!! I need to enter a username and a password. That’s it! I don’t need a full screen window to enter credentials! FUCK!!! Btw the LMI tools only work like 70% of the time and drag ass compared to literally every other remote support tool I’ve ever used. I’ve found that it’s sometimes just faster to walk someone through enabling RDP on their system then remoting in from another system where LMI didn’t decide to be fully suicidal and just kill itself.

Our fucking chief asshat and sergeant fucknuts mcdoogal can’t fucking setup anything so the antivirus software is pushed to all client systems but everything is just set to the default site settings. Absolutely zero care or thought or effort was put forth and these gorilla spunk drinking, rimjob jockey motherfuckers sell this as a managed AntiVirus.

We use a shitty password manager than no one besides I use because there is a fully unencrypted oneNote notebook that everyone uses because fuck security right? “Sometimes it’s just faster to have the passwords at the ready without having to log into the password manager.” Chief Asshat in my first week on the job.

Not to mention that windows server is unlicensed in almost every client environment, the domain admin password is same across multiple client sites, is the same password to log into firewalls, and office 365 environments!!!

I’ve brought up tons of ways to fix these problems, but they have their heads so far up their own asses getting high on undeserved smugness since “they have been in business for almost ten years”. Like, Whoop Dee MotherFucking Doo! You have only been lucky to skate by with this dumpster fire you call a software stack, you could probably fill 10 olympic sized swimming pools to the brim with the logarrhea that flows from your gullets not only to us but also to your customers, and you won’t implement anything that is good for you, your company, or your poor clients because you take ten minutes to try and understand something new.

I’m fucking livid because I’m stuck in a position where I can’t just quit and work on my business full time. I’m married and have a 6m old baby. Between both my wife and I working we barely make ends meet and there’s absolutely zero reason that I couldn’t be providing better service to customers without having to lie through my teeth to them and I could easily support my family and be about 264826290461% happier!

But because we make so little, I can’t scrap together enough money to get Terranimbus (my startup) bootstrapped. We have zero expendable/savable income each month and it’s killing my soul. It’s so fucking frustrating knowing that a little time and some capital is all that stands between a better life for my family and I and being able to provide a better overall service out there over these kinds of shady as fuck knob gobblers.

9 days.
9 fucking days without internet.
9 fucked up days with access to a national intranet with the only accessible things being websites with privacy-respect policy of facebook, with all your unencrypted data streaming under dictator hands.

HOW FUCKING HARD CAN IT BE TO NOT STORE PASSWORDS IN CLEARTEXT AND THEN PROCEED TO SEND ME AN UNENCRYPTED EMAIL WITH THE PASSWORD IN IT??? THE SITE HAS A PREMIUM FUCKING SSL AND SAFETY CERTIFICATES YET THEY STILL DON'T COMPLY TO THIS? FUCK YOU! IF IT WASN'T FOR THAT I HAD TO ORDER A NEW SCREEN FOR MY BROKEN PHONE, YOU COULD'VE SUCKED BETTER THAN ME + VACUUM CLEANER.

Sorry abt that. But for real, mytrendphone stores passwords in plain texts and waves a fucking safety certificate in your face...

A few weeks ago I stepped onto the grounds of lovely Canada. Back then - coming from Europe - I was surprised. Free WiFi everywhere without all the bells and whistles of creating an account and such.

Well ... at least I thought so ...

Today I went to a location where they actually charge you for their wireless services - fair enough the coverage area is pretty huge - and provide you with an access coupon. All good my optimistic me told me but once the login page loaded...

There are a lot of things about UX I could rant about but let's put that aside. The coupon came from the office where they KNEW all your contact details but it required you to create an account with all of them again to redeem the coupon.

Not only that but it asked for things like the phone number - obviously asking for a Canadian landline number since hell who uses mobiles anyway with numbers longer than ten characters?! - and even though it had a nice country selection it kept the states field there even when selecting a country that doesn't have states ...
Oh, and on a regular phone screen (which would be the target user for WiFi on a campground I suppose) the input fields for state and zip were occluded by the margins of the input rendering the content invisible.

And if that weren't enough after creating your account they made you watch an ad as if the personal data and the 4$ you paid them wasn't enough for the lousy 400 KB/s you get for 24h ...

Gets better though! After creating the account they display your password to make sure you remembered it ... over a non-secured WiFi network ... and send you an email afterward ... password via unencrypted mail via an unencrypted WIRELESS connection ... not that it protects anything that would matter anyways you can just snoop the MAC of your neighbor and get in that way or for that sake get their password but oh well ...

Gosh, sometimes I just feel the urgent need to find the ones responsible and tell them to GTFO of the IT world ...

Is it just me feeling like this about crappy UI/UX design? Always wondering...

Unencrypted, plain text passwords stored in SQL, from lowest role all the way up through Admin. In the same system, they had a "backdoor" password that would log in any user...

"Wanted: Dangerous PHP Developer"

I edit on live during peak hours with no backups using basic Notepad over an unencrypted network. That dangerous enough?

My GF is a non-tech-savvy linguistics bachelor who uses elementaryOS as her only operating system on her only laptop. I'm not responsible for this, I only helped her install it instead of Windows when she asked me to do so.

She's a living proof that the stereotype of Linux being "too hard" or "exclusively for geeks" is outdated to say the least. Yes, Ubuntu and elementaryOS are not as kewl as Arch and Gentoo, but they are still better than a popular blue-colored American operating system that sends unencrypted screenshots of your desktop to some unknown IP addresses every 10 minutes.

Its been 1 month and still no reply from my university IT department after i inforned them the login was transmitting usernames and passwords unencrypted over http and that the password field was case-insensitive for some fucking reason.

Might have to break out the sniffer and setup a script to automatically email them different students account details until they fix it, i should cc the dean 😂

Can someone please explain to me WHY THE FUCK non devs feel like they know shit. I DON'T GIVE A FUCK ABOUT HOW YOU FOUND SOME UNTRUE SHIT ON GIZMODO. I'VE KNOW SO MUCH ABOUT THIS SHIT, AND YOU LOOKED UP THE FIRST EXAMPLE YOU COULD FIND THE SUPPORTS YOUR CASE. The most recent time this happened was OVER THE LAST FEW DAYS when this DUMBASS that my friends and I BULLY but HE STILL HANGS AROUND. (By bully, yes sometimes we are mean to him, but we're not out to get him. He comes to us and we don't wanna be with him). So after the SEVENTH groupchat (on two apps) he created that night, HE WANTED TO SWITCH BACK TO ANOTHER APP I SPENT A WEEK TRYING TO GET THEM TO SWITCH FROM PREVIOUSLY (It was whatsapp, i got them to switch to telegram). THEN HE TRIED to ARGUE with me about how TELEGRAM wasnt secure. HE SEARCHED "is telegram secure" on Google and chose the FIRST ARTICE from the previously mentioned, GIZMODO which says that TELEGRAM chats ARENT ENCRYPTED by DEFAULT. HOW THE FUCK DO DUMBASSES GET THIS KIND OF PUBLICITY. There's a difference between ENCRYPTION and END TO END DUMBASS. Then he told me whatsapp is more secure than telegram. NO ITS FUCKING NOT. In telegram, your encryption keys CHANGE every chat, or every 100 messages. To my best research, whatsapp only has ONE key per USER. I could go on forever about how chat backups in whatsapp are UNENCRYPTED or how FACEBOOK stores your data, but blocked you works to.

When you find out your password is unencrypted.

Security rant ahead, you have been warned!
As part of a scholarship application, our government requires a scan/copy of the applicant's credit card. Since the IBAN is now on the back, you have to send both sides.
The back is also where the CVC (security code) is. Any bank will strictly tell you NOT TO EVER SHARE IT - not even with them!
To make things even more fun, you now have the option to send this over email which is, of course, NOT ENCRYPTED!!!!!
I'm basically sending all the info needed to steal all my money over an unencrypted connection to an underpaid secretary, who will print it out and leave it on their desk for anyone with decent binoculars to see.
These people are fucking insane!!!!

This is fucking bad. I just stumbled across a database online, unencrypted plain text containing ALL details of thousands of students at my university. Full names, ID number (SSN), student numbers, address, family info, medical aid info, physical fitness reports

What do I do? I was not on any VPN or proxy when I accessed it

Registered an account with a local pizza business and rated them 5* on Yell moments before checking my email and finding they had emailed me my unencrypted password, GREAT NOW I WON'T BE ABLE TO EAT

These dimwits emailed my receipt for my dues (not shown) AND MY USERNAME AND PASSWORD in the same PLAINTEXT UNENCRYPTED email...

Off to go write a cranky email...

I think I finally found a reason to have a phone with 8GB of RAM.
So that when TWRP craps out on data decryption and decides not even to ask for a password, at least I can push a whole fucking ROM into RAM to unfuck the phone. Because why not?! Why on Earth would software work properly when you can just throw more hardware at it?

Long live FBE, TWRP what craps out on it, and you remember those things.. SD cards for data storage? I could've used an unencrypted SD card so fucking badly right now, you know... Long live soldered in storage that's encrypted, "for security". Except for when the person who owns said data actually wants to use the bloody data.

FUCK!

FUCK!
After submitting a registration form I noticed the site is served over plain HTTP. Their marketing site is served encrypted, but login and register are not! What the fuck!!!

Fuck everyone who does this stupid fucking shit with disregard to basic security features! Their goddamn bullshit privacy policy is bragging about how it's top priority to protect their customers' information and shit like that. Get the fuck out, cunts!!

I contacted them so I might have a continuation to this rant if I'm not satisfied with their answers.

Goddamn it!

Major state insurance provider, all past and current members data stored unencrypted (including SSN, date of birth, home address, etc.). All developers and contract developers had read access to it. Reported it, nothing was done. Reported it again in my exit interview. Was basically told they had intrusion detection systems in place so it was not an issue.

A puzzle, just for fun.

Two friends, (a)lice and (b)ob are communicating through a channel encrypted with random numbers XOR'd together, like so:

keyA = randint(1024, 1024**2)
keyB = randint(1024, 1024**2)

msg = randint(1024, 1024**2)

You, an interloper, have watched all these communications, siphoning the packets as they went.

When alice sends a message to bob's mailbox, she does it like so:

mailBoxB = keyA^msg

Bob's mailbox receives the mail automatically, and applies his own key, sending it back to alice's mailbox:

mailBoxA = keyB^mailBoxB

Next, Alice's mailbox notices the message, and automatically removes her key and sends it back to bob's mailbox. All of this, the first message, the second, and the third, happens in milliseconds, the back and forth.

mailBoxB2 = mailBoxA^keyA

Finally, bob's mailbox removes his key, and deposits the now unencrypted message in his box, for him to read in the morning:

mailBoxBFinal = mailBoxB2^keyB

As as a spy, you know the first packet sent to bob, had a value of 589505.

The packet bob sent back to alice, after applying his key, has a value of 326166

The message sent *back* to bob after alice removed *her* key, had a value of:
576941

What are the values of keyA, keyB, and what is the value of the msg?

Social Captain (a service to increase a user's Instagram followers) has exposed thousands of Instagram account passwords. The company says it helps thousands of users to grow their Instagram follower counts by connecting their accounts to its platform. Users are asked to enter their Instagram username and password into the platform to get started.

According to TechCrunch : Social Captain was storing the passwords of linked Instagram accounts in unencrypted plaintext. Any user who viewed the web page source code on their Social Captain profile page could see their Instagram username and password in plain text, as they had connected their account to the platform. A website bug allowed anyone access to any Social Captain user's profile without having to log in ; simply plugging in a user's unique account ID into the company's web address would grant access to their Social Captain account and their Instagram login credentials. Because the user account IDs were for the most part sequential, it was possible to access any user's account and view their Instagram password and other account information easily. The security researcher who reported the vulnerability provided a spreadsheet of about 10,000 scraped user accounts to TechCrunch.

My university has a internal developed system, where everything is managed from e-mails, exams to personal data.

What I'd like most about it, they talk all day about Internet Security and store our passwords in plain text and if you press the "I've forgott my Password button", they even send your password unencrypted, plaintext via e-mail. (Hello Wiresharks)

I don't know how to feel about this, it just hurts :(

Hmm...recently I've seen an increase in the idea of raising security awareness at a user level...but really now , it gets me thinking , why not raise security awareness at a coding level ? Just having one guy do encryption and encoding most certainly isn't enough for an app to be considered secure . In this day an age where most apps are web based and even open source some of them , I think that first of all it should be our duty to protect the customer/consumer rather than make him protect himself . Most of everyone knows how to get user input from the UI but how many out here actually think that the normal dummy user might actually type unintentional malicious code which would break the app or give him access to something he shouldn't be allowed into ? I've seen very few developers/software architects/engineers actually take the blame for insecure code . I've seen people build apps starting on an unacceptable idea security wise and then in the end thinking of patching in filters , encryptions , encodings , tokens and days before release realise that their app is half broken because they didn't start the whole project in a more secure way for the user .

Just my two cents...we as devs should be more aware of coding in a way that makes apps more secure from and for the user rather than saying that we had some epic mythical hackers pull all the user tables that also contained unhashed unencrypted passwords by using magix . It certainly isn't magic , it's just our bad coding that lets outside code interact with our own code .

Sent patient health information in a screenshot of a bug I found, unencrypted, through email. No one thought to mention the test DB had real patient info. 😐

Mozilla will update the browser to DNS-over-HTTPS security feature to all Firefox users in the U.S. by default in the coming weeks.

According to the report of TechCrunch : Whenever you visit a website ; even if it's HTTPS enabled, the DNS query that converts the web address into an IP address that computers can read is usually unencrypted. DNS-over-HTTPS or DoH encrypts the request so that it can not be intercepted or hijacked in order to send a user to a malicious site. These unencrypted DNS queries can also be used to snoop on which websites a user visits. The feature relies on sending DNS queries to third-party providers such as Cloudflare and NextDNS which will have their DoH offering into Firefox and will process DoH queries. Mozilla also said it plans to expand to other DoH providers and regions.

Fuck windows and fuck policies that read my hdd as unencrypted forcing me to restart in the middle of a massive data transfer operation. That is all.

Diffi-Hellman is actual magic. You can exchange keys over an unencrypted channel and end up with guarenteed unique keys, on which you can start a secure channel

Like how??

PSA Cloudflare had a bug in there system where they were dumping random pieces of memory in the body of HTML responses, things like passwords, API tokens, personal information, chats, hotel bookings, in plain text, unencrypted. Once discovered they were able to fix it pretty quickly, but it could have been out in the wild as early as September of last year. The major issue with this is that many of those results were cached by search engines. The bug itself was discovered when people found this stuff on the google search results page.

It's not quite end of the world, but it's much worse than Heartbleed.

Now excuse me this weekend as I have to go change all of my passwords.

I dug up my old ledger web app that I wrote when I was in my late twenties, as I realized with a tight budget toward the end of this year, I need to get a good view of future balances. The data was encrypted in gpg text files, but the site itself was unencrypted, with simple httpasswd auth. I dove into the code this week, and fixed a lot of crap that was all terrible practice, but all I knew when I wrote it in the mid-2000s. I grabbed a letsencrypt cert, and implemented cookies and session handling. I moved from the code opening and parsing a large gpg file to storing and retrieving all the data in a Redis backend, for a massive performance gain. Finally, I switched the UI from white to dark. It looks and works great, and most importantly, I have that future view that I needed.

If I were to change all my passwords into hashes (so take a random word and hash it, ex 'table') and then use those on various websites, would people ever guess that my password is _an actual hash_ rather than a password in hashed form if they were to see it? Would such a meta-hash be safer if 'hackers' were to find it unencrypted?

A hidden page that you enter a user name and it displays the encrypted and unencrypted versions of their password... It was quickly deleted after I stumbled across it. I assume it was to test a homemade encryption algorithm that wasn't worth much anyway, passwords shouldn't be reversible

I'm studying a mix of computer science and engineering. This semester we were tasked with hacking a "smart-production"-production-machine.... And OMFG it's shit!

This is a product by a major company and it's version 4... How the fuck is it this bad?
Like, using the same 5-letter password on all the PLC's FOR THE ROOT USER!!! WTF!!! AND open, unencrypted Telnet.....
This is a million dollar machine and, as soon as a hacker is on the same network it is done for! wtf.... I just can't believe how easy it was to get in and reek havoc.

Got a new job. Its all good. Fun work, great colleagues and good pay. However, last week they mandated some new surveillance tech so all network traffic is unencrypted, logged, stored and analyzed.

Should I stay or should I go? I am big into privacy. What would you do?

It’s really easy to gain administrative access on unencrypted windows machines with a single usb. You know what’s also easy? Extracting admin passwords with mimikatz.

Edit: this was back in 5th grade

Reading "duh... that link looks sketchy" time after time when attempting to nudge people in the direction of good resources, e.g., on-line manual pages, becomes rather irritating. Is typing the URL into VirusTotal or something really such a fucking hassle? Are you sufficiently special to warrant the creation of an IP grabber which is dedicated to targeting you... AFTER you posted your exact location on Instagram last week?

Similarly, some pants-shitting, worm-eating troglodytes who have the gall to claim to know anything about cybersecurity STILL think that for all Web sites k, that k's URL begins with "https" implies that k is secure. NO! Unencrypted Web sites are FINE unless sensitive information is being transferred. Are publicly available manual pages sensitive information now?

Grabbing the campaign hat and writing death threats and very personal insults is sometimes slightly tempting.

Signed up for an account on an online store, which then proceeded to send me my full password in plaintext, and in an unencrypted email.

Sent them an email 3 weeks ago detailing the security issue (i was extremely nice about it), but no response.

What else can i do?

There are tools i use more often, but a place in my heart is reserved for ILSpy.

It shows IL code as c# code and it helped me so much at understanding how components work.

Best moment was when a support guy from a company told me stuff that wasn't correct according to the code...

...no need to tell him. Hope it stays unencrypted :-D

I don't get it

why is it that people still use FTP?

Like, in current, fairly recent (2018) projects, for public downloads.
I get that when you're just hosting public files without any authentication you don't need to worry about the unencrypted passwords, but like
the random ports are a shitty and annoying practice and also http exists just let your custom patcher program download the release from github where it's already available

Apparently,some universities don’t understand it’s not a good idea to send passwords ove an unencrypted connection. And btw, post requests work the same as get ones, it’s not more secure.

Not going to put the website for privacy reasons, but 🖕 this university!🖕🖕

When you send the client an encrypted mail and he answers a quick "Thanks" ... Unencrypted.

my sophomore year of highschool I went to a public hangout / study area after class was over and installed a raspberry pi above the ceiling tile. I ran a cord along the wall and into the ceiling to power the device. I ran a sniffing script over the next few weeks and collected all the user/pass data that went through in plaintext. You'd be surprised what goes unencrypted... ;)

First I thought I finally found some public WiFi which isn't unencrypted (Password was on a sign outside).

*Opens WiFi settings*

*WiFi is unencrypted*

Huh? *Connects*

*Sign in page opens up which asks for the password*

Well... VPN is the way to go...

For those wondering why so many people are leaving GitHub, it is due to the fact Microsoft is part of the PRISM surveillance program, where the NSA and other agencies can get their hands on your raw, unencrypted data without anyone knowing.

This is the reason 2 companies and 20ish devs gave me as to why they moved from GitHub to a self hosted Gitlab