Search - "unsecure"
-
One of our customers thought it would be too unsecure to send us his AWS credentials by email. So he printed it and sent it as registered mail to us. The password we received was "hallo123".
-
The first time I decided to hack around a bit :D
One of my teachers made a quiz software, which is only used by him (his lectures are about databases), and it is highly unsecure. When I heard that it is written in C# I decided to look in its source code. The biggest problem I ran into: this program is only available on the computers in his classroom, and he monitors the computers' displays. However, I successfully put it onto my pendrive without getting caught.
So when I got home, I just had to use a .NET decompiler (in this case: dotPeek) to get the fully functional source code. The basic function of the program was to download a quiz from his database server, and when it was finished, grade it client-side. Then, I realized how bad it was: It contains the number of questions, the number of correct and incorrect answers.
I've just made a modified .exe, which contained really little modification (like correctAnswers=maxQuestions, incorrectAnswers=0). Everything looks the same, you just have to click over it, and every time it will return with 100%.
And the bonus: The program connects to the database as a user with root access, and without password. I was able to log in, download (dropping was available too, but didn't try) databases (with all the answers) and so on.
Never had to use it though, it was just a sort-of experience gaining. :)
-
Today 🙄
This dev goes "I connect using plain FTP over a VPN to update why can't you!?"
Because it's unsecure you fucking idiot.
His FTP server can't even do secure connections. Somehow.
Guess I have a new site to take over 😏
-
I've found and fixed any kind of "bad bug" I can think of over my career from allowing negative financial transfers to weird platform specific behaviour, here are a few of the more interesting ones that come to mind...
#1 - Most expensive lesson learned
Almost 10 years ago (while learning to code) I wrote a loyalty card system that ended up going national. Fast forward 2 years and by some miracle the system still worked and had services running on 500+ POS servers in large retail stores uploading thousands of transactions each second - due to this increased traffic to stay ahead of any trouble we decided to add a load balancer to our backend.
This was simply a matter of re-assigning the IP and would cause 10-15 minutes of downtime (for the first time ever), we made the switch and everything seemed perfect. Too perfect...
After 10 minutes every phone in the office started going berserk - calls were coming in about store servers irreparably crashing all over the country taking all the tills offline and forcing them to close doors midday. It was bad and we couldn't conceive how it could possibly be us or our software to blame.
Turns out we made the local service write any web service errors to a log file upon failure for debugging purposes before retrying - a perfectly sensible thing to do if I hadn't forgotten to check the size of or clear the log file. In about 15 minutes of downtime each store's error log proceeded to grow and consume every available byte of HD space before crashing Windows.
#2 - Hardest to find
This was a true "Nessie" bug.. We had a single codebase powering a few hundred sites. Every now and then at some point the web server would spontaneously die and vomit a bunch of SQL statements and sensitive data back to the user causing huge concern but I could never remotely replicate the behaviour - until 4 years later it happened to one of our support staff and I could pull out their network & session info.
Turns out years back when the server was first set up each domain was added as an individual "Site" on IIS but shared the same root directory and hence the same session path. It would have remained unnoticed if we had not grown but as our traffic increased every so often 2 users of different sites would end up sharing a session id causing the server to promptly implode on itself.
#3 - Most elegant fix
Same bastard IIS server as #2. Codebase was the most unsecure unstable travesty I've ever worked with - SQL injection vulns in EVERY URL, SQL statements stored in COOKIES... this thing was irreparably fucked up but had to stay online until it could be replaced. Basically every other day it got hit by bots and ended up sending bluepill spam or mining shitcoin and I would simply delete the instance and recreate it in a semi un-compromised state which was an acceptable solution for the business for uptime... until we were DDoS'ed for 5 days straight.
My hands were tied and there was no way to mitigate it except for stopping individual sites as they came under attack and starting them after it subsided... (for some reason they seemed to be targeting by domain instead of IP). After 3 days of doing this manually I was given the go-ahead to use any resources necessary to make it stop and especially since it was IIS6 I had no fucking clue where to start.
So I stuck to what I knew and deployed a $5 VM running an Nginx reverse proxy with heavy caching and rate limiting linked to a custom fail2ban plugin in front of the insecure server. The attacks died instantly, the server sped up 10x and was never compromised by bots again (presumably since they got back a Linux user agent). To this day I marvel at this miracle $5 fix.
-
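The failure mode in #1 of the rant above (an error written to a log file before every retry, with nothing limiting the file's size) can be shown next to a size-capped version. This is an added example, not code from the original post; the cap values, file name, logger names and error text are assumptions constructed for the illustration.

```python
import logging
import logging.handlers
import os
import tempfile

MAX_BYTES = 64 * 1024   # assumed cap per log file
BACKUPS = 2             # assumed number of rotated files kept
DISK_CEILING = MAX_BYTES * (BACKUPS + 1)   # worst-case footprint when bounded


def simulate_outage(log_dir, failed_attempts, bounded=True):
    """Log one error per failed upload attempt, as the service in the rant did
    before each retry, and return the bytes the logs occupy afterwards."""
    path = os.path.join(log_dir, "upload_errors.log")
    if bounded:
        # Rolls over before a file would exceed MAX_BYTES and deletes the
        # oldest backup, so disk use cannot pass DISK_CEILING.
        handler = logging.handlers.RotatingFileHandler(
            path, maxBytes=MAX_BYTES, backupCount=BACKUPS, encoding="utf-8")
    else:
        # The behaviour described in the rant: append forever.
        handler = logging.FileHandler(path, encoding="utf-8")
    handler.setFormatter(logging.Formatter("%(asctime)s %(levelname)s %(message)s"))
    logger = logging.getLogger("pos-upload-" + log_dir)
    logger.propagate = False
    logger.addHandler(handler)
    try:
        for attempt in range(failed_attempts):
            # Constructed error text standing in for a web-service failure.
            logger.error("upload attempt %d failed: connection refused; payload=%s",
                         attempt, "x" * 120)
    finally:
        logger.removeHandler(handler)
        handler.close()
    return sum(os.path.getsize(os.path.join(log_dir, name))
               for name in os.listdir(log_dir))


def compare(failed_attempts=5000):
    """Run the same outage against both handlers; returns (bounded, unbounded) bytes."""
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        return (simulate_outage(a, failed_attempts, bounded=True),
                simulate_outage(b, failed_attempts, bounded=False))


if __name__ == "__main__":
    capped, uncapped = compare()
    print(f"bounded: {capped} bytes (ceiling {DISK_CEILING}), unbounded: {uncapped} bytes")
```

The unbounded figure grows linearly with the number of failed attempts, so a long enough outage fills the disk; the bounded figure stops at the ceiling regardless of how long the backend is unreachable.
-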
Sometimes, when I write scripts to scan random IP addresses for an unsecure VNC server or develop my own NES emulator and someone asks me "Whatcha doin'?", it's just easier to lie rather than start explaining, so I reply:
- Nothing... Just some web dev.
-
I was told by my manager that I (the guy hired to be the lead developer on this project) was not a developer, I was a designer, and that writing PHP instead of using a knockoff version of Dreamweaver to drag and drop all of the items was an "unsecure and unsafe practice". He screamed at me for another 30 mins over this and then sent me on my way and laid me off a week and a half later after I finished the project because "we can't afford you". I was doing ITS, network and service installs, security, and web development for $10.00 an hour. #stupidboss
-
I just signed up to get this off my chest.
Dear Windows, you god damn moronic, ugly, unusable abomination of an excuse for an OS. I wonder how we could end up here in this situation. You suck, in every way imaginable. I didn't choose Linux or Mac, you made me do it.
I know no other OS that can screw you up this bad when setting up. My friend is an experienced Windows user and the last install took him 2 days. I just spent the last day trying to get this incompatible sucker installed. I managed to set up a hackintosh quicker than I was able to install Windows the last three times I checked, you scumbag.
Your error messages suck ass, there is nothing I can't figure out given enough time, except your useless hints and pathetic attempts to get anything done on your own.
And you are fucking slow. Just why do you keep installing stuff I didn't ask you to. Now I got this ugly ass Bing-Toolbar because I missed a damn checkbox in an .exe, which could have also been an exploit, you never know.
You are cluttered with useless stuff. I don't care about your lame ass app store, idc about your Cortana annoying spy assistant and I certainly don't care about your forced updates.
Just sit back and feel your PC getting slower every day by background processes. Watch your productivity decline while dealing with their brain dead privilege and file system.
You ugly malformed mutation of software. When I look at your UI I feel disgust while wondering how you can fail with the most basic principles of UX.
How pathetic, badly supported, bug ridden and dangerously unsecure can an OS be you ask while trying to navigate through the settings, a pile of legacy software debt this garbage pile was built on. And your shell... what a sick joke.
I hate you Windows. For screwing other OS with your asshole boot manager, hardware driver requirements and making people send me .zip and .docx. You should be embarrassed to charge money for this unfunctional junk, but you do, a lot.
I really try to see the positive here. You got all the software, but that's not on you, that's because all those poor suckers are trapped with you and the effort to change is too big.
This OS is the most disappointing thing technology could come up with today. I would rather set myself on fire than work with this pain in the ass software professionally. I mean if you are a serious developer at some point you have to admit that you just can't develop on Windows. You will get fucked 5 times as often as any Mac or Linux user. Fuck you, Windows.
Hey Microsoft, thanks for Typescript and VSCode and all the other good things you have done. But burn in hell for what you have done to all of us with this piece of shit OS.
-
One too many rants on Windows Update and the apparently endless ways to somehow turn off enough parts of it to no longer consider it a nuisance — and mostly neglecting to remember how to turn it back on or run it manually...
This of course lends a lot of room for bitching about Windows being unsecure and outdated :o
Unfortunately the good people at NoVirusThanks have recently released the tool you've all been waiting for — no need to cry any longer because Microsoft's monthly release schedule means you have updates every time you bimonthly "have to" use Windows:
Win Update Stop — as simple as pictured: http://novirusthanks.org/products/...
It even comes in a portable version and supports all the way back to XP!
-
I got a project to "refactor" some shitty site. It was written in native PHP. The guy who wrote this is a moron.
The site is so unsecure that my dog could break into it while barking at cats.
It's sooo unreadable and illogical.
Every time I look at the code I get sadder and sadder. And now I understand why so many people hate PHP..
**Jump in time**
After I planned the new logic, my boss told me I can't do any of this. Because they only need a new user lever..
Now I just stare at this pile of horse sh*t and rant about it.
-
For a long time, I wanted to be a part of open source communities. I've been a dev for 6 years now.
I have the skills needed to help out but usually I'm fairly inexperienced at working with big teams, code reviews, and build-test systems they often use. So I'm scared as hell to even begin with. I feel unsecure to reach out and ask for help or send a basic fix / pull-request.
What are your suggestions, how did you start working on open source projects?
Teach me senpai.
-
I really lost my faith in our profession.
A Software&Hardware solution that costs more than several 10.000€ is broken after every update.
The Producer even achieves to break untouched features in new releases.
No communication at all. If you report Bugs, they are your fault. The whole system has absolutely no security at all.
It is unsecure by design.
And even if they hear your Bug report you have to pray that they will fix it.
Most of the time you have to wait the whole year for a new release to get your bugfixes.
But there are also bugs that are untouched for years.
WHY? WE PAY YOU!
I want to cry
-
Am I the only one who thinks OSX is stupidly insecure unless you encrypt the whole disk? I mean, how dumb is it to boot into safe mode and provide a root shell without prompting for credentials?
-
Hey Guys
Linux VPS + Apache2 + https
I'm a noob in Linux, got my VPS live, but I'm serving http... Even if my page doesn't save even cookies it will be marked as unsecure.
Is it possible to config Apache2 to serve https?
Thank you
PS.: Googled and got nothing special, only info about Apache2
-
Windows 10 Action Center yesterday alerted me to set a PIN for my laptop.
Turned on PC this morning and typed in my regular password then realized it wanted the PIN.
Thinking how this feature came to be....
1. Windows wants you to link your login to your Microsoft/Hotmail Account and it makes it a pain in the ass to set a separate one (Windows 8)
2. 2018 arrived and logins are a pain, everything is autologin or PIN/code based (aka short 'unsecure' passwords)
3. MS backtracks and realizes email logins are too long so they make a partial fix which basically reverts back to the pre-Win8 days of a separate system login.. except now it's called a new feature!
I realized now under enter a PIN the reason for the checkbox that says: Allow symbols and letters. It's a nice way of saying: please type in your old password again.
**Also rant #2: cuz i dont feel like waiting 1hr**
I felt great yesterday when my boss told me apparently I have like an Expert designation at the company.
Feel like crap today cuz some user is complaining about some report:
- they asked us to create months ago
- now complaining it's all wrong but never gave any formal requirements and actually did sign off on it during testing
- FIXED ASAP
HELLO!!!!!!!!!!! STOP MAKING IT SOUND LIKE IT'S MY FAULT U CAN'T BE BOTHERED TO PROVIDE CLEAR REQUIREMENTS AND THEN TAKING FOREVER TO COME BACK WITH UR PROBLEMS AND NOW NEED IT FIXED ASAP BY USING A NEW DATA SOURCE THAT I HAVE NO IDEA WHAT THE FUCK IS SINCE U USED A RANDOM ABBREVIATION LIKE I CAN MIND READ.
IF I COULD MINDREAD, ID BE WORKING ON A PLAN TO GET UR ASS FIRED.....
Happy Friday and long weekend... Got 3 days to relax before I need to deal with this shit again...
-
Updated my TP-Link router's firmware today. Because.. new is better than old? Anyway, I tried to enter the settings page. Page not found. Chrome seems to find the page too unsecure to enable me to access it. Before the upgrade I've never had an issue opening that page with Chrome.
Opened it through IE and, a miracle, the page is right there for me to use.
Google had very little to say on the matter. Looks like I'll be using IE once in a while after all.
Any ideas on why that's happening?
-
Update to previous rant: My e-banking account is blocked, because apparently I already set a password on a website I've never seen before.
- Tried the declined one
- Tried the unsecure one I chose after the declined one
- Tried the pin number from mobile app.
BAM@#%$#%!!1!one1! YOU ARE BLOCKED FOR ENTERING WRONG PASSWORD TOO MANY TIMES. PLEASE CALL THE FUCKING BANK ON MONDAY.
I seriously hate this stupid country, and companies that don't know the first thing about web getting picked on government and public sector projects, sucking 100s of thousands of euros and providing the user experience that gives you a fucking diarrhea, at every SINGLE ONE OF THEM!
-
Can you write me a sync plugin for this API. Wait the 'authentication' is with a 'key' in a plaintext unsecure GET request with no throttling? #omg
-
Going through another department's API documentation and wrapper library where it has documented samples on how to use it. One of the samples specifically shows how to disable HTTPS requests when retrieving customer info but it also states in the documentation to specifically NOT USE this disable function.
When it comes to customer info, I don't know why the fuck you would allow an override option to do everything over unsecure requests, and even document it!
-
Need some advice 🤔
This other dev company is unsecure and my client, which is also theirs, should be secure
So I'm getting them to secure it but what if they only do it for my client, all their other clients are unsecure and they are teaching the young devs to do it unsecurely
Huge ethical issues here...
-
How the heck do people that set up custom login wifi networks never take into account that people have SSL-enabled sites as homepages??
Every damn time I want to connect to one on my phone I have to go into my own unsecure websites to be able to login. How do even not-IT-interested people do this?
On a second thought this might as well be a Chrome Android rant, but it sure is annoying
-
I'm on vacation and we wanted VPN connections back to Sweden to access some sites that are only available in Sweden
So I set up a Raspberry Pi as access point using hostapd and openvpn from there.
So we have two wireless network options where we are: fast unsecure or slow and from Sweden, just choose what you are going to do on the device that you connect with.
Tablets, computer, phones and so on.
-
Websites that have a password length limit that's way too short and/or don't allow symbols.
Example, I think EA has a password limit to 15 characters and doesn't allow spaces, underscores or even symbols, meaning that your password must be only letters and numbers, which is quite unsecure.
-
I'm following a course to become a Fullstack Web Developer. We have class in the morning and in the afternoon we get some "homeworks" to do. In the afternoon we are followed by some tutors that help us understand better what we did in the morning.
I have this one tutor that never answers to my doubts regarding bugs and errors (in my homeworks) and opens new doubts and problems I didn't think I had..
Why do ppl have to do this, like I'm already having one trouble that makes me feel unsecure.. Why do you make things bad and never help?