Yesterday: Senior dev messages out a screenshot of someone using an extension method I wrote (he didn’t know I wrote it)..

SeniorDev: “OMG…that has to be the stupidest thing I ever saw.”
Me: “Stupid? Why?”
SeniorDev: “Why are they having to check the value from the database to see if it’s DBNull and if it is, return null. The database value is already null. So stupid.”
Me: “DBNull is not null, it has a value. When you call the .ToString, it returns an empty string.”
SeniorDev: ”No it doesn’t, it returns null.”
<oh no he didn’t….the smack down begins>
Me: “Really? Are you sure?”
SeniorDev: “Yes! And if the developer bothered to write any unit tests, he would have known.”
Me: “Unit tests? Why do you assume there aren’t any unit tests? Did you look?”
<at this moment, couple other devs take off their head phones and turn around>
SeniorDev:”Well…uh…I just assumed there aren’t because this is an obvious use case. If there was a test, it would have failed.”
Me: “Well, let’s take a look..”
<open up the test project…navigate to the specific use case>
Me: “Yep, there it is. DBNull.Value.ToString does not return a Null value.”
SeniorDev: “Huh? Must be a new feature of C#. Anyway, if the developers wrote their code correctly, they wouldn’t have to use those extension methods. It’s a mess.”
<trying really hard not drop the F-Bomb or two>
Me: “Couple of years ago the DBAs changed the data access standard so any nullable values would always default to null. So no empty strings, zeros, negative values to indicate a non-value. Downside was now the developers couldn’t assume the value returned the expected data type. What they ended up writing was a lot of code to check the value if it was DBNull. Lots of variations of ‘if …’ , ternary operators, some creative lamda expressions, which led to unexpected behavior in the user interface. Developers blamed the DBAs, DBAs blamed the developers. Remember, Tom and DBA-Sam almost got into a fist fight over it.”
SeniorDev: “Oh…yea…but that’s a management problem, not a programming problem.”
Me: “Probably, but since the developers starting using the extension methods, bug tickets related to mis-matched data has nearly disappeared. When was the last time you saw DBA-Sam complain about the developers?”
SeniorDev: “I guess not for a while, but it’s still no excuse.”
Me: “Excuse? Excuse for what?”
<couple of awkward seconds of silence>
SeniorDev: “Hey, did you guys see the video of the guy punching the kangaroo? It’s hilarious…here, check this out.. ”

Pin shoulders the mat…1 2 3….I win.

TLDR : I left a company which doesn't understand the concept of email id and passwords.

Me (trying to login to the alumni website) *no register user option*

Customer support - you've to click on forgot password to create an account.
Me - Wonderful

*clicks on reset password*
*enters employee id, name, email, father's name, DOB, date of joining , date of leaving, current city because apparently if I just enter my employee id it is as if they never knew me. Sigh*
*your password will be sent to your email id*

Me - okay. *waits for two weeks because I assumed someone will manually go and create my account and email me, considering the state of system. *

After two weeks,

Me - I still haven't received my password on email after I created my account. Can you please check?

After one week,

Customer support - you need to click on forget password if you forgot your password.

Me - *inventing new curse words* I have not forgot my password, I never received it in the first place!

After one week,
Customer support - yes you'll receive your password on your email id.

Me - *runs out of curse words* seriously dude?
* proceeds to reset password*
System - your password has been reset. Your new password will be sent to your email id. *apparently anyone can reset passwords if you have the employee id, which is an integer*

After a week

Me - Am I going to ever receive the password? I've tried generating passwords, resetting my password. I never get my passwords. What should I do!!

Customer support - yes you need to click on Forgot password.

Me - are you fucking kidding me!!!
You fuckers need to be fired and replaced by a FAQ page which has no question and just a single answer, because a peanut has higher IQ than you. For any questions you may have, just reset password. Goddammit idiots!
Also, which email id are you sending my passwords to?

Customer support - myname@oldcompany.com

Me - you do realize that this is the alumni website for the company. Alumni means ex members.
Being ex members, you can assume we don't have access to our company email ids obviously?

Customer support - yes.

Me - how am I supposed to get the password using my old email id then?

Customer support - you need to click on forgot password option.

I think I should probably move to the Himalayas for my anger management issues. Plus it'll be probably easier to throw idiots off a mountain.

Oh, man, I just realized I haven't ranted one of my best stories on here!

So, here goes!

A few years back the company I work for was contacted by an older client regarding a new project.

The guy was now pitching to build the website for the Parliament of another country (not gonna name it, NDAs and stuff), and was planning on outsourcing the development, as he had no team and he was only aiming on taking care of the client service/project management side of the project.

Out of principle (and also to preserve our mental integrity), we have purposely avoided working with government bodies of any kind, in any country, but he was a friend of our CEO and pleaded until we singed on board.

Now, the project itself was way bigger than we expected, as the wanted more of an internal CRM, centralized document archive, event management, internal planning, multiple interfaced, role based access restricted monster of an administration interface, complete with regular user website, also packed with all kind of features, dashboards and so on.

Long story short, a lot bigger than what we were expecting based on the initial brief.

The development period was hell. New features were coming in on a weekly basis. Already implemented functionality was constantly being changed or redefined. No requests we ever made about clarifications and/or materials or information were ever answered on time.

They also somehow bullied the guy that brought us the project into also including the data migration from the old website into the new one we were building and we somehow ended up having to extract meaningful, formatted, sanitized content parsing static HTML files and connecting them to download-able files (almost every page in the old website had files available to download) we needed to also include in a sane way.

Now, don't think the files were simple URL paths we can trace to a folder/file path, oh no!!! The links were some form of hash combination that had to be exploded and tested against some king of database relationship tables that only had hashed indexes relating to other tables, that also only had hashed indexes relating to some other tables that kept a database of the website pages HTML file naming. So what we had to do is identify the files based on a combination of hashed indexes and re-hashed HTML file names that in the end would give us a filename for a real file that we had to then search for inside a list of over 20 folders not related to one another.

So we did this. Created a script that processed the hell out of over 10000 HTML files, database entries and files and re-indexed and re-named all this shit into a meaningful database of sane data and well organized files.

So, with this we were nearing the finish line for the project, which by now exceeded the estimated time by over to times.

We test everything, retest it all again for good measure, pack everything up for deployment, simulate on a staging environment, give the final client access to the staging version, get them to accept that all requirements are met, finish writing the documentation for the codebase, write detailed deployment procedure, include some automation and testing tools also for good measure, recommend production setup, hardware specs, software versions, server side optimization like caching, load balancing and all that we could think would ever be useful, all with more documentation and instructions.

As the project was built on PHP/MySQL (as requested), we recommended a Linux environment for production. Oh, I forgot to tell you that over the development period they kept asking us to also include steps for Windows procedures along with our regular documentation. Was a bit strange, but we added it in there just so we can finish and close the damn project.

So, we send them all the above and go get drunk as fuck in celebration of getting rid of them once and for all...

Next day: hung over, I get to the office, open my laptop and see on new email. I only had the one new mail, so I open it to see what it's about.

Lo and behold! The fuckers over in the other country that called themselves "IT guys", and were the ones making all the changes and additions to our requirements, were not capable enough to follow step by step instructions in order to deploy the project on their servers!!!

[Continues in the comments]

PM: You know that screen that pops up at the start of the app asking for permission to access health data?

Me: Yeah the iOS HealthKit permission screen. What about it?

PM: Can you take that out. I don't think people are going to agree to it. I want people to use the app.

Me: Well we can't do that, apple says if we want to use HealthKit we have to ask for permission. We shouldn't be touching that data without permission anyway.

PM: Oh no permission is fine I get that, but is it not implied by downloading the app, its clearly a health app. I really don't want people to download it and then uninstall it because they don't like this.

Me: Not really, not everyone will know what data is needed, some of it might be sensitive to them.

PM: Nah I don't buy into that. I asked 5 of my friends on the golf course at the weekend and 3 of them said they wouldn't agree to it, thats 60% of our user base, we can't have that.

Me: ... ok, well I don't agree that your 5 friends is a fair sample to judge the whole world by, either way we have no choice.

Pm: No this isn't going to fly, can we not build our own HealthKit that doesn't have this kind of permission screen? Maybe we could start our own, and invite our partners to use it?

Me: ... no

Pm: why not? We'll have legal draw up something we put in the terms and conditions.

Me: ... it will take months to build for all the different types of devices we have, if they even let us get access to them, and then we will have a different standard to everyone else.

Pm: ... no your not seeing the big picture, i'll run the idea up the ladder.

**It was approved up the ladder, and subsequently cancelled when they realised the scale of the work involved which is both a "thank god" and a "wtf" moment**

On Slack
Me: I can't access the VPN
Network team: You have to create a user incident
My browser: 403
Network team: Yeah you need to be on the VPN to access the incident system
Me: 😐

First time poster here. Please be nice :)

My biggest workaround is one that's being currently deployed to 40 truck drivers (trucking company here), preventing printers being out of usage while on the road. We also have to use HP ePrint to wirelessly print documents, but that's another story for another time I guess :)

CEO asked us to install wifi printers in our 40-ish trucks which has wifi on board. However he's always picking one of the cheapest options possible, so we got consumer grade printers (Laserjet 1002w). Those printers often disconnects without getting back on the truck wifi network EVER. I have to get physically in the truck, wire the printer via USB onto my laptop and reconfigure Wifi on it with the HP Windows tool. This means lots of printer downtime, which always happens when the drivers are three timezones away from our office

Then I thought: "What if I could sniff what HP sends via USB while I (re)configure the printer, and replay whats being sent later? Our trucks all have an Android tablet with a USB type-A connector with host capability, so I could write a small app that replays the config when plugged in by the user.

Three days of hacking around later, I have a working app. By chance, HP printers (or at least those models we have) uses HTTP POST via USB, so I could easily replay the request.

Edit: the end result is that truck drivers just plug the printer to their tablet, press "reconfigure" in a home made Android app, printer is reconnected to the truck and they're good to go. They don't have access to the network nor know enough to debug themselves anyways

I’m a senior dev at a small company that does some consulting. This past October, some really heavy personal situation came up and my job suffered for it. I raised the flag and was very open with my boss about it and both him and my team of 3 understood and were pretty cool with me taking on a smaller load of work while I moved on with some stuff in my life. For a week.

    Right after that, I got sent to a client. “One month only, we just want some presence there since it’s such a big client” alright, I guess I can do that. “You’ll be in charge of a team of a few people and help them technically.” Sounds good, I like leading!

    So I get here. Let’s talk technical first: from being in a small but interesting project using Xamarin, I’m now looking at Visual Basic code, using Visual Studio 2010. Windows fucking Forms.

    The project was made by a single dev for this huge company. She did what she could but as the requirements grew this thing became a behemoth of spaghetti code and User Controls. The other two guys working on the project have been here for a few months and they have very basic experience at the job anyways. The woman that worked on the project for 5 years is now leaving because she can’t take it anymore.

    And that’s not the worse of it. It took from October to December for me to get a machine. I literally spent two months reading on my cellphone and just going over my shitty personal situation for 8 hours a day. I complained to everyone I could and nothing really worked.

    Then I got a PC! But wait… no domain user. Queue an extra month in which I could see the Windows 7 (yep) log in screen and nothing else. Then, finally! A domain user! I can log in! Just wait 2 extra weeks for us to give your user access to the subversion rep and you’re good to go!

    While all of this went on, I didn’t get an access card until a week ago. Every day I had to walk to the reception desk, show my ID and request they call my boss so he could grant me access. 5 months of this, both at the start of the day and after lunch. There was one day in particular, between two holidays, in which no one that could grant me access was at the office. I literally stood there until 11am in which I called my company and told them I was going home.

    Now I’ve been actually working for a while, mostly fixing stuff that works like crap and trying to implement functions that should have been finished but aren’t even started. Did I mention this App is in production and being used by the people here? Because it is. Imagine if you will the amount of problems that an application that’s connecting to the production DB can create when it doesn’t even validate if the field should receive numeric values only. Did I mention the DB itself is also a complete mess? Because it is. There’s an “INDEXES” tables in which, I shit you not, the IDs of every other table is stored. There are no Identity fields anywhere, and instead every insert has to go to this INDEXES table, check the last ID of the table we’re working on, then create a new registry in order to give you your new ID. It’s insane.

   

    And, to boot, the new order from above is: We want to split this app in two. You guys will stick with the maintenance of half of it, some other dudes with the other. Still both targeting the same DB and using the same starting point, but each only working on the module that we want them to work in. PostmodernJerk, it’s your job now to prepare the app so that this can work. How? We dunno. Why? Fuck if we care. Kill you? You don’t deserve the swift release of death.

    Also I’m starting to get a bit tired of comments that go  ‘THIS DOESN’T WORK and ‘I DON’T KNOW WHY WE DO THIS BUT IT HELPS and my personal favorite  ‘??????????????????????

"could I get admin privileges to reboot this server?"

Sounds valid enough, right?

OH YEAH SURE, YOU'RE A TINY USER ON A HUGE ASS SHARED SERVER, OF COURSE I'LL GIVE YOU ROOT ACCESS TO REBOOT THE WHOLE FUCKING SERVER.

Worst part, he didn't understand why that would be weird.

Can I buy a little common sense somewhere for this guy?

!rant

This was over a year ago now, but my first PR at my current job was +6,249/-1,545,334 loc. Here is how that happened... When I joined the company and saw the code I was supposed to work on I kind of freaked out. The project was set up in the most ass-backward way with some sort of bootstrap boilerplate sample app thing with its own build process inside a subfolder of the main angular project. The angular app used all the CSS, fonts, icons, etc. from the boilerplate app and referenced the assets directly. If you needed to make changes to the CSS, fonts, icons, etc you would need to cd into the boilerplate app directory, make the changes, run a Gulp build that compiled things there, then cd back to the main directory and run Grunt build (thats right, both grunt and gulp) that then built the angular app and referenced the compiled assets inside the boilerplate directory. One simple CSS change would take 2 minutes to test at minimum.

I told them I needed at least a week to overhaul the app before I felt like I could do any real work. Here were the horrors I found along the way.

- All compiled (unminified) assets (both CSS and JS) were committed to git, including vendor code such as jQuery and Bootstrap.
- All bower components were committed to git (ALL their source code, documentation, etc, not just the one dist/minified JS file we referenced).
- The Grunt build was set up by someone who had no idea what they were doing. Every SINGLE file or dependency that needed to be copied to the build folder was listed one by one in a HUGE config.json file instead of using pattern matching like `assets/images/*`.
- All the example code from the boilerplate and multiple jQuery spaghetti sample apps from the boilerplate were committed to git, as well as ALL the documentation too. There was literally a `git clone` of the boilerplate repo inside a folder in the app.
- There were two separate copies of Bootstrap 3 being compiled from source. One inside the boilerplate folder and one at the angular app level. They were both included on the page, so literally every single CSS rule was overridden by the second copy of bootstrap. Oh, and because bootstrap source was included and commited and built from source, the actual bootstrap source files had been edited by developers to change styles (instead of overriding them) so there was no replacing it with an OOTB minified version.
- It is an angular app but there were multiple jQuery libraries included and relied upon and used for actual in-app functionality behavior. And, beyond that, even though angular includes many native ways to do XHR requests (using $resource or $http), there were numerous places in the app where there were `XMLHttpRequest`s intermixed with angular code.
- There was no live reloading for local development, meaning if I wanted to make one CSS change I had to stop my server, run a build, start again (about 2 minutes total). They seemed to think this was fine.
- All this monstrosity was handled by a single massive Gruntfile that was over 2000loc. When all my hacking and slashing was done, I reduced this to ~140loc.
- There were developer's (I use that term loosely) *PERSONAL AWS ACCESS KEYS* hardcoded into the source code (remember, this is a web end app, so this was in every user's browser) in order to do file uploads. Of course when I checked in AWS, those keys had full admin access to absolutely everything in AWS.
- The entire unminified AWS Javascript SDK was included on the page and not used or referenced (~1.5mb)
- There was no error handling or reporting. An API error would just result in nothing happening on the front end, so the user would usually just click and click again, re-triggering the same error. There was also no error reporting software installed (NewRelic, Rollbar, etc) so we had no idea when our users encountered errors on the front end. The previous developers would literally guide users who were experiencing issues through opening their console in dev tools and have them screenshot the error and send it to them.
- I could go on and on...

This is why you hire a real front-end engineer to build your web app instead of the cheapest contractors you can find from Ukraine.

A wild Darwin Award nominee appears.

Background: Admins report that a legacy nightly update process isn't working. Ticket actually states problem is obviously in "the codes."

Scene: Meeting with about 20 people to triage the issue (blamestorming)

"Senior" Admin: "update process not working, the file is not present"
Moi: "which file?"
SAdmin: "file that is in ticket, EPN-1003"
Moi: "..." *grumbles, plans murder, opens ticket*
...
Moi: "The config dotfile is missing?"
SAdmin: "Yes, file no there. Can you fix?"
Moi: "Engineers don't have access to the production system. Please share your screen"
SAdmin: "ok"
*time passes, screen appears*
Moi: "ls the configuration dir"
SAdmin: *fails in bash* > ls

*computer prints*
> ls
_.legacyjobrc

Moi: *sees issues, blood pressure rises* "Please run list all long"
SAdmin: *fails in bash, again* > ls ?
Moi: *shakes* "ls -la"
SAdmin: *shonorable mention* > ls -la

*computer prints*
> ls -la
total 1300
drwxrwxrwx- 18 SAdmin {Today} -- _.legacyjobrc

Moi: "Why did you rename the config file?"
SAdmin: "Nothing changed"
Moi: "... are you sure?"
SAdmin: "No, changed nothing."
Moi: "Is the job running as your account for some reason?"
SAdmin: "No, job is root"
Moi: *shares screenshot of previous ls* This suggests your account was likely used to rename the dotfile, did you share your account with anyone?
SAdmin: "No, I rename file because could not see"
Moi: *heavy seething* so, just to make sure I understand, you renamed a dotfile because you couldn't see it in the terminal with ls?
SAdmin: "No, I rename file because it was not visible, now is visible"
Moi: "and then you filed a ticket because the application stopped working after you renamed the configuration file? You didn't think there might be a correlation between those two things?"
SAdmin: "yes, it no work"
Interjecting Director: "How did no one catch this? Why were there no checks, and why is there no user interface to configure this application? When I was writing applications I cared about quality"
Moi: *heavy seething*
IDjit: "Well? Anyone? How are we going to fix this"
Moi: "The administrative team will need to rename the file back to its original name"
IDjit: "can't the engineering team do this?!"
Moi: "We could, but it's corporate policy that we have no access to those environments"
IDjit: "Ok, what caused this issue in the first place? How did it get this way?!"

TFW you think you've hit the bottom of idiocy barrel, and the director says, "hold my mango lassi."

Things have been a little too quiet on my side here, so its time for an exciting new series:

practiseSafeHex's new life as a manager.

Episode 1: Dealing with the new backend team

It's great to be back folks. Since our last series where we delved into the mind numbing idiocy of former colleagues, a lot has changed. I've moved to a new company and taken a step up as a Dev manager / Tech lead. Now I know what you are all thinking, sounds more dull and boring right? Well it wouldn't be a practiseSafeHex series if we weren't ...

<audience-shouting>
DEALING! ... WITH! ... IDIOTS!
</audience-shouting>

Bingo! so lets jump right in and kick us off with a good one.

So for the past few months i've been on an on-boarding / fact finding / figuring out this shit-storm, mission to understand more about what it is i'm suppose to do and how to do it. Last week, as part of this, I had the esteemed pleasure of meeting face to face with the remote backend team i've been working with. Lets rattle off a few facts to catch us all up:

- 8 hour time difference to me
- No documentation other than a non-maintained swagger doc
- Swagger is reporting errors and several of the input models are just `Type: String`
- The one model that seems accurate, has every property listed as optional, including what must be the primary key
- Properties go missing and get removed at the drop of a hat and we are never told.
- First email I sent them took 27 days to reply, my response to that hasn't been answered so far 31 days later (new record! way to go team, I knew we could do it!!!)
- I deal directly with 2 of them, the manager and the tech lead. Based on how things have gone so far, i've nick named them:
1) Ass
2) Hole

So lets look at some example of their work:

- I was trying to test the new backend, I saw no data in QA. They said it wouldn't show up until mid day their time, which is middle of the night for us. I said we need data in our timezone and I was told: a) "You don't understand how big this system is" (which is their new catch phrase) b) "Your timezone is not my concern"

- The whole org started testing 2 days later. The next day a member from each team was on a call and I was asked to give an update of how the testing was going on the mobile side. I said I was completely blocked because I can't get test data. Backend were asked to respond. They acknowledged they were aware, but that mobile don't understand how big the system is, and that the mobile team need to come up with ideas for the backend team, as to how mobile can test it. I said we can't do anything without test data, they said ... can you guess what? ... correct "you don't understand how big the system is"

- We eventually got something going and I noticed that only 1 of the 5 API changes due on their side was done. Opened tickets. 2 days later asked them for progress and was told that "new findings" always go to the bottom of the backlog, and they are busy with other things. I said these were suppose to be done days ago. They said you can't give us 2 days notice and expect everything done. I said the original ticket was opened a month a go *sends link* ......... *long silence* ...... "ok, but you don't understand how big the system is, this is a lot of work"

- We were on a call. Product was asking the backend manager (aka "Ass") a question about a slight upgrade to the new feature. While trying to talk, the tech lead (aka "Hole") kept cutting everyone off by saying loudly "but thats not in scope". The question was "is this possible in the future" and "how long would it take", coming from management and product development. Hole just kept saying "its not in scope", until he was told to be quiet by several people.

- An API was sending down JSON with a string containing a message for the user with 2 bits of data inside it. We asked for one of those pieces to also come down as a property as the string can change and we needed it client side. We got that. A few days later we found an edge case and asked for the second piece of data to be a property too. Now keep in mind, they clearly already have access to them in order to make the string. We were told "If you keep requesting changes like this, you are going to delay the release of the backend by up to 2 weeks"

Yes folks, there you have it, the most minuscule JSON modifications, can delay your release by up to 2 weeks ........ maybe I should just tell product, that they don't understand how big the app is, and claim we can't build it on our side? Seems to work for them

Thats all the time we have for today,

Tune in for more, where we'll be looking into such topics as:

- If god himself was an iOS developer ... not
- Why automate when you can spend all day doing it by hand
- Its more time-efficient to just give everything a story point of 5
- Why waste time replying to emails ... when you can do nothing instead

See you all next week,
practiseSafeHex

The website i made has been hacked today.

Stored in their server.

They didnt give me an access for it.

The user account in the cms i used for updating content while building the website was revoked when the website is completed.

Now they ask me for the latest backup.

I have no backup because how the hell i do a backup when i got no access to the cpanel.

The only backup is the zip file for initial uploading into their server and the contents were added after the website is on their server.

That goddamn IT guy who wont give me any access for “securty sake” is calling me furiously asking for the backup and how to set up the stuffs from the beginning.

I thought he was the one who know his shit but i was wrong.

Fuck me?

No.

Fuck you.

But i still responding to him telling him step by step how to do shit with some swearing and sarcasm.

ALWAYS BACKUP YOUR SHITS, MATE

A quite severe vulnerability was found in Skype (at least for windows, not sure about other systems) allowing anyone with system access (remote or local) to replace the update files skype downloads before updating itself with malicious versions because skype doesn't check the integrity of local files. This could allow an attacker to, once gaining access to the system, 'inject' any malicious DLL into skype by placing it in the right directory with the right file name and waiting for the user to update (except with auto updates of course).

From a company like Microsoft, taking in mind that skype has hundreds of millions of users worldwide, I'd expect them to take a very serious stance on this and work on a patch as soon as possible.

What they said about this: they won't be fixing it anytime soon as it would require a quite big rewrite of skype.

This kinda shit makes me so fucking angry, especially when it comes from big ass companies 😡. Take your fucking responsibility, Microsoft.

The first time I decided to hack around a bit:D

One of my teachers made a quiz software, which is only used by him(his lectures are about databases), and it is highly unsecure. When I heard that it is written in C# I decided to look in it's source code. The biggest problem I ran into: this program is only available on the computers in his classroom, and he monitors the computers display. However, I successfully put it into my pendrive without getting caught.

So when I got home, I just had to use a .NET decompiler(in this case: dotPeek) to get the fully functional source code. The basic function of the program was to download a quiz from his database server, and when it was finished, grade it client-side. Than, I realized how bad it was: It contains the number of questions, the number of correct and incorrect answers.
I've just made a modified .exe, which contained really little modification(like correctAnswers=maxQuestions, incorrectAnswers=0). Everything looks the same, you just have to click over it, and everytime it will return with 100%.

And the bonus: The program connects to the database as a user with root access, and without password. I was able to log in, download(dropping was available too, but didn't try) databases(with all the answers) and so on.

Never had to use it though, it was just a sort-of experience gaining.:)

Example #1 of ??? Explaining why I dislike my coworkers.

[Legend]
VP: VP of Engineering; my boss’s boss. Founded the company, picked the CEO, etc.
LD: Lead dev; literally wrote the first line of code at the company, and has been here ever since.
CISO: Chief Information Security Officer — my boss when I’m doing security work.

Three weeks ago (private zoom call):
> VP to me: I want you to know that anything you say, while wearing your security hat, goes. You can even override me. If you need to hold a release for whatever reason, you have that power. If I happen to disagree with a security issue you bring up, that’s okay. You are in charge of release security. I won’t be mad or hold it against you. I just want you to do your job well.

Last week (engineering-wide meeting):
> CISO: From now on we should only use external IDs in urls to prevent a malicious actor from scraping data or automating attacks.
> LD: That’s great, and we should only use normal IDs in logging so they differ. Sounds more secure, right?
> CISO: Absolutely. That way they’re orthogonal.
> VP: Good idea, I think we should do this going forward.

Last weekend (in the security channel):
> LD: We should ONLY use external IDs in urls, and ONLY normal IDs in logging — in other words, orthogonal.
> VP: I agree. It’s better in every way.

Today (in the same security channel):
> Me: I found an instance of using a plain ID in a url that cancels a payment. A malicious user with or who gained access to <user_role> could very easily abuse this to cause substantial damage. Please change this instance and others to using external IDs.
> LD: Whoa, that goes way beyond <user_role>
> VP: You can’t make that decision, that’s engineering-wide!

Not only is this sane security practice, you literally. just. agreed. with this on three separate occasions in the past week, and your own head of security also posed this before I brought it up! And need I remind you that it is still standard security practice!?

But nooo, I’m overstepping my boundaries by doing my job.

Fucking hell I hate dealing with these people.

Devs: We need access to PROD DB in order to provide support you're asking us for.

Mgmt: No, we cannot trust you with PROD DB accesses. That DB contains live data and is too sensitive for you to fuck things up

Mgmt: We'll only grant PROD DB access to DBAs and app support guys

Mgmt: <hire newbies to app support>

App_supp: `update USER set invoice_directory = 54376; commit;`

----------------
I have nothing left to say....

One of my first jobs as a Web Designer / Developer.

Boss had me update a WordPress site that the previous dude built. It had some pages that only members were meant to access.

These were listed on a navbar at all times. If the user clicked on them, a JS alert would show up telling the visitor to log in first.

That was the ONLY protection those pages had. No matter it was a WordPress-powered site, to begin. If you knew the URL or simply altered the code right there on the browser to remove the onclick-bound JS, you could get in.

And that was just the beginning of it. Eventually I convinced the boss to rebuild the site.

User: I can't access the system, it keeps asking me to change my password!
Me: ....
Me: Tried changing your password?
User: Not yet

Trend of the day:
1. Facebook is really compromising user privacy, will delete my account!
2. Post about deleting Fb account to twitter, instagram, etc
3. "Ok google, what is privacy?"
4. Find a random app in play store and allow access regardless

Buckle up kids, this one gets saucy.

At work, we have a stress test machine that trests tensile, puncture and breaking strength for different materials used (wood construction). It had a controller software update that was supposed to be installed. I was called into the office because the folks there were unable to install it, they told me the executable just crashed, and wanted me to take a look as I am the most tech-savvy person there.

I go to the computer and open up the firmware download folder. I see a couple folders, some random VBScript file, and Installation.txt. I open the TXT, and find the first round of bullshit.

"Do not run the installer executable directly as it will not work. Run install.vbs instead."

Now, excuse me for a moment, but what kind of dick-cheese-sniffing cockmonger has end users run VBScript files to install something in 2018?! Shame I didn't think of opening it up and examining it for myself to find out what that piece of boiled dogshit did.

I suspend my cringe and run it, and lo and behold, it installs. I open the program and am faced with entering a license key. I'm given the key by the folks at the office, but quickly conclude no ways of entering it work. I reboot the program and there is an autofilled key I didn't notice previously. Whatever, I think, and hit OK.

The program starts fine, and I try with the login they had previously used. Now it doesn't work for some reason. I try it several times to no avail. Then I check the network inspector and notice that when I hit login, no network activity happens in the program, so I conclude the check must be local against some database.

I browse to the program installation directory for clues. Then I see a folder called "Databases".

"This can't be this easy", I think to myself, expecting to find some kind of JSON or something inside that I can crawl for clues. I open the folder and find something much worse. Oh, so much worse.

I find <SOFTWARE NAME>.accdb in the folder. At this point cold sweat is already running down my back at the sheer thought of using Microsoft Access for any program, but curiosity takes over and I open it anyway.

I find the database for the entire program inside. I also notice at this point that I have read/write access to the database, another thing that sent my alarm bells ringing like St. Pauls cathedral. Then I notice a table called "tUser" in the left panel.

Fearing the worst, I click over and find... And you knew it was coming...

Usernames and passwords in plain text.

Not only that, they're all in the format "admin - admin", "user - user", "tester - tester".

I suspend my will to die, login to the program and re-add the account they used previously. I leave the office and inform the peeps that the program works as intended again.

I wish I was making this shit up, but I really am not. What is the fucking point of having a login system at all when your users can just open the database with a program that nowadays comes bundled with every Windows install and easily read the logins? It's not even like the data structure is confusing like minified JSON or something, it's literally a spreadsheet in a program that a trained monkey could read.

God bless them and Satan condemn the developers of this fuckawful program.

I still miss my college days. Our crappy IT Dept restricted internet usage on campus. Each student used to get 10 GB of internet data and they used Cyberoam for login (without HTTPS). 10 GB was so less (at least for me).

Now, thanks to CS50, I learned that HTTP was not secure and somehow you can access login credentials. I spent a night figuring things out and then bam!! Wireshark!!!!

I went to the Central Library and connected using Wireshark. Within a matter of minutes, I got more than 30 user ids and passwords. One of them belonged to a Professor. And guess what, it had unlimited data usage with multiple logins. I felt like I was a millionaire. On my farewell, I calculated how much data I used. It was in TBs.

Lesson: Always secure your URLs.

Boss hands over to me an old security audit report and tells me "Go through this and check if all the problems mentioned have been resolved". Quick glance through the report shows all expected issues - SQLi, plaintext transmission and storage etc. I tell him that I need access to the application both from admin and a user with restricted privileges.
He hands me the admin credentials and tells me, "After you login in, just go the "Users" tab. You'll find the profiles of all the users there. You can get the emails and passwords of any user you want from there."
I had to hold back a chuckle. There's nothing to verify. If they haven't resolved storing plain text passwords in the database (AND displaying it IN PLAIN TEXT in the website itself (which to my surprise wasn't mentioned in the audit)), they probably haven't even looked at the report.

The last year my school installed MagicBoards (whiteboard with beamer that responses to touch) in every class room and called itself "ready for the future of media". What they also got is A FUCKING LOW SPEC SERVER RUNNING DEBIAN 6 W/O ANY UPDATES SINCE 2010 WHICH IS DYING CONSTANTLY.

As I'm a nice person I asked the 65 y/o technician (who is also my physics teacher) whether I could help updating this piece of shit.

Teacher: "Naahh, we don't have root access to the server and also we'll get a new company maintaining our servers in two years. And even if we would have the root access, we can't give that to a student."

My head: "Two. Years. TWO YEARS?! ARE YOU FUCKING KIDDING ME YOU RETARDED PIECE OF SHIT?! YOU'RE TELLING ME YOU DON'T HAVE TO INSTALL UPDATES EVEN THOUGH YOU CREATE AN SSH USER FOR EVERY FUCKING STUDENT SO THEY CAN LOGIN USING THEIR BIRTH DATE?! DID YOU EVER HEAR ABOUT SECURITY VULNERABILITIES IN YOUR LITTLE MISERABLE LIFE OR SOUNDS 'CVE-2016-5195' LIKE RANDOM LETTERS AND NUMBERS TO YOU?! BECAUSE - FUNFACT - THERE ARE TEN STUDENTS WHO ARE IN THE SUDO GROUP IF YOU EVEN KNOW WHAT THAT IS!"

Me (because I want to keep my good grades): "Yes, that sounds alright."

Oh you'll love this. A master password to access any user.

Something like:
const masterpassword = <dayABCyearXYZ>
if (password == dbpassword || password == masterpassword) { // allow access }

The best part is this code is available to our clients. They can literally see how this "master password" is generated. And they don't want me to remove it because it's being used by testers.

User removes admin access to himself and complains why he can't perform admin functions...

I'm editing the sidebar on one of our websites, and shuffling some entries. It involves moving some entries in/out of a dropdown and contextual sidebars, in/out of submenus, etc. It sounds a little tedious but overall pretty trivial, right?

This is day three.
I learned React+Redux from scratch (and rebuilt the latter for fun) in twice that long.

In my defense, I've been working on other tasks (see: Alerts), but mostly because I'd rather gouge my freaking eyes out than continue on this one.

Everything that could be wrong about this is. Everything that could be over-engineered is. Everything that could be written worse... can't, actually; it's awful.

Major grievances:
1) The sidebars (yes, there are several) are spread across a ridiculous number of folders. I stopped counting at 20.
2) Instead of icon fonts, this uses multiple images for entry states.
3) The image filenames don't match the menu entry names. at all. ("sb_gifts.png" -> orders); active filenames are e.g. "sb_giftsactive.png"
4) The actions don't match the menu entry names.
5) Menu state is handled within the root application controller, and doesn't use bools, but strings. (and these state flags never seem to get reset anywhere...)
6) These strings are used to construct the image filenames within the sidebar views/partials.
7) Sometimes access restrictions (employee, manager, etc.) are around the individual menu entries, sometimes they're around a partial include, meaning it's extremely difficult to determine which menu entries/sections/subsections are permission-locked without digging through everything.
8) Within different conditionals there are duplicate blocks markup, with duplicate includes, that end up render different partials/markup due to different state.
9) There are parent tags outside of includes, such as `<ul>#{render 'horrific-eye-stabbing'}</ul>`
10) The markup differs per location: sometimes it's a huge blob of non-semantic filthiness, sometimes it's a simple div+span. Example filth: section->p->a->(img,span) ... per menu entry.
11) In some places, the markup is broken, e.g. `<li><u>...</li></u>`
12) In other places, markup is used for layout adjustments, such as an single &nbsp; nested within several divs adorned with lots of styles/classes.
13) Per-device layouts are handled, not within separate views, but by conditionally enabling/disabling swaths of markup, e.g. (if is_cordova_session?).
14) `is_cordova_session` in particular is stored within a cookie that does not expire, and within your user session. disabling it is annoying and very non-obvious. It can get set whether or not you're using cordova.
15) There are virtually no stylesheets; almost everything is inline (but of course not actually everything), which makes for fun layout debugging.
16) Some of the markup (with inline styling, no less) is generated within a goddamn controller.
17) The markup does use css classes, but it's predominately not for actual styling: they're used to pick out elements within unit tests. An example class name: "hide-for-medium-down"; and no, I can't figure out what it means, even when looking at the tests that use it. There are no styles attached to that particular class.
18) The tests have not been updated for three years, and that last update was an rspec version bump.
19) Mixed tabs and spaces, with mixed indentation level (given spaces, it's sometimes 2, 4, 4, 5, or 6, and sometimes one of those levels consistently, plus an extra space thereafter.)
20) Intentional assignment within conditionals (`if var=possibly_nil_return_value()`)
21) hardcoded (and occasionally incorrect) values/urls.

... and last but not least:
22) Adding a new "menu sections unit" (I still haven't determined what the crap that means) requires changing two constants and writing a goddamn database migration.

I'm not even including minor annoyances like non-enclosed ternaries, poor naming conventions, commented out code, highly inefficient code, a 512-character regex (at least it's even, right?), etc.

just.

what the _fuck_

Who knew a sidebar could be so utterly convoluted?

Worst WTF dev experience? The login process from hell to a well-fortified dev environment at a client's site.
I assume a noob admin found a list of security tips and just went like "all of the above!".

You boot a Linux VM, necessary to connect to their VPN. Why necessary? Because 1) their VPN is so restrictive it has no internet access 2) the VPN connection prevents *your local PC* from accessing the internet as well. Coworkers have been seen bringing in their private laptops just to be able to google stuff.
So you connect via Cisco AnyConnect proprietary bullshit. A standard VPN client won't work. Their system sends you a one-time key via SMS as your password.

Once on their VPN, you start a remote desktop session to their internal "hopping server", which is a Windows server. After logging in with your Windows user credentials, you start a Windows Remote Desktop session *on that hopping server* to *another* Windows server, where you login with yet another set of Windows user credentials. For all these logins you have 30 seconds, otherwise back to step 1.
On that server you open a browser to access their JIRA, GitLab, etc or SSH into the actual dev machines - which AGAIN need yet another set of credentials.

So in total: VM -> VPN + RDP inside VM -> RDP #2 -> Browser/SSH/... -> Final system to work on
Input lag of one to multiple seconds. It was fucking unusable.

Now, the servers were very disconnect-happy to prevent anything "fishy" going on. Sitting at my desk at my company, connected to my company's wifi, was apparently fishy enough to kick me out every 5 to 20 minutes. And that meant starting from step 1 inside the VM again. So, never forget to plugin your network cable.

There's a special place in hell for this admin. And if there isn't, I'll PERSONALLY make the devil create one. Even now that I'm not even working on this any more.

I've got a confession to make.

A while ago I refurbished this old laptop for someone, and ended up installing Bodhi on it. While I was installing it however, I did have some wicked thoughts..

What if I could ensure that the system remains up-to-date by running an updater script in a daily cron job? That may cause the system to go unstable, but at least it'd be up-to-date. Windows Update for Linux.

What if I could ensure that the system remains protected from malware by periodically logging into it and checking up, and siphoning out potential malware code? The network proximity that's required for direct communication could be achieved by offering them free access to one of my VPN servers, in the name of security or something like that. Permanent remote access, in the name of security. I'm not sure if Windows has this.

What if I could ensure that the system remains in good integrity by disabling the user from accessing root privileges, and having them ask me when they want to install a piece of software? That'd make the system quite secure, with the only penetration surface now being kernel exploits. But it'd significantly limit what my target user could do with their own machine.

At the end I ended up discarding all of these thoughts, because it'd be too much work to implement and maintain, and it'd be really non-ethical. I felt filthy from even thinking about these things. But the advantages of something like this - especially automated updates, which are a real issue on my servers where I tend to forget to apply them within a couple of weeks - can't just be disregarded. Perhaps Microsoft is on to something?

2 weeks ago I was writing an `rm -rf --no-preserve-root /` oneliner as a joke - as an answer to a question "I have access to my competitor's server; what should I do?". I was crafting it so that it'd do as much damage to the business (not the server) as it could.

And I accidentally executed it on my work laptop. In the background (with an `&`).

It ran for a good 5-7 seconds on an i7-11850H with an SSD, until I issued a `kill %%`

Good thing it ran as a non-root user. Bad thing - I have no idea what it may have deleted nor whether it touched my /home.

I'm afraid to restart my laptop now :)

whoopsie :)

There was a time I made an update on one of our client's e-commerce website sign-up page. The update caused a bug that allowed new users to create an account without actually creating an account.

The code block meant to save user credentials (i.e email address and password) to the database was commented out for some reasons I still can't remember to this day. After registration new users had their session created just as normal but in reality they have no recorded account on the platform. This shit went on like this for a whole week affecting over 350 new customers before the devil sent me a DM.

I got a call from my boss on that weekend that some users who had made purchases recently can't access their account from a different device and cannot also update their password. Nobody likes duty calls on a weekend, I grudgingly and sluggishly opened up my PC to create a quick fix but when I saw what the problem was I shut down my PC immediately, I ran into the shower like I was being chased by a ghost, I kept screaming "what tha fuck! what tha fuck!!" cus I knew hell was about to break loose.

At that moment everything seemed off as if I could feel everything, I felt the water dripping down my spine, I could hear the tiniest of sound. I thought about the 350 new customers the client just lost, I imagined the raving anger on the face of my boss, I thought about how dumb my colleagues would think I was for such a stupid long running bug.

I wondered through all possible solutions that could save me from this embarrassment.
-- "If this shitty client would have just allowed us verify users email before usage things wouldn't have gotten to this extent"
-- "Should I call the customers to get their email address using their provided telephone?... No they'd think I'm a scammer"
-- "Should I tell my boss the database was hacked? Pffft hack my a**",
-- "Should I create a page for the affected users to re-verify their email address and password? No, some sessions may have expired"
-- "Or maybe this the best time to quit this f*ckn job!"
... Different thoughts from all four corners of the bathroom made it a really long bath. Finally, I decided it was best I told my boss what had happened. So I fixed the code, called my boss the next day and explained the situation on ground to him and yes he was furious. "What a silly mistake..!" he raged and raged. See me in my office by Monday.
That night felt longer than usual, I couldn't sleep properly. I felt pity for the client and I blamed it all on myself... yeah the "silly mistake", I could have been more careful.

Monday came boss wasn't at the office, Tuesday, Wednesday, Thursday, Friday not available. Next week he was around and when we both met the discussion was about a different project. I tried briefing him about last week incident, he seems not to recall and demands we focus on the current project.

However, over three hundred and fifty customers swept under the carpet courtesy of me. I still felt the guilt of that f*ck up till this day.

I'm fixing a security exploit, and it's a goddamn mountain of fuckups.

First, some idiot (read: the legendary dev himself) decided to use a gem to do some basic fucking searching instead of writing a simple fucking query.

Second, security ... didn't just drop the ball, they shit on it and flushed it down the toilet. The gem in question allows users to search by FUCKING EVERYTHING on EVERY FUCKING TABLE IN THE DB using really nice tools, actually, that let you do fancy things like traverse all the internal associations to find the users table, then list all users whose password reset hashes begin with "a" then "ab" then "abc" ... Want to steal an account? Hell, want to automate stealing all accounts? Only takes a few hundred requests apiece! Oooh, there's CC data, too, and its encryption keys!

Third, the gem does actually allow whitelisting associations, methods, etc. but ... well, the documentation actually recommends against it for whatever fucking reason, and that whitelisting is about as fine-grained as a club. You wanna restrict it to accessing the "name" column, but it needs to access both the "site" and "user" tables? Cool, users can now access site.name AND user.name... which is PII and totally leads to hefty fines. Thanks!

Fourth. If the gem can't access something thanks to the whitelist, it doesn't catch the exception and give you a useful error message or anything, no way. It just throws NoMethodErrors because fuck you. Good luck figuring out what they mean, especially if you have no idea you're even using the fucking thing.

Fifth. Thanks to the follower mentality prevalent in this hellhole, this shit is now used in a lot of places (and all indirectly!) so there's no searching for uses. Once I banhammer everything... well, loads of shit is going to break, and I won't have a fucking clue where because very few of these brainless sheep write decent test coverage (or even fucking write view tests), so I'll be doing tons of manual fucking testing. Oh, and I only have a week to finish everything, because fucking of course.

So, in summary. The stupid and lazy (and legendary!) dev fucked up. The stupid gem's author fucked up, and kept fucking up. The stupid devs followed the first fuckup's lead and repeated his fuck up, and fucked up on their own some more. It's fuckups all the fucking way down.

Long rant ahead.. so feel free to refill your cup of coffee and have a seat 🙂

It's completely useless. At least in the school I went to, the teachers were worse than useless. It's a bit of an old story that I've told quite a few times already, but I had a dispute with said teachers at some point after which I wasn't able nor willing to fully do the classes anymore.

So, just to set the stage.. le me, die-hard Linux user, and reasonably initiated in networking and security already, to the point that I really only needed half an ear to follow along with the classes, while most of the time I was just working on my own servers to pass the time instead. I noticed that the Moodle website that the school was using to do a big chunk of the course material with, wasn't TLS-secured. So whenever the class begins and everyone logs in to the Moodle website..? Yeah.. it wouldn't be hard for anyone in that class to steal everyone else's credentials, including the teacher's (as they were using the same network).

So I brought it up a few times in the first year, teacher was like "yeah yeah we'll do it at some point". Shortly before summer break I took the security teacher aside after class and mentioned it another time - please please take the opportunity to do it during summer break.

Coming back in September.. nothing happened. Maybe I needed to bring in more evidence that this is a serious issue, so I asked the security teacher: can I make a proper PoC using my machines in my home network to steal the credentials of my own Moodle account and mail a screencast to you as a private disclosure? She said "yeah sure, that's fine".
Pro tip: make the people involved sign a written contract for this!!! It'll cover your ass when they decide to be dicks.. which spoiler alert, these teachers decided they wanted to be.

So I made the PoC, mailed it to them, yada yada yada... Soon after, next class, and I noticed that my VPN server was blocked. Now I used my personal VPN server at the time mostly to access a file server at home to securely fetch documents I needed in class, without having to carry an external hard drive with me all the time. However it was also used for gateway redirection (i.e. the main purpose of commercial VPN's, le new IP for "le onenumity"). I mean for example, if some douche in that class would've decided to ARP poison the network and steal credentials, my VPN connection would've prevented that.. it was a decent workaround. But now it's for some reason causing Moodle to throw some type of 403.

Asked the teacher for routers and switches I had a class from at the time.. why is my VPN server blocked? He replied with the statement that "yeah we blocked it because you can bypass the firewall with that and watch porn in class".
Alright, fair enough. I can indeed bypass the firewall with that. But watch porn.. in class? I mean I'm a bit of an exhibitionist too, but in a fucking class!? And why right after that PoC, while I've been using that VPN connection for over a year?

Not too long after that, I prematurely left that class out of sheer frustration (I remember browsing devRant with the intent to write about it while the teacher was watching 😂), and left while looking that teacher dead in the eyes.. and never have I been that cold to someone while calling them a fucking idiot.

Shortly after I've also received an email from them in which they stated that they wanted compensation for "the disruption of good service". They actually thought that I had hacked into their servers. Security teachers, ostensibly technical people, if I may add. Never seen anyone more incompetent than those 3 motherfuckers that plotted against me to save their own asses for making such a shitty infrastructure. Regarding that mail, I not so friendly replied to them that they could settle it in court if they wanted to.. but that I already knew who would win that case. Haven't heard of them since.

So yeah. That's why I regard those expensive shitty pieces of paper as such. The only thing they prove is that someone somewhere with some unknown degree of competence confirms that you know something. I think there's far too many unknowns in there.

Nowadays I'm putting my bets on a certification from the Linux Professional Institute - a renowned and well-regarded certification body in sysadmin. Last February at FOSDEM I did half of the LPIC-1 certification exam, next year I'll do the other half. With the amount of reputation the LPI has behind it, I believe that's a far better route to go with than some random school somewhere.

Not just another Windows rant:

*Disclaimer* : I'm a full time Linux user for dev work having switched from Windows a couple of years ago. Only open Windows for Photoshop (or games) or when I fuck up my Linux install (Arch user) because I get too adventurous (don't we all)

I have hated Windows 10 from day 1 for being a rebel. Automatic updates and generally so many bugs (specially the 100% disk usage on boot for idk how long) really sucked.

It's got ads now and it's generally much slower than probably a Windows 8 install..

The pathetic memory management and the overall slower interface really ticks me off. I'm trying to work and get access to web services and all I get is hangups.

Chrome is my go-to browser for everything and the experience is sub par. We all know it gobbles up RAM but even more on Windows.

My Linux install on the same computer flies with a heavy project open in Android Studio, 25+ tabs in Chrome and a 1080p video playing in the background.

Up until the creators update, UI bugs were a common sight. Things would just stop working if you clicked them multiple times.

But you know what I'm tired of more?

The ignorant pricks who bash it for being Windows. This OS isn't bad. Sure it's not Linux or MacOS but it stands strong.

You are just bashing it because it's not developer friendly and it's not. It never advertises itself like that.

It's a full fledged OS for everyone. It's not dev friendly but you can make it as much as possible but you're lazy.

People do use Windows to code. If you don't know that, you're ignorant. They also make a living by using Windows all day. How bout tha?

But it tries to make you feel comfortable with the recent bash integration and the plethora of tools that Microsoft builds.

IIS may not be Apache or Nginx but it gets the job done.

Azure uses Windows and it's one of best web services out there. It's freaking amazing with dead simple docs to get up and running with a web app in 10 minutes.

I saw many rants against VS but you know it's one of the best IDEs out there and it runs the best on Windows (for me, at least).

I'm pissed at you - you blind hater you.

Research and appreciate the things good qualities in something instead of trying to be the cool but ignorant dev who codes with Linux/Mac but doesn't know shit about the advantages they offer.

A few weeks ago I stepped onto the grounds of lovely Canada. Back then - coming from Europe - I was surprised. Free WiFi everywhere without all the bells and whistles of creating an account and such.

Well ... at least I thought so ...

Today I went to a location where they actually charge you for their wireless services - fair enough the coverage area is pretty huge - and provide you with an access coupon. All good my optimistic me told me but once the login page loaded...

There are a lot of things about UX I could rant about but let's put that aside. The coupon came from the office where they KNEW all your contact details but it required you to create an account with all of them again to redeem the coupon.

Not only that but it asked for things like the phone number - obviously asking for a Canadian landline number since hell who uses mobiles anyway with numbers longer than ten characters?! - and even though it had a nice country selection it kept the states field there even when selecting a country that doesn't have states ...
Oh, and on a regular phone screen (which would be the target user for WiFi on a campground I suppose) the input fields for state and zip were occluded by the margins of the input rendering the content invisible.

And if that weren't enough after creating your account they made you watch an ad as if the personal data and the 4$ you paid them wasn't enough for the lousy 400 KB/s you get for 24h ...

Gets better though! After creating the account they display your password to make sure you remembered it ... over a non-secured WiFi network ... and send you an email afterward ... password via unencrypted mail via an unencrypted WIRELESS connection ... not that it protects anything that would matter anyways you can just snoop the MAC of your neighbor and get in that way or for that sake get their password but oh well ...

Gosh, sometimes I just feel the urgent need to find the ones responsible and tell them to GTFO of the IT world ...

Is it just me feeling like this about crappy UI/UX design? Always wondering...

One of our newly-joined junior sysadmin left a pre-production server SSH session open. Being the responsible senior (pun intended) to teach them the value of security of production (or near production, for that matter) systems, I typed in sudo rm --recursive --no-preserve-root --force / on the terminal session (I didn't hit the Enter / Return key) and left it there. The person took longer to return and the screen went to sleep. I went back to my desk and took a backup image of the machine just in case the unexpected happened.

On returning from wherever they had gone, the person hits enter / return to wake the system (they didn't even have a password-on-wake policy set up on the machine). The SSH session was stil there, the machine accepted the command and started working. This person didn't even look at the session and just navigated away elsewhere (probably to get back to work on the script they were working on).

Five minutes passes by, I get the first monitoring alert saying the server is not responding. I hoped that this person would be responsible enough to check the monitoring alerts since they had a SSH session on the machine.
Seven minutes : other dependent services on the machine start complaining that the instance is unreachable.

I assign the monitoring alert to the person of the day. They come running to me saying that they can't reach the instance but the instance is listed on the inventory list. I ask them to show me the specific terminal that ran the rm -rf command. They get the beautiful realization of the day. They freak the hell out to the point that they ask me, "Am I fired?". I reply, "You should probably ask your manager".

Lesson learnt the hard-way. I gave them a good understanding on what happened and explained the implications on what would have happened had this exact same scenario happened outside the office giving access to an outsider. I explained about why people in _our_ domain should care about security above all else.

There was a good 30+ minute downtime of the instance before I admitted that I had a backup and restored it (after the whole lecture). It wasn't critical since the environment was not user-facing and didn't have any critical data.

Since then we've been at this together - warning engineers when they leave their machines open and taking security lecture / sessions / workshops for new recruits (anyone who joins engineering).

TIL that TI has no goddamn chill

Texas Instruments released the TI-83+ calculator model in 1996. The Z80 was not at all stock and has the following features:

- 3 access levels (priveleged kernel, kernel, user)
- Locking Flash (R/O when locked for most pages, some pages protected and unreadable as well, only unlockable from protected Flash pages by reading a certain order of bits then setting a port)
- Locking hardware ports (lock state always the same as flash)
- Customizable execution whitelist range (via locked ports)
- Configurable hardware (Flash/RAM size changeable in software via locked ports, max RAM is 8MB which is fucking mental compared to the 64k in the thing)
- Userland virtualization (always-on)
- Reset on violation of security model
- Multithreading
- Software-overclockable CPU
- Hardware MD5 and cert handling

TI made a calculator in 1996 with security features PCs wouldn't see until like 2010 what the *actual* fuck

This is something that happened 2 years ago.

1st year at uni, comp sci.

Already got project to make some app for the univ that runs in android, along with the server

I thought, omg, this is awesome! First year and already got something to offer for the university 😅
(it's a new university, at the time I was the 2nd batch)

Team of 12, we know our stuffs, from the programming POV, at least, but we know nothing about dealing with client.

We got a decent pay, we got our computers upgraded for free, and we even got phones of different screen sizes to test out our apps on.

No user requirement, just 2-3 meetings. We were very naive back then.

2 weeks into development, Project manager issues requirement changes

we have a meeting again, discussing the important detail regarding the business model. Apparently even the univ side hadn't figure it out.

1 month in the development, the project manager left to middle east to pursue doctoral degree

we were left with "just do what you want, as long as it works"

Our projects are due to be done in 3 months. We had issues with the payment, we don't get paid until after everything's done. Yet the worse thing is, we complied.

Month 3, turns out we need to present our app to some other guy in the management who apparently owns all the money. He's pleased, but yet, issued some more changes. We didn't even know that we needed to make dashboard at that time.

The project was extended by one month. We did all the things required, but only got the payment for 3 months.

Couldn't really ask for the payment of the fourth month since apparently now the univ is having some 'financial issues'.

And above all: Our program weren't even tested, let alone being used, since they haven't even 'upgraded' the university such that people would need to use our program as previously planned.

Well, there's nothing to be done right now, but at least I've learned some REALLY valuable lesson:

1. User Requirement is a MUST! Have them sign it afterwards, and never do any work until then. This way, change of requirements could be rejected, or at least postponed

2. Code convention is a MUST! We have our code, in the end, written in English and Indonesian, which causes confusion. Furthermore, some settle to underscore when naming things, while other chooses camel case.

3. Don't give everyone write access to repository. Have them pull their own, and make PR later on. At least this way, they are forced to fix their changes when it doesn't meet the code convention.

4. Yell at EVERYONE who use cryptic git commit message. Some of my team uses JUST EMOTICONS for the commit message. At this point, even "fixes stuffs" sound better.

Well, that's for my rant. Thanks for reading through it. I wish some of you could actually benefit from it, especially if you're about to take on your first project.

Did i just get rick rolled through a user agent?

"[17/Nov/2020:10:20:42 +0000] "GET / HTTP/1.1" 200 1274 "-" "We are no strangers to love. You know the rules and so do I. A full commitment is what Im thinking of. You wouldnt get this from any other guy.." "-""

Dev: Can you please tell me why you changed this?
Me: Because we need to handle permissions in the app. The quickest way of doing it, according to the docs, is [insert change log here]
Dev: But we can just check for the user's token.
Me: That's not exactly a permission, because...
Dev: I was only showing the information related to the user according to their token.
Me: I understand. But that means you're filtering data, not authorising users to access it. If a user is logged in, but changes query parameters, they can still access data they shouldn't be able to.
Dev: Whatevs.

Le me then proceeds to try to push my changes (that took the whole day to implement), gets a "you need to pull first" message from git, doesn't understand why, logs onto GitHub and realises dev has implemented their "permissions".

I was the one responsible for making those changes. Le dev was meant to be doing other things.

How do I even begin to explain?

A LOT of this article makes me fairly upset. (Second screenshot in comments). Sure, Java is difficult, especially as an introductory language, but fuck me, replace it with ANYTHING OTHER THAN JAVASCRIPT PLEASE. JavaScript is not a good language to learn from - it is cheaty and makes script kiddies, not programmers. Fuck, they went from a strong-typed, verbose language to a shit show where you can turn an integer into a function without so much as a peep from the interpreter.

And fUCK ME WHY NOT PYTHON?? It's a weak typed but dynamic language that FORCES good indentation and actually has ACCESS TO THE FILE SYSTEM instead of just the web APIs that don't let you do SHIT compared to what you SHOULD learn.

OH AND TO PUT THE ICING ON THE CAKE, the article was comparing hello worlds, and they did the whole Java thing right but used ALERT instead of CONSOLE.LOG for JavaScript??? Sure, you can communicate with the user that way too but if you're comparing the languages, write text to the console in both languages, don't write text to the console in Java and use the alert api in JavaScript.

Fuck you Stanford, I expected better you shitty cockmunchers.

Taking IT classes in college. The school bought us all lynda and office365 accounts but we can't use them because the classroom's network has been severed from the Active Directory server that holds our credentials. Because "hackers." (The non-IT classrooms don't have this problem, but they also don't need lynda accounts. What gives?)

So, I got bored, and irritated, so I decided to see just how secure the classroom really was.

It wasn't.

So I created a text file with the following rant and put it on the desktop of the "locked" admin account. Cheers. :)

1. don't make a show of "beefing up security" because that only makes people curious.
I'm referring of course to isolating the network. This wouldn't be a problem except:

2. don't restrict the good guys. only the bad guys.
I can't access resources for THIS CLASS that I use in THIS CLASS. That's a hassle.
It also gives me legitimate motivation to try to break your security.

3. don't secure it if you don't care. that is ALSO a hassle.
I know you don't care because you left secure boot off, no BIOS password, and nothing
stopping someone from using a different OS with fewer restrictions, or USB tethering,
or some sort malware, probably, in addition to security practices that are
wildly inconsistent, which leads me to the final and largest grievance:

4. don't give admin priveledges to an account without a password.

seriously. why would you do this? I don't understand.
you at least bothered to secure the accounts that don't even matter,
albeit with weak and publicly known passwords (that are the same on all machines),
but then you went and left the LEAST secure account with the MOST priveledges?
I could understand if it were just a single-user machine. Auto login as admin.
Lots of people do that and have a reason for it. But... no. I just... why?

anyway, don't worry, all I did was install python so I could play with scripting
during class. if that bothers you, trust me, you have much bigger problems.

I mean you no malice. just trying to help.

For real. Don't kick me out of school for being helpful. That would be unproductive.
Plus, maybe I'd be a good candidate for your cybersec track. haven't decided yet.

-- a guy who isn't very good at this and didn't have to be
have a nice day <3

oh, and I fixed the clock. you're welcome.

My code review nightmare?

All of the reviews that consisted of a group of devs+managers in a conference room and a big screen micro-analyzing every line of code.
"Why did you call the variable that? Wouldn't be be more efficient to use XYZ components? You should switch everything to use ServiceBus."
and/or using the 18+ page coding standard document as a weapon.

PHB:"On page 5, paragraph 9, sub-section A-123, the standards dictate to select all the necessary data from the database. Your query is only selecting 5 fields from the 15 field field table. You might need to access more data in the future and this approach reduces the amount of code change."
Me: "Um, if the data requirements change, wouldn't we have change code anyway?"
PHB: "Application requirements are determined by our users, not you. That's why we have standards."
Me: "Um, that's not what I ..."
PHB: "Next file, oh boy, this one is a mess. On page 9, paragraph 2, sub-section Z-987, the standards dictate to only select the absolute minimum amount of the data from the database. Your query is selecting 3 fields, but the application is only using 2."
Me: "Yes, the application not using the field right now, but the user stated they might need the data for additional review."
PHB: "Did they fill out the proper change request form?"
Me: "No, they ...wait...Aren't the standards on page 9 contradictory to the standards on page 5?"
PHB: "NO! You'll never break your cowboy-coding mindset if you continue to violate standards. You see, standards are our promise to customers to ensure quality. You don't want to break our promises...do you?"

Putting chatgpt to some good use. Writing a complaint mail to the idiots maintaining my banking app in the style of shakespare.

Hark thee, App Support Team,

With grave disquiet and vexation doth I write to thee concerning thy recent update of the application. As a software developer, the option to enable developer settings on mine own mobile device is of paramount importance for mine work. Yet thy latest update hath impeded mine access to mine own bank account until I disable this setting. Upon launching the app, it doth redirect me to a browser tab, where I am compelled to deactivate the developer setting to avail of thy services.

This conduct of thine is most unacceptable and unprofessional in mine eyes. It doth seem a transgression of privacy, for thy app doth dictate what settings I may or may not have on mine own personal phone. How canst thou deny me access to mine own bank account information merely on the grounds of having enabled developer options? How doth this option interfere with thy application, such that thou must needs coerce thy users to forsake their phone settings to utilize thy app?

I beseech thee to rectify this issue with all due haste, so that I may access mine own bank account without hindrance. If thou art incapable of doing so, then prithee, might thou recommend a more user-friendly banking application to which I may gladly switch?

With frustration and discontent at this time,
A locked-out person.

Backstory : So recently one of my banking app stopped working and forced me to update to their latest version. As soon as i opened the newer version , it shut down and redirected to my browser with a shitty html page with just one message : Disable developer options on your device to continue using our app. I was extremely frustated and couldnt understand what kind of idiots were maintaining this app.So i decided to write up an email hoping to find some solution for this.

It took forever to get SSH access to our office network computers from outside. Me and other coworkers were often told to "just use teamviewer", but we finally managed to get our way.

But bloody incompetents! There is a machine with SSH listening on port 22, user & root login enabled via password on the personal office computer.

"I CBA to setup a private key. It's useless anyways, who's ever gonna hack this computer? Don't be paranoid, a password is enough!"

A little more than 30 minutes later, I added the following to his .bashrc:

alias cat="eject -T && \cat"
alias cp="eject -T && \cp"
alias find="eject -T && \find"
alias grep="eject -T && \grep"
alias ls="eject -T && \ls"
alias mv="eject -T && \mv"
alias nano="eject -T && \nano"
alias rm="eject -T && \rm"
alias rsync="eject -T && \rsync"
alias ssh="eject -T && \ssh"
alias su="eject -T && \su"
alias sudo="eject -T && \sudo"
alias vboxmanage="eject -T && \vboxmanage"
alias vim="eject -T && \vim"

He's still trying to figure out what is happening.

Highlights from my week:

Prod access: Needed it for my last four tickets; just got it approved this week. No longer need it (urgently, anyway). During setup, sysops didn’t sync accounts, and didn’t know how. Left me to figure out the urls on my own. MFA not working.

Work phone: Discovered its MFA is tied to another coworker’s prod credentials. Security just made it work for both instead of fixing it.

My merchant communication ticket: I discovered sysops typo’d my cronjob so my feature hasn’t run since its release, and therefore never alerted merchants. They didn’t want to fix it outside of a standard release. Some yelling convinced them to do it anyway.

AWS ticket: wow I seriously don’t give a crap. Most boring ticket I have ever worked on. Also, the AWS guy said the project might not even be possible, so. Weee, great use of my time.

“Tiny, easy-peasy ticket”: Sounds easy (change a link based on record type). Impossible to test locally, or even view; requires environments I can’t access or deploy to. Specs don’t cover the record type, nor support creating them. Found and patched it anyway.

Completed work: Four of my tickets (two high-priority) have been sitting in code review for over a month now.

Prod release: Release team #2 didn’t release and didn’t bother telling anyone; Release team #1 tried releasing tickets that relied upon it. Good times were had.

QA: Begs for service status page; VP of engineering scoffs at it and says its practically impossible to build. I volunteered. QA cheered; VP ignored me.

Retro: Oops! Scrum master didn’t show up.

Coworker demo: dogshit code that works 1 out of 15 times; didn’t consider UX or user preferences. Today is code-freeze too, so it’s getting released like this. (Feature is using an AI service to rearrange menu options by usage and time of day…)

Micromanager response: “The UX doesn’t matter; our consumers want AI-driven models, and we can say we have delivered on that. It works, and that’s what matters. Good job on delivering!”

Yep.
So, how’s your week going?

We gave admin access to a user who thinks he knows what he's doing. Why did we give admin access to a user who thinks he knows what he's doing?

🔐How can a manufacturer(Netgear) not allow changing username of the admin user???🔥

That effectively lets anyone bruteforce the damn thing like its being grilled on a BBQ!

Yet they implement remote access router management via 8080 and alley you set up VPN server on the incapable thing.

dear api author at my company pt. 2:

If you're gonna create an api method that takes some arguments.

And one of those arguments is an array.

THEN MAKE THE FUCKING ARGUMENT'S NAME PLURAL YOU FUCKING PIECE OF SHIT.

REPEAT WITH ME, MOTHERFUCKER.
ARRAY, PLURAL, NON-ARRAY, SINGULAR.

I need to pass a shitload of filters for the data for this table, and for every suckin fuckin filter I need to singularize this shit. Thank god for es6.

I know this sounds like nitpick, but I swear to fucking alpha omega this guy is inconsistent as fuck.

Every time it feels like he makes up a new rule.

Sometimes I need to send arrays of ids, other times arrays of objects with an id property on each.

He uses synonyms too, sometimes it's remove, other times erase.

PICK ONE MOTHERFUCKER.

If you can't do the basic things well, then what is to expect of more advanced stuff?

Naming conventions you fucking idiot, follow them. It's programming 101.

You're already sending them as plural in the fucking response. Why change them for the request?

And that's just style, conventions.

This idiot asshole also RARELY DOES ANY FUCKING CHECK ON THE ARGUMENTS.

"Oh, you sent a required argument as null? 500"

We get exceptions on sentry UP THE ASS thanks to this useless bone container.

YOU'RE SEEING THE EXCEPTIONS TOO!!!!! 500'S ARE BUGS YOU NEED TO FIX, YOU CUMCHUGGER

And sometimes he does send 400, you know what the messages usually are?
"Validation failed".

WHYYYYYY YOU GODDAMN APATHETIC TASTELESS FUCK???
WHAT EXACTLY CAUSED THE FUCKING VALIDATION TO FAIL????

EXCEPTIONS HAPPEN AND THANKS TO YOU I HAVE NO IDEA WHY.

The worst of all... the worst of fucking all is that everytime I make a suggestion to change shit, every time, you act like you care.
You act like the api is the way it is because you designed it in a calculated manner.

MOTHERFUCKER. IF A USER HAS ONLY PRODUCT A, THEN HE SHOULDN'T BE ABLE TO ACCESS DATA FOR PRODUCT B. IT IS NOT ENOUGH TO JUST RESTRICT SHIT WITH ADMIN ROLES. IDIOT!!!!!

This is the work of someone who has no passion for programming.

Just now I realized that for some reason I can't mount SMB shares to E: and H: anymore.. why, you might ask? I have no idea. And troubleshooting Windows.. oh boy, if only it was as simple as it is on Linux!!

So, bimonthly reinstall I guess? Because long live good quality software that lasts. In a post-meritocracy age, I guess that software quality is a thing of the past. At least there's an option to reset now, so that I don't have to keep a USB stick around to store an installation image for this crap.

And yes Windows fanbois, I fucking know that you don't have this issue and that therefore it doesn't exist as far as you're concerned. Obviously it's user error and crappy hardware, like it always is.

And yes Linux fanbois, I know that I should install Linux on it. If it's that important to you, go ahead and install it! I'll give you network access to the machine and you can do whatever you want to make it run Linux. But you can take my word on this - I've tried everything I could (including every other distro, custom kernels, customized installer images, ..), and it doesn't want to boot any Linux distribution, no matter what. And no I'm not disposing of or selling this machine either.

Bottom line I guess is this: the OS is made for a user that's just got a C: drive, doesn't rely on stuff on network drives, has one display rather than 2 (proper HDMI monitor recognition? What's that?), and God forbid that they have more than 26 drives. I mean sure in the age of DOS and its predecessor CP/M, sure nobody would use more than 26 drives. Network shares weren't even a thing back then. And yes it's possible to do volume mounts, but it's unwieldy. So one monitor, 1 or 2 local drives, and let's make them just use Facebook a little bit and have them power off the machine every time they're done using it. Because keeping the machine stable for more than a few days? Why on Earth would you possibly want to do that?!!

Microsoft Windows. The OS built for average users but God forbid you depart from the standard road of average user usage. Do anything advanced, either you can't do it at all, you can do it but it's extremely unintuitive and good luck finding manuals for it, or you can do it but Windows will behave weirdly. Because why not!!!

Client project manager calls me up one day

PM: hey can you make some precise estimates on some items for a project you’re not working on? It should be easy. It’s very similar to the project you ARE working on and it’s only a handful of user stories, mostly front end stuff. We´ll need this to be done by tomorrow night.

Me: um, I guess if it’s just a few simple items. ok

PM: great! I’ll let you know when you get access to the backlog.

Me: sounds good

Link to project is sent to me. Backlog contains over 20 user stories, most of which are backend related. And it doesn’t have much to do with my current project.

I contact PM: this isn’t exactly what you announced when I had you on the phone. If you want precise estimates with a minimum of design, this could take up to a week. I could however proceed to some ballpark estimates (poker planning) for starters if you need this quickly for your roadmap.

PM: no I need PRECISE estimates down to the hour for each item.

Me: ok then, it’ll take up to a week.

PM: 🤬🤬🤬. You told me it could be done in a day. I’m coming to realize your word can’t really be trusted.

Me: 🤦🏻‍♂️

We have to use this tool in work for classifying new and existing projects for GDPR. Long story short you have to fill out a REALLY long questionnaire, then it gets reviewed by someone in legal. The tool will also assign you tasks and suggest actions to common issues (e.g. suggesting a banner to explain cookie policy if you tick a certain box).

I have spent about an hour trying to re-assign the assessment I started, as i'm due to leave the company in a few days, to the guy taking over from me.

1. There is a “generate shareable URL” button, with the ability to click a button that says “replace me with the logged in user who opens this”. All it does is duplicate the name and description fields and send a new copy to that person, with no access to any of my other content or answers.

2. I did find a re-assign button eventually, again all it does it create a duplicate, and throws and error saying names must be unique when I try to save it.

3. While I couldn’t find a way to do that, I did find another button to at least assign the reviewer. It told me i’m forbidden to change the reviewer on assessments i’ve created.

This is THE WORST piece of nonsensical shit on earth. The entire application is absolute garbage and sssssssooooooo slow.

When you first create an assessment it brings you to a page that has all the questions, makes sense right? Wrong. All the questions are in read-only mode, and they are simply there as a "this is what you can expect to see later on", telling you whether or not they will be freeform, multiple choice etc.

The way to actually answer the questions is to click the "start survey" button hidden in the "status" dropdown.

I don't have much advice to anyone around GDPR, but please stay the hell away from TrustArc.

Someone once sent me an email talking about vulnerabilities in my website. He sent a full document with step by step instructions and code.

I emailed back and said woah! Thanks for the heads up I really appreciate it!

He responds back and says
"usually people send a payment as thank you"

I said sorry we're poor.

And he responds with "should I disclose the issue to your users?"

I said "we have like 6 users and most of them are my mom. Lol"

This was the email title:

Vulnerability Report 1 : Clickjacking On Login Lead to Account Takeover Of Any User/Cross Site Scripting Attacks/User Account Privilege Escalation/Victim Privilege Escalation/Malware Execution/Victim PC Hijack/Unauthorized Access To Any User Account/Account Takeover Of All The Users Registered On Your Application 

I bought hosting and domain last year, I uploaded my site and left it for months. Last month I logged onto my webhost's user panel and the "login to cpanel" option of my hosting directed me to someone else's premium hosting, I realised it late and I had already deleted whole of the WP site as I presumed it was mine. I left the database intact, reached out to the domain owner getting the info via whois, surprisingly he is was all fine losing his merchant navy academy website.

However, I WAS NOT FINE because I am not fucking expecting my webhost to give someone access to my hosting, just like I got access to his.

Been two weeks and they are unable to fix it and I am pissed off. I had no urgent need but I WANT ACCESS WHEN I WANT.

They are not as big as GoDaddy but they are a reputed hosting provider in my country with nice and fancy WP domain etc management portal and everything. I never expected this from then. How the fuck would they let this happen.

As IT, I hate being too accessible to users (I'm a software dev, not help desk support). One particular user...let's call him Fred (even though his real name is Joe)...sits close to me.

---

Fred: Bobby, fix my Outlook (he says it jokingly but serious). It keeps saying it needs to be repaired.

Me: Yeah had the same issue last week. I just reinstalled it.

Fred: So...you can't fix it?

---

Fred: Bobby, I need access to X.

Me: Ok go to this link to request access and a manager will approve it.

Fred: Whaaat? That's too much work. You are IT and should just give me access.

---

Fred: Youtube isn't working.

Me: Ok...and?

Fred: It means my internet isn't working!

Me: *sigh*

I previously worked as a Linux/unix sysadmin. There was one app team owning like 4 servers accessible in a very speciffic way.
* logon to main jumpbox
* ssh to elevated-privileges jumpbox
* logon to regional jumpbox using custom-made ssh alternative [call it fkup]
* try to fkup to the app server to confirm that fkup daemon is dead
* logon to server's mgmt node [aix frame]
* ssh to server directly to find confirm sshd is dead too
* access server's console
* place root pswd request in passwords vault, chase 2 mangers via phone for approvals [to login to the vault, find my request and aprove it]
* use root pw to login to server's console, bounce sshd and fkupd
* logout from the console
* fkup into the server to get shell.

That's not the worst part... Aix'es are stable enough to run for years w/o needing any maintenance, do all this complexity could be bearable.

However, the app team used to log a change request asking to copy a new pdf file into that server every week and drop it to app directory, chown it to app user. Why can't they do that themselves you ask? Bcuz they 'only need this pdf to get there, that's all, and we're not wasting our time to raise access requests and chase for approvals just for a pdf...'

oh, and all these steps must be repeated each time a sysadmin tties to implement the change request as all the movements and decisions must be logged and justified.

Each server access takes roughly half an hour. 4 servers -> 2hrs.

So yeah.. Surely getting your accesses sorted out once is so much more time consuming and less efficient than logging a change request for sysadmins every week and wasting 2 frickin hours of my time to just copy a simple pdf for you.. Not to mention that threr's only a small team of sysadmins maintaining tens of thousands of servers and every minute we have we spend working. Lunch time takes 10-15 minutes or so.. Almost no time for coffee or restroom. And these guys are saying sparing a few hours to get their own accesses is 'a waste of their time'...

That was the time I discovered skrillex.

I work as the entire I.T. department of a small business which products are web based, so naturally, I do tech support in said website directly to our clients.

It is normal that the first time a new client access our site they run into questions, but usually they never call again since it is an easy website.

There was an unlucky client which ran into unknown problems and blamed the server.
I couldn't determine the exact cause, but my assumption was a network error for a few seconds which made the site unavailable and the user tried to navigate the site through the navbar and exited the process he was doing. It goes without saying but he was very angry.

I assured him there was nothing wrong with the site, and told him that it would not be charged for this reason. Finally i told him that if he had the same problem, to let me know instead of trying to fix it himself.

The next time he used the site I received a WhatsApp message saying:
- there is something clearly wrong with the site... It has been doing this for so long!
And attached was a 10 second video which showed that he filled a form and never pressed send (my forms have small animations and text which indicates when the form is being send and error messages when an error occurs, usually not visible because the data they send is small and the whole process is quite fast)

To which I answer
- It seems that the form has not been send that's why it looks that way
- So... What an I supposed to do?
- click send
It took a while but the client replied
- ok

To this day I wonder how much time did the client stared at the form cursing the server.

Chrome, Firefox, and yes even you Opera, Falkon, Midori and Luakit. We need to talk, and all readers should grab a seat and prepare for some reality checks when their favorite web browsers are in this list.

I've tried literally all of them, in search for a lightweight (read: not ridiculously bloated) web browser. None of them fit the bill.

Yes Midori, you get a couple of bonus points for being the most lightweight. Luakit however.. as much as I like vim in my terminal, I do not want it in a graphical application. Not to mention that just like all the others you just use webkit2gtk, and therefore are just as bloated as all the others. Lightweight my ass! But programmable with Lua, woo! Not like Selenium, Chrome headless, ... does that for any browser. And that's it for the unique features as far as I'm concerned. One is slow, single-threaded and lightweight-ish (Midori) and another has vim keybindings in an application that shouldn't (Luakit).

Pretty much all of them use webkit2gtk as their engine, and pretty much all of them launch a separate process for each tab. People say this is more secure, but I have serious doubts about that. You're still running all these processes as the same user, and they all have full access to the X server they run under (this is also a criticism against user separation on a single X session in general). The only thing it protects against is a website crashing the browser, where only that tab and its process would go down. Which.. you know.. should a webpage even be able to do that?

But what annoys me the most is the sheer amount of memory that all of these take. With all due respect all of you browsers, I am not quite prepared to give 8 fucking gigabytes - half the memory in this whole box! - just for a dozen or so tabs. I shouldn't have to move my web browser to another lesser used 16GB box, just to prevent this one from going into fucking swap from a dozen tabs. And before someone has a go at the add-ons, there's 4 installed and that's it. None of them are even close to this complete and utter memory clusterfuck. It's the process separation. Each process consumes half a GB of memory, and there's around a dozen of them in a usual browsing session. THAT is the real problem. And I want to get rid of it.

Browsers are at their pinnacle of fucked up in my opinion, literally to the point where I'm seriously considering elinks. Being a sysadmin, I already live my daily life in terminals anyway. As such I also do have resources. But because of that I also associate every process with its cost to run it, in terms of resources required. Web browsers are easily at the top of the list.

I want to put 8GB into perspective. You can store nearly 2 entire DVD movies in that memory. However media players used to play them (such as SMPlayer) obviously don't do that. They use 60-80MB on average to play the whole movie. They also require far less processing power than YouTube in a web browser does, even when you download that exact same video with youtube-dl (either streamed within the media player or externally). That is what an application should be.

Let's talk a bit about these "complicated" websites as well. I hate to break it to you framework web devs, but you're a dime a dozen. The competition is high between web devs for that exact reason. And websites are not complicated. The document itself is plain old HTML, yes even if your framework converts to it in the background. That's the skeleton of your document, where I would draw a parallel with documents in office suites that are more or less written in XML. CSS.. oh yes, markup. Embolden that shit, yes please! And JavaScript.. oh yes, that pile of shit that's been designed in half a day, and has a framework called fucking isEven (which does exactly what it says on the tin, modulo 2 be damned). Fancy some macros in your text editor? Yes, same shit, different pile.

Imagine your text editor being as bloated as a web browser. Imagine it being prone to crashing tabs like a web browser. Imagine it being so ridiculously slow to get anything done in your productivity suite. But it's just the usual with web browsers, isn't it? Maybe Gopher wasn't such a bad idea after all... Oh and give me another update where I have to restart the browser when I commit the heinous act of opening another tab, just because you had to update your fucking CA certs again. Yes please!

Why I love Salesforce 👀

- Run a test method
- failure: no field found

- checks test, queries field
- checks field security (access permissions) visible to user

- runs test again
- failure: no field found
- adds debug log of queried field

- runs test again
- succes

Thanks, thanks for fucking with me today 🥲

Anybody do any cloud gaming? As a Linux user, I lack access to a reliable Windows gaming machine, so I rent one through paperspace, and pay 40¢ an hour to stream gameplay though parsec to my Linux desktop.

I've been playing a lot of Subnautica lately with it. How about you?

Thank God the week 233 rants are over - was getting sick of elitist internet losers.

The worst security bug I saw was when I first started work as a dev in Angular almost year ago. Despite the code being a couple of years old, the links to the data on firebase had 0 rules concerning user access, all data basically publicly available, the API keys were uploaded on GitHub, and even the auth guard didn't work. A proper mess that still gives me the night spooks to this day.

A project I'm working on uses Elastic for internal monitoring and logs. The customer asked to access those logs - not something we'd normally do, but it's isolated from other things we use and there's no critical data there, so what the heck, let them have it.

Ever since, we're getting tons of questions like "There are tons of [insert random info message] all the time, do you have any plans to resolve them?" and it gets to the point where I'm just about ready to scream back "NO, SUZAN, BOOKING NOT COMPLETED MANS THE USER F###ING CANCELLED IT, IT'S NOT SOMETHING I CAN FIX IN THE CODE"

Edit: the customer's name isn't actually Suzan

My recent hobby is to deny permissions that an android app asks for and see the app break into pieces... I don't know how people can assume that user is going to provide access... 😑

Have a couple I want to air today.

First was at my first gig as a dev, 4-5 months out of school. I was the only dev at a startup where the owner was a computer illiterate psycopath with serious temper tantrums. We're talking slamming doors, shouting at you while you are on the phone with customers, the works...

Anyways, what happened was that we needed to do an update in our database to correct some data on a few order lines regarding a specific product. Guess who forgot the fucking where-clause... Did I mention this boss was a cheap ass, dollar stupid, penny wise asshole that refused to have anything but the cheapest hosting? No backups, no test/dev/staging environment, no local copies... Yeah, live devving in prod, fucking all customers with a missing semi-colon (or where clause).

Amazingly, his sheer incompetance saved my ass, because even if I explained it, he didn't get it, and just wanted it fixed as best we could.

The second time was at a different company where we were delivering managed network services for a few municipalities. I was working netops at that time, mostly Cisco branded stuff, from Voice-over-IP and wifi to switches and some routing.

One day I was rolling out a new wireless network, and had to add the VLAN to the core switch on the correct port. VLAN's, for those who don't know, are virtual networks you can use to run several separated networks on the same cable.

To add a VLAN on a Cisco switch one uses the command:

switchport access vlan add XYZ

My mistake was omitting the 'add', which Cisco switches happily accept without warning. That command however can be quite disruptive as it replaces all of the excisting VLAN's with the new one.

Not a big deal on a distribution switch supplying an office floor or something, but on a fucking core switch in the datacenter this meant 20K user had no internet, no access to the applications in the DS, no access to Active Directory etc. Oh and my remote access to that switch also went down the drain...

Luckily a colleague of mine was on site with a console cable and access to config backups. Shit was over within 15 minutes. My boss at that time was thankfully a pragmatic guy who just responded "Well, at least you won't make that mistake again" when we debriefed him after the dust settled.

when I was a newbie I was given a task to upload a site.
I had done that many times before so I thought it wont be a big deal so I thought I never gave a try uploading through ftp.
Okay I began work on it the server was of godaddy and credentials I got were of delegate access.
right I tried connecting through ftp but it wasn't working thought there's some problem with user settings why shouldn't I create my own user to stay away from mess.
Now I creater my own user and could easily login but there were no files in it saw that by creating user my folder is different and I dont have access to server files I wanted to take backup before I do upload.
now I was thinking to give my user access to all files so I changed the access directory to "/" checked ftp again there was still no file.
don't know what happened to me I thought ahh its waste of time for creating ftp user it does nothing and I deleted my ftp account.
now I went through web browser to download data and earth skids beneath my foots. Holy fuck I lost all the data, all were deleted with that account it scared the shit out of me.
There were two sites running which were now gone.
Tried every bit to bring them back but couldn't do so. i contact support of godaddy they said you haven't enabled auto backup so you can't have them for free however they can provide their service in $150. Which is 15k in my country.
I decided to tell my boss about what happened and he got us away :p I wasn't fired gladly

The security on my school computers is a joke.
The standard student accounts have no user rights, but the "guest" account has admin rights???
The teachers private data is not secured, it's just hidden from explorer, so if you manually type in the folder location into the explorer bar, you can access the teacher's data. Not to mention everything is running on Windows 7 machines from 10 years ago.

So I joined this financial institution back in Nov. Selling themselves as looking for a developer to code micro-services for a Spring based project and deploying on Cloud. I packed my stuff, drove and moved to the big city 3500 km away. New start in life I thought!
Turns out that micro-services code is an old outdated 20 year old JBoss code, that was ported over to Spring 10 years ago, then let to rot and fester into a giant undocumented Spaghetti code. Microservices? Forget about that. And whats worse? This code is responsible for processing thousands of transactions every month and is currently deployed in PROD. Now its your responsibility and now you have to get new features complied on the damn thing. Whats even worse? They made 4 replicas of that project with different functionalities and now you're responsible for all. Ma'am, this project needs serious refactoring, if not a total redesign/build. Nope! Not doing this! Now go work at it.
It took me 2-3 months just to wrap my mind around this thing and implement some form of working unit tests. I have to work on all that code base by myself and deliver all by myself! naturally, I was delayed in my delivery but I finally managed to deliver.
Time for relief I thought! I wont be looking at this for a while. So they assign me the next project: Automate environment sync between PROD and QA server that is manually done so far. Easy beans right? And surely enough, the automation process is simple and straightforward...except it isnt! Why? Because I am not allowed access to the user Ids and 3rd party software used in the sync process. Database and Data WareHouse data manipulation part is same story too. I ask for access and I get denied over and over again. I try to think of workarounds and I managed to do two using jenkins pipeline and local scripts. But those processes that need 3rd party software access? I cannot do anything! How am I supposed to automate job schedule import on autosys when I DONT HAVE ACCESS!! But noo! I must think of plan B! There is no plan B! Rather than thinking of workarounds, how about getting your access privileges right and get it right the first time!!
They pay relatively well but damn, you will lose your sanity as a programmer.
God, oh god, please bless me with a better job soon so I can escape this programming hell hole.
I will never work in finance again. I don't recommend it, unless you're on the tail end of your career and you want something stable & don't give a damn about proper software engineering principles anymore.

Not a Story about an actual hack, but a story about people being dumb and using hacks as an excuse.

A few weeks ago my little cousin would reach out to me because "his Account was hacked...". Supposedly his League of Legends account was hacked by a guy of his own age (14) and this guy was boasting about it.

So i asked the usual things: "Has the email account been hijacked? Did anyone know about details to your acvount access? Etc..."

Turns out that one if his "friends" knew his password and username, but suppsedly erased these Informationen. And that was the part i didn't buy.

This was the point where he lost. Just because i am a programmer does not mean i can retrieve an account he lost because of a dumb mistake that could have easily been avoided. And that guy who was boasting about hacking LoL Account was coincidentally freinds with the friend who had the user credentials and password.

Moral of the Story? The biggest security weakness is almost always the user or a human in between...

This fcktard client that insist on using an iframe and demands support for browsers like IE7. You are costing me years of my life.

Fucking fuck of a Microsoft trying to protect people against tracking from 3d parties in an iframe in random ways in some versions of IE7. Or IE11 in IE7 compatibility mode.

If you are going to refuse sessions just do it! I got a fucking check and fix for that. Because these fuck faces friendly people at Apple like to refuse sessions on iPads and iPhone too. But we worked that out, because they are at least consistent. So a few dirty little hacks made it all Okay.

But no, Boo Hoo I'm Microsoft and I will throw a tantrum. I like my browsers to be like an magican, instead of an usefull piece of software. If you look in this page, or look here we got them. I got your sessions​, safe and secure.

But when you need me, to verify that the user is allowed to access data we do a little hocus pocus and now they are gone. Nowhere to be seen or found again. Fun times free fucking magic shows all day long.

It's morning but maybe its time for a bottle of scotch. Maybe if I'm in the state as this browser. Where I don't know what I'm doing because I'm shitfaced drunk it will start working.

When in Rome do as the romans do.

Today was a manic-depressive kind of day. Spent the morning helping some developers with getting their code to run a stored procedure to drop old partitions, but it wasn't working on their end. It was a fairly simple proc. But working with partitions is a little like working with an array. I figured out that they were passing the wrong timestamp, and needed to add +1 to delete the right partition. Got that sorted out, and things were good. Lunch time.

After lunch I did some busy work, and then the PO comes up at about 2PM and says he's assigned some requests to me. The first was just attaching some scripts. Easy. The second, the user wants a couple of schemas exported ... at 6PM. I've been in the office since 6:45AM.

While I'm setting up some commands to run for the data export, a BA walks up and asks if I'm filling in for another DBA who is out for a few weeks. Yep. There's a change request that hasn't been assigned, and he normally does the work. I ask when it's due. Well, the pre-implementation was supposed to be done in the morning, but it wasn't, and we're in the implementation window ... half way through. I bring up the change task, and look at. Create new schema and users. That's all it says. The BA laughs. I tell I need more to go on. 10 minutes later he sends an email with the information. There's only two hours left in the window, and I can only use half of it, because the production guys have to their stuff, and we're in their window. Now I'm irritated, because I'm new to Oracle, and it's an unforgiving mistress. Fortunately, another DBA says he'll do it, so that we can get it done in time. But can't work it either, because Dev DBAs don't have access to QA, and the process required access for this task. Gets shelved until the access issue is resolved. It's now after 4:15PM. I'm going to in traffic with that 6PM deadline.

I manage to get home and to the computer by 5:45PM. Log in. Start VPN. Box pops on screen. Java needs to update. I chose skip update. Box pops up again. It won't let me log in until Java is current. Passed.

I finally get logged in, and it's 6:10PM. I'm late getting the job started. I pull up Putty and log into the first box, and paste my pre-prepared command in the command line and hit error. Command not found. I'm tired, so it's a moment to sink in. I don't have time for this.

I log into DBArtisan and pull up the first data base, use the wizard to set the job, and off it goes. Yay. Bring up the second database, and have enter the connect info. Host not found. Wut? Examine host name. Yep, it's correct. Try a different method. Host not found. Go back to Putty. Log in. Past string. Launch. Command not found. Now my brain is quitting on me. Why now? It's after 6:30PM. Fiddle with some settings, reset $Oracle home. Try again. Yay. It works. I'm done. It's after 7PM.

There is nothing like technology to snatch the euphoria of a success away from you. It's a love-hate thing, but I wouldn't trade it for anything else. I'm done. Good night.

Conversation that probably went down when they designed the pc case I use:

Person A: You know what we should do, we should design quick-release clip things so that you don't have to use tools in order to install or remove a hard drive.
Person B: That's a great idea! Should we also have the opening for the drives to slide in to on the side so the user has easy access to the drives. Or at least make the front panel completely removable for this purpose.
A: No, let's have him remove the fucking gpu in order to install a new drive.
B: That sounds impractical!
A: Fuck it, you know what, lets design it so bad that even that won't be enough. Let them take out the fucking whole motherboard, so basically let them disassemble the whole working pc in order to add a single drive! That will be hilarious!

The Instagram API sucks a Lot.

Why the fuck I've to login with my account using OAuth2 to get posts of a PUBLIC account, it's so hard to make an authentication endpoint that doesn't require the user to enter his credentials in order to access PUBLIC content?

Fucking piece of shit

Operations: Can you exclude some user records for the website? These are obsolete and we don’t want users to access these anymore.

Me: So what are you using to indicate the record is obsolete?

Ops: We changed the last name field to say “shell record - do not use.” Sometimes it’s in the first name. Actually, it gets truncated to “shell record - do not u”.

Me: A…text field…and you’re totally ok with breaking user accounts…ok ok cool cool

Not cool 😳😬🤬 I’m not causing more chaos because your record keeping has gotten messy

That feeling when someone in marketing insists that an unauthenticated user seeing a login form when trying to access a secure view is "too confusing".

So I just started a part time job in a hospital research center - because the processing is long I got a temporary user name and password (that belong to the main HR secretary) so I can start work straight away (mainly data analytics)
The kick?
Administrator privileges.
I can access edit create or delete everything in the entire fucking database. On my first God damn day.
In the 2nd largest hospital in the fucking country.
Agh. How do systems survive with so many dumb security breaches?

Haven't had such joy as with developing the devrant client in a while. (when things work of course haha)

The js plugin system works now with barely any time added to just loading the rants and in proper order too! (thanks asyncjs) now just need to add a way for the user to download and manage external ones.

The screenshot shows the test plugin linkify, which fetches from the API if there's any links and linkifies them even on the feed (which devrant web doesn't do and always annoyed me) - though since html gets stripped by handlebars I'll have to find a way for them to properly render with other tags to still be stripped (maybe handlebars has that inbuilt already? didn't check yet), plugins currently have access to all values the template would get too, so one could fuck around with e.g. the usernames too lol.

btw: the app is fully responsive even on desktop, which will be handy for me personally, iirc all the other clients I've tried always had some sort of size limit, without which it'd also better fit all our i3 archers out there.

Oh boy, this is gonna be good:

TL;DR: Digital bailiffs are vulnerable as fuck

So, apparently some debt has come back haunting me, it's a somewhat hefty clai and for the average employee this means a lot, it means a lot to me as well but currently things are looking better so i can pay it jsut like that. However, and this is where it's gonna get good:

The Bailiff sent their first contact by mail, on my company address instead of my personal one (its's important since the debt is on a personal record, not company's) but okay, whatever. So they send me a copy of their court appeal, claiming that "according to our data, you are debtor of this debt". with a URL to their portal with a USERNAME and a PASSWORD in cleartext to the message.
Okay, i thought we were passed sending creds in plaintext to people and use tokenized URL's for initiating a login (siilar to email verification links) but okay! Let's pretend we're a dumbfuck average joe sweating already from the bailiff claims and sweating already by attempting to use the computer for something useful instead of just social media junk, vidya and porn.

So i click on the link (of course with noscript and network graph enabled and general security precautions) and UHOH, already a first red flag: The link redirects to a plain http site with NOT username and password: But other fields called OGM and dossiernumer AND it requires you to fill in your age???
Filling in the received username and password obviously does not work and when inspecting the page... oh boy!

This is a clusterfuck of javascript files that do horrible things, i'm no expert in frontend but nothing from the homebrewn stuff i inspect seems to be proper coding... Okay... Anyways, we keep pretending we're dumbasses and let's move on.

I ask for the seemingly "new" credentials and i receive new credentials again, no tokenized URL. okay.

Now Once i log in i get a horrible looking screen still made in the 90's or early 2000's which just contains: the claimaint, a pie chart in big red for amount unpaid, a box which allows you to write an - i suspect unsanitized - text block input field and... NO DATA! The bailiff STILL cannot show what the documents are as evidence for the claim!

Now we stop being the pretending dumbassery and inspect what's going on: A 'customer portal' that does not redirect to a secure webpage, credentials in plaintext and not even working, and the portal seems to have various calls to various domains i hardly seem to think they can be associated with bailiff operations, but more marketing and such... The portal does not show any of the - required by law - data supporting the claim, and it contains nothing in the user interface showing as such.
The portal is being developed by some company claiming to be "specialized in bailiff software" and oh boy oh boy..they're fucked because...

The GDPR requirements.. .they comply to none of them. And there is no way to request support nor to file a complaint nor to request access to the actual data. No DPO, no dedicated email addresses, nothing.

But this is really the ham: The amount on their portal as claimed debt is completely different from the one they came for today, for the sae benefactor! In Belgium, this is considered illegal and is reason enough to completely make the claim void. the siple reason is that it's unjust for the debtor to assess which amount he has to pay, and obviously bailiffs want to make the people pay the highest amount.

So, i sent the bailiff a business proposal to hire me as an expert to tackle these issues and even sent him a commercial bonus of a reduction of my consultancy fees with the amount of the bailiff claim! Not being sneery or angry, but a polite constructive proposal (which will be entirely to my benefit)

So, basically what i want to say is, when life gives you lemons, use your brain and start making lemonade, and with the rest create fertilizer and whatnot and sent it to the lemonthrower, and make him drink it and tell to you it was "yummy yummy i got my own lemons in my tummy"

So, instead of ranting and being angry and such... i simply sent an email to the bailiff, pointing out various issues (the ones

When you get called back into work at 5:30 in the morning for an urgent problem... Come to find out its because, "I forgot my internet access password, can you reset it...?" Are you shitting me? Fucking (L)user! In taking today off, fuck this.

I think I made someone angry, then sad, then depressed.

I usually shrink a VM before archiving them, to have a backup snapshot as a template. So Workflow: prepare, test, shrink, backup -> template, document.

Shrinking means... Resetting root user to /etc/skel, deleting history, deleting caches, deleting logs, zeroing out free HD space, shutdown.

Coworker wanted to do prep a VM for docker (stuff he's experienced with, not me) so we can mass rollout the template for migration after I converted his steps into ansible or the template.

I gave him SSH access, explained the usual stuff and explained in detail the shrinking part (which is a script that must be explicitly called and has a confirmation dialog).

Weeeeellll. Then I had a lil meeting, then the postman came, then someone called.

I had... Around 30 private messages afterwards...

- it took him ~ 15 minutes to figure out that the APT cache was removed, so searching won't work
- setting up APT lists by copy pasta is hard as root when sudo is missing....
- seems like he only uses aliases, as root is a default skel, there were no aliases he has in his "private home"
- Well... VIM was missing, as I hate VIM (personal preferences xD)... Which made him cry.
- He somehow achieved to get docker working as "it should" (read: working like he expects it, but that's not my beer).

While reading all this -sometimes very whiney- crap, I went to the fridge and got a beer.

The last part was golden.

He explicitly called the shrink script.
And guess what, after a reboot... History was gone.

And the last message said:

Why did the script delete the history? How should I write the documentation? I dunno what I did!

*sigh* I expected the worse, got the worse and a good laugh in the end.

Guess I'll be babysitting tomorrow someone who's clearly unable to think for himself and / or listen....

Yay... 4h plus phone calls. *cries internally*

Data Disinformation: the Next Big Problem

Automatic code generation LLMs like ChatGPT are capable of producing SQL snippets. Regardless of quality, those are capable of retrieving data (from prepared datasets) based on user prompts.
That data may, however, be garbage. This will lead to garbage decisions by lowly literate stakeholders.
Like with network neutrality and pii/psi ownership, we must act now to avoid yet another calamity.

Imagine a scenario where a middle-manager level illiterate barks some prompts to the corporate AI and it writes and runs an SQL query in company databases.
The AI outputs some interactive charts that show that the average worker spends 92.4 minutes on lunch daily.
The middle manager gets furious and enacts an Orwellian policy of facial recognition punch clock in the office.
Two months and millions of dollars in contractors later, and the middle manager checks the same prompt again... and the average lunch time is now 107.2 minutes!
Finally the middle manager gets a literate person to check the data... and the piece of shit SQL behind the number is sourcing from the "off-site scheduled meetings" database.
Why? because the dataset that does have the data for lunch breaks is labeled "labour board compliance 3", and the LLM thought that the metadata for the wrong dataset better matched the user's prompt.

This, given the very real world scenario of mislabeled data and LLMs' inability to understand what they are saying or accessing, and the average manager's complete data illiteracy, we might have to wrangle some actions to prepare for this type of tomfoolery.

I don't think that access restriction will save our souls here, decision-flumberers usually have the authority to overrule RACI/ACL restrictions anyway.
Making "data analysis" an AI-GMO-Free zone is laughable, that is simply not how the tech market works. Auto tools are coming to make our jobs harder and less productive, tech people!
I thought about detecting new automation-enhanced data access and visualization, and enacting awareness policies. But it would be of poor help, after a shithead middle manager gets hooked on a surreal indicator value it is nigh impossible to yank them out of it.

Gotta get this snowball rolling, we must have some idea of future AI housetraining best practices if we are to avoid a complete social-media style meltdown of data-driven processes.
Someone cares to pitch in?

Whelp. I started making a very simple website with a single-page design, which I intended to use for managing my own personal knowledge on a particular subject matter, with some basic categorization features and a simple rich text editor for entering data. Partly as an exercise in web development, and partly due to not being happy with existing options out there. All was going well...

...and then feature creep happened. Now I have implemented support for multiple users with different access levels; user profiles; encrypted login system (and encrypted cookies that contain no sensitive data lol) and session handling according to (perceived) best practices; secure password recovery; user-management interface for admins; public, private and group-based sections with multiple categories and posts in each category that can be sorted by sort order value or drag and drop; custom user-created groups where they can give other users access to their sections; notifications; context menus for everything; post & user flagging system, moderation queue and support system; post revisions with comparison between different revisions; support for mobile devices and touch/swipe gestures to open/close menus or navigate between posts; easily extendible css themes with two different dark themes and one ugly as heck light theme; lazy loading of images in posts that won't load until you actually open them; auto-saving of posts in case of browser crash or accidental navigation away from page; plus various other small stuff like syntax highlighting for code, internal post linking, favouriting of posts, free-text filter, no-javascript mode, invitation system, secure (yeah right) image uploading, post-locking...

On my TODO-list: Comment and/or upvote system, spoiler tag, GDPR compliance (if I ever launch it haha), data-limits, a simple user action log for admins/moderators, overall improved security measures, refactor various controllers, clean up the code...

It STILL uses a single-page design, and the amount of feature requests (and bugs) added to my Trello board increases exponentially with every passing week. No other living person has seen the website yet, and at the pace I'm going, humanity will have gone through at least one major extinction event before I consider it "done" enough to show anyone.

help

Anyone reading these emails we are sending?

I work at a small place. A few users are using an application at our place that I develop and maintain. We all work remotely.

I announce by email to these few users a new version release of said application because of low level changes in the database, send the timeline for the upgrade, I include the new executable, with an easy illustrated 2 minutes *howto* to update painlessly.

Yet, past the date of the upgrade, 100% of the application users emailed me because they were not able to use the software anymore.

----------------

Or I have this issue where we identified a vulnerability in our systems - and I send out an email asking (as soon as possible) for which client version users are using to access the database, so that I patch everything swiftly right. Else everything may crash. Like a clean summary, 2 lines. Easy. A 30 second thing.

A week pass, no answer, I send again.

Then a second week pass, one user answers, saying:

> well I am busy, I will have time to check this out in February.

----------------

Then I am asking myself:
* Why sending email at all in the first place?

* Who wrote these 'best practices textbooks about warning users on schedule/expected downtime?'

*How about I just patch and release first and then expect the emails from the users *after* because 'something is broken', right? Whatever I do, they don't read it.

Oh and before anyone suggest that I should talk to my boss about this behavior from the users, my boss is included in the aforementioned 'users'.

Catch-22 much ? Haha thanks for reading

/rant

Hmm...recently I've seen an increase in the idea of raising security awareness at a user level...but really now , it gets me thinking , why not raise security awareness at a coding level ? Just having one guy do encryption and encoding most certainly isn't enough for an app to be considered secure . In this day an age where most apps are web based and even open source some of them , I think that first of all it should be our duty to protect the customer/consumer rather than make him protect himself . Most of everyone knows how to get user input from the UI but how many out here actually think that the normal dummy user might actually type unintentional malicious code which would break the app or give him access to something he shouldn't be allowed into ? I've seen very few developers/software architects/engineers actually take the blame for insecure code . I've seen people build apps starting on an unacceptable idea security wise and then in the end thinking of patching in filters , encryptions , encodings , tokens and days before release realise that their app is half broken because they didn't start the whole project in a more secure way for the user .

Just my two cents...we as devs should be more aware of coding in a way that makes apps more secure from and for the user rather than saying that we had some epic mythical hackers pull all the user tables that also contained unhashed unencrypted passwords by using magix . It certainly isn't magic , it's just our bad coding that lets outside code interact with our own code .

Social Captain (a service to increase a user's Instagram followers) has exposed thousands of Instagram account passwords. The company says it helps thousands of users to grow their Instagram follower counts by connecting their accounts to its platform. Users are asked to enter their Instagram username and password into the platform to get started.

According to TechCrunch : Social Captain was storing the passwords of linked Instagram accounts in unencrypted plaintext. Any user who viewed the web page source code on their Social Captain profile page could see their Instagram username and password in plain text, as they had connected their account to the platform. A website bug allowed anyone access to any Social Captain user's profile without having to log in ; simply plugging in a user's unique account ID into the company's web address would grant access to their Social Captain account and their Instagram login credentials. Because the user account IDs were for the most part sequential, it was possible to access any user's account and view their Instagram password and other account information easily. The security researcher who reported the vulnerability provided a spreadsheet of about 10,000 scraped user accounts to TechCrunch.

!rant

Need some opinions. Joined a new company recently (yippee!!!). Just getting to grips with everything at the minute. I'm working on mobile and I will be setting up a new team to take over a project from a remote team. Looking at their iOS and Android code and they are using RxSwift and RxJava in them.

Don't know a whole lot about the Android space yet, but on iOS I did look into Reactive Cocoa at one point, and really didn't like it. Does anyone here use Rx, or have an opinion about them, good or bad? I can learn them myself, i'm not looking for help with that, i'm more interested in opinions on the tools themselves.

My initial view (with a lack of experience in the area):

- I'm not a huge fan of frameworks like this that attempt to change the entire flow or structure of a language / platform. I like using third party libraries, but to me, its excessive to include something like this rather than just learning the in's / out's of the platform. I think the reactive approach has its use cases and i'm not knocking the it all together. I just feel like this is a little bit of forcing a square peg into a round hole. Swift wasn't designed to work like that and a big layer will need to be added in, in order to change it. I would want to see tremendous gains in order to justify it, and frankly I don't see it compared to other approaches.

- I do like the MVVM approach included with it, but i've easily managed to do similar with a handful of protocols that didn't require a new architecture and approach.

- Not sure if this is an RxSwift thing, or just how its implemented here. But all ViewControllers need to be created by using a coordinator first. This really bugs me because it means changing everything again. When I first opened this app, login was being skipped, trying to add it back in by selecting the default storyboard gave me "unwrapping a nil optional" errors, which took a little while to figure out what was going on. This, to me, again is changing too much in the platform that even the basic launching of a screen now needs to be changed. It will be confusing while trying to build a new team who may or may not know the tech.

- I'm concerned about hiring new staff and having to make sure that they know this, can learn it or are even happy to do so.

- I'm concerned about having a decrease in the community size to debug issues. Had horrible experiences with this in the past with hybrid tech.

- I'm concerned with bugs being introduced or patterns being changed in the tool itself. Because it changes and touches everything, it will be a nightmare to rip it out or use something else and we'll be stuck with the issue. This seems to have happened with ReactiveCocoa where they made a change to their approach that seems to have caused a divide in the community, with people splitting off into other tech.

- In this app we have base Swift, with RxSwift and RxCocoa on top, with AlamoFire on top of that, with Moya on that and RxMoya on top again. This to me is too much when only looking at basic screens and networking. I would be concerned that moving to something more complex that we might end up with a tonne of dependencies.

- There seems to be issues with the server (nothing to do with RxSwift) but the errors seem to be getting caught by RxSwift and turned into very vague and difficult to debug console logs. "RxSwift.RxError error 4" is not great. Now again this could be a "way its being used" issue as oppose to an issue with RxSwift itself. But again were back to a big middle layer sitting between me and what I want to access. I've already had issues with login seeming to have 2 states, success or wrong password, meaning its not telling the user whats actually wrong. Now i'm not sure if this is bad dev or bad tools, but I get a sense RxSwift is contributing to it in some fashion, at least in this specific use of it.

I'll leave it there for now, any opinions or advice would be appreciated.

I'm performing a pentest for my client.
So after scanning my client's network I understood they're using IIS 4.5 and windows server 2012 (or 2012 R2)
I know the systems are real old.
And there are known exploits for them.

The tricky part is I have to stay hidden and I only have my own credentials for logging in to the asp page. (Uploading a script is almost crossed cuz it will reveal my identity)
Also I have access to the local network with some of the other employees user/pass.

Any recommendation for exploiting and staying hidden at the same time ?

One more question : will exploits for newer versions work for the older ones necessarily?

Today, in "Marketing showed a Beta feature to a bunch of cusomters"...:
"I shouldn't have given access to the Beta server to the new user... They're gonna find all of these bugs and they're not gonna be happy..."
You don't say

Saw this sent into a Discord chat today:

"Warning, look out for a Discord user by the name of "shaian" with the tag #2974. He is going around sending friend requests to random Discord users, and those who accept his friend requests will have their accounts DDoSed and their groups exposed with the members inside it becoming a victim as well. Spread the word and send this to as many discord servers as you can. If you see this user, DO NOT accept his friend request and immediately block him. Discord is currently working on it. SEND THIS TO ALL THE SERVERS YOU ARE IN. This is IMPORTANT: Do not accept a friend request from shaian#2974. He is a hacker.

Tell everyone on your friends list because if somebody on your list adds one of them, they'll be on your list too. They will figure out your personal computer's IP and address, so copy & paste this message where ever you can. He is going around sending friend requests to random discord users, and those who accept his requests will have their accounts and their IP Addresses revealed to him. Spread the word and send this to as many discord servers as you can. If you see this user, DO NOT accept his friend request and immediately block him. Saw this somewhere"

I was so angry I typed up an entire feature-length rant about it (just wanted to share my anger):

"1. Unless they have access to Discord data centres or third-party data centres storing Discord user information I doubt they can obtain the IP just by sending friend requests.

2. Judging by the wording, for example, 'copy & paste this message where ever you can' and 'Spread the word and send this to as many discord servers as you can. If you see this user, DO NOT accept his friend request and immediately block him.' this is most likely BS, prob just someone pissed off at that user and is trying to ruin their reputation etc.. Sentences equivalent to 'spread the word' are literally everywhere in this wall of text.

3. So what if you block the user? You don't even have their user ID, they can change their username and discrim if they want. Also, are you assuming they won't create any alts?

4. Accounts DDoSed? Does the creator of this wall of text even understand what that means? Wouldn't it be more likely that 'shaian' will be DDoSing your computer rather than your Discord account? How would the account even be DDoSed? Does that mean DDoSing Discord's servers themselves?

5. If 'shaian' really had access to Discord's information, they wouldn't need to send friend requests in order to 'DDoS accounts'. Why whould they need to friend you? It doesn't make sense. If they already had access to Discord user IP addresses, they won't even have to interact with the users themselves. Although you could argue that they are trolling and want to get to know the victim first or smth, that would just be inefficient and pointless. If they were DDoSing lots of users it would be a waste of time and resources.

6. The phrase 'Saw this somewhere' at the end just makes it worse. There is absolutely no proof/evidence of any kind provided, let along witnesses.

How do you expect me to believe this copypasta BS scam? This is like that 'Discord will be shutting down' scam a while back.

Why do people even believe this? Do you just blindly follow what others are doing and without thinking, copy and paste random walls of text?

Spreading this false information is pointless and harmful. It only provides benefits to whoever started this whole thing, trying to bring down whoever 'shaian' is.

I don't think people who copy & paste this sort of stuff are ready to use the internet yet.

Would you really believe everything people on the internet tell you?

You would probably say 'no'.

Then why copy & paste this? Do you have a reason?

Or is it 'just because of 'spread the word''?

I'm just sick of seeing people reposting this sort of stuff

People who send this are probably like the people who click 'Yes' to allow an app to make changes in the User Account Control window without reading the information about the publisher's certificate, or the people who click 'Agree' without actually reading the terms and conditions."

In today's episode of kidding on SystemD, we have a surprise guest star appearance - Apache Foundation HTTPD server, or as we in the Debian ecosystem call it, the Apache webserver!

So, imagine a situation like this - Its friday afternoon, you have just migrated a bunch of web domains under a new, up to date, system. Everything works just fine, until... You try to generate SSL certificates from Lets Encrypt.

Such a mundane task, done more than a thousand times already... Yet... No matter what you do, nothing works. Apache just returns a HTTP status code 403 - Forbidden.

Of course, what many folk would think of first when it came to a 403 error is - Ooooh, a permission issue somewhere in the directory structure!

So you check it... And re-check it to make sure... And even switch over to the user the webserver runs under, yet... You can access the challenge just fine, what the hell!

So you go deeper... And enable the most verbose level of logging apache is capable of - Trace8. That tells you... Not a whole lot more... Apparently, the webserver was unable to find file specified? But... Its right there, you can see it!

So you go another step deeper and start tracing the process' system calls to see exactly where it calls stat/lstat on the file, and you see that it... Calls lstat and... It... Returns -1? What the hell#2!

So, you compile a custom binary that calls lstat on the first argument given and prints out everything it returns... And... It works fine!

Until now, I chose to omit one important detail that might have given away the issue to the more knowledgeable right away. Our webservers have the URL /.well-known/acme-challenge/, used for ACME challenges, aliased somewhere else on the filesystem - To /tmp/challenges.

See the issue already?

Some *bleep* over at the Debian Package Maintainer group decided that Apache could save very sensitive data into /tmp, so, it would be for the best if they changed something that worked for decades, and enabled a SystemD service unit option "PrivateTmp" for the webserver, by default.

What it does is that, anytime a process started with this option enabled writes to /tmp/*, the call gets hijacked or something, and actually makes the write to a private /tmp/something/tmp/ directory, where something... Appeared as a completely random name, with the "apache2.service" glued at the end.

That was also the only reason why I managed fix this issue - On the umpteenth time of checking the directory structure, I noticed a "systemd-private-foobarbas-apache2.service-cookie42" directory there... That contained nothing but a "tmp" directory with 777 as its permission, owned by the process' user and group.

Overriding that unit file option finally fixed the issue completely.

I have just one question - Why? Why change something that worked for decades? I understand that, in case you save something into /tmp, it may be read by 3rd parties or programs, but I am of the opinion that, if you did that, its only and only your fault if you wrote sensitive data into the temporary directory.

And as far as I am aware, by default, Apache does not actually write anything even remotely sensitive into /tmp, so...

Why. WHY!
I wasted 4 hours of my life debugging this! Only to find out its just another SystemD-enabled "feature" now!

And as much as I love kidding on SystemD, this time, I see it more as a fault of the package maintainers, because... I found no default apache2/httpd service file in the apache repo mirror... So...

Dear IT troll: I am not some idiot user. I FUCKING WRITE SOFTWARE! I actually CREATE CAPABILITY! I don't create "content", I'm not some fucking suit that pumps out PowerPoint/Excel/Email all day long. I don't need to be handed a consumers screwdriver, hammer, and wrench set. I need to be able to set up the technological equivalent of MY OWN FUCKING FORGE AND ANVIL! Do you get it? Do you understand me? Give me administrator access and go the fuck away. While you're at it, please quarantine this pile of silicon onto a limited access network if it makes you feel better. My development system doesn't need to connect to the wealth of bullshit in your precious little dumbed down corporate Wiki-wannabe Sharepoint system. Keep my creative space away from Test and Prod networks while you're at it. Just give me the goddamed tools I need to do my work and fuck off!

"you realize that any user can gain admin access by signing in with their own creds and switching out the word "user" or "client" in the url for "admin"

"Yeah, I don't care. <sr dev> is under a lot of pressure"

This week I got a promotion after being a junior for a year. Boss said Im a medior now and my monthly salary raised with 400 euro per month

Feels good but what feels bad is that a coworker of mine which has been contracted recently without any development experience is still making 400 more a month..

The thing is that this "developer" wanted to become a Java developer, he has been given time during work to study Java and in the meanwhile join the team thats working on a saas product (my team, where im lead dev)

During the 3 months ive counted a maximum of 10 commits and i was done with him which conflicted in a very bad vibe at the office.

During a refinement I asked if everybody understood what needs to be done, no questions asked. Next day when i was working at a clients office on another project 9 am i git a Skype message "Can you tell me What to do? I have no idea" where I replied "you should have asked me yesterday, i am not going to help you unless u come up with a question that makes sense.. what have u tried urself?".. Well then he got mad and stopped doing what he was trying to do.

The next morning i talked with him and we agreed to have a 1hour session to talk him through the user story. When we were done, he said that he understood and was going to work on it.

Next day I check, no commits, so during stand up i confronted hmj with this and he admitted hes been lacking and wanted to talk with the boss and me after stand up.

Well he admitted things were going to fast to keep up for him because he is doing some sysadmin stuff aswell.. the plan of becoming a Java dev was now history and he left the team..

Now he is just doing some sysadmin stuff but its been 3 days that hes been saying today ill setup a tomcat on the servers and give you SSH acces to deploy your .war files, today I finally gained access but he couldnt figure out how to move the war to the webapps folder.. And i wasnt allowed to transfer it to there..

I am building a website inspired by devrant but have never built a server network before, and as im still a student I have no industry experience to base a design on, so was hoping for any advice on what is important/ what I have fucked up in my plan.

The attached image is my currently planned design. Blue is for the main site, and is a cluster of app servers to handle any incoming requests.

Green is a subdomain to handle images, as I figured it would help with performance to have image uploads/downloads separated from the main webpage content. It also means I can keep cache servers and app servers separated.

Pink is internal stuff for logging and backups and probably some monitoring stuff too.

Purple is databases. One is dedicated for images, that way I can easily back them up or load them to a cache server, and the other is for normal user data and posts etc.

The brown proxy in the middle is sorta an internal proxy which the servers need to authenticate with to connect to, that way I can just open the database to the internal proxy, and deny all other requests, and then I can have as many app servers as I want and as long as they authenticate with the proxy, they can access the database without me changing any firewall rules. The other 2 proxies just distribute requests between the available servers in the pool.

Any advice would be greatly appreciated! Thanks in advanced :D

One of our customers wants our mobile app to log out the user after 15 minutes of inactivity because of SeCuRiTy…

Why? The phones protect the apps with their hardware encryption from any malicious access.
And we are not dealing with super sensitive data here like some banking app or so.

Why do some people want to have bad UX for no reason?

They've been in a meeting with some clients the whole morning.
12PM, time for me to go. Say Happy New Year and am on my way home.
12:20 Got home, took shirt off, got something to eat from the fridge.
12:22 Bit the first slice of pizza. Phone rings.
- "Yo' we wanted to show them app 2 but I can't log in."
+ "I left the laptop (and the whole dev environment) there, and there's no PC on in my house (and no dev environment whatsoever)."
- "Well check with your phone. [SIC] Tell me when you fix it."
12:32 I had turned my personal computer on; checked the problem was what I imagined (unpkg lib with no version defined on the link had a new major/non-retrocompatible version); grabbed an online FTP tool; remembered IP, user & password; edited the single line that caused the problem; and checked it worked. Calling back.
+ "It's fixed."
- "Thanks!"
12:38 CEO sent me an image of the app not working, due to a known bug.
+ "That happens if you try to access app 1 having accessed app 2 and not logging off." (app 2 isn't being used / sold, as it's still in development) "Try logging off and logging in again from app 1."
- * radio silence *
+ * guess they could get in *

They had the whole freaking morning. 😠
I'm the hero CMMi's level one warns you about. But at what cost.
Happy early New Year's Eve everyone.

I just found a vulnerability in my companies software.
Anyone who can edit a specific config file could implant some SQL there, which would later be executed by another (unknowing) user from within the software.

The software in question is B2B and has a server-client model, but with the client directly connecting to the database for most operations - but what you can do should be regulated by the software. With this cute little exploit I managed to drop a table from my test environment - or worse: I could manipulate data, so when you realize it it's too late to simply restore a DB backup because there might have been small changes for who knows how long. If someone was to use this maliciously the damages could be easily several million Euros for some of our customers (think about a few hundred thousand orders per day being deleted/changed).

It could also potentially be used for data exfiltration by changing protection flags, though if we're talking industry espionage they would probably find other ways and exploit the OS or DB directly, given that this attack requires specific knowledge of the software. Also we don't promise to safely store your crabby patty recipe (or other super secret secrets).

The good thing is that an attack would only possible for someone with both write access to that file and insider knowledge (though that can be gained by user of the software fairly easily with some knowledge of SQL).

Well, so much for logging off early on Friday.

Since my first post was a success, here's another shameless hack-- in this case, ripping a "closed" database I don't usually have access to and making a copy in MySQL for productivity purposes. That was at a former job as an IT guy at a hardware store, think Lowes/Rona.

We had an old SCO Unix server hosting Informix SQL (curious, anyone here touched iSQL?), which has terminal only forms for the users to handle data, and has keybindings that are strangely vi based (ESC does commit changes. Mindfsck for the users!). To add new price changes to our products, this results to a lengthy procedure inside a terminal form (with ascii borders!) with a few required fields, which makes this rather long. Sadly, only I and a colleague had access to price changes.

Introducing a manager who asks a price change for a brand- not a single product, but the whole product line of a brand we sell. Oh and, those price changes ends later after the weekend (twice the work, back at regular price!)

The usual process is that they send me a price change request Excel document with all the item codes along with the new prices. However, being non technical, those managers write EVERYTHING at hand, cell by cell (code, product name, cost, new price, etc), sometimes just copy pasted from a terminal window

So when the manager asked me to change all those prices, I thought "That's the last time I manually enter all of this sh!t- and so does he". Since I already have a MySQL copy of the items & actual (live) price tables, I wrote a PHP backend to provide a basic API to be consumed to a now VBA enhanced Excel sheet.

This VBA Excel sheet had additional options like calculating a new price based on user provided choices ("Lower price by x $ or x %, but stay above cost by x $ or x %"), so the user could simply write back to back every item codes and the VBA Excel sheet will fetch & display automatically all relevant infos, and calculate a new price if it's a 20% price cut for example.

So when the managers started using that VBA sheet, I had also hidden a button which simply generate all SQL inserts for the prices written in the form, including a "back to regular price" if the user specified an end date, etc.

No more manual form entry for me, no more keyboard pecking for the managers with new prices calculated for them. It was a win/win :)

So today I found a file share containing some super super sensitive information accessible to what I think was our entire user base (6,500 users) if you knew the server name and had an interest in nosing around.

I reported it to our head of IT and heard nothing after, although 5 mins after reporting I could no longer access...

I suspect the infrastructure lead is going to be a dick (because his one of them awkward non team player kind of guys) and not thank me for preventing our company from being in national news papers... but try to spin it on why am I nosing around his servers in the first place..

I actually feel 50/50 about if I should of told or not.. but on flip side, I guess the access logs of me listing the files as I flick through to confirm my suspicions would of caused s bigger headache.

Fucking useless infrastructure engineers!

Sometimes human stupidity still surprises me.

Today I was able to stop the release of a ticket at the last moment that intended to put urls WITH A SECURITY TOKEN TO ACCESS USER DATA through a link shortener.
Some PM assumed that it would be a reasonable course of action to map an url secured via jwt through to a 4 character, countable, base64 string so that we don't have to send multiple sms if they contain this url. I can accept that the implications might slip through one person but the fact that this was put into a ticket by a pm, prioritized by PO, estimated by an entire team, implemented by a professional developer, reviewed by a senior and then scheduled for release without anyone asking themselves if there might be a reason for a security token to be long, that one shocks me.

Have you ever had the moment when you were left speechless because a software system was so fucked up and you just sat there and didn't know how to grasp it? I've seen some pretty bad code, products and services but yesterday I got to the next level.

A little background: I live in Europe and we have GDPR so we are required by law to protect our customer data. We need quite a bit to fulfill our services and it is stored in our ERP system which is developed by another company.

My job is to develop services that interact with that system and they provided me with a REST service to achieve that. Since I know how sensitive that data is, I took extra good care of how I processed the data, stored secrets and so on.

Yesterday, when I was developing a new feature, my first WTF moment happened: I was able to see the passwords of every user - in CLEAR TEXT!!

I sat there and was just shocked: We trust you with our most valuable data and you can't even hash our fuckn passwords?

But that was not the end: After I grabbed a coffee and digested what I just saw, I continued to think: OK, I'm logged in with my user and I have pretty massive rights to the system. Since I now knew all the passwords of my colleagues, I could just try it with a different account and see if that works out too.

I found a nice user "test" (guess the password), logged on to the service and tried the same query again. With the same result. You can guess how mad I was - I immediately changed my password to a pretty hard.

And it didn't even end there because obviously user "test" also had full write access to the system and was probably very happy when I made him admin before deleting him on his own credentials.

It never happened to me - I just sat there and didn't know if I should laugh or cry, I even had a small existential crisis because why the fuck do I put any effort in it when the people who are supposed to put a lot of effort in it don't give a shit?

It took them half a day to fix the security issues but now I have 0 trust in the company and the people working for it.
So why - if it only takes you half a day to do the job you are supposed (and requires by law) to do - would you just not do it? Because I was already mildly annoyed of your 2+ months delay at the initial setup (and had to break my own promises to my boss)?

By sharing this story, I want to encourage everyone to have a little thought on the consequences that bad software can have on your company, your customers and your fellow devs who have to use your services.
I'm not a security guy but I guess every developer should have a basic understanding of security, especially in a GDPR area.

Dev Diary Entry #56
Dear diary, the part of the website that allows users to post their own articles - based on an robust rights system - through a rich text editor, is done! It has a revision system and everything. Now to work on a secure way for them to upload images and use these in their articles, as I don't allow links to external images on the site.

Dev Diary Entry #57
Dear diary, today I finally finished the image uploading feature for my website, and I have secured it as well as I can.

First, I check filesize and filetype client-side (for user convenience), then I check the same things serverside, and only allow images in certain formats to be uploaded.

Next, I completely disregard the original filename (and extension) of the image and generate UUIDs for them instead, and use fileinfo/mimetype to determine extension. I then recreate the image serverside, either in original dimensions or downsized if too large, and store the new image (and its thumbnail) in a non-shared, private folder outside the webpage root, inaccessible to other users, and add an image entry in my database that contains the file path, user who uploaded it, all that jazz.

I then serve the image to the users through a server-side script instead of allowing them direct access to the image. Great success. What could possibly go horribly wrong?

Dev Diary Entry #58
Dear diary, I am contemplating scrapping the idea of allowing users to upload images, text, comments or any other contents to the website, since I do not have the capacity to implement the copyright-filter that will probably soon become a requirement in the EU... :(

Wat to do, wat to do...

PouchDB.

It promised full-blown CRDT functionality. So I decided to adopt it.

Disappointment number one: you have to use CouchDB, so your data model is under strict regulations now. Okay.

Disappointment number two: absolutely messed up hack required to restrict users from accessing other users’ data, otherwise you have to store all the user data in single collection. Not the most performant solution.

Disappointment number three: pagination is utter mess. Server-side timestamps are utter mess. ANY server-side logic is utter mess.

Just to set it to work, you need PouchDB itself, websocket adapter (otherwise only three simultaneous syncs), auth adapter (doesn’t work via sockets), which came out fucking large pile of bullshit at the frontend.

Disappointment number four, the final one: auth somehow works but it doesn’t set cookie. I don’t know how to get access.

GitHub user named Wohali, number one CouchDB specialist over there, doesn’t know that either.

It also doesn’t work at Incognito mode, doesn’t work at Firefox at all.

So, if you want to use PouchDB, bear that in mind:
1. CouchDB only
2. No server-side logic
3. Authorization is a mess
4. Error logs are mess too: “ERROR 83929629 broken pipe” means “out of disk space” in Erlang, the CouchDB language.
5. No hosting solutions. No backup solutions, no infrastructure around that at all. You are tied to bare metal VPS and Ansible.
6. Huge pile of bullshit at frontend. Doesn’t work at Incognito mode, doesn’t work at Firefox.

ZNC shenanigans yesterday...

So, yesterday in the midst a massive heat wave I went ahead, booze in hand, to install myself an IRC bouncer called ZNC. All goes well, it gets its own little container, VPN connection, own user, yada yada yada.. a nice configuration system-wise.

But then comes ZNC. Installed it a few times actually, and failed a fair few times too. Apparently Chrome and Firefox block port 6697 for ZNC's web interface outright. Firefox allows you to override it manually, Chrome flat out refuses to do anything with it. Thank you for this amazing level of protection Google. I didn't notice a thing. Thank you so much for treating me like a goddamn user. You know Google, it felt a lot like those plastic nightmares in electronics, ultrasonic welding, gluing shit in (oh that reminds me of the Nexus 6P, but let's not go there).. Google, you are amazing. Best billion dollar company I've ever seen. Anyway.

So I installed ZNC, moved the client to bouncer connection to port 8080 eventually, and it somewhat worked. Though apparently ZNC in its infinite wisdom does both web interface and IRC itself on the same port. How they do it, no idea. But somehow they do.

And now comes the good part.. configuration of this complete and utter piece of shit, ZNC. So I added my Freenode username, password, yada yada yada.. turns out that ZNC in its infinite wisdom puts the password on the stdout. Reminded me a lot about my ISP sending me my password via postal mail. You know, it's one thing that your application knows the plaintext password, but it's something else entirely to openly share that you do. If anything it tells them that something is seriously wrong but fuck! You don't put passwords on the goddamn stdout!

But it doesn't end there. The default configuration it did for Freenode was a server password. Now, you can usually use 3 ways to authenticate, each with their advantages and disadvantages. These are server password, SASL and NickServ. SASL is widely regarded to be the best option and if it's supported by the IRC server, that's what everyone should use. Server password and NickServ are pretty much fallback.

So, plaintext password, default server password instead of SASL, what else.. oh, yeah. ZNC would be a server, right. Something that runs pretty much forever, 24/7. So you'd probably expect there to be a systemd unit for it... Except, nope, there isn't. The ZNC project recommends that you launch it from the crontab. Let that sink in for a moment.. the fucking crontab. For initializing services. My whole life as a sysadmin was a lie. Cron is now an init system.

Fortunately that's about all I recall to be wrong with this thing. But there's a few things that I really want to tell any greenhorn developers out there... Always look at best practices. Never take shortcuts. The right way is going to be the best way 99% of the time. That way you don't have to go back and fix it. Do your app modularly so that a fix can be done quickly and easily. Store passwords securely and if you can't, let the user know and offer alternatives. Don't put it on the stdout. Always assume that your users will go with default options when in doubt. I love tweaking but defaults should always be sane ones.

One more thing that's mostly a jab. The ZNC software is hosted on a .in domain, which would.. quite honestly.. explain a lot. Is India becoming the next Chinese manufacturers for software? Except that in India the internet access is not restricted despite their civilization perhaps not being fully ready for it yet. India, develop and develop properly. It will take a while but you'll get there. But please don't put atrocities like this into the world. Lastly, I know it's hard and I've been there with my own distribution project too. Accept feedback. It's rough, but it is valuable. Listen to the people that criticize your project.

Worst architecture I've seen?

The worst (working here) follow the academic pattern of trying to be perfect when the only measure of 'perfect' should be the user saying "Thank you" or one that no one knows about (the 'it just works' architectural pattern).

A senior developer with a masters degree in software engineering developed a class/object architecture for representing an Invoice in our system. Took almost 3 months to come up with ..

- Contained over 50 interfaces (IInvoice, IOrder, IProduct, etc. mostly just data bags)
- Abstract classes that implemented the interfaces
- Concrete classes that injected behavior via the abstract classes (constructors, Copy methods, converter functions, etc)
- Various data access (SQL server/WCF services) factories

During code reviews I kept saying this design was too complex and too brittle for the changes everyone knew were coming. The web team that would ultimately be using the framework had, at best, vague requirements. Because he had a masters degree, he knew best.

He was proud of nearly perfect academic design (almost 100% test code coverage, very nice class diagrams, lines and boxes, auto-generated documentation, etc), until the DBAs changed table relationships (1:1 turned into 1:M and M:M), field names, etc, and users changed business requirements (ex. concept of an invoice fee changed the total amount due calculation, which broke nearly everything).

That change caused a ripple affect that resulted in a major delay in the web site feature release.

By the time the developer fixed all the issues, the web team wrote their framework and hit the database directly (Dapper+simple DTOs) and his library was never used.

So we have this really annoying bug in our system that customers keep complaining about. I've explained in detail, multiple times, why the part they think is a bug is not a bug and the workaround they keep asking me to apply doesn't make sense, won't fix the issue, and won't even stick (the system will notice that the record they want me to delete has been removed and it will repopulate itself, by design).

I've told them what we need to do as an actual workaround (change a field on the record) and what we need to do to properly fix the bug (change the default value on the record and give proper controls to change this value through the UI). We've had this conversation at least three times now over a period of several months. There is a user story in the backlog to apply the actual fix, but it just keeps getting deprioritized because these people don't care about bug fixes, only new features, new projects, new new new, shiny shiny new.

Today another developer received yet another report of this bug, and offered the suggested workaround of deleting the record. The nontechnical manager pings everyone to let them know that the correct workaround is to delete the record and to thank the other developer for his amazing detective work. I ping the developer in a private channel to let him know why this workaround doesn't work, and he brushes it off, saying that it's not an issue in this case because nobody will ever try to access the record (which is what would trigger it being regenerated).

A couple hours later, we get a report from support that one of the deleted records has been regenerated, and people are complaining about it.

🙄🙄🙄🙄🙄🙄🙄🙄🙄🙄🙄

A time I (almost) screamed at co-worker?
Too many times to keep up with.

Majority of time its code like ..
try
{
using (var connection = new SqlConnection(connectionString))
{
// data access code that does stuff
}
catch (Exception e)
{
// Various ways of dealing with the error such as ..
Console.WriteLine("Here");
ShowMessage("An error occured.");
return false;
// or do nothing.
}
}

Range of excuses

- Users can't do anything about the error, so why do or show them anything?
- I'll fix the errors later
- Handling the errors were not in the end-user specification. If you want it, you'll have to perform a cost/benefit analysis, get the changes approved by the board in writing, placed in the project priority queue ...etc..etc
- I don't know.
- Users were tired of seeing database timeout errors, deadlocks, primary key violations, etc, so I fixed the problem.

On my tip of my tongue are rages of ..

"I'm going to trade you for a donkey, and shoot the donkey!"
or
"You are about as useful as a sack full of possum heads."

I haven't cast those stones (yet). I'll eventually run across my code that looks exactly like that.

So... I've been messing arround with my first VPS (with little knowledge of Linux).
First installed lxde to learn how to do it, then back to the terminal. then I started with Apache, watching online tuts ...
Then I changed for nginx... Looks way better.
Installed my sql, php and got stuck. Dropped it for a few days.
Today I restarted, deleted Apache, mysql, reinstalled nginx, my php (with lots of problems because of old instalations). Everything is working now except php.
After going round and arround I changed my focus to relax a bit, and remembered I still have Apache on the firewall...
OK Apache and other stuff that I installed.
Delete everything
New rules only for nginx and reset.
Cant ssh to the server... What?
Oh... Forgot to add rules to OpenSSH...
No matter, I can access the terminal directly on the website....
And it loads to ldxe, with no user set...
Fuckkkk.
Oh BTW I'm in a trial free period with no support...

I've had a Xiaomi Mi 8 for a few months now. Although I'm impressed by what I got for the amount I paid (a phone that cost about $250 for 6GB RAM, Snapdragon 845, Android 9 and premium build quality is quite a steal), it definitely comes with a consequence.

MIUI (specifically MIUI 11) is godawful. It is single-handedly the worst Android ROM I've ever used since my shitty Android 2.2 phone back around 2010. If you're gonna buy a Xiaomi phone, plan to install Lineage OS on it (but even that's a pain which I'll explain why later).

- Navigation buttons don't hide while watching a video.

Why? God only knows. The ONLY way to bypass without root this is to use its garbage fullscreen mode with gestures, which is annoying as all hell.

- 2 app info pages?

Yeah, the first one you can access just by going to its disaster of a settings app, apps, manage apps and tap on any one.

The 2nd one you can access through the app info button in any 3rd party launcher. Try this: Download Nova launcher, go to the app drawer, hold on any app and tap "app info", and you'll see the 2nd one.

Basically, instead of modifying Android's FOSS source code, they made a shitty overlay. These people are really ahead of their time.

- Can only set lock screen wallpapers using the stock Gallery app

It's not that big an issue, until it is, when whatever wallpaper app you're using only allows you to set the wallpaper and not download them. I think this is both a fuckup on Xiaomi and (insert wallpaper app name here), but why Xiaomi can't include this basic essential feature that every other Android ROM ever made has is beyond me.

- Theming on MIUI 11 is broken

Why do they even bother having a section to customize the boot animation and status bar when there's not one goddamn theme that supports it? At this point you're only changing the wallpaper and icon pack which you can do on any Android phone ever. Why even bother?

They really, REALLY want to be Apple.

Just look at their phones. They're well designed and got good specs, but they don't even care anymore about being original. The notch and lack of a headphone jack aren't features, they're tremendous fuckups by the dead rotting horse known as Apple that died when Steve Jobs did.

Xiaomi tries to build a walled garden around an inherently customizable OS, and the end result is a warzone of an Android ROM that begs for mercy from its creator. Launchers integrate horribly (Does any power user actually use anything that isn't Nova or Microsoft launcher?), 3rd party themes and customization apps need workarounds, some apps don't work at all. People buy from Xiaomi to get a high end budget Android phone at the price of some ads and data collection, not a shitter iOS wannabe.

They really, REALLY want you to have a sim card

If you don't have a sim card and you're using your phone for dev stuff, you're a 2nd class citizen to Xiaomi. Without one, you can't:

- Install adb through adb
- Write to secure settings
- Unlock your bootloader and get away from this trash Android ROM

What's the point? Are they gonna shadow ban you? Does anyone contact them to unlock their bootloader saying "yeah I wanna use a custom rom to pirate lizard porn and buy drugs"? They made this 1000000000x harder than it needs to be for no reason whatsoever. Oh yeah and you gotta wait like a week or something for them to unlock it. How they fucked up this bad is beyond me.

So yeah. Xiaomi. Great phones, atrocious OS.

HP makes shit devices. How the fuck you gonna regress with product design from 7 years ago?

Like whos the fucktard that thinks “how about in order to swap a keyboard, we make the user take EVERYTHING out and then put it into a new upper housing?”

Or my favorite is “instead of screwing a screen panel in, lets use some painfully difficult to access stretch tape?”

Fuck HP’s product design team. If by some off chance any of yall know anyone who’s part of that team, tell them i said they can eat a fat dick and get aids.

It's 2022 and Firefox still doesn't allow deactivating video caching to disk.

When playing videos from some sites like the Internet Archive, it writes several hundreds of megabytes to the disk, which causes wear on flash storage in the long term. This is the same reason cited for the use of jsonlz4 instead of plain JSON. The caching of videos to disk even happens when deactivating the normal browsing cache (about:config property "browser.cache.disk.enable").

I get the benefit of media caching, but I'd prefer Firefox not to write gigabytes to my SSD each time I watch a somewhat long video. There is actually the about:config property "browser.privatebrowsing.forceMediaMemoryCache", but as the name implies, it is only for private browsing. The RAM is much more suitable for this purpose, and modern computers have, unlike computers from a decade ago, RAM in abundance, which is intended precisely for such a purpose.

The caching of video (and audio) to disk is completely unnecessary as of 2022. It was useful over a decade ago, back when an average computer had 4 GB of RAM and a spinning hard disk (HDD). Now, computers commonly have 16 GB RAM and a solid-state drive (SSD), which makes media caching on disk obsolete, and even detrimental due to weardown. HDDs do not wear down much from writing, since it just alters magnetic fields. HDDs just wear down from the spinning and random access, whereas SSDs do wear down from writing. Since media caching mostly invovles sequential access, HDDs don't mind being used for that. But it is detrimental to the life span of flash memory, and especially hurts live USB drives (USB drives with an operating system) due to their smaller size.

If I watch a one-hour HD video, I do not wish 5 GB to be written to my SSD for nothing. The nonstandard LZ4 format "mozLZ4" for storing sessions was also introduced with the argument of reducing disk writes to flash memory, but video caching causes multiple times as much writing as that.

The property "media.cache_size" in about:config does not help much. Setting it to zero or a low value causes stuttering playback. Setting it to any higher value does not reduce writes to disk, since it apparently just rotates caching within that space, and a lower value means that it just rotates writing more often in a smaller space. Setting a lower value should not cause more wear due to wear levelling, but also does not reduce wear compared to a higher value, since still roughly the same amount of data is written to disk.

Media caching also applies to audio, but that is far less in size than video. Still, deactivating it without having to use private browsing should not be denied to the user.

The fact that this can not be deactivated is a shame for Firefox.

Hopefully, you already know that the company controlled by the alledged reptiloid subhuman and olimpic testicle juggler formerly known as Mister Zuck My Tits is not to be trusted.

But as is always the case in this bitch, I've been forced into cowjizz flooded swamps' worth of stinking shit platforms for the sake of avoiding isolation.

And so, I've just found yet another way in which Facebook **THUNDERSTRIKE** ... the company, not the geriatric ward, is one of the CROWN ACHIEVEMENTS of human civilization.

Let me tell you something: some people are fucking broke. Hell, some people sleep on the streets, live on scraps, and willingly engage in acts of public defecation when provoked. But I'm not even talking about them no, just plain *broke*.

And so imagine being that guy who doesn't really use his phone much, except maybe for sharing cat pictures with mom because that's what being an absolute chad is all about. You don't get a new phone, because money is a __little__ bit tight. But THEN...

The dreaded CAPITAL strikes, and requests of you to bend and fall onto your knees so as to provide intense, intimate and manual -- as well as oral -- PLEASURE to the [NOT SO] METAPHORICAL PENIS of the """SYSTEM""".

Oh, what an abominable, drooooooling revenant that lies before you!

"Gimme your ass... " he says, menacingly, as you wail about in a futile attempt to guard and preserve the very last vestiges of your own anal virginity.

And so you fight, and kick him in the NADS with everything you have, down to the final shreds of vigor. Victory! Or so you thought...

"You must... " he mutters, mortally wounded "update WhatsApp... "

"Still you breathe?!" you exclaim, suddenly transformed into a heroic, sexy moustachoed arquebusier "After I'm done ~OILING~ my VICTORIOUS CHEST, I *shall* bestow DEATH uppon you!".

But as you rip open your shirt to apply sensual oiling to your marvellous frontal assets, your nemesis reveals it's portentous Portugal: "this new version of Android... " he gasps as he perishes "is incompatible with your device... "

"Ughh! Sacrebleu!" you shriek out in pain, realizing that you are now unable to ACCESS THE FUCKING DATA THAT IS IN YOUR OWN FUCKING HARDWARE BECAUSE OF A STUPID FORCED BINARY INCOMPATIBILITY.

That's right. Now even if I *do* get a new phone, I can't do shit about losing all of the family memes. And contacts and all of that shit, but the stickers are more important. A minor inconvenience, yes, and it didn't need all of this preamble but I was doing the dramatic fight scene bit inside my head as I was writing and I got into it.

Because the only documented way to transfer all of that data is to OPEN THE APPLICATION and scan some code, but everytime I go to do that, IT TELLS ME I NEED TO UPDATE. And every time I GO TO UPDATE, it says that MY PHONE is TOO FUCKING OLD!! AAAAAAAGHGHGHGHGHGHGHG!!!!

And you too, might be a dashing french man from centuries past, with both balls and tits down to your fucking knees, folding your arms in a position that exhumes smugness in a disgustingly irreverent and self-aggrandizing way, looking at me as a mere plebeian who cannot wrap his head around the mystical art of interacting with Google's black deuce box.

And you would be somewhat right in your judgement! But just having to fiddle about with these fucking pocket Elmo screens is such a traumatic experience for me that I'd rather lose my stickers.

[ADBREAK] Are you a debonair victorian undercover butt pirate, taking unparalleled care of your Falstaffian, highfalutin poils pubiens? Need your "sword" sharpened, as you browse through the pages of this magnanimous lexicon? Would you rather allocate final death to your coworkers than learn one more synonym for sonorous, supercilious and pontifical?

We all know that ALL you need to help keep that honor intact is slaying your enemies in high-stakes combat. But how to satisfy less gallant needs, when male prostitution is outlawed in more than sixteen duchies?

Look no further than BloodCurse, the ancient hex that will haunt your family for countless generations! With BloodCurse, you may crawl the earth as a mindless, shameless, piece of shit cockswallowing JUGGERNAUT that craves nothing BUT the consumption of scabbed human ass!

BloodCurse is easily contracted through consumption of the GENITAL fluids of highly-lecherous succubi, conjured through [EXTREMELY CENSORED]! This forbidden arcana allows the user to debour HIS OWN testicles in no time!

Get your bottle of scents, sensual Portuguese chest oils, and fucking designer-drug bath salts for the low, low price of a passionate, unceassing self-blowjob! And use my code FRONTALASSETS for 60% OFF in your next soul-robbing foray into the felational dark arts!

Big ups to BloodCurse for sponsoring this RRRRRRRR~$RRR$$RR%5RRRRR$0000:>A48CC50A E3A1B22A : 330D4750 7C24E5A5|.......*3.GP|$.. 5262E7D5 0D1C24E6 : 85594B39 1CB7593E|Rb......YK9..Y>

:~

The university I used to study CSE, they had some OLD computers with Windows XP in them. Also, all those computers had TWO user accounts. One with the admin access and another one with normal access. Until this, it was fine.
But the browsers installed there were so old, even normal website struggles to load properly. and so many outdated apps, kept bugging us for update, but every time we click on UPDATE, they ask for the admin password, which we didn't have. So, most of the students were frustrated about this, but nobody took any action! :/
So, I hacked one of the computers' admin password. the password was "BRIGHT". I'm like, these people are never gonna set different passwords in different computers and remember them for eternity. Definitely all passwords have to be the same, and they were! Which saved my time.
So, I shared the password with everyone in my class and now they can install any apps they want. Which made me so happy!
But You know, words travel fast! Just one day after the hacking incident, the Seniors ( & the juniors ) came to me with their laptops to find their forgotten password, which made me earn some money & eat some delicious foods, also got to meet some beautiful girls of our campus ^_^
& I used to go to other classes to hack those Admin passwords for fun ^_^ But I never told them the password until they pay me or feed me something delicious! ^_^

I miss those good old days! ^_^

Been working on a new project for the last couple of weeks. New client with a big name, probably lots of money for the company I work for, plus a nice bonus for myself.

But our technical referent....... Goddammit. PhD in computer science, and he probably. approved our project outline. 3 days in development, the basic features of the applications are there for him to see (yay. Agile.), and guess what? We need to change the user roles hierarchy we had agreed on. Oh, and that shouldn't be treated as extra development, it's obviously a bug! Also, these features he never talked about and never have been in the project? That's also a bug! That thing I couldn't start working on before yesterday because I was still waiting the specs from him? It should've been ready a week ago, it's a bug that it's not there! Also, he notes how he could've developes it within 40 minutes and offered to sens us the code to implement directly in our application, or he may even do so himself.... Ah, I forgot to say, he has no idea on what language we are developing the app. He said he didn't care many times so far.

But the best part? Yesterday he signales an outstanding bug: some data has been changed without anyone interacting. It was a bug! And it was costing them moneeeeey (on a dev server)! Ok, let's dig in, it may really be a bug this time, I did update the code and... Wait, what? Someone actually did update a new file? ...Oh my Anubis. HE did replace the file a few minutes before and tried to make it look like a bug! ..May as well double check. So, 15 minutes later I answer to his e-mail, saying that 4 files have been compromised by a user account with admin privileges (not mentioning I knee it was him)... And 3 minutes later he answered me. It was a message full of anger, saying (oh Lord) it was a bug! If a user can upload a new file, it's the application's fault for not blocking him (except, users ARE supposed to upload files, and admins have been requestes to be able to circumvent any kind of restriction)! Then he added how lucky I was, becausw "the issue resolved itself and the data was back, and we shouldn't waste any more yime.on thos". Let's check the logs again.... It'a true! HE UPLOADED THE ORIGINAL FILES BACK! He... He has no idea that logs do exist? A fucking PhD in computer science? He still believes no one knows it was him....... But... Why did he do that? It couldn't have been a mistake. Was he trying to troll me? Or... Or is he really that dense?

I was laughing my ass of there. But there's more! He actually phones my boss (who knew what had happened) to insult me! And to threaten not dwell on that issue anymore because "it's making them lose money". We were both speechless....

There's no way he's a PhD. Yet it's a legit piece of paper the one he has. Funny thing is, he actually manages to launch a couple of sort-of-nationally-popular webservices, and takes every opportunity to remember us how he built them from scratch and so he know what he's saying... But digging through google, you can easily find how he actually outsurced the development to Chinese companies while he "watched over their work" until he bought the code

Wait... Big ego, a decent amount of money... I'm starting to guess how he got his PhD. I also get why he's a "freelance consultant" and none of the place he worked for ever hired him again (couldn't even cover his own tracks)....

But I can't get his definition of "bug".
If it doesn't work as intended, it's a bug (ok)
If something he never communicated is not implemented, it's a bug (what.)
If development has been slowed because he failed to provide specs, it's a bug (uh?)
If he changes his own mind and wants to change a process, it's a bug it doesn't already work that way (ffs.)
If he doesn't understand or like something, it's a bug (i hopw he dies by sonic diarrhoea)

I'm just glad my boss isn't falling for him... If anything, we have enough info to accuse him of sabotage and delaying my work....

Ah, right. He also didn't get how to publish our application we needes access to the server he wantes us to deploy it on. Also, he doesn't understand why we have acces to the app's database and admin users created on the webapp don't. These are bugs (seriously his own words). Outstanding ones.

Just..... Ffs.

Also, sorry for the typos.

Security is a joke. And people don't seem to get it. Especially Data mungers.

I've spent about half an hour trying to work out how to securely connect to power BI using PowerShell in a renewable manner for unattended access later on.

Every single example I've found seems to involve you storing $user and $password variables inside your script. If I'm lucky, they're going to pass them through ConvertTo-SecureString. And nobody talks about securely storing AD auth tokens, or using the Windows Credential Manager.

I know it's possible, but it's going to take me ages to work out how from all sorts of disparate sources...

Man I fucking love debugging Windows applications... OpenVPN dun shit the bed because the management interface is locked (on the Windows client I presume?) - so poke that error message into the Gargler along with "openvpn windows"... First result, OpenVPN forums. Excellent. ... Some dickhead in the forums: "this is the wrong forum, this is for Access-Server users, and you the user MUST have terminated the process".

Come fucking on! If only I could replace this fucking device with a proper OS already (and no I can't). Windows itself being a clusterfuck is one thing but the goddamn support around it. Atrocious!

Haven't ranted for awhile but here it goes...
In a meeting with a front end user yesterday. They don't like the entry screens on our Oracle ERP system. They want us to provide them with a tool so they can create new entry screens to replace those they dont like. They want full autonomy over that tool and no interference from IT. Oh, and they want unfettered database access to the production data, including full ability to execute DML. I so wanted to say 'Are you high?'.

I just need to vent about how frustrating and terrible Windows is.

It almost seems like consistentsy and attention to detail are completely foreign concepts to Microsoft. Everything from simple text selection (WHY DOES A DOUBLE CLICK INCLUDE THE TRAILING SPACE) to using advanced software feels like a chore.

Any sympathizers here? What problems do you need to vent about when trying to navigate your OS?

FWI I'm not a Mac or Linux user, so I have the joy of using Windows at home. I wish I could switch, but I prefer full access to my Steam library so I'm stuck with this option.

XCode you fucking piece of shit...

So I just wanted to process my ios app to the app store and start the archive process. All of the sudden:
Command CodeSign failed with a nonzero exit code

What? So there is an error and you cannot tell me the error code? All information you give me that it isn't zero!? Wow... Amazing... What a great user experience. Maybe it cannot resolve the error? Maybe it is some external tool Apple has no access to and that is the only valid error they can throw at us?

Oh hell no! It has something to do with the keychain access! But why tell the user? That wouldn't be as much fun as just tell it is a nonzero error, isn't it apple?!

In the end locking and unlocking my key chain solved the problem... Thanks for nothing XCode!

Asked to implement a feature in a mobile app that wasn't actually supported by the backend. Feature had 3 possible values in the backend, only 1 and 2 were properly implemented. Below was the backend teams solution to support the third option.

- If the key is missing in API response A, means the user is not allowed access this feature.
- If the key is present in API response A, and missing from API response B, that means it hasn't been set.
- If both are the same value, user has that value.
- It will never be the case that both return option 3.
- If both are different values, one of them being option 3, display option 3.

this ... monstrosity, is in production to this very day.

Why use git, do it simple, send me your changes by email and I will merge it.
Why split split source code (js) into different files, use one so we will no have trouble about load order.
Use the same user account for github/gitlab/bitbucket/etc. So we will no worry to setup access permisions.
Use Dropbox/Drive for version control.
We will test the whole system until the end when all is finish.

Just as an extension of last rant to explain how much fun it is to keep up with Apple's security through obscurity bullshit.
AFAIK this full disk access (FDA) feature was touted to protect a user's data on macOS. Programs that want to access those files need to request the user's permissions to do so. Now to the fun part: Apple is not providing any API. A staff member suggested, that you should only try to access the files your app needs and if you can't as for the user's allowance. One should not use some fixed files and try to access them, because their locations might change, as well as their (UNIX file) access rights (ACL), or if they fall under FDA. Not to speak about the other security features that might hinder you accessing files (you might be sandboxed, or the files might be subject to SIP/rootless).
Honestly, you should be starting to take drugs, if you want to stay sane. I mean UNIX ACL are weird enough: e.g. you can make a directory only readable for root such that a user cannot list the files inside, but you can place files inside that the user can read (if she knows about their existence). On macOS you'll never know. You may have all the rights to access a file,.. but Apple will only give you the finger.
As they always do to us developers.

Latest Yandex browser (Chromium based) throws an error if "document.hasStorageAccess()" is called (:
Ie the StorageAPI that allows cross-site cookie access on user-interaction

the iFrame sandbox flags that compliment it, ie "allow-storage-access-by-user-activation" also fails on execution.
Both of these work on Edge/Chrome/Firefox.

I thought Firefox and Chromium browsers are all ive to deal with and im done but NO.
Now within Chromium-based browsers theres differences of API as well?

Kill me.

I've deployed a react app in GitHub user page, but entering a wrong URL still showing me the index.html of app. Hence, hindering the access to my GitHub projects page, any way to solve this ?

Malwares are nasty applications, that can spy on you, use your computer as an attacker or encrypt your files and hold them on ransom.

The reason that malware exists, is because how the file system works. On Windows, everything can access everything. Of course, there are security measures, like needing administrator permissions to edit/delete a file, but they are exploitable.

If the malware is not using an exploit, nothing is there to stop a user from unknowingly clicking the yes button, when an application requests admin rights.

If we want to stop viruses, in the first place, we need to create a new file-sharing system.

Imagine, that every app has a partition, and only that app can access it.

Currently, when you download a Word document, you would go ahead, start up Word, go into the Downloads folder and open the file.

In the new file-sharing system, you would need to click "Send file to Word" in your browser, and the browser would create a copy of the file in a transfer-partition. Then, it would signal to Word, saying "Hey! Here's a file that I sent to you, copy it to your partition please!". After that, Word just copies the file to its own partition, signals "Ok! I'm done!", and then the browser deletes the file from the shared partition.

A little change in the interface, but a huge change in security.

The permission system would be a better UAC. The best way I can describe it is when you install an app on Android. It shows what permission the app wants, and you could choose to install it, or not to.

Replace "install" with "grant" and that's what I imagined.

Of course, there would be blacklisted permissions, that only kernel-level processes have access to, like accessing all of the partitions, modifying applications, etc.

What do you think?

Started a new job as a dev. First days revealed no local admin rights, no right to use Linux locally and a very limited set of Software. Negotiated compromise to get a remote VM with Linux and a user who is part of sudo. VM turned out to be isolated by proxy, so I can not install anything new. At least Docker is pre-installed and I hoped it could work out. But guess what no access to dockerhub and I can not pull any images. Admin told me to copy manually the images with scp.

I'd never thought that there could be any companies out there who treats devs like that. What puzzles me most, there're lot of devs staying with that company for years, even decades already and they're good guys, please don't get me wrong.

Did you encounter anything like that? Could you make any difference there, where you met anything like it.

I reached the point after 3 weeks where I do not think I can make any difference and when it'll take ages to move people and company policy.
I do not want to give up, but I fear it is pointless to fight for change there. I am out of options and about to leave asap. Can you recommend me anything else?

Thanks in advance and for your time :)
Felt good to write it down.

I had joined a new company and got access to their codebase. They were updating password on MD5 hash of user name and their email in get request. No password validation, no token based authentication, nothing.

Eg
...com/change_password/email=(plainemail)&name= MD5(name)

That's it, you get change user password.

Mid handover - my Gmail (GApps) access stops working.

FUDGE NUTS...

Attempting to run a Docker (ECS) deploy from AWS.

ERROR
User: arn:aws:iam::XXXYYYZZZ:user/foobar@screwed.com is not authorized to perform: ecr:DescribeRepositories on resource: *

Hilarious.

Just added a group to my user without the -a option....

Result: my user no longer belongs to the sudo group and I do not have access to the root user or sudo.

Hopefully the group I added was docker, time for some container shenanigans to escalate my privilege back.

!rant && story

tl;dr I lost my path, learned to a lot about linux and found true love.

So because of the recent news about wpa2, I thought about learning to do some things network penetration with kali. My roommate and I took an old 8gb usb and turned it into a bootable usb with persistent storage. Maybe not the best choice, but atleast we know how to do that now.

Anyway, we started with a kali.iso from 2015, because we thought it would be faster than downloading it with a 150kpbs connection. Learned a lot from that mistake while waiting apt-get update/upgrade.

Next day I got access to some faster connection, downloaded a new release build and put the 2015 version out it's misery. Finally some signs of progress. But that was not enough. We wanted more. We (well atleast I) wanted to try i3, because one of my friends showed me to /r/unixporn (btw, pornhub is deprecated now). So after researching what i3 is, what a wm is AND what a dm is, we replaced gdm3 with lightdm and set i3 as standard wm. With the user guide on an other screen we started playing with i3. Apparently heaven is written with two characters only. Now I want to free myself from windows and have linux (Maybe arch) as my main system, but for now we continue to use thus kali usb to learn about how to set uo a nice desktop environment. Wait, why did we choose to install kali? 😂

I feel kinda sorry for that, but I want to experiment on there before until I feel confident. (Please hit me up with tips about i3)

Still gotta use Windows as a subsystem for gaming. 😥

At my last place we launched a new payment page and added logging.

Who ever set the logging up didn't obfuscate the user card details and stored them in the db for anyone with access to see. :-O

Any Windows Sysadmins here? I have a question for you - How do you do it?

I only very rarely have to do something that would fall under "Windows System Administration", but when I do... I usually find something either completely baffling, or something that makes me want to tear our my hair.

This time, I had a simple issue - Sis brought me her tablet laptop (You know, the kind of tablets that come with a bluetooth keyboard and so can "technically" be called a laptop) and an SD card stating that it doesn't work.

Plugging it in, it did work, only issue was that the card contained file from a different machine, and so all the ACLs were wrong.

I... Dealt with Windows ACLs before, so I went right to the usual combination of takeown and icacls to give the new system's user rights to work with the files already present. Takeown worked fine... But icacls? It got stuck on the first error it encountered and didn't go any further - very annoying.

The issue was a found.000 folder (Something like lost+found folder from linux?) that was hidden by default, so I didn't spot it in the explorer.

Trying to take ownership of that folder... Worked for for files in there, safe for one - found.000\dir0000.chk$Txf; no idea what it is, and frankly neither do I care really.

Now... Me, coming from the Linux ecosystem, bang my head hard against the table whenever I get "Permission denied" as an administrator on the machine.

Most of the times... While doing something not very typical like... Rooting around (Hah... rooting... Get it?! I... Carry on) the Windows folder or system folders elsewhere. I can so-so understand why even administrators don't have access to those files.

But here, it was what I would consider a "common" situation, yet I was still told that my permissions were not high enough.

Seeing that it was my sister's PC, I didn't want to install anything that would let me gain system level permissions... So I got to writing a little forloop to skip the one hidden folder alltogether... That solved the problem.

My question is - Wtf? Why? How do you guys do this sort of stuff daily? I am so used to working as root and seeing no permission denied that situations like these make me loose my cool too fast too often...

Also - What would be the "optimal" way to go about this issue, aside for the forloop method?

The exact two commands I used and expected to work were:
takeown /F * /U user /S machine-name /R
icacls * /grant machine-name\user:F /T

What are you guys doing against brute force attacks on your login webpages? I don't want anybody to access my porn ( ͡° ͜ʖ ͡°). But I don't want to block the useraccount because that would be annoying because you could simple lock a user out of his account :/ any suggestions? What are you doing on your sites?

Android is a complete garbage OS and Google has successfully taken the bloat crown from Microsoft.

They keep pushing these webapps, this is how they see the future a locked down app based OS on every hardware configuration (laptops, tablets..etc). zero access to the hardware proprietary sack of shit!

vote with your wallets, go buy your self an actual *nix phone.

No really, if this is the future of the software industry then I want out, this is not what I signed up for when I first joined this is not my vision nor am I the only one who feels like this.
Yes I'm all for ease of use I really am. but I'm also for user freedom. I own the machine I get to use it how ever I want. and its not hard to allow true user freedom and ease of use.

Got a pretty epic message yesterday:

"Hi, I just had a friend on phone and we got a rather "simple" idea for a website. 

Just a user ID and a password users would pay for. Then they would get access to their videos.

We are willing to pay 350 bucks for a working version and up to 680 depending on the result at the end of the project. 

Know anyone that could be interested? Or would you be? 

Have a good night. "

Solid.

Reporting server connection to database is down, probably due to a user access restriction.

reported the issue to the India sql datacenter and got back: Yes, We see that the connection is down. ( I sent them screenshot of it including the error message ) There is no such database available.
Me: Yes, well I'm in the db working right ( send screenshot) now.
India: ..... disappear offline.

For some reason I keep over engineering stuff to the point I spend 2 hours thinking the best way to do something. I'm making the backend for a project of mine and I wanted somewhat decent error handling and useful error responses. I won't go into detail here but let's say that in any other (oo) language it would be a no-brainer to do this with OOP inheritance, but Rust does OOP by composition (and there's no way to upcast traits and downcasting is hard). I ended up wasting so much time thinking of how to do something generic enough, easily extendable and that doesn't involve any boilerplate or repeated code with no success. What I didn't realize is that my API will not be public (in the sense that the API is not the service I offer), I'm the only one who needs to figure out why I got a 400 or a 403. There's no need to return a response stating exactly which field had a wrong value or exactly what resource had it's access denied to the user. I can just look at the error code, my documentation and the request I made to infer what caused the error. If that does not work I can always take a quick look at the source code of the server to see what went wrong. So In short I ended up thrashing all the refactoring I had done and stayed with my current solution for error-handling. I have found a few places that could use some improvement, but it's nothing compared to the whole revamp I was doing of the whole thing.

This is not the first time I over engineer stuff (and probably won't be the last). I think I do it in order to be future-proof. I make my code generic enough so in case any requirements change in the future I don't have to rewrite everything, but that adds no real value to my stuff since I'm always working solo, the projects aren't super big and a rewrite wouldn't take too long. In the end I just end up wasting time, sanity and keystrokes on stuff that will just slow down my development speed further down the road without generating any benefits.

Why am I like this? Oh well, I'm just glad I figured out this wasn't necessary before putting many hours of work into it.