Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
Search - "very security"
-
!rant
After over 20 years as a Software Engineer, Architect, and Manager, I want to pass along some unsolicited advice to junior developers either because I grew through it, or I've had to deal with developers who behaved poorly:
1) Your ego will hurt you FAR more than your junior coding skills. Nobody expects you to be the best early in your career, so don't act like you are.
2) Working independently is a must. It's okay to ask questions, but ask sparingly. Remember, mid and senior level guys need to focus just as much as you do, so before interrupting them, exhaust your resources (Google, Stack Overflow, books, etc..)
3) Working code != good code. You are an author. Write your code so that it can be read. Accept criticism that may seem trivial such as renaming a variable or method. If someone is suggesting it, it's because they didn't know what it did without further investigation.
4) Ask for peer reviews and LISTEN to the critique. Even after 20+ years, I send my code to more junior developers and often get good corrections sent back. (remember the ego thing from tip #1?) Even if they have no critiques for me, sometimes they will see a technique I used and learn from that. Peer reviews are win-win-win.
5) When in doubt, do NOT BS your way out. Refer to someone who knows, or offer to get back to them. Often times, persons other than engineers will take what you said as gospel. If that later turns out to be wrong, a bunch of people will have to get involved to clean up the expectations.
6) Slow down in order to speed up. Always start a task by thinking about the very high level use cases, then slowly work through your logic to achieve that. Rushing to complete, even for senior engineers, usually means less-than-ideal code that somebody will have to maintain.
7) Write documentation, always! Even if your company doesn't take documentation seriously, other engineers will remember how well documented your code is, and they will appreciate you for it/think of you next time that sweet job opens up.
8) Good code is important, but good impressions are better. I have code that is the most embarrassing crap ever still in production to this day. People don't think of me as "that shitty developer who wrote that ugly ass code that one time a decade ago," They think of me as "that developer who was fun to work with and busted his ass." Because of that, I've never been unemployed for more than a day. It's critical to have a good network and good references.
9) Don't shy away from the unknown. It's easy to hope somebody else picks up that task that you don't understand, but you wont learn it if they do. The daunting, unknown tasks are the most rewarding to complete (and trust me, other devs will notice.)
10) Learning is up to you. I can't tell you the number of engineers I passed on hiring because their answer to what they know about PHP7 was: "Nothing. I haven't learned it yet because my current company is still using PHP5." This is YOUR craft. It's not up to your employer to keep you relevant in the job market, it's up to YOU. You don't always need to be a pro at the latest and greatest, but at least read the changelog. Stay abreast of current technology, security threats, etc...
These are just a few quick tips from my experience. Others may chime in with theirs, and some may dispute mine. I wish you all fruitful careers!222 -
Hey everyone,
First off, a Merry Christmas to everyone who celebrates, happy holidays to everyone, and happy almost-new-year!
Tim and I are very happy with the year devRant has had, and thinking back, there are a lot of 2017 highlights to recap. Here are just a few of the ones that come to mind (this list is not exhaustive and I'm definitley forgetting stuff!):
- We introduced the devRant supporter program (devRant++)! (https://devrant.com/rants/638594/...). Thank you so much to everyone who has embraced devRant++! This program has helped us significantly and it's made it possible for us to mantain our current infrustructure and not have to cut down on servers/sacrifice app performance and stability.
- We added avatar pets (https://devrant.com/rants/455860/...)
- We finally got the domain devrant.com thanks to @wiardvanrij (https://devrant.com/rants/938509/...)
- The first international devRant meetup (Dutch) with organized by @linuxxx and was a huge success (https://devrant.com/rants/937319/... + https://devrant.com/rants/935713/...)
- We reached 50,000 downloads on Android (https://devrant.com/rants/728421/...)
- We introduced notif tabs (https://devrant.com/rants/1037456/...), which make it easy to filter your in-app notifications by type
- @AlexDeLarge became the first devRant user to hit 50,000++ (https://devrant.com/rants/885432/...), and @linuxxx became the first to hit 75,000++
- We made an April Fools joke that got a lot of people mad at us and hopefully got some laughs too (https://devrant.com/rants/506740/...)
- We launched devDucks!! (https://devducks.com)
- We got rid of the drawer menu in our mobile apps and switched to a tab layout
- We added the ability to subscribe to any user's rants (https://devrant.com/rants/538170/...)
- Introduced the post type selector (https://devrant.com/rants/850978/...) (which will be used for filtering - more details below)
- Started a bug/feature tracker GitHub repo (https://github.com/devRant/devRant)
- We did our first ever live stream (https://youtube.com/watch/...)
- Added an awesome all-black theme (devRant++) (https://devrant.com/rants/850978/...)
- We created an "active discussions" screen within the app so you can easily find rants with booming discussions!
- Thanks to the suggestion of many community members, we added "scroll to bottom" functionality to rants with long comment threads to make those rants more usable
- We improved our app stability and set our personal record for uptime, and we also cut request times in half with some database cluster upgrades
- Awesome new community projects: https://devrant.com/projects (more will be added to the list soon, sorry for the delay!)
- A new landing page for web (https://devrant.com), that was the first phase of our web overhaul coming soon (see below)
Even after all of this stuff, Tim and I both know there is a ton of work to do going forward and we want to continue to make devRant as good as it can be. We rely on your feedback to make that happen and we encourage everyone to keep submitting and discussing ideas in the bug/feature tracker (https://github.com/devRant/devRant).
We only have a little bit of the roadmap right now, but here's some things 2018 will bring:
- A brand new devRant web app: we've heard the feedback loud and clear. This is our top priority right now, and we're happy to say the completely redesigned/overhauled devRant web experience is almost done and will be released in early 2018. We think everyone will really like it.
- Functionality to filter rants by type: this feature was always planned since we introduced notif types, and it will soon be implemented. The notif type filter will allow you to select the types of rants you want to see for any of the sorting methods.
- App stability and usability: we want to dedicate a little time to making sure we don't forget to fix some long-standing bugs with our iOS/Android apps. This includes UI issues, push notification problems on Android, any many other small but annoying problems. We know the stability and usability of devRant is very important to the community, so it's important for us to give it the attention it deserves.
- Improved profiles/avatars: we can't reveal a ton here yet, but we've got some pretty cool ideas that we think everyone will enjoy.
- Private messaging: we think a PM system can add a lot to the app and make it much more intuitive to reach out to people privately. However, Tim and I believe in only launching carefully developed features, so rest assured that a lot of thought will be going into the system to maximize privacy, provide settings that make it easy to turn off, and provide security features that make it very difficult for abuse to take place. We're also open to any ideas here, so just let us know what you might be thinking.
There will be many more additions, but those are just a few we have in mind right now.
We've had a great year, and we really can't thank every member of the devRant community enough. We've always gotten amazingly positive feedback from the community, and we really do appreciate it. One of the most awesome things is when some compliments the kindness of the devRant community itself, which we hear a lot. It really is such a welcoming community and we love seeing devs of all kind and geographic locations welcomed with open arms.
2018 will be an important year for devRant as we continue to grow and we will need to continue the momentum. We think the ideas we have right now and the ones that will come from community feedback going forward will allow us to make this a big year and continue to improve the devRant community.
Thanks everyone, and thanks for your amazing contributions to the devRant community!
Looking forward to 2018,
- David and Tim48 -
Long but worth it...
So I was cleaning out my Google Drive last night, and deleted some old (2 years and up) files. I also deleted my old work folder, it was for an ISP I worked for over 2 years ago. After deleting the files I had a little twinge of "Man I hope they're not still using those". But seriously, it'd be a pretty big security risk if I was still the owner of those files... right? Surely they copied them and deleted all the info from the originals. IP addresses, Cisco configs, username and passwords for various devices, pretty much everything but customer info.
Guess who I get a call from this morning... "Hi this is Debbie from 'ISP'. I was trying to access the IP Master List and I can't anymore. I was just told to call you and see if there's any way to get access to it again" (Not her real name...)
I had to put her on hold so I could almost die of laughter...
Me: "Sorry about that Debbie, I haven't worked for that company for over 2 years. Your telling me in all that time no one thought to save them locally? No one made a copy? I still had the original documents?!"
Long pause
D: "Uh... Apparently not..."
Another long pause
D: "So is there any way you can give me access to them again?"
Me: "They're gone Debbie. I deleted them all last night."
D: Very worried voice "Can... Can you check?"
This kids is why you never assume you'll always have access to a cloud stored file, make local copies!!
A little bit of background on this company, the owner's wife fired me on trumped up "time card discrepancy" issues so she could hire her freshly graduated business major son. The environment over there was pretty toxic anyway...
I feel bad for "Debbie" and the other staff there, it's going to be a very bad week for them. I also hope it doesn't impact any customers. But... It is funny as hell, especially since I warned the owner as I was clearing out my desk to save copies, and plan on them being gone soon. Apparently he never listened.
This is why you should have a plan in place... And not just wing it...
PS. First Post!25 -
"You should use Windows server!"
It was a high security project which needed to run very stable. Even the windows sysadmin looked at that guy like 'dude what the actual fuck'.27 -
Internship number two.
*walks downstairs to get a coffee*
*CTO (my guider) walks in*
CTO: (dead serious face) "linuxxx (not using my first name :P), come with me please"
*walks along to his office, starting to get reallly fucking nervous*
*CTO and me walk into his office, he sits down and looks at me very serious*
*I'm slightly shaking, nervous, sweating*
CTO: "So."
*oh yes here it is its gonna come I did something wrong fuck fml 😫😥😨😩*
CTO: "So you know quite some stiff around security/privacy. Could you tell me some stuff about why I'd want to use VPN and recommend me some good providers? 😀"
😅
*nearly falls onto the ground from relief*
I explained him some stuff and sent him a list of good providers 😀30 -
My last internship (it was awesome). A programmer developed a vacation/free day request application for internal use.
Asked if I could test it for security.
The dev working on it thought that was a very good idea as he wasn't much into security and explained how the authentication process worked.
I immediately noticed a flaw just from his explanation. He said it was secure anyways (with an explanation but his way of thinking was wrong in this case). Asked if I was allowed to show him. He said he was intrigued by this so gave me a yes right away.
For the record, user levels were normal user, general admin and super admin (he was the only super admin).
Wrote a quick thingy server side (one of my own servers/domains) for testing purposes.
Then I started.
Went from normal user to super admin (his account) through a combination of XSS and Session Hijacking within 15 seconds.
Explained him where he went wrong and he wrote a patch under my guidance 😃.
That felt so fucking awesome.5 -
New Dutch (or european?) law requiring https for any website with a contact form or higher is going into effect very soon. Were contacting customers so they can still be on time with this, this is how most convo's go:
Collegue: *explains*
Client: Im sure my security is good enough...
Collegue: i'd really recommend it, we've got free options as well!
Client: its just a secure connection, whats the big deal...
Collegue: *more arguments*
Client: I just don't see the point, security.... well.... does it really matter that much...
Collegue: Google might place you lower in the search results if you don't get a secure connection.
Client: 😶😥😵 uhm so what were the https options again? 😅
I hope they all die a painful death 😠26 -
Dear self proclaimed wordpress 'developers/programmers', kindly go fuck yourself.
I'm not talking about wordpress devs/designers who don't claim to have a better skillset than they have and are actually willing to learn, those are very much fine.
I'm talking about those wordpress people who claim that they're developers, programmers or whatever kind of bullshit which they're obviously not.
"A client's site crashed, you have to fix it!!!!!" sorry, come again? It's YOUR client's site. It's hosted on our hosting platform meaning that WE are responsible for KEEPING THE SERVERS UP AND FUNCTIONING.
You call yourself a wordpress 'developer' with 'programming experience' for 10 years but the second one of your shitty sites crashes, you come to us because 'it's your responsibility!!!'.
No, it's not. Next to that fact, the fact that you have to ask US why the site is crashing while you could easily login to your control panel, go to the fucking error logs and see that one of your facebook plugins crashes with a quite English error message, shows me that you definitely don't have 10 years of programming experience. And if you can't find that fucking article which tells you exactly where the motherfucking error logs are, don't come crying to us asking to fix your own fucking bullshit.
"My clients site got hacked, you have to clean it up and get it online again ASAP!!!!" - Nah, sorry, not my responsibility. The fact that you explicitly put your wordpress installation on 'no automatic updates' also doesn't help with my urge to fucking end you right now.
Add to that that we have some quite clear articles on wordpress security which you appearantly found too difficult (really? basic shit like 'set a strong fucking password' is too difficult for you?), you're on your own.
"I'm getting an error, please explain what's going wrong as soon as you can! this is a prio 1!!!!" - Nope. You were a wordpress dev/programmer right? Please act like one.
I'm not your personal wordpress agent.
I'm not your personal hacked wordpress site cleanup guy.
I'm not even a fucking wordpress professional. No, I'd rather jump off a bridge than develop wordpress bullshit for a living.
That you chose to do this, not a problem. Just don't rely on me for fixing your shit.
I'm sick of cleaning up your bullshit.
I'm done with answering your high prio tickets about bullshit which any dev could find out with just a few minutes of searching.
Oh your wordpress site isn't showing up so high in google? Yeah sure, shoot a ticket at us blaming us for your own SEO mess. I'm a fucking sysadmin, not a SEO expert.
I'm fucking done with you.
Go die in a fucking corner.18 -
I'm at my seat during the regular morning routine of checking emails, planning the things I need to complete/study when my phone rings.
HR: Good Morning, can you come over to the conference room please ?
Me: Sure
I enter the conference room and on the other side of the table, I see a group of 3 HR Managers (not a very nice feeling), especially when it was 10 months into my first job as a Trainee Software Developer.
HR: The company hasn't been performing as expected. For this reason, we've been told to cut down our staff. We're sorry but we have to let you go. You've been doing a great job all along. Thank you.
Me: ---- (seriously ?!)
The security-in-chief 'escorts' me out of the premises and I hand over the badge. I'm not allowed to return to my desk.
This happened about 16 years ago. But it stuck with me throughout my programming career.
A couple of Lessons Learnt which may help some of the developers today :
- You're not as important as you think, no matter what you do and how well you do it.
- Working hard is one thing, working smart is another. You'll understand the difference when your appraisals comes around each year.
- Focus on your work but always keep an eye on your company's health.
- Be patient with your Manager; if you're having a rough time, its likely he/she is suffering more.
- Programming solo is great fun. However it takes other skills that are not so interesting, to earn a living.
- You may think the Clients sounds stupid, talks silly and demands the stars; ever wonder what they think about you.
- When faced with a tough problem, try to 'fix' the Client first, then look for a solution.
- If you hate making code changes, don't curse the Client or your Manager - we coders collectively created a world of infinite possibilities. No point blaming them.
- Sharing your ideas matter.
- Software Development is a really long chain of ever-growing links that you may grok rather late in your career. But its still worth all the effort if you enjoy it.
I like to think of programming as a pursuit that combines mathematical precision and artistic randomness to create some pretty amazing stuff.
Thanks for reading.14 -
This guy at an internship who only wanted to use anything Microsoft.
It was fine for his own use but he also wanted it for a high security prod environment and tried to push that through.
Luckily, the (very competent) team lead refused to use closed source stuff for high security environments.
"listen (team lead to that guy), it's not going to happen. We're simply not using software from a US based company which is closed source for high security stuff.
Why? The US is one of the biggest surveillance powers in this world, we just can't be sure what's in the software if it's US based. Now you can say that that's paranoid but whether or not it is, the surveillance part is a fact, deal with it. That you want to use it, fine, but NOT. IN. HIGH. SECURITY. PROD. (or prod at all really).
He continued to try and convert colleagues to windows and other Microsoft stuff for the rest of his internship.28 -
Me: how's your password security?
Them: of course we value security very highly, our passwords are all hashed before being stored.
Me: what hashing algorithm?
Them: oh we hash it with sha and then place that in a table indexed by the password.
Indexed. By. The fucking. Password.16 -
So I got the job. Here's a story, never let anyone stop you from accomplishing your dreams!
It all started in 2010. Windows just crashed unrecoverably for the 3rd time in two years. Back then I wasn't good with computers yet so we got our tech guy to look at it and he said: "either pay for a windows license again (we nearly spend 1K on licenses already) or try another operating system which is free: Ubuntu. If you don't like it anyways, we can always switch back to Windows!"
Oh well, fair enough, not much to lose, right! So we went with Ubuntu. Within about 2 hours I could find everything. From the software installer to OpenOffice, browsers, email things and so on. Also I already got the basics of the Linux terminal (bash in this case) like ls, cd, mkdir and a few more.
My parents found it very easy to work with as well so we decided to stick with it.
I already started to experiment with some html/css code because the thought of being able to write my own websites was awesome! Within about a week or so I figured out a simple html site.
Then I started to experiment more and more.
After about a year of trial and error (repeat about 1000+ times) I finally got my first Apache server setup on a VirtualBox running Ubuntu server. Damn, it felt awesome to see my own shit working!
From that moment on I continued to try everything I could with Linux because I found the principle that I basically could do everything I wanted (possible with software solutions) without any limitations (like with Windows/Mac) very fucking awesome. I owned the fucking system.
Then, after some years, I got my first shared hosting plan! It was awesome to see my own (with subdomain) website online, functioning very well!
I started to learn stuff like FTP, SSH and so on.
Went on with trial and error for a while and then the thought occured to me: what if I'd have a little server ONLINE which I could use myself to experiment around?
First rented VPS was there! Couldn't get enough of it and kept experimenting with server thingies, linux in general aaand so on.
Started learning about rsa key based login, firewalls (iptables), brute force prevention (fail2ban), vhosts (apache2 still), SSL (damn this was an interesting one, how the fuck do you do this yourself?!), PHP and many other things.
Then, after a while, the thought came to mind: what if I'd have a dedicated server!?!?!?!
I ordered my first fucking dedicated server. Damn, this was awesome! Already knew some stuff about defending myself from brute force bots and so on so it went pretty well.
Finally made the jump to NginX and CentOS!
Made multiple VPS's for shitloads of purposes and just to learn. Started working with reverse proxies (nginx), proxy servers, SSL for everything (because fuck basic http WITHOUT SSL), vhosts and so on.
Started with simple, one screen linux setup with ubuntu 10.04.
Running a five monitor setup now with many distro's, running about 20 servers with proxies/nginx/apache2/multiple db engines, as much security as I can integrate and this fucking passion just got me my first Linux job!
It's not just an operating system for me, it's a way of life. And with that I don't just mean the operating system, but also the idea behind it :).20 -
The original story:
"When I've got my very first android I was downloading any shit from Play Store. There was app called pattern security or something like that. The app was taking selfies everytime power button was pressed several times and then photo would sent to email. One day I left my old phone at home and at the office this is the photo i've received."12 -
So this was a couple years ago now. Aside from doing software development, I also do nearly all the other IT related stuff for the company, as well as specialize in the installation and implementation of electrical data acquisition systems - primarily amperage and voltage meters. I also wrote the software that communicates with this equipment and monitors the incoming and outgoing voltage and current and alerts various people if there's a problem.
Anyway, all of this equipment is installed into a trailer that goes onto a semi-truck as it's a portable power distribution system.
One time, the computer in one of these systems (we'll call it system 5) had gotten fried and needed replaced. It was a very busy week for me, so I had pulled the fried computer out without immediately replacing it with a working system. A few days later, system 5 leaves to go work on one of our biggest shows of the year - the Academy Awards. We make well over a million dollars from just this one show.
Come the morning of show day, the CEO of the company is in system 5 (it was on a Sunday, my day off) and went to set up the data acquisition software to get the system ready to go, and finds there is no computer. I promptly get a phone call with lots of swearing and threats to my job. Let me tell you, I was sweating bullets.
After the phone call, I decided I needed to try and save my job. The CEO hadn't told me to do anything, but I went to work, grabbed an old Windows XP laptop that was gathering dust and installed my software on it. I then had to build the configuration file that is specific to system 5 from memory. Each meter speaks the ModBus over TCP/IP protocol, and thus each meter as a different bus id. Fortunately, I'm pretty anal about this and tend to follow a specific method of id numbering.
Once I got the configuration file done and tested the software to see if it would even run properly on Windows XP (it did!), I called the CEO back and told him I had a laptop ready to go for system 5. I drove out to Hollywood and the CFO (who was there with the CEO) had to walk about a mile out of the security zone to meet me and pick up the laptop.
I told her I put a fresh install of the data acquisition software on the laptop and it's already configured for system 5 - it *should* just work once you plug it in.
I didn't get any phone calls after dropping off the laptop, so I called the CFO once I got home and asked her if everything was working okay. She told me it worked flawlessly - it was Plug 'n Play so to speak. She even said she was impressed, she thought she'd have to call me to iron out one or two configuration issues to get it talking to the meters.
All in all, crisis averted! At work on Monday, my supervisor told me that my name was Mud that day (by the CEO), but I still work here!
Here's a picture of the inside of system 8 (similar to system 5 - same hardware)15 -
My mentor/guider at my last internship.
He was great at guiding, only 1-2 years older than me, brought criticism in a constructive way (only had a very tiny thing once in half a year though) and although they were forced to use windows in a few production environments, when it came to handling very sensitive data and they asked me for an opinion before him and I answered that closed source software wasn't a good idea and they'd all go against me, this guy quit his nice-guy mode and went straight to dead-serious backing me up.
I remember a specific occurrence:
Programmers in room (under him technically): so linuxxx, why not just use windows servers for this data storage?
Me: because it's closed source, you know why I'd say that that's bad for handling sensitive data
Programmers: oh come on not that again...
Me: no but really look at it from my si.....
Programmers: no stop it. You're only an intern, don't act like you know a lot about thi....
Mentor: no you shut the fuck up. We. Are. Not. Using. Proprietary. Bullshit. For. Storing. Sensitive. Data.
Linuxxx seems to know a lot more about security and privacy than you guys so you fucking listen to what he has to say.
Windows is out of the fucking question here, am I clear?
Yeah that felt awesome.
Also that time when a mysql db in prod went bad and they didn't really know what to do. Didn't have much experience but knew how to run a repair.
He called me in and asked me to have a look.
Me: *fixed it in a few minutes* so how many visitors does this thing get, few hundred a day?
Him: few million.
Me: 😵 I'm only an intern! Why did you let me access this?!
Him: because you're the one with the most Linux knowledge here and I trust you to fix it or give a shout when you simply can't.
Lastly he asked me to help out with iptables rules. I wasn't of much help but it was fun to sit there debugging iptables shit with two seniors 😊
He always gave good feedback, knew my qualities and put them to good use and kept my motivation high.
Awesome guy!4 -
Mother of god, was listening to the US govt hearing of zuckerberg about the recent scandals. The amount of very fucking simple obvious questions he 'could not' answer normally...
Govt person: Would you be willing to change Facebook's business model if this was required for the security and privacy of Facebook users' accounts?
Zuck: I don't understand your question.
Sorry, WHAT?! You don't need particular rocket science to understand what's being asked here. A combination of common sense and knowing the English language and English grammar in combination with maybe having finished some form of education should be enough to understand this ridiculously easy question.
Do you need it written on a golden plate with fucking blue letters in Facebook's font with the S letters as dollar signs while drinking 10 gallons of 'fuck every persons privacy'?!
Or maybe shoving it up your ass in the form of heated/glowing metal letters of 10+ inches in height? We could arrange that as well.25 -
Bulma framework, thanks for existing!
Lightweight, CSS only, very fucking easy to use and understand and a beautiful!
As a backend/server/security guy, front end is hell on earth for me. I understand the basics but that's it.
This fucker makes it so simple!19 -
Alright, since Facebook released a VPN service a little while ago but they're actively advertising it as a secure and privacy friendly service, I felt like - although I'm very busy right now - I should do a security/privacy blog post about this.
If you even slightly care about your own privacy or the privacy of anyone you're communicating with, for the love of God, don't use this service.
Hereby a blog post explaining stuffs: https://much-security.nl//...44 -
!dev !rant - only very sad
I have been through the worst and saddest week of my life.
Sadly, it's getting worse every day.
I've been travelling around the world in my RV for years and haven't seen my parents for several years. Since I recently successfully completed a huge project and now have some spare time, I thought it would be nice to visit my parents. Everything went well. We were glad to see each other after a long time and had a nice day together. My father works as a security guard and had to go to work early in the evening. So I stayed alone with my mother.
In the evening my mother went to bed earlier than usual because she didn't feel well. I wished her a good night and wanted to surf the internet. But somehow I had a strange feeling (maybe a premonition) and after 5 minutes I went into her bedroom to bring her a glass of water and at this very moment she suffered a heart attack. I threw it all away and called 911 immediately. I shouted the address into the phone, screamed emergency, heart failure, unconscious while trying to start resuscitation at the same time. Fortunately, the ambulance was nearby, arrived in just a few minutes, pushed me aside and started the resuscitation procedure. It took more than an hour and dozens of electric shocks to even get a pulse.
The ambulance took her to the hospital for further medical treatment. I was in the hospital all night until at least she had a stable pulse.
As soon as I returned to my parents' house (the car was still warm, hardly 3 minutes have passed), my father, who had returned from work a few minutes earlier, suddenly suffered a thrombosis in his leg. The whole leg was slowly turning black. I immediately dragged him into the car and drove him as fast as I could to the hospital.
It's Sunday now. I haven't slept since Thursday and I've been in the hospital all the time. Both are in a coma, fighting for their lives. I thought it couldn't get any worse, my mother got sepsis and pneumonia today.
Now I have returned to my parents' house and pray that both of them will survive. Can't sleep even though I'm tired to death. Can't work, try to distract me somehow. Maybe I'll be able to sleep at least two hours. Then I'll go back to the hospital.
What a damn fuckin' week.46 -
This is kind of a horror story, with a happing ending. It contains a lot of gore images, and some porn. Very long story.
TL;DR Network upgrade
Once upon a time, there were two companies HA and HP, both owned by HC. Many years went by and the two companies worked along side each one another, but sometimes there were trouble, because they weren't sure who was supposed to bill the client for projects HA and HP had worked on together.
At HA there was an IT guy, an imbecile of such. He's very slow at doing his job, doesn't exactly understand what he's doing, nor security principles.
The IT guy at HA also did some IT work for HP from time to time when needed. But he was not in charge of the infrastructure for HP, that was the jobb for one developer who didn't really know what he was doing either.
Whenever a new server was set up at HP, the developer tried many solutions, until he landed on one, but he never removed the other tested solutions, and the config is scattered all around. And no documentation!!
Same goes with network, when something new was added, the old was never removed or reconfigured to something else.
One dark winter, a knight arrived at HP. He had many skills. Networking, server management, development, design and generally a fucking awesome viking.
This genius would often try to cleanse the network and servers, and begged his boss to let him buy new equipment to replace the old, to no prevail.
Whenever he would look in the server room, he would get shivers down his back.
(Image: https://i.bratteng.xyz/Ie9x3YC33C.j...)
One and a half year later, the powerful owners in HA, HP and HC decided it was finally time to merge HA and HP together to HS. The knight thought this was his moment, he should ask CEO if he could be in charge of migrating the network, and do a complete overhault so they could get 1Gb interwebz speeds.
The knight had to come up with a plan and some price estimates, as the IT guy also would do this.
The IT guy proposed his solution, a Sonicwall gateway to 22 000 NOK, and using a 3rd party company to manage it for 3000 NOK/month.
"This is absurd", said the knight to the CEO and CXO, "I can come up with a better solution that is a complete upgrade. And it will be super easy to manage."
The CEO and CXO gave the knight a thumbs up. The race was on. We're moving in 2 months, I got to have the equipment by then, so I need a plan by the end of the week.
He roamed the wide internet, looked at many solutions, and ended up with going for Ubiquiti's Unifi series. Cheap, reliable and pretty nice to look at.
The CXO had mentioned the WiFi at HA was pretty bad, as there was WLAN for each meeting room, and one for the desks, so the phone would constantly jump between networks.
So the knight ended up with this solution:
2x Unifi Securtiy Gateway Pro 4
2x Unifi 48port
1x Unifi 10G 16port
5x Unifi AP-AC-Lite
12x pairs of 10G unifi fibre modules
All with a price tag around the one Sonicwall for 22 000 NOK, not including patch cables, POE injectors and fibre cables.
The knight presented this to the CXO, whom is not very fond of the IT guy, and the CXO thought this was a great solution.
But the IT guy had to have a say at this too, so he was sent the solution and had 2 weeks to dispute the soltion.
Time went by, CXO started to get tired of the waiting, so he called in a meeting with the knight and the IT guy, this was the IT guys chance to dispute the solution.
All he had to say was he was familiar with the Sonicwall solution, and having a 3rd party company managing it is great.
He was given another 2 weeks to dispute the solution, yet nothing happened.
The CXO gave the thumbs up, and the knight orders the equipment.
At this time, the knight asks the IT guy for access to the server room at HA, and a key (which would take 2 months to get sorted, because IT guys is a slow imbecile)
The horrors, Oh the horrors, the knight had never seen anything like this before.
(Image: https://i.bratteng.xyz/HfptwEh9qT.j...)
(Image: https://i.bratteng.xyz/HfptwEh9qT.j...)
(Image: https://i.bratteng.xyz/hmOE2ZuQuE.j...)
(Image: https://i.bratteng.xyz/4Flmkx6slQ.j...)
What are all these for, why is there a fan ductaped to on of the servers.
WHAT IS THIS!
Why are there cables tied in a knot.
WHY!
These are questions we never will know the answers too.
The knight needs access to the servers, and sonicwall to see how this is configured.
After 1.5 month he gains access to the sonicwall and one of the xserve.
What the knight discovers baffles him.
All ports are open, sonicwall is basically in bridge mode and handing out public IPs to every device connected to it.
No VLANs, everything, just open...10 -
Fuck Microsoft.
No, not in any relation to windows this time.
Dear Microsoft, why on earth did you put us on your spam blacklist? There haven't been any spam attacks from our side, our servers have nearly the highest 'reputation' that email servers can get, we comply to all security standards and yet you're blacklisting us.
If for some reason you think something is wrong at our side anyways, we've tried to contact you and we either get ignored or get a very late response saying that we'll get delisted again within a day/week or whatsoever.
Microsoft, please go fuck yourself.25 -
Lads, I will be real with you: some of you show absolute contempt to the actual academic study of the field.
In a previous rant from another ranter it was thrown up and about the question for finding a binary search implementation.
Asking a senior in the field of software engineering and computer science such question should be a simple answer, specifically depending on the type of job application in question. Specially if you are applying as a SENIOR.
I am tired of this strange self-learner mentality that those that have a degree or a deep grasp of these fundamental concepts are somewhat beneath you because you learned to push out a website using the New Boston tutorials on youtube. FOR every field THAT MATTERS a license or degree is hold in high regards.
"Oh I didn't go to school, shit is for suckers, but I learned how to chop people up and kinda fix it from some tutorials on youtube" <---- try that for a medical position.
"Nah it's cool, I can fix your breaks, learned how to do it by reading blogs on the internet" <--- maintenance shop
"Sure can write the controller processing code for that boing plane! Just got done with a low level tutorial on some websites! what can go wrong!"
(The same goes for military devices which in the past have actually killed mfkers in the U.S)
Just recently a series of people were sent to jail because of a bug in software. Industries NEED to make sure a mfker has aaaall of the bells and whistles needed for running and creating software.
During my masters degree, it fucking FASCINATED me how many mfkers were absolutely completely NEW to the concept of testing code, some of them with years in the field.
And I know what you are thinking "fuck you, I am fucking awesome" <--- I AM SURE YOU BLOODY WELL ARE but we live in a planet with billions of people and millions of them have fallen through the cracks into software related positions as well as complete degrees, the degree at LEAST has a SPECTACULAR barrier of entry during that intro to Algos and DS that a lot of bitches fail.
NOTE: NOT knowing the ABSTRACTIONS over the tools that we use WILL eventually bite you in the ASS because you do not fucking KNOW how these are implemented internally.
Why do you think compiler designers, kernel designers and embedded developers make the BANK they made? Because they don't know memory efficient ways of deploying a product with minimal overhead without proper data structures and algorithmic thinking? NOT EVERYTHING IS SHITTY WEB DEVELOPMENT
SO, if a mfker talks shit about a so called SENIOR for not knowing that the first mamase mamasa bloody simple as shit algorithm THROWN at you in the first 10 pages of an algo and ds book, then y'all should be offended at the mkfer saying that he is a SENIOR, because these SENIORS are the same mfkers that try to at one point in time teach other people.
These SENIORS are the same mfkers that left me a FUCKING HORRIBLE AND USELESS MESS OF SPAGHETTI CODE
Specially to most PHP developers (my main area) y'all would have been well motherfucking served in learning how not to forLoop the fuck out of tables consisting of over 50k interconnected records, WHAT THE FUCK
"LeaRniNG tHiS iS noT neeDed!!" yes IT fucking IS
being able to code a binary search (in that example) from scratch lets me know fucking EXACTLY how well your thought process is when facing a hard challenge, knowing the basemotherfucking case of a LinkedList will damn well make you understand WHAT is going on with your abstractions as to not fucking violate memory constraints, this-shit-is-important.
So, will your royal majesties at least for the sake of completeness look into a couple of very well made youtube or book tutorials concerning the topic?
You can code an entire website, fine as shit, you will get tested by my ass in terms of security and best practices, run these questions now, and it very motherfucking well be as efficient as I think it should be(I HIRE, NOT YOU, or your fucking blog posts concerning how much MY degree was not needed, oh and btw, MY degree is what made sure I was able to make SUCH decissions)
This will make a loooooooot of mfkers salty, don't worry, I will still accept you as an interview candidate, but if you think you are good enough without a degree, or better than me (has happened, told that to my face by a candidate) then get fucking ready to receive a question concerning: BASIC FUCKING COMPUTER SCIENCE TOPICS
* gays away into the night53 -
This was at my first internship (ranted about this before but hey fuck it).
- discovered several high critical vulnerabilities in their product. Wrote them down and kindly gave them to my boss/manager (they were the same person). He looked at me like 'the fuck' but I just went home at the end of the day. Next day, I got called into his office. I was a fucker, cancer guy who knew nothing about security, who would never reach anything and I shouldn't criticize their product (I had no right to because I was an intern).
- Bossman went to a meeting with a coworker to present their product. They came back to the office and it very clearly had gone pretty wrong. (we had nothing to do with anything related to the project including the meeting) he called us all bad things he could think of and it was all our fault and so on.
- I do have a transpiration problem but I can partly contain that when it's not too hot and the stress levels are okay. I was only allowed to sit in front of the window. YES IT WAS A MOTHERFUCKING HUGE WINDOW, 35-40 DEGREES FEELING TEMPERATURE AND NO MOTHERFUCKING AIRCONDITIONING. (okay gotta admit that one of the installation guys fell off the roof during the installation BUT THEN AT LEAST GET FANS OR SOMETHING).
Got called into his office multiple times because I smelled and 'couldnt take care of my hygiene'. I was literally sweating my ass off full-time so what the fuck could I do in those temperatures?!?
- my only project there: Google translating their whole CRM. Took us five weeks and the bossman kept pressure on us at all times which didn't FUCKING help.
Was fired after 5 weeks for hygiene reasons and because I didn't do my work well appearantly (still fuck translating all day).
One of the worst things? He pretended everything to go well until the first review came with my mentor (mentor == awesome guy). Then he talked shit about me like it was no-one's business.
I literally cried when I walked home after being fired.16 -
So the new mass surveillance law will be going into effect from the 1st of January.
Of course, since I'm very keen on my security/privacy, I'm going to implement some precautions.
- A few vps's connecting to tor, i2p and VPN provider so that I can always use a secure connection.
- Setup anti tracker/ads/etc etc shit on the VPS's. Probably through DnsMasq and the hosts file.
- Use Tor browser by default. I've tried this for a while now and damn, the tor network has become way faster than only even a year ago! Some pages literally only take a few seconds to load.
- Wipe my laptop, encrypt the harddrive and at least put QubesOS on it together with probably a few other systems.
- Ungoogle my new phone, use it with VPN by default.
- Get rid of all non encrypted communication services. I think that only leaves me with a few account removals because I haven't chatted unencrypted for nearly a fucking year now.
If anyone has any more ideas, please share!42 -
Navy story time again. Grab that coffee and fire up Kali, the theme is security.
So, when I got promoted to Lieutenant Jr. I had to attend a 1-year school inside my nostalgic Naval Academy... BUT! I was wiser, I was older... and I was bored. Like, really bored. What could go wrong? Well, all my fellow officers were bored too, so they started downloading/streaming/torrenting like crazy, and I had to wait for hours for the Kali updates to download, so...
mdk3 wlan0mon -d
I had this external wifi atheros card with two antennae and kicked all of them off the wifi. Some slightly smarter ones plugged cables on the net, and kept going, enjoying much faster speeds. I had to go to the bathroom, and once I returned they had unplugged the card. That kind of pissed me off, since they also thought it would be funny to hide it, along with the mouse.
But, oh boy, they had no idea what supreme asshole I can be when I am irked.
So, arpspoof it is. Turns out, there were no subnetworks, and the broadcast domain was ALL of the academy. That means I shut EVERYONE off, except me. Hardware was returned in 1 minute with the requested apologies, but fuck it, I kept the whole academy off the net for 6 hours. The sysadmin ran around like crazy, because nothing was working. Not even the servers.
I finally took pity on the guy (he had gotten the duties of sysadmin when the previous sysad died, so think about that) and he almost assaulted me when I told him. As it turned out, the guy never had any training or knowledge on security, so I had to show him a few things, and point him to where he could study about the rest. But still, some selective arp poison on select douchebags was in order...
Needless to say, people were VERY polite to me after that. And the net speed was up again, so I got bored. Again. So I started scanning the net.
To be continued...3 -
I work at a small retail store and we have quite a few regular customers who know I'm studying computer science because I'm always coding at work on my laptop.
One lady who comes in quite often and is very sweet asked me if I would take a look at her phone. She said she bought it and paid the owner of a phone repair store to set it up for her, but was felt like he did something weird to it. I told her I wasn't an expert but would look at it.
Oh my god. This guy set up her phone connected to his own personal icloud account. All of his music was on there. All of his contacts were on there. All of his pictures were on there. Even nude pictures of multiple people that this lady said she definitely does not know. I tell her this is very very wrong and no one in their right mind should've set her phone up this way.
I automatically think to factory reset. I'm unfamiliar with iPhone, as the last time I used one was an iPhone4 many years ago. I was unaware that apple applies an authentication lock when the phone is reset.
The authentication is set up underneath yet ANOTHER email address that belongs to this guy, as this lady promised me she has no knowledge of any email address similar to the one listed, nor does she have access to it.
I tell her to call the guy and ask for her money back and to unlock her phone so that she can reset it herself.
He claims that he cannot accept refunds if a factory reset has been performed.
Uhm, I am calling SOOOOO much bullshit. There should be absolutely no reason why the owner of the phone cannot factory reset it. The owner should be able to do ANYTHING she wants with it, without being locked out of it because some creep at a repair store did NOT DO HIS JOB CORRECTLY AND HE KNOWS IT. Why else would he claim he can't refund if it's been reset, because he KNOWS she got locked out.
So long story short I talked on the phone with him and cussed him out telling him he was wrong for taking advantage of someone who doesn't know much about technology and that he was invading privacy and violating her security and that i would report him if he didn't fully refund her and unlock her phone.
He gave her all of her money back, unlocked the phone (which she is deciding to sell because she got so scared by this), and I'm still filing a complaint against this man and his store. Who knows how many more clueless people he did this too. Fucking scumbag.10 -
Navy story continued.
And continuing from the arp poisoning and boredom, I started scanning the network...
So I found plenty of WinXP computers, even some Win2k servers (I shit you not, the year was 201X) I decided to play around with merasploit a bit. I mean, this had to be a secure net, right?
Like hell it was.
Among the select douchebags I arp poisoned was a senior officer that had a VERY high idea for himself, and also believed he was tech-savvy. Now that, is a combination that is the red cloth for assholes like me. But I had to be more careful, as news of the network outage leaked, and rumours of "that guy" went amok, but because the whole sysadmin thing was on the shoulders of one guy, none could track it to me in explicit way. Not that i cared, actually, when I am pissed I act with all the subtleness of an atom bomb on steroids.
So, after some scanning and arp poisoning (changing the source MAC address this time) I said...
"Let's try this common exploit, it supposedly shouldn't work, there have been notifications about it, I've read them." Oh boy, was I in for a treat. 12 meterpreter sessions. FUCKING 12. The academy's online printer had no authentication, so I took the liberty of printing a few pages of ASCII jolly rogers (cute stuff, I know, but I was still in ITSec puberty) and decided to fuck around with the other PCs. One thing I found out is that some professors' PCs had the extreme password of 1234. Serious security, that was. Had I known earlier, I could have skipped a TON of pointless memorising...
Anyway, I was running amok the entire network, the sysad never had a chance on that, and he seemed preoccupied with EVERYTHING ELSE besides monitoring the net, like fixing (replacing) the keyboard for the commander's secretary, so...
BTW, most PCs had antivirus, but SO out of date that I didn't even need to encode the payload or do any other trick. An LDAP server was open, and the hashed admin password was the name of his wife. Go figure.
I looked at a WinXP laptop with a weird name, and fired my trusty ms08_067 on it. Passowrd: "aaw". I seriously thought that Ophcrack was broken, but I confirmed it. WTF? I started looking into the files... nothing too suspicious... wait a min, this guy is supposed to work, why his browser is showing porn?
Looking at the ""Deleted"" files (hah!) I fount a TON of documents with "SECRET" in them. Curious...
Decided to download everything, like the asshole I am, and restart his PC, AND to leave him with another desktop wallpaper and a text message. Thinking that he took the hint, I told the sysadmin about the vulnerable PCs and went to class...
In the middle of the class (I think it was anti-air warfare or anti-submarine warfare) the sysad burst through the door shouting "Stop it, that's the second-in-command's PC!".
Stunned silence. Even the professor (who was an officer). God, that was awkward. So, to make things MORE awkward (like the asshole I am) I burned every document to a DVD and the next day I took the sysad and went to the second-in-command of the academy.
Surprisingly he took the whole thing in quite the easygoing fashion. I half-expected court martial or at least a good yelling, but no. Anyway, after our conversation I cornered the sysad and barraged him with some tons of security holes, needed upgrades and settings etc. I still don't know if he managed to patch everything (I left him a detailed report) because, as I've written before, budget constraints in the military are the stuff of nightmares. Still, after that, oddly, most people wouldn't even talk to me.
God, that was a nice period of my life, not having to pretend to be interested about sports and TV shows. It would be almost like a story from highschool (if our highschool had such things as a network back then - yes, I am old).
Your stories?8 -
Imagine if a structural engineer whose bridge has collapsed and killed several people calls it a feature.
Imagine if that structural engineer made a mistake in the tensile strength of this or that type of bolt and shoved it under the rug as "won't fix".
Imagine that it's you who's relying on that bridge to commute every day. Would you use it, knowing that its QA might not have been very rigorous and could fail at any point in time?
Seriously, you developers have all kinds of fancy stuff like Continuous Integration, Agile development, pipelines, unit testing and some more buzzwords. So why is it that the bridges don't collapse, yet new critical security vulnerabilities caused by bad design, unfixed bugs etc appear every day?
Your actions have consequences. Maybe not for yourself but likely it will have on someone else who's relying on your software. And good QA instead of that whole stupid "move fast and break things" is imperative.
Software developers call themselves the same engineers as the structural engineer and the electrical engineer whose mistakes can kill people. I can't help but be utterly disappointed with the status quo in software development. Don't you carry the title of the engineer with pride? The pride that comes from the responsibility that your application creates?
I wish I'd taken the blue pill. I didn't want to know that software "engineering" was this bad, this insanity-inducing.
But more than anything, it surprises me that the world that relies so much on software hasn't collapsed in some incredible way yet, despite the quality of what's driving it.44 -
This was at my first internship (was fired later for other bs reasons).
They got me as a programming intern but very soon I felt very conflicted with multiple things:
1. Got to google translate their internal CRM into five languages. After two weeks (the estimate I gave them) I discovered that I overlooked the second half, apologized and got a whole shitstorm at my face.
2. Was only allowed to use Internet Explorer for everything *cry face*.
3. Saw multiple security flaws in their main product, told my boss (also my internship manager) about it because hey, I'm security oriented and it might help them. Next day he called me into his office and I got a huge speech about who the fuck I am to criticize their product and that I was a security wannabee who doesn't know shit.
4. Boss came home after a product presentation went sideways. The interns didn't have anything to do with that but he called (or, yelled big time) us every dirty word he could think of and blamed us.
Luckily I was fired after like five weeks. I literally cried of happiness when I walked home. I was too shy to stand up for myself by that time (even only 2-3 years ago)14 -
Awesome teacher number two: another Linux teacher!
Didn't have many classes from him but damn he could interact with the students!
He was very open (it just autocorrected that to porn O.o) minded, very passionate about Linux and new shitloads about security. You'd expect him to be like 50 as for his knowledge amounts but he was around 27 I think.
He could go into discussions with students on the windows vs Linux subject, made it look like they were winning and then completely burn them in just a few sentences.
I think he liked me a lot because we would talk all kinds of Linux stuff.
He'd also help people with windows sometimes but windows servers where a very fucking no-go for him.
Man, I miss that guy 😞10 -
Well, here's the OS rant I promised. Also apologies for no blog posts the past few weeks, working on one but I want to have all the information correct and time isn't my best friend right now :/
Anyways, let's talk about operating systems. They serve a purpose which is the goal which the user has.
So, as everyone says (or, loads of people), every system is good for a purpose and you can't call the mainstream systems shit because they all have their use.
Last part is true (that they all have their use) but defining a good system is up to an individual. So, a system which I'd be able to call good, had at least the following 'features':
- it gives the user freedom. If someone just wants to use it for emailing and webbrowsing, fair enough. If someone wants to produce music on it, fair enough. If someone wants to rebuild the entire system to suit their needs, fair enough. If someone wants to check the source code to see what's actually running on their hardware, fair enough. It should be up to the user to decide what they want to/can do and not up to the maker of that system.
- it tries it's best to keep the security/privacy of its users protected. Meaning, by default, no calling home, no integrating users within mass surveillance programs and no unnecessary data collection.
- Open. Especially in an age of mass surveillance, it's very important that one has the option to check the underlying code for vulnerabilities/backdoors. Can everyone do that, nope. But that doesn't mean that the option shouldn't be there because it's also about transparency so you don't HAVE to trust a software vendor on their blue eyes.
- stability. A system should be stable enough for home users to use. For people who like to tweak around? Also, but tweaking *can* lead to instability and crashes, that's not the systems' responsibility.
Especially the security and privacy AND open parts are why I wouldn't ever voluntarily (if my job would depend on it, sure, I kinda need money to stay alive so I'll take that) use windows or macos. Sure, apple seems to care about user privacy way more than other vendors but as long as nobody can verify that through source code, no offense, I won't believe a thing they say about that because no one can technically verify it anyways.
Some people have told me that Linux is hard to use for new/(highly) a-technical people but looking at my own family and friends who adapted fast as hell and don't want to go back to windows now (and mac, for that matter), I highly doubt that. Sure, they'll have to learn something new. But that was also the case when they started to use any other system for the first time. Possibly try a different distro if one doesn't fit?
Problems - sometimes hard to solve on Linux, no doubt about that. But, at least its open. Meaning that someone can dive in as deep as possible/necessary to solve the problem. That's something which is very difficult with closed systems.
The best example in this case for me (don't remember how I did it by the way) was when I mounted a network drive at boot on windows and Linux (two systems using the same webDav drive). I changed the authentication and both systems weren't in for booting anymore. Hours of searching how to unfuck this on windows - I ended up reinstalling it because I just couldn't find a solution.
On linux, i found some article quite quickly telling to remove the entry for the webdav thingy from fstab. Booted into a root recovery shell, chrooted to the harddrive, removed the entry in fstab and rebooted. BAM. Everything worked again.
So yeah, that's my view on this, I guess ;P31 -
Example #1 of ??? Explaining why I dislike my coworkers.
[Legend]
VP: VP of Engineering; my boss’s boss. Founded the company, picked the CEO, etc.
LD: Lead dev; literally wrote the first line of code at the company, and has been here ever since.
CISO: Chief Information Security Officer — my boss when I’m doing security work.
Three weeks ago (private zoom call):
> VP to me: I want you to know that anything you say, while wearing your security hat, goes. You can even override me. If you need to hold a release for whatever reason, you have that power. If I happen to disagree with a security issue you bring up, that’s okay. You are in charge of release security. I won’t be mad or hold it against you. I just want you to do your job well.
Last week (engineering-wide meeting):
> CISO: From now on we should only use external IDs in urls to prevent a malicious actor from scraping data or automating attacks.
> LD: That’s great, and we should only use normal IDs in logging so they differ. Sounds more secure, right?
> CISO: Absolutely. That way they’re orthogonal.
> VP: Good idea, I think we should do this going forward.
Last weekend (in the security channel):
> LD: We should ONLY use external IDs in urls, and ONLY normal IDs in logging — in other words, orthogonal.
> VP: I agree. It’s better in every way.
Today (in the same security channel):
> Me: I found an instance of using a plain ID in a url that cancels a payment. A malicious user with or who gained access to <user_role> could very easily abuse this to cause substantial damage. Please change this instance and others to using external IDs.
> LD: Whoa, that goes way beyond <user_role>
> VP: You can’t make that decision, that’s engineering-wide!
Not only is this sane security practice, you literally. just. agreed. with this on three separate occasions in the past week, and your own head of security also posed this before I brought it up! And need I remind you that it is still standard security practice!?
But nooo, I’m overstepping my boundaries by doing my job.
Fucking hell I hate dealing with these people.14 -
I have been a mobile developer working with Android for about 6 years now. In that time, I have endured countless annoyances in the Android development space. I will endure them no more.
My complaints are:
1. Ridiculous build times. In what universe is it acceptable for us to wait 30 seconds for a build to complete. Yes, I've done all the optimisations mentioned on this page and then some. Don't even mention hot reload as it doesn't work fast enough or just does not work at all. Also, buying better hardware should not be a requirement to build a simple Android app, Xcode builds in 2 seconds with a 8GB Macbook Air. A Macbook Air!
2. IDE. Android Studio is a memory hog even if you throw 32GB of RAM at it. The visual editors are janky as hell. If you use Eclipse, you may as well just chop off your fingers right now because you will have no use for them after you try and build an app from afresh. I mean, just look at some of the posts in this subreddit where the common response is to invalidate caches and restart. That should only be used as a last resort, but it's thrown about like as if it solves everything. Truth be told, it's Gradle's fault. Gradle is so annoying I've dedicated the next point to it.
3. Gradle. I am convinced that Gradle causes 50% of an Android developer's pain. From the build times to the integration into various IDEs to its insane package management system. Why do I need to manually exclude dependencies from other dependencies, the build tool should just handle it for me. C'mon it's 2019. Gradle is so bad that it requires approx 54GB of RAM to work out that I have removed a dependency from the list of dependencies. Also I cannot work out what properties I need to put in what block.
4. API. Android API is over-bloated and hellish. How do I schedule a recurring notification? Oh use an AlarmManager. Yes you heard right, an AlarmManager... Not a NotificationManager because that would be too easy. Also has anyone ever tried running a long running task? Or done an asynchronous task? Or dealt with closing/opening a keyboard? Or handling clicks from a RecyclerView? Yes, I know Android Jetpack aims to solve these issues but over the years I have become so jaded by things that have meant to solve other broken things, that there isn't much hope for Jetpack in my mind 😤
5. API 2. A non-insignificant number of Android users are still on Jelly Bean or KitKat! That means we, as developers, have to support some of your shitty API decisions (Fragments, Activities, ListView) from all the way back then!
6. Not reactive enough. Android has support for Databinding recently but this kind of stuff should have been introduced from the very start. Look at React or Flutter as to how easy it is to make shit happen without any effort.
7. Layouts. What the actual hell is going on here. MDPI, XHDPI, XXHDPI, mipmap, drawable. Fuck it, just chuck it all in the drawable folder. Seriously, Android should handle this for me. If I am designing for a larger screen then it should be responsive. I don't want to deal with 50 different layouts spread over 6 different folders.
8. Permission system. Why was this not included from the very start? Rogue apps have abused this and abused your user's privacy and security. Yet you ban us and not them from the Play Store. What's going on? We need answers.
9. In Android, building an app took me 3 months and I had a lot of work left to do but I got so sick of Android dev I dropped it in favour of Flutter. I built the same app in Flutter and it took me around a month and I completed it all.
10. XML.
If you're a new dev, for the love of all that is good in this world, do NOT get into Android development. Start with Flutter or even iOS. On Flutter and build times are insanely fast and the hot reload is under 500ms constantly. It's a breath of fresh air and will save you a lot of headaches AND it builds for iOS flawlessly.
To the people who build Android, advocate it and work on it, sorry to swear, but fuck you! You have created a mess that we have to work with on a day-to-day basis only for us to get banned from the app store! You have sold us a lie that Android development is amazing with all the sweet treat names and conferences that look bubbly and fun. You have allowed to get it so bad that we can't target an API higher than 18 because some Android users are still using devices that support that!
End this misery. End our pain. End our suffering. Throw this abomination away like you do with some of your other projects and migrate your efforts over to Flutter. Please!
#NoToGoogleIO #AndroidSummitBoycott #FlutterDev #ReactNative16 -
Got a call from a recruiter today. (Keep in mind that using WhatsApp is about a requirement over here.)
R: so can I app you (I hate that word to the fucking point) with further details?
Me: *oh fuck this is gonna get me fucked again* uhm I don't use it so yah...
R: ohhh okay, security reasons?
Me: *slight relief* yes indeed, sir
R: oh fair enough, you can always just text and call me!
*very relieved feeling*
It's for either a cyber security or linux job by the way.29 -
OH MY GOD
WHO NAMES A CONFERENCE ROOM AFTER AN -ADDRESS-??
At my new job, we had all day training on Friday. It was emphasized many times that we should not be late. I look at the meeting invite many times, and it says [123 Fake], with Fake being a Very Well Known Street, and I see on Google Maps that there's an office building there. Great, we must have an off-site training facility to help our clients become certified in our product. It doesn't say which floor, but I assume the small space we have in that large office building will become evident once I check in with lobby security.
Friday morning comes, I get to the office building 20 minutes early, and try to check in. They've never heard of my company. Maybe there's a computer lab we rent out? No, they don't know anything about that. I don't have work email or slack set up on my phone yet, so who do I call? I try reception, no one answers. Eventually I call our customer support line.
I shouldn't be at 123 Fake St. I should be at the office. Because that's the name of the conference room!
YOU HAD ONE JOB, ROOM NAMER!
Last night my boyfriend and I tried to think of worse names for conference rooms. The only ones I could think of were "meeting canceled" (but with that, at least I would be in the correct fucking building!) or just naming every conference room "conference room". Here's the thing: there's not just one 123 Fake St room! There's two of them right next to each other! So you can easily show up and think, I remember I was supposed to be in this room, but which one?
And I'm not even the first person to make this mistake. CLIENTS have gone to the wrong building before because they get included on meeting invitations that include conference room names! WTF!
It's pretty common to have Chicago conference rooms named after neighborhoods, or iconic buildings, etc. But nobody is going to think, "meeting in Bucktown? I'll just wander around the neighborhood until I find people with laptops". It's obviously a conference room. BUT A FUCKING ADDRESS OF A NEARBY OFFICE BUILDING? It's not even an iconic of a building!
Names matter. I care a lot about names in code. I never realized it could apply to the physical world as well. So now I am on a mission to change the names of these Goddamm conference rooms so I'm the last person to be directed to the wrong fucking building.
OH, and I'm out $9 for a taxi ride and a pair of gloves that got lost in the taxi so that's GREAT.13 -
I'm a week into my new job right now. What do I love the most about it?
Learning things all day long and getting paid for it!
I'm learning about hosting things, DNS, cyber security, configurations, Linux (although my current skill set with Linux has been enough for now) and so on!
Hell, easy day today (not that many tickets) so decided to start learning Ansible! Next to that I've gotta learn vim (it just autocorrected that to cum.... O.o), work with hosting panels, mail stuffs (dns, debugging etc etc) and so fucking on.
The boss hasn't been at location yet which will happen tomorrow but he seemed like a very chill guy.
I love this!21 -
Watching the Dutch government trying to get through the public procurement process for a "corona app" is equal parts hilarious and terrifying.
7 large IT firms screaming that they're going to make the perfect app.
Presentations with happy guitar strumming advertisement videos about how everyone will feel healthy, picnicking on green sunny meadows with laughing families, if only their app is installed on every citizen's phone.
Luckily, also plenty of security and privacy experts completely body-bagging these firms.
"It will connect people to fight this disease together" -- "BUT HOW" -- "The magic of Bluetooth. And maybe... machine learning. Oh! And blockchain!" -- "BUT HOW" -- "Shut up give us money, we promise, our app is going to cure the planet"
You got salesmen, promising their app will be ready in 2 weeks, although they can't even show any screenshots yet.
You got politicians mispronouncing technical terminology, trying hard to look as informed as possible.
You got TV presenters polling population support for "The App" by interviewing the most digitally oblivious people.
One of the app development firms (using some blockchain-based crap) promised transparency about their source code for auditing.... so they committed their source, including a backup file from one of their other apps, containing 200 emails/passwords to Github.
It's kind of entertaining... in the same way as a surgery documentary about the removal of glass shards from a sexually adventurous guy's butthole.
Imma keep watching out of morbid fascination.... from a very safe distance, far away from the blood and shit that's splattering against the walls.
And my phone -- keep your filthy infected bytes away from my sweet baby.
I'll stick with social distancing, regular hand washing, working from home and limited supermarket trips, thank you very much.26 -
So, continuing the story, in reverse order, on the warship and its domain setup...
One day, the CO told me that we needed to set up a proper "network". Until now, the "network" was just an old Telcom switch, and an online HDD. No DHCP, no nothing. The computers dropped to the default 169.254.0.0/16 link local block of addresses, the HDD was open to all, cute stuff. I do some research and present to him a few options. To start things off, and to show them that a proper setup is better and more functional, I set up a linux server on one old PC.
The CO is reluctant to approve of the money needed (as I have written before, budget constraints in the military is the stuff of nightmares, people there expect proper setups with two toothpicks and a rubber band). So, I employ the very principles I learned from the holy book Bastard Operator From Hell: terrorizing with intimidating-looking things. I show him the linux server, green letters over black font, ngrep -x running (it spooks many people to be shown that). After some techno-babble I got approval for a proper rack server and new PCs. Then came the hard part: convincing him to ditch the old Telcom switch in favour of a new CISCO Catalyst one.
Three hours of non-stop barrage. Long papers of NATO specifications on security standards. Subliminal threats on security compromises. God, I never knew I would have to stoop so low. How little did I know that after that...
Came the horrors of user support.
Moral of the story: an old greek saying says "even a saint needs terrorizing". Keep that in mind.4 -
First rant, please take pity on the noob! 😐
Recently I've secured many of my user accounts spread throughout the internet. Using the same old password for everything is bad for security and for mental health! 😫
Since I was on the mood, I've tried to do a 'break glass' scenario, simulating an attacker that possessed my Gmail account credentials. "How bad can it be?" I've thought to myself...
... Bad. Very bad. Turns out not only I use lots of oauth based services, I also wasn't able to authenticate back to Google without my pass.
So when you get home today, try simulating what would happen if someone got to your Google or Facebook account.
Makes you consider the amount of control these big companies have over your life 😶15 -
!(short rant)
Look I understand online privacy is a concern and we should really be very much aware about what data we are giving to whom. But when does it turn from being aware to just being paranoid and a maniac about it.? I mean okay, I know facebook has access to your data including your whatsapp chat (presumably), google listens to your conversations and snoops on your mail and shit, amazon advertises that you must have their spy system (read alexa) install in your homes and numerous other cases. But in the end it really boils down to "everyone wants your data but who do you trust your data with?"
For me, facebook and the so-called social media sites are a strict no-no but I use whatsapp as my primary chating application. I like to use google for my searches because yaa it gives me more accurate search results as compared to ddg because it has my search history. I use gmail as my primary as well as work email because it is convinient and an adv here and there doesnt bother me. Their spam filters, the easy accessibility options, the storage they offer everything is much more convinient for me. I use linux for my work related stuff (obviously) but I play my games on windows. Alexa and such type of products are again a big no-no for me but I regularly shop from amazon and unless I am searching for some weird ass shit (which if you want to, do it in some incognito mode) I am fine with coming across some advs about things I searched for. Sometimes it reminds me of things I need to buy which I might have put off and later on forgot. I have an amazon prime account because prime video has some good shows in there. My primary web browser is chrome because I simply love its developer tools and I now have gotten used to it. So unless chrome is very much hogging on my ram, in which case I switch over to firefox for some of my tabs, I am okay with using chrome. I have a motorola phone with stock android which means all google apps pre-installed. I use hangouts, google keep, google map(cannot live without it now), heck even google photos, but I also deny certain accesses to apps which I find fishy like if you are a game, you should not have access to my gps. I live in India where we have aadhar cards(like the social securtiy number in the USA) where the government has our fingerprints and all our data because every damn thing now needs to be linked with your aadhar otherwise your service will be terminated. Like your mobile number, your investment policies, your income tax, heck even your marraige certificates need to be linked with your aadhar card. Here, I dont have any option but to give in because somehow "its in the interest of the nation". Not surprisingly, this thing recently came to light where you can get your hands on anyone's aadhar details including their fingerprints for just ₹50($1). Fuck that shit.
tl;dr
There are and should be always exceptions when it comes to privacy because when you give the other person your data, it sometimes makes your life much easier. On the other hand, people/services asking for your data with the sole purpose of infilterating into your private life and not providing any usefulness should just be boycotted. It all boils down to till what extent you wish to share your data(ranging from literally installing a spying device in your house to them knowing that I want to understand how spring security works) and how much do you trust the service with your data. Example being, I just shared most of my private data in this rant with a group of unknown people and I am okay with it, because I know I can trust dev rant with my posts(unlike facebook).29 -
Oh you're a frontend guy? Good, we need one of those.
Oh you're a backend guy too? Good, we need one of those.
Oh you're a security guy too? Good, we need one of those.
Oh you're a devops guy too? Good, we need one of those.
Oh you're a QA guy too? Good, we need one of those.
Oh you're an SEO guy too? Good, we need one of those.
"Well, sorry to say fullStackCraft, but we found your cloud architecture skills just a little too lacking for this position. We really need someone who can do frontend, backend, security audits, QA assessments, SEO, AND build scaling cloud architecture. Oh and while you're at it, can you turn fucking water into gold? We need that at our company too. You didn't get the position, but it'd be great if you could refer us to someone who is very advanced in fucking alchemy. Thanks!"
Absolutely toxic the way software people are treated I swear. The money may be the only good thing that is left.19 -
I wonder why banks are always so terribly insecure, given how much money there's for grabs in there for hackers.
Just a while ago I got a new prepaid credit card from bpost, our local postal service that for some reason also does banking. The reason for that being that - thank you 'Murica! - a lot of websites out there don't accept anything but credit cards and PayPal. Because who in their right mind wouldn't use credit cards, right?! As it turns out, it's pretty much every European I've spoken to so far.
That aside, I got that card, all fine and dandy, it's part of the Mastercard network so at least I can get my purchases from those shitty American sites that don't accept anything else now. Looked into the manual of it because bpost's FAQ isn't very clear about what my login data for their online customer area now actually is. Not that their instruction manual was either.
I noticed in that manual that apparently the PIN code can't be changed (for "security reasons", totally not the alternative that probably they didn't want to implement it), and that requesting a forgotten PIN code can be done with as little as calling them up, and they'll then send the password - not a reset form, the password itself! IN THE FUCKING MAIL.
Because that's apparently how financial institutions manage their passwords. The fact that they know your password means that they're storing it in plain text, probably in a database with all the card numbers and CVC's next to it. Wouldn't that be a treasure trove for cybercriminals, I wonder? But YOU the customer can't change your password, because obviously YOU wouldn't be able to maintain a secure password, yet THEY are obviously the ones with all the security and should be the ones to take out of YOUR hands the responsibility to maintain YOUR OWN password.
Banking logic. I fucking love it.
As for their database.. I reckon that that's probably written in COBOL too. Because why wouldn't you.23 -
Designer: Need to file a bug, I'm not getting an option to login with FaceID
Me: Oh weird bug. Is it setup on the phone you are testing with?
Designer: yes, use it in all other apps
Me: Did you get an error during onboarding on the FaceID screen?
Designer: nope no error
Me: ..... hhhmm, can you show me your settings?
Me: ... eh, says you have FaceID disabled for this app ... did you click "No" to FaceID during onboarding?
Designer: Yes, to test edge cases
Me: ................ ok ........ if you setup the app and told it to not allow FaceID to login ......... you won't get the ability to use FaceID to login .......... like .... by design .... on purpose ...... cause .... you told it to do that
Designer: No no, it needs to have a setting on the login screen to allow me to turn that back on incase I forget my passcode
Me: the fuck it does. Yeah we can't have anything on the login page that says, without authorization, change my settings
*Deep breath*
Me: Remember we had this conversation previously, where you didn't want the user to create a passcode during onboarding as it was too much friction, and wanted to do FaceID only. With your backup plan being to allow the user to create a NEW passcode on the login screen if FaceID failed .... remember that discussion we had about security? ... and how its important? ... and that we like having any? Ok so its the same reason as that, just with a different setting this time
Designer: ... hhmm i'm not sure I like this
Me: ... tough luck then, not happening
Me: oh and btw, remember we had that other talk about reproduction steps for bugs? Like when the app crashed and you told me it was because its in light mode, and nothing else at all? So disabling FaceID, is very relevant info to the problem of "I can't login with FaceID", please tell me these things first11 -
So I said I'd rant this yesterday but a long night of server management came in the way!
Yesterday @trogus mentioned in a comment that he thinks everyone deserves a place where they feel like home and this is that place for me along with some sub-places which derived from here.
So in this linux/foss chat yesterday I was trying to get into an IRC chatroom (all people there (or at least a lot) are also like minded on privacy/security). I don't want to use email signup if not absolutely neccesary (don't judge me, everyone there own thing) and I found out very late (after 20 minutes of instructions from a fellow devRanter) that this thing required email signup. I didn't wanna do that so I said that and started typing a whole essay of why I'd rather not do that and what my reasons are (privacy partly) but then the guy said: "haha you got it man".
For one second I forgot that I don't have to explain myself over there on stuff regarding privacy that a lot of people would find paranoid. Man, that feels like being home :).6 -
The stupid stories of how I was able to break my schools network just to get better internet, as well as more ridiculous fun. XD
1st year:
It was my freshman year in college. The internet sucked really, really, really badly! Too many people were clearly using it. I had to find another way to remedy this. Upon some further research through Google I found out that one can in fact turn their computer into a router. Now what’s interesting about this network is that it only works with computers by downloading the necessary software that this network provides for you. Some weird software that actually looks through your computer and makes sure it’s ok to be added to the network. Unfortunately, routers can’t download and install that software, thus no internet… but a PC that can be changed into a router itself is a different story. I found that I can download the software check the PC and then turn on my Router feature. Viola, personal fast internet connected directly into the wall. No more sharing a single shitty router!
2nd year:
This was about the year when bitcoin mining was becoming a thing, and everyone was in on it. My shitty computer couldn’t possibly pull off mining for bitcoins. I needed something faster. How I found out that I could use my schools servers was merely an accident.
I had been installing the software on every possible PC I owned, but alas all my PC’s were just not fast enough. I decided to try it on the RDS server. It worked; the command window was pumping out coins! What I came to find out was that the RDS server had 36 cores. This thing was a beast! And it made sense that it could actually pull off mining for bitcoins. A couple nights later I signed in remotely to the RDS server. I created a macro that would continuously move my mouse around in the Remote desktop screen to keep my session alive at all times, and then I’d start my bitcoin mining operation. The following morning I wake up and my session was gone. How sad I thought. I quickly try to remote back in to see what I had collected. “Error, could not connect”. Weird… this usually never happens, maybe I did the remoting wrong. I went to my schools website to do some research on my remoting problem. It was down. In fact, everything was down… I come to find out that I had accidentally shut down the schools network because of my mining operation. I wasn’t found out, but I haven’t done any mining since then.
3rd year:
As an engineering student I found out that all engineering students get access to the school’s VPN. Cool, it is technically used to get around some wonky issues with remoting into the RDS servers. What I come to find out, after messing around with it frequently, is that I can actually use the VPN against the screwed up security on the network. Remember, how I told you that a program has to be downloaded and then one can be accepted into the network? Well, I was able to bypass all of that, simply by using the school’s VPN against itself… How dense does one have to be to not have patched that one?
4th year:
It was another programming day, and I needed access to my phones memory. Using some specially made apps I could easily connect to my phone from my computer and continue my work. But what I found out was that I could in fact travel around in the network. I discovered that I can, in fact, access my phone through the network from anywhere. What resulted was the discovery that the network scales the entirety of the school. I discovered that if I left my phone down in the engineering building and then went north to the biology building, I could still continue to access it. This seems like a very fatal flaw. My idea is to hook up a webcam to a robot and remotely controlling it from the RDS servers and having this little robot go to my classes for me.
What crazy shit have you done at your University?9 -
I can't believe this company.
They want to stop using Certificates because it bothers the customer.
I had to use https because we were using service workers for a PWA.
I tried explaining we need them for the product to work, and also it's a basic security measure.
They were removing the certificates without my knowledge.
I found out because a colleague wanted a way to disable the service worker and asked me for help.
The manager said your not the boss of the company, it's not your company to make decisions.
Just do what they say, he tried to justify the decision from above, I said ok when was the last time you installed a certificate? he said never.
Ok, then what the fuck are you talking about, its 10 minutes to get a certificate letscrypt HELLO.
This company is very hierarchical 1900 style, I'm the person who does innovation in the organization, that's the most fucked up part, they say no to everything.
OMG, I'm going to quit.
There just asking to get hacked, this is just the tip of the iceberg.
Is this common or are they morons?17 -
Root rents an office.
Among very few other things, the company I'm renting an office from (Regus) provides wifi, but it isn't even bloody secured. There's a captive portal with a lovely (not.) privacy policy saying they're free to monitor your traffic, but they didn't even bother using WEP, which ofc means everyone else out to the fucking parking lot four floors down can monitor my traffic, too.
Good thing I don't work for a company that handles sensitive data! /s But at least I don't have access to it, or any creds that matter.
So, I've been running my phone's connection through a tor vpn and sharing that with my lappy. It works, provides a little bit of security, but it's slow as crap. GET YOUR SHIT TOGETHER, REGUS.
AND WHILE YOU'RE AT IT, CLEAN THE SHIT OUT OF THE FUCKING BATHROOM FFS.
Ugh. $12/day to work in a freaking wind tunnel (thanks, a/c; you're loud as fuck and barely work), hear other people's phone conversations through two freaking walls, pee in a bathroom that perpetually smells like diarrhea, and allow anyone and everyone within a 50+ meter radius to listen to everything my computer says.
Oh, they also 'forgot' to furnish my office, like they promised. Three freaking times. At least I have a table and chair. 🙄
Desk? What desk?
Fucking hell.20 -
I'm trying to sign up for insurance benefits at work.
Step 1: Trying to find the website link -- it's non-existent. I don't know where I found it, but I saved it in keepassxc so I wouldn't have to search again. Time wasted: 30 minutes.
Step 2: Trying to log in. Ostensibly, this uses my work account. It does not. Time wasted: 10 minutes.
Step 3: Creating an account. Username and Password requirements are stupid, and the page doesn't show all of them. The username must be /[A-Za-z0-9]{8,60}/. The maximum password length is VARCHAR(20), and must include upper/lower case, number, special symbol, etc. and cannot include "password", repeated charcters, your username, etc. There is also a (required!) hint with /[A-Za-z0-9 ]{8,60}/ validation. Want to type a sentence? better not use any punctuation!
I find it hilarious that both my username and password hint can be three times longer than my actual password -- and can contain the password. Such brilliant security.
My typical username is less than 8 characters. All of my typical password formats are >25 characters. Trying to figure out memorable credentials and figuring out the hidden complexity/validation requirements for all of these and the hint... Time wasted: 30 minutes.
Step 4: Post-login. The website, post-login, does not work in firefox. I assumed it was one of my many ad/tracker/header/etc. blockers, and systematically disabled every one of them. After enabling ad and tracker networks, more and more of the site loaded, but it always failed. After disabling bloody everything, the site still refused to work. Why? It was fetching deeply-nested markup, plus styling and javascript, encoded in xml, via api. And that xml wasn't valid xml (missing root element). The failure wasn't due to blocking a vitally-important ad or tracker (as apparently they're all vital and the site chain-loads them off one another before loading content), it's due to shoddy development and lack of testing. Matches the rest of the site perfectly. Anyway, I eventually managed to get the site to load in Safari, of all browsers, on a different computer. Time wasted: 40 minutes.
Step 5: Contact info. After getting the site to work, I clicked the [Enroll] button. "Please allow about 10 minutes to enroll," it says. I'm up to an hour and 50 minutes by now. The first thing it asks for is contact info, such as email, phone, address, etc. It gives me a warning next to phone, saying I'm not set up for notifications yet. I think that's great. I select "change" next to the email, and try to give it my work email. There are two "preferred" radio buttons, one next to "Work email," one next to "Personal email" -- but there is only one textbox. Fine, I select the "Work" preferred button, sign up for a faux-personal tutanota email for work, and type it in. The site complains that I selected "Work" but only entered a personal email. Seriously serious. Out of curiosity, I select the "change" next to the phone number, and see that it gives me four options (home, work, cell, personal?), but only one set of inputs -- next to personal. Yep. That's amazing. Time spent: 10 minutes.
Step 6: Ranting. I started going through the benefits, realized it would take an hour+ to add dependents, research the various options, pick which benefits I want, etc. I'm already up to two hours by now, so instead I decided to stop and rant about how ridiculous this entire thing is. While typing this up, the site (unsurprisingly) automatically logged me out. Fine, I'll just log in again... and get an error saying my credentials are invalid. Okay... I very carefully type them in again. error: invalid credentials. sajfkasdjf.
Step 7 is going to be: Try to figure out how to log in again. Ugh.
"Please allow about 10 minutes" it said. Where's that facepalm emoji?
But like, seriously. How does someone even build a website THIS bad?rant pages seriously load in 10+ seconds slower than wordpress too do i want insurance this badly? 10 trackers 4 ad networks elbonian devs website probably cost $1million or more too root gets insurance stop reading my tags and read the rant more bugs than you can shake a stick at the 54 steps to insanity more bugs than master of orion 313 -
So this chick has been super nice to me for the past few months, and has been trying to push me towards a role in security. She said nothing but wonderful things about it. It’s easy, it’s not much work, it’s relaxing, etc.
I eventually decided I’m burned out enough that something, anything different would be good, and went for it. I’m now officially doing both dev and security. The day I started, she announced that she was leaving the security team and wouldn’t join any other calls. Just flat-out left.
She trained me on doing a security review of this release, which basically amounted to a zoom call where I did all of the work and she directed me on what to do next, ignored everything I said, and treated me like an idiot. It’s apparently an easy release. The work itself? Not difficult, but it’s very involved, very time consuming, and requires a lot of paper trail — copying the same crap to three different places, tagging lots of people, copying their responses and pasting them elsewhere, filing tickets, linking tickets, copying info back and forth to slack, signing off on things, tagging tickets in a specific way, writing up security notes in a very specific format etc. etc. etc. It’s apparently usually very hectic with lots of last-minute changes, devs who simply ignore security requests, etc.
I asked her at the end for a quick writeup because I’m not going to remember everything and we didn’t cover everything that might happen.
Her response: Just remember what you did here, and do it again!
I asked again for her to write up some notes. She said “I would recommend.. you watch the new release’s channel starting Thursday, and then review what we did here, and just do all that again. Oh, and if you have any questions, talk to <security boss> so you get in the habit of asking him instead of me. Okay, bye!”
Fucking what.
No handoff doc?
Not willing to answer questions after a day and a half of training?
A recap
• She was friendly.
• She pushed me towards security.
• She said the security role was easy and laid-back.
• I eventually accepted.
• She quit the same day.
• The “easy release” took a day and a half of work with her watching, and it has a two-day deadline.
• She treated (and still treats) me like a burden and ignores everything I said or asked.
• The work is anything but laid-back.
• She refuses to spend any extra time on this or write up any notes.
• She refuses to answer any further questions because (quote) “I should get in the habit of asking <security boss> instead of her”
So she smiled, lied, and stabbed me in the back. Now she’s treating me like an annoyance she just wants to go away.
I get that she’s burned out from this, but still, what a fucking bitch. I almost can’t believe she’s acting this way, but I’ve grown to expect it from everyone.
But hey, at least I’m doing something different now, which is what I wanted. The speed at which she showed her true colors, though, holy shit.
“I’m more of a personal motivator than anything,” she says, “and I’m first and foremost a supporter of women developers!” Exactly wrong, every single word of it.
God I hate people like this.20 -
Every single one of them, and every one that will come after them.
Google, it started out as 2 people in their garage, wanting to make a search engine that was better than the others. Nothing else, nothing evil. Just make the world a little bit better. And look what it's become now. A megacorporation with little to no regards for their user base. Because who cares about users anyway?
Microsoft, it started out with Bill Gates - young high school computer nerd - who wanted to make an operating system for the world to use. Something that's better than the competition. And boy did he do so. Well "better than the competition" aside, he did make it for the world to use. And the world adopted it. And look what it's become now. A megacorporation with little to no regards for their user base. Because who cares about users anyway?
See where I'm going here?
Apple, it started out with Steve Jobs and Steve Wozniak in their garage, just like Google did, wanting to make hardware that was better than the others. Nothing else, nothing evil. Just to make the world a little bit better. And look what it's become now. Planned obsolescence has been baked into it, just like it is in every other piece of technology. Quality control and thinking through the design has become a thing of the past. User choice, yeah who cares about that.
Samsung, it started out centuries ago actually, and I don't really remember the details of it.. ColdFusion has a video on it if memory serves me right. Do watch it if you're interested. Anyway, just like all the others they started out as a company which wanted to make the world a little bit better. And damn right did they do so.. initially. Look what they've become now. Forcing their stupid TouchWiz UI upon their customers (or products?), a Bixby button that can't even be reprogrammed.. and the latest thing.. Knox, advertised as a security feature, but as everyone who likes rooting their devices and mucking with it knows, it is an anti-feature that only serves for lockdown. Why shouldn't you be able to turn in a phone for RMA when a hardware error occurs, when all you've personally modified is the software? Why should changing the software blow that eFuse, so that you can be sure that you can't replace it without specialized equipment and a very steady hand?
I could go on and on forever about more of the tech giants out there, but I feel like this suffices for now. Otherwise I won't have anything else left for future rants! But one thing I know for sure. Every tech company started, starts, and will start out with a desire to make the world a better place, and once they gain a significant customer base, they will without exception turn into the same kind of Evil Megacorp., just like the ones before them. Some may say that capitalism itself is to blame for this, the greed for more when you already have a lot. Who knows? I'd rather say that the very human nature itself is to blame for it. We're by design greedy beings, and I hate it. I hate being human for that. I don't want humans to be evil towards one another, and be greedy for ever more. But I guess that that's just the way it is, and some things do actually never change...17 -
Root encounters HR at her new job.
So, I left my job a few weeks ago. I was pretty sad about it, so I didn't want to write anything about it. It was a great place to work, with great managers, decent coworkers, and interesting work. I also had free reign over how I built things, what to improve, etc. Within about four months, I authored over half of the total commits on their backend repo, added a testing suite with 90% coverage, significantly improved the security (more accurately: added security), etc. but I got a job offer that allowed me to work remotely, and make well over six figures (usd). I couldn't turn it down, even though I wanted to. So, I left. I'm still genuinely sad about that. I had emotions and everything. 🙁 I stayed on long enough to finish the last of the features for their new product launch, and make sure everything was stable. I'm welcome back whenever, though they don't want to have remote employees, and I want to move, so. that's probably not going to happen. sigh.
Anyway, I started my new job this week. Rented an office (read: professional closet) and everything! It's been veritable mountains of HR paperwork so far. That's all I've done besides some accounts setup. I've seriously only worked on and completed one ticket so far in two and a half days, and I still have six documents/contracts to sign! (and benefits; that'll probably take my weekend.)
But getting an I9 thing notarized? Apparently I only have three days before I'm legally unemployable by them or something, idk. HR made it sound ridiculously dire and important, and reminded me like five or more times. I figured it was just some notary service; that takes like 10 minutes, right? So I put it off until my second day so I didn't have to disappear in the middle of my first day. Anyway, I called a bunch of notary services on day 2, and apparently only like 5% of them both do notary services this time of year and aren't booked full. And of those, probably another 5% will notarize I9 documents.. No idea why it's rare, but whatever, I'm not a notary.
The HR lady assured me that I didn't need any special documents; I should just go there, present my IDs, and the notary will provide or draft documents for everything else. Totally doesn't sound right, but fine; I'm not a notary nor will I ever work in HR, so I'm not very knowledgeable about this. So, against my better judgement I decided to just go anyway. I called around and finally found a place that wasn't closed, busy, or refusing, and drove over there. Waited. Waited. Waited. Notary lady was super slow in every single action. (I should mention that it's now 10am, and I have a meeting with the Senior VP of Engineering [a stern, stubborn old goat who enjoys making people feel inadequate] at 12:30pm.) The notary lady looks like she's an npc updating in slow motion (maybe at 0.25x speed?) and can't seem to understand what I need. Eventually, she tells me exactly what I had assumed: if there's no document, she can't notarize said document, and she doesn't have an I9 for the company I'm trying to work for. (like, duh.) So I thank her for proving the flow of time is variable, which she ignores in slow motion, and drive back home. It's now about 11.
I message the same HR lady, and the useless wench gawks in surprise and says she's never heard of that ridiculous request before. It took prodding to get her to respond every time, but after some (very slow) back and forth, she says she wants to call the notary personally and ask what they need. I waited around for another response that never came, and eventually just drove to the notary place again to have them notarize the required ID documents. That plus my chat history with HR should be enough to show that I bloody well tried, and HR just shit the bed instead. I finally got them notarized at like 12:10, and totally broke the speed limit the entire way to the office, found the last remaining parking spot, and made it to my office just in time for the meeting. seriously, less than two minutes to spare. Meeting was interesting (mostly about security), but totally made me facepalm, shout "Seriously!? What the hell are you thinking!?" and make slapping motions at some of the people talking. I will probably rant about that next.
But anyway, I'm willing to bet that the useless wench won't get back to me before the notary closes, if at all, and will somehow try to blame it completely on me if I bring it up again. Passive aggressive bitch. She's probably thinking: "If I don't help her with these mandatory legal processes, it'll be her fault she didn't get them done in time. I mean, they're so easy! She's just doing it wrong." I fucking hate HR.13 -
So...
I'm penetrationtesting a network and the servers on said network
The network administrator and IT security officer knows this, because they hired me..
TL;DR a scan caused the network to crash.
Today I received a very angry email going "Stop scanning NOW!" from one of the IT departments.
Apparently I crashed their login server and thus their entire network...
It happened d the first time I scanned the network from the outside and they had spend an entire day figuring out how and repairing the service they thought was the problem, but then it crashed again, when I scanned from within the network.
Now they want to send me a list of IP's that I'm not allowed to scan and want to know exactly what and when I'm scanning...
How crap can they be at their job, if they weren't able to spot a scan... The only reason they found out it was me was because the NA had whitelistet my IP, so that I could scan in peace...5 -
Although it might not get much follow up stuffs (probably a few fines but that will be about it), I still find this awesome.
The part of the Dutch government which keeps an eye on data leaks, how companies handle personal data, if companies comply with data protection/privacy laws etc (referring to it as AP from now on) finished their investigation into Windows 10. They started it because of privacy concerns from a few people about the data collection Microsoft does through Windows 10.
It's funny that whenever operating systems are brought up (or privacy/security) and we get to why I don't 'just' use windows 10 (that's actually something I'm asked sometimes), when I tell that it's for a big part due to privacy reasons, people always go into 'it's not that bad', 'oh well as long as it's lawful', 'but it isn't illegal, right!'.
Well, that changed today (for the netherlands).
AP has concluded that Windows 10 is not complying with the dutch privacy and personal data protection law.
I'm going to quote this one (trying my best to translate):
"It appears that Microsofts operating system follows every step you take on your computer. That gives a very invasive image of you", "What does that mean? do people know that, do they want that? Microsoft should give people a fair chance for deciding this by themselves".
They also say that unless explicit lawful consent is given (with enough information on what is collected, for what reasons and what it can be used for), Microsoft is, according to law, not allowed to collect their telemetrics through windows 10.
"But you can turn it off yourself!" - True, but as the paragraph above said, the dutch law requires that people are given more than enough information to decide what happens to their data, and, collection is now allowed until explicitly/lawfully ok'd where the person consenting has had enough information in order to make a well educated decision.
I'm really happy about this!
Source (dutch, sorry, only found it on a dutch (well respected) security site): https://security.nl/posting/534981/...8 -
Coding nightmare -> the guy who wrote this application I guess wanted job security? At the VERY least to be a pain in the ass to anyone else who touches his code....WHO NAMES THEIR VARIABLES PEOPLE NAMES?!?!? do I know what "Beth" or "Sarah" stand for? ummmm....no 😢8
-
Following a conversation with a fellow devRanter this came to my mind ago, happened a year or two ago I think.
Was searching for an online note taking app which also provided open source end to end encryption.
After searching for a while I found something that looked alright (do not remember the URL/site too badly). They used pretty good open source JS crypto libraries so it seemed very good!
Then I noticed that the site itself did NOT ran SSL (putting the https:// in front of the site name resulted in site not found or something similar).
Went to the Q/A section because that's really weird.
Saw the answer to that question:
"Since the notes are end to end encrypted client side anyways, we don't see the point in adding SSL. It's secure enough this way".
😵
I emailed them right away explaing that any party inbetween their server(s) and the browser could do anything with the request (includingt the cryptographic JS code) so they should start going onto SSL very very fast.
Too badly I never received a reply.
People, if you ever work with client side crypto, ALWAYS use SSL. Also with valid certs!
The NSA for example has this thing known as the 'Quantum Insert' attack which they can deploy worldwide which basically is an attack where they detect requests being made to servers and reply quickly with their own version of that code which is very probably backdoored.
This attack cannot be performed if you use SSL! (of course only if they don't have your private keys but lets assume that for now)
Luckily Fox-IT (formerly Dutch cyber security company) wrote a Snort (Intrustion Detection System) module for detecting this attack.
Anyways, Always use SSL if you do anything at all with crypto/sensitive data! Actually, always use it but at the very LEAST really do it when you process the mentioned above!31 -
I was offered to work for a startup in August last year. It required building an online platform with video calling capabilities.
I told them it would be on learn and implement basis as I didn't know a lot of the web tech. Learnt all of it and kept implementing side by side.
I was promised a share in the company at formation, but wasn't given the same at the time of formation because of some issues in documents.
Yes, I did delay at times on the delivery date of features on the product. It was my first web app, with no prior experience. I did the entire stack myself from handling servers, domains to the entire front end. All of it was done alone by me.
Later, I also did install a proxy server to expand the platform to a forum on a new server.
And yesterday after a month of no communication from their side, I was told they are scraping the old site for a new one. As I had all the credentials of the servers except the domain registration control, they transferred the domain to a new registrar and pointed it to a new server. I have a last meeting with them. I have decided to never work with them and I know they aren't going to provide me my share as promised.
I'm still in the 3rd year of my college here in India. I flunked two subjects last semester, for the first time in my life. And for 8 months of work, this is the end result of it by being scammed. I love fitness, but my love for this is more and so I did leave all fitness activities for the time. All that work day and night got me nothing of what I expected.
Though, they don't have any of my code or credentials to the server or their user base, they got the new website up very fast.
I had no contract with them. Just did work on the basis of trust. A lesson learnt for sure.
Although, I did learn to create websites completely all alone and I can do that for anyone. I'm happy that I have those skills now.
Since, they are still in the start up phase and they don't have a lot of clients, I'm planning to partner with a trusted person and release my code with a different design and branding. The same idea basically. How does that sound to you guys?
I learned that:
. No matter what happens, never ignore your health for anybody or any reason.
. Never trust in business without a solid security.
. Web is fun.
. Self-learning is the best form of learning.
. Take business as business, don't let anyone cheat you.19 -
Working on a funny/new api/service (will be a public one) and I'm only now realizing how important good security is but especially:
The amount of time that goes into securing an api/application is too goddamn high, I'm spending about 90 percent of my time on writing security checks 😅
Very much fun but the damn.31 -
Gotta say, I find it awesome that I can connect with some devRanters through encrypted channels.
It's awesome to talk to devRanters with the same mindset through channels that offer a very high level of security/privacy.
Thanks!39 -
Not sure if this would be true since I find it very hard to judge this one myself but I hope that some people on here see me as some kind of mentorish person when it comes to either Linux, privacy of security.
Parenthesis on "hope"😅21 -
Resurrect happypenguin.org
This particular site appeared in the year 1998 with the goal to make gaming on Linux easier and more fun.
Unfortunately, 2013 the site went down due to lack of funding and time for the creator Bob Zimbinski. He released the database to the public but removed the code itself because it was created in the 90's and was a big security risk.
I want to resurrect happypenguin.org and I want some brave souls who want to participate with this. I am not a coder (I can only sysadmin) so It would be awesome if someone wanted to help out with this.
Would be awesome if you could make if look like the classic site, or make it very similar to it or https://distrowatch.com/ that also has a very retro style to it. It would also be great if the site was ad-free.
I will take care of the hosting part (servers, DNS, domain).50 -
I thought this launch (security/privacy blog) would go smooth:
- analytics fell, except for one thing, apart for yet unknown reasons
- MySQL came with a very weird error which took me like half an hour of research before I hacked my way past it.
- the firewall started to fuck around for no reason, works now though.
Nginx worked without issues though, as well as NetData 😅
Yeah, didn't go as planned :P10 -
Long story short, I'm unofficially the hacker at our office... Story time!
So I was hired three months ago to work for my current company, and after the three weeks of training I got assigned a project with an architect (who only works on the project very occasionally). I was tasked with revamping and implementing new features for an existing API, some of the code dated back to 2013. (important, keep this in mind)
So at one point I was testing the existing endpoints, because part of the project was automating tests using postman, and I saw something sketchy. So very sketchy. The method I was looking at took a POJO as an argument, extracted the ID of the user from it, looked the user up, and then updated the info of the looked up user with the POJO. So I tried sending a JSON with the info of my user, but the ID of another user. And voila, I overwrote his data.
Once I reported this (which took a while to be taken seriously because I was so new) I found out that this might be useful for sysadmins to have, so it wasn't completely horrible. However, the endpoint required no Auth to use. An anonymous curl request could overwrite any users data.
As this mess unfolded and we notified the higher ups, another architect jumped in to fix the mess and we found that you could also fetch the data of any user by knowing his ID, and overwrite his credit/debit cards. And well, the ID of the users were alphanumerical strings, which I thought would make it harder to abuse, but then realized all the IDs were sequentially generated... Again, these endpoints required no authentication.
So anyways. Panic ensued, systems people at HQ had to work that weekend, two hot fixes had to be delivered, and now they think I'm a hacker... I did go on to discover some other vulnerabilities, but nothing major.
It still amsues me they think I'm a hacker 😂😂 when I know about as much about hacking as the next guy at the office, but anyways, makes for a good story and I laugh every time I hear them call me a hacker. The whole thing was pretty amusing, they supposedly have security audits and QA, but for five years, these massive security holes went undetected... And our client is a massive company in my country... So, let's hope no one found it before I did.6 -
3 rants for the price of 1, isn't that a great deal!
1. HP, you braindead fucking morons!!!
So recently I disassembled this HP laptop of mine to unfuck it at the hardware level. Some issues with the hinge that I had to solve. So I had to disassemble not only the bottom of the laptop but also the display panel itself. Turns out that HP - being the certified enganeers they are - made the following fuckups, with probably many more that I didn't even notice yet.
- They used fucking glue to ensure that the bottom of the display frame stays connected to the panel. Cheap solution to what should've been "MAKE A FUCKING DECENT FRAME?!" but a royal pain in the ass to disassemble. Luckily I was careful and didn't damage the panel, but the chance of that happening was most certainly nonzero.
- They connected the ribbon cables for the keyboard in such a way that you have to reach all the way into the spacing between the keyboard and the motherboard to connect the bloody things. And some extra spacing on the ribbon cables to enable servicing with some room for actually connecting the bloody things easily.. as Carlos Mantos would say it - M-m-M, nonoNO!!!
- Oh and let's not forget an old flaw that I noticed ages ago in this turd. The CPU goes straight to 70°C during boot-up but turning on the fan.. again, M-m-M, nonoNO!!! Let's just get the bloody thing to overheat, freeze completely and force the user to power cycle the machine, right? That's gonna be a great way to make them satisfied, RIGHT?! NO MOTHERFUCKERS, AND I WILL DISCONNECT THE DATA LINES OF THIS FUCKING THING TO MAKE IT SPIN ALL THE TIME, AS IT SHOULD!!! Certified fucking braindead abominations of engineers!!!
Oh and not only that, this laptop is outperformed by a Raspberry Pi 3B in performance, thermals, price and product quality.. A FUCKING SINGLE BOARD COMPUTER!!! Isn't that a great joke. Someone here mentioned earlier that HP and Acer seem to have been competing for a long time to make the shittiest products possible, and boy they fucking do. If there's anything that makes both of those shitcompanies remarkable, that'd be it.
2. If I want to conduct a pentest, I don't want to have to relearn the bloody tool!
Recently I did a Burp Suite test to see how the devRant web app logs in, but due to my Burp Suite being the community edition, I couldn't save it. Fucking amazing, thanks PortSwigger! And I couldn't recreate the results anymore due to what I think is a change in the web app. But I'll get back to that later.
So I fired up bettercap (which works at lower network layers and can conduct ARP poisoning and DNS cache poisoning) with the intent to ARP poison my phone and get the results straight from the devRant Android app. I haven't used this tool since around 2017 due to the fact that I kinda lost interest in offensive security. When I fired it up again a few days ago in my PTbox (which is a VM somewhere else on the network) and today again in my newly recovered HP laptop, I noticed that both hosts now have an updated version of bettercap, in which the options completely changed. It's now got different command-line switches and some interactive mode. Needless to say, I have no idea how to use this bloody thing anymore and don't feel like learning it all over again for a single test. Maybe this is why users often dislike changes to the UI, and why some sysadmins refrain from updating their servers? When you have users of any kind, you should at all times honor their installations, give them time to change their individual configurations - tell them that they should! - in other words give them a grace time, and allow for backwards compatibility for as long as feasible.
3. devRant web app!!
As mentioned earlier I tried to scrape the web app's login flow with Burp Suite but every time that I try to log in with its proxy enabled, it doesn't open the login form but instead just makes a GET request to /feed/top/month?login=1 without ever allowing me to actually log in. This happens in both Chromium and Firefox, in Windows and Arch Linux. Clearly this is a change to the web app, and a very undesirable one. Especially considering that the login flow for the API isn't documented anywhere as far as I know.
So, can this update to the web app be rolled back, merged back to an older version of that login flow or can I at least know how I'm supposed to log in to this API in order to be able to start developing my own client?6 -
Alright, the blog seems to be running again and its not breaking yet which is a good sign :P.
Although nothing has changed on the front end yet, the backend has been partly rewritten to be more efficient and of course, post sorting based on posting date!
I'm aware of most of the front end issues so no need to tell me all of them again, I'll look at that tomorrow as I need sleep right now :(
If you'd find any bugs/security issues, please, don't exploit them but report them instead! I take security very seriously and will try to patch any security bug as soon as I can :)13 -
Dear all wonderful ranters,
I apologize profusely in advance if over the next few days I cannot contain my anger at people and rant about non-dev things. I promise I will try my best to not do this, but there are very few places (none) other than here where I feel comfortable enough to express myself freely and not censor my words.
I will be working as a security guard (3rd job) for a car show full of pretentious assholes who have a tendency to think I'm their servant. I have wonderful bosses who have my back, and there are truly amazing people in attendance as well, but if someone tries to run me over again after a long ass day, I might need to vent.
I fully accept any and all down votes, and will likely delete the rant after it's out of my system, unless there's a conversation going in comments (I wouldn't do that to you).
Please bear with me while I try boot to strangle everyone I come across. I'm hoping this year is the year everyone is nice, but history tells me that's naive and won't happen.
All my love,
Your (co)queen who may end up arrested for using her bionic arm to rip their balls off and feed them to their wives10 -
What I'm posting here is my 'manifesto'/the things I stand for. You may like it, you may hate it, you may comment but this is what I stand for.
What are the basic principles of life? one of them is sharing, so why stop at software/computers?
I think we should share our software, make it better together and don't put restrictions onto it. Everyone should be able to contribute their part and we should make it better together. Of course, we have to make money but I think that there is a very good way in making money through OSS.
Next to that, since the Snowden releases from 2013, it has come clear that the NSA (and other intelligence agencies) will try everything to get into anyone's messages, devices, systems and so on. That's simply NOT okay.
Our devices should be OUR devices. No agency should be allowed to warrantless bypass our systems/messages security/encryptions for the sake of whatever 'national security' bullshit. Even a former NSA semi-director traveled to the UK to oppose mass surveillance/mass govt. hacking because he, himself, said that it doesn't work.
We should be able to communicate freely without spying. Without the feeling that we are being watched. Too badly, the intelligence agencies of today do not want us to do this and this is why mass surveillance/gag orders (companies having to reveal their users' information without being allowed to alert their users about this) are in place but I think that this is absolutely wrong. When we use end to end encrypted communications, we simply defend ourselves against this non-ethical form of spying.
I'm a heavy Signal (and since a few days also Riot.IM (matrix protocol) (Riot.IM with end to end crypto enabled)), Tutanota (encrypted email) and Linux user because I believe that only those measures (open source, reliable crypto) will protect against all the mass spying we face today.
The applications/services I strongly oppose are stuff like WhatsApp (yes, encryted messages but the metadata is readily available and it's closed source), skype, gmail, outlook and so on and on and on.
I think that we should OWN our OWN data, communications, browsing stuffs, operating systems, softwares and so on.
This was my rant.17 -
Worst WTF dev experience? The login process from hell to a well-fortified dev environment at a client's site.
I assume a noob admin found a list of security tips and just went like "all of the above!".
You boot a Linux VM, necessary to connect to their VPN. Why necessary? Because 1) their VPN is so restrictive it has no internet access 2) the VPN connection prevents *your local PC* from accessing the internet as well. Coworkers have been seen bringing in their private laptops just to be able to google stuff.
So you connect via Cisco AnyConnect proprietary bullshit. A standard VPN client won't work. Their system sends you a one-time key via SMS as your password.
Once on their VPN, you start a remote desktop session to their internal "hopping server", which is a Windows server. After logging in with your Windows user credentials, you start a Windows Remote Desktop session *on that hopping server* to *another* Windows server, where you login with yet another set of Windows user credentials. For all these logins you have 30 seconds, otherwise back to step 1.
On that server you open a browser to access their JIRA, GitLab, etc or SSH into the actual dev machines - which AGAIN need yet another set of credentials.
So in total: VM -> VPN + RDP inside VM -> RDP #2 -> Browser/SSH/... -> Final system to work on
Input lag of one to multiple seconds. It was fucking unusable.
Now, the servers were very disconnect-happy to prevent anything "fishy" going on. Sitting at my desk at my company, connected to my company's wifi, was apparently fishy enough to kick me out every 5 to 20 minutes. And that meant starting from step 1 inside the VM again. So, never forget to plugin your network cable.
There's a special place in hell for this admin. And if there isn't, I'll PERSONALLY make the devil create one. Even now that I'm not even working on this any more.8 -
Customer: «We want all the users belonging to this organization share the same username and password»
[Editor's note: we are talking about 500 users, more or less half of the total in the system]
Customer, after some minutes: «It's very important for us having the web interface using HTTPS, because we care security a lot».
So, please, go fuck yourself. And die.6 -
Thank you Arch Linux community for saying that caring about security (i.e. expressing concerns about NSA's Speck being included as a module in Arch's distribution kernel) means that you're a tinfoil hat. Much trust, very wow! Nothing to hide, nothing to fear.. right?16
-
I don't know a lot of people in other market segments who have zero fear of losing their job. Since I discovered that my coding skills are marketable, I have not lost a night of sleep over job security.
I'm very happy with my current job, but the privilege of rarely having to feel uncertain about income is incredibly liberating.4 -
Currently working on the privacy site CMS REST API.
For the curious ones, building a custom thingy on top of the Slim framework.
As for the ones wondering about security, I'm thinking out a content filtering (as in, security/database compatibility) right now.
Once data enters the API, it will first go through the filtering system which will check filter based on data type, string length and so on and so on.
If that all checks out, it will be send into the data handling library which basically performs all database interactions.
If everything goes like I want it to go (very highly unlikely), I'll have some of the api actions done by tonight.
But I've got the whole weekend reserved for the privacy site!20 -
Some 'wk306' highlights from different people:
Walk around the office in his underwear, because he forgot he left his trousers in the bathroom
Run a red light outside the office due to not wearing his required glasses. When questioned by co-workers, replied "I don't follow those facist rules"
Asking if we work less will we get paid more, because the project will take longer to do (while in a startup with no funding trying to secure some)
Tell a senior dev to stop testing in his spare time, as we won't be able to release on time if he keeps finding critical security bugs
Telling me "your timezone is not my concern", when asking for help with new tooling so we don't have to be online at the same time
Blaming my team for requesting too much help, leading to his team missing deadlines, in a meeting with very senior managers. When the reason we were requesting help was the handover doc we were given was filled with lies about features being finished and "ready to ship" and lacking any unit tests
Being accused of bullying and harassment to the CEO, because someone asked "did you follow up with X about the partnership they emailed us about". The person who was responsible, forgot 4 times, and saw it as an "attack" to mention it in team meetings
Telling an entire office/building mid November they've secured funding for at least the next year, then announcing in January after the Christmas break that its cheaper to move to India, so they are closing the office in 30 days2 -
Hello devRanters! A little while ago some ranters and I who are all passionate about FOSS/Linux decided to get together in a chatroom. Slowly more people are coming in but just wanted to post this in case any foss/linux liking people would like to join! I am not even sure if this is allowed on devRant (posting something like this) so if not, my apologies and I will remove the rant!
Keep in mind that the chat exists for people who are very keen on FOSS/Linux/security/privacy so no offense but it probably isn't the best place for people who don't like/care about that stuff :).53 -
I'm fixing a security exploit, and it's a goddamn mountain of fuckups.
First, some idiot (read: the legendary dev himself) decided to use a gem to do some basic fucking searching instead of writing a simple fucking query.
Second, security ... didn't just drop the ball, they shit on it and flushed it down the toilet. The gem in question allows users to search by FUCKING EVERYTHING on EVERY FUCKING TABLE IN THE DB using really nice tools, actually, that let you do fancy things like traverse all the internal associations to find the users table, then list all users whose password reset hashes begin with "a" then "ab" then "abc" ... Want to steal an account? Hell, want to automate stealing all accounts? Only takes a few hundred requests apiece! Oooh, there's CC data, too, and its encryption keys!
Third, the gem does actually allow whitelisting associations, methods, etc. but ... well, the documentation actually recommends against it for whatever fucking reason, and that whitelisting is about as fine-grained as a club. You wanna restrict it to accessing the "name" column, but it needs to access both the "site" and "user" tables? Cool, users can now access site.name AND user.name... which is PII and totally leads to hefty fines. Thanks!
Fourth. If the gem can't access something thanks to the whitelist, it doesn't catch the exception and give you a useful error message or anything, no way. It just throws NoMethodErrors because fuck you. Good luck figuring out what they mean, especially if you have no idea you're even using the fucking thing.
Fifth. Thanks to the follower mentality prevalent in this hellhole, this shit is now used in a lot of places (and all indirectly!) so there's no searching for uses. Once I banhammer everything... well, loads of shit is going to break, and I won't have a fucking clue where because very few of these brainless sheep write decent test coverage (or even fucking write view tests), so I'll be doing tons of manual fucking testing. Oh, and I only have a week to finish everything, because fucking of course.
So, in summary. The stupid and lazy (and legendary!) dev fucked up. The stupid gem's author fucked up, and kept fucking up. The stupid devs followed the first fuckup's lead and repeated his fuck up, and fucked up on their own some more. It's fuckups all the fucking way down.rant security exploit root swears a lot actually root swears oh my stupid fucking people what the fuck fucking stupid fucking people20 -
Creating an anonymous analytics system for the security blog and privacy site together with @plusgut!
It's fun to see a very simple API come alive with querying some data :D.
Big thanks to @plusgut for doing the frontend/graphs side on this one!20 -
Sometimes I wonder how compromised my parents online security would be without my intervention.
My mom logged into her gmail and there was an red bar on top informing about Google preventing an attempted login from an unknown device.
Like typical parents / old people, that red bar didn't caught her attention but I noticed it immediately. I took over and looked into it. It showed an IP address and a location that was quite odd.
I went ahead with the Account security review and I was shocked to find that she had set her work email address as the recovery email!!
I explained her that work email accounts cannot be trusted and IT department of the workplace can easily snoop emails and other info on that email address and should not be related to personal accounts.
After fixing that issue, me being a typical skeptic and curious guy, I decided to find more info about that IP address.
I looked up the IP address on a lookup website and it showed an ISP that was related to the corporate office of her workplace. I noticed the location Google reported also matched with the corporate office location of her work.
Prior to this event, few days ago, I had made her change her gmail account password to a more secure one. ( Her previous password was her name followed by birth date!! ). This must have sent a notification to the recovery mail address.
All these events are connected. It is very obvious that someone at corporate office goes through employees email addresses and maybe even abuse those information.
My initial skeptism of someone snooping throguh work email addresses was right.
You're welcome mom!9 -
That feeling when your client connection is more stable than the connection of a fucking game server... Incompetent pieces of shit!!! BEING ABLE TO PUT A COUPLE OF SPRITES DOESN'T MAKE YOU A FUCKING SYSADMIN!!!
Oh and I sent those very incompetent fucks a mail earlier, because my mailers are blocking their servers as per my mailers' security policy. A rant from the old box - their mail servers self-identify a fucking .local!!! Those incompetent shitheads didn't even properly change the values from test into those from prod!! So I sent them an email telling them exactly how they should fix it, as I am running the same MTA on my mailers (Postfix), at some point had to fix my mailers against the exact same issue as well, and clearly noticed in-game that they have deliverability problems (they explicitly mention to unblock their domain). Guess why?! Because their server's shitty configuration triggers fucking security mechanisms that are built against rogue mailers that attempt to spoof themselves as an internal mailer, with that fucking .local! And they STILL DIDN'T CHANGE IT!!!! Your fucking domain has no issues whatsoever, it's your goddamn fucking mail servers that YOU ASOBIMO FUCKERS SHOULD JUST FIX ALREADY!!! MOTHERFUCKERS!!!!!rant hire a fucking sysadmin already incompetent pieces of shit piece of shit game dev doesn't make you a sysadmin2 -
!!oracle
I'm trying to install a minecraft modpack to play with a friend, and I'm super psyced about it. According to the modpack instructions, the first step is to download the java8 jre. Not sure if I actually need it or not, but it can download while I'm doing everything else, so I dutifully go to the download page and find the appropriate version. The download link does point to the file, but redirects to a login page instead. Apparently I need an oracle account to download anything on their site. stupid.
So I make an account. It requires my life story, or at least full name and address and phone number. stupid. So my name is now "fuck off" and I live in Hell, Michigan. My email is also "gofuckyourself" because I'm feeling spiteful. Also, for some reason every character takes about 3/4ths of a second to type, so it's very slow going. Passwords also cannot contain spaces, which makes me think they're doing some stupid "security" shenanigans like custom reversible encryption with some 5th grade math. or they're just stupid. Whatever, I make the stupid account.
Afterwards, I try to log in, but apparently my browser-saved credentials are wrong? I try a few more times, try enabling all of the javascripts, etc. No beans. Okay, maybe I can't use it until I verify the email? That actually makes some sense. Fine, I go check the throwaway inbox. No verification email. It's been like five minutes, but it's oracle so they probably just failed at it like everything else, so I try to have them resend the email. I find the resend link, and try it. Every time I enter my email address, though, it either gives me a validation error or a server error. I try a few mores times, and give up. I try to log in again; no dice. Giving up, I go do something else for awhile.
On a whim later, I check for the verification email again. Apparently it just takes bloody forever, but it did show up. Except instead of the first name "Fuck" I entered, I'm now "Andrew", apparently. okay.... whatever. I click the verify button anyway, and to my surprise it actually works, and says that I'm now allowed to use my account. Yay!
So, I go back to the login page (from the download link) and enter my credentials. A new error appears! I cannot use redirects, apparently, and "must type in the page address I want to visit manually." huh? okay, i go to the page directly, and see the same bloody error because of course i do because oracle fucking sucks. So I close the page, go back to the download list, click the link, wait for the login page redirect (which is so totally not allowed, apparently, except it works and manual navigation does not. yay backwards!), and try to log in.
Instead of being presented with an error because of the redirect, it lets me (try to) log in. But despite using prefilled creds (and also copy/pasting), it tells me they're invalid. I open a new tab container, clear the cache (just to be thorough), and repeat the above steps. This time it redirects me to a single signon server page (their concept of oauth), and presents me with a system error telling me to contact "the Administrator." -.- Any second attempts, refreshes, etc. just display the same error.
Further attempts to log in from the download page fail with the same invalid credentials error as before.
Fucking oracle and their reverse Midas touch.10 -
I've been away, lurking at the shadows (aka too lazy to actually log in) but a post from a new member intrigued me; this is dedicated to @devAstated . It is erratic, and VERY boring.
When I resigned from the Navy, I got a flood of questions from EVERY direction, from the lower rank personnel and the higher ups (for some reason, the higher-ups were very interested on what the resignation procedure was...). A very common question was, of course, why I resigned. This requires a bit of explaining (I'll be quick, I promise):
In my country, being in the Navy (or any public sector) means you have a VERY stable job position; you can't be fired unless you do a colossal fuck-up. Reduced to non-existent productivity? No problem. This was one of the reasons for my resignation, actually.
However, this is also used as a deterrent to keep you in, this fear of lack of stability and certainty. And this is the reason why so many asked me why I left, and what was I going to do, how was I going to be sure about my job security.
I have a simple system. It can be abused, but if you are careful, it may do you and your sanity good.
It all begins with your worth, as an employee (I assume you want to go this way, for now). Your worth is determined by the supply of your produced work, versus the demand for it. I work as a network and security engineer. While network engineers are somewhat more common, security engineers are kind of a rarity, and the "network AND security engineer" thing combined those two paths. This makes the supply of my work (network and security work from the same employee) quite limited, but the demand, to my surprise, is actually high.
Of course, this is not something easy to achieve, to be in the superior bargaining position - usually it requires great effort and many, many sleepless nights. Anyway....
Finding a field that has more demand than there is supply is just one part of the equation. You must also keep up with everything (especially with the tech industry, that changes with every second). The same rules apply when deciding on how to develop your skills: develop skills that are in short supply, but high demand. Usually, such skills tend to be very difficult to learn and master, hence the short supply.
You probably got asleep by now.... WAKE UP THIS IS IMPORTANT!
Now, to job security: if you produce, say, 1000$ of work, then know this:
YOU WILL BE PAID LESS THAN THAT. That is how the company makes profit. However, to maximize YOUR profit, and to have a measure of job security, you have to make sure that the value of your produced work is high. This is done by:
- Producing more work by working harder (hard method)
- Producing more work by working smarter (smart method)
- Making your work more valuable by acquiring high demand - low supply skills (economics method)
The hard method is the simplest, but also the most precarious - I'd advise the other two. Now, if you manage to produce, say, 3000$ worth of work, you can demand for 2000$ (numbers are random).
And here is the thing: any serious company wants employees that produce much more than they cost. The company will strive to pay them with as low a salary as it can get away with - after all, a company seeks to maximize its profit. However, if you have high demand - low supply skills, which means that you are more expensive to be replaced than you are to be paid, then guess what? You have unlocked god mode: the company needs you more than you need the company. Don't get me wrong: this is not an excuse to be unprofessional or unreasonable. However, you can look your boss in the eye. Believe me, most people out there can't.
Even if your company fails, an employee with valuable skills that brings profit tends to be snatched very quickly. If a company fires profitable employees, unless it hires more profitable employees to replace them, it has entered the spiral of death and will go bankrupt with mathematical certainty. Also, said fired employees tend to be absorbed quickly; after all, they bring profit, and companies are all about making the most profit.
It was a long post, and somewhat incoherent - the coffee buzz is almost gone, and the coffee crash is almost upon me. I'd like to hear the insight of the veterans; I estimate that it will be beneficial for the people that start out in this industry.2 -
Have a client that has a very, very large format printer (think billboards). It's on their network as just another printer, with no special security because everyone "knows" never to print to it....except the new employee who printed her direct-deposit info to it. Got about ten feet(!) into the job before someone realized it wasn't an authorized job.5
-
I think I ranted about this before but fuck it.
The love/hate relation I have with security in programming is funny. I am working as a cyber security engineer currently but I do loads of programming as well. Security is the most important factor for me while programming and I'd rather ship an application with less features than with more possibly vulnerable features.
But, sometimes I find it rather annoying when I want to write a new application (a web application where 90 percent of the application is the REST API), writing security checks takes up most of the time.
I'm working on a new (quick/fun) application right now and I've been at this for.... 3 hours I think and the first very simple functionality has finally been built, which took like 10 minutes. The rest of the 3 hours has been securing the application! And yes, I'm using a framework (my own) which has already loads of security features built-in but I need more and more specific security with this API.
Well, let's continue with securing this fucker!10 -
I need to make a confession about my terribly unprofessional project I made. Around two years ago I got thrown for the first time into back end development - I had to work on the project alone. As a very smart man I basically exposed our SMTP server as a nice and very flexible API.
Fortunately it was, by the design, a very short-lived project, taken down from the web completely and for good after around 2 months. I'm still happy I had more luck than brains and nobody used our server as a spam sending service in our name and I have learned a valuable and relatively cheap lesson in security this way.1 -
Pro security tip:
Use a very simple password because h4x0rs expect a difficult one so they can't cr4ck yours8 -
Taking IT classes in college. The school bought us all lynda and office365 accounts but we can't use them because the classroom's network has been severed from the Active Directory server that holds our credentials. Because "hackers." (The non-IT classrooms don't have this problem, but they also don't need lynda accounts. What gives?)
So, I got bored, and irritated, so I decided to see just how secure the classroom really was.
It wasn't.
So I created a text file with the following rant and put it on the desktop of the "locked" admin account. Cheers. :)
1. don't make a show of "beefing up security" because that only makes people curious.
I'm referring of course to isolating the network. This wouldn't be a problem except:
2. don't restrict the good guys. only the bad guys.
I can't access resources for THIS CLASS that I use in THIS CLASS. That's a hassle.
It also gives me legitimate motivation to try to break your security.
3. don't secure it if you don't care. that is ALSO a hassle.
I know you don't care because you left secure boot off, no BIOS password, and nothing
stopping someone from using a different OS with fewer restrictions, or USB tethering,
or some sort malware, probably, in addition to security practices that are
wildly inconsistent, which leads me to the final and largest grievance:
4. don't give admin priveledges to an account without a password.
seriously. why would you do this? I don't understand.
you at least bothered to secure the accounts that don't even matter,
albeit with weak and publicly known passwords (that are the same on all machines),
but then you went and left the LEAST secure account with the MOST priveledges?
I could understand if it were just a single-user machine. Auto login as admin.
Lots of people do that and have a reason for it. But... no. I just... why?
anyway, don't worry, all I did was install python so I could play with scripting
during class. if that bothers you, trust me, you have much bigger problems.
I mean you no malice. just trying to help.
For real. Don't kick me out of school for being helpful. That would be unproductive.
Plus, maybe I'd be a good candidate for your cybersec track. haven't decided yet.
-- a guy who isn't very good at this and didn't have to be
have a nice day <3
oh, and I fixed the clock. you're welcome.2 -
We got DDoS attacked by some spam bot crawler thing.
Higher ups called a meeting so that one of our seniors could present ways to mitigate these attacks.
- If a custom, "obscure" header is missing (from api endpoints), send back a basic HTTP challenge. Deny all credentials.
- Some basic implementation of rate limiting on the web server
We can't implement DDoS protection at the network level because "we don't even have the new load balancer yet and we've been waiting on that for what... Two years now?" (See: spineless managers don't make the lazy network guys do anything)
So now we implement security through obscurity and DDoS protection... Using the very same machines that are supposed to be protected from DDoS attacks.17 -
My CTO prefers to hire very expensive consultants than to trust on staff. It's funny, because he also decided that all technical teams should run on the absolute minimal amount of resources.
You can't imagine how shitty it felt this morning when he sent an email talking about a security consultant that we should hire, just because he thinks the guy could "take our expertise to the next level".
They will charge us 450/hour to run assessments, to find the exact same things my team discovered a year ago.rant consultant fucking moron my cto is a piece of shit we all know this cto should be fired overpriced4 -
My first job was actually nontechnical - I was 18 years old and sold premium office furniture for a small store in Munich.
I did code in my free time though (PHP/JS mostly, had a litte browsergame back then - those were the days), so when my boss approached me and asked me whether I liked to take over a coding project, I agreed to the idea.
Little did I know at the time: I was supposed to work with a web agency the boss had contracted to build their online shop. Only that he had no plan or anything, he basically told them "build me an online shop like abc(a major competitor of ours at the time)"
He employed another sales lady who was supposed to manage the shop (that didn't exist yet). In the end, I think 80% of her job was to keep me from killing my boss.
As you can imagine, with this huuuuge amout of planning and these exact visions of what was supposed to be, things went south fast and far. So far that I could visit my fellow flightless birds down in the Penguin's republic of Antarctica and still need to go further.
Well... When my boss started suing the web agency, I was... ahem, asked to take over. Dumb as I was, I did - I was a PHP kid and thought that Magento, being written in PHP, would be easy to master. If you know Magento, you know that was maybe the wrongest thing I ever said.
Fast forward 3 very exhausting months, the thing was online. Not all of it worked yet, but it was online and fairly secure.
I did next to everything myself, administrating the CentOS box the shop was running on, its (own) e-mail server, the web server, all the coding required for the shop (can you spell 12 hour day for 8 hour pay?)
3 further months later, my life basically was a wreck, I dragged myself to work, the only thing I looked forward being the motorcycle ride home. The system worked though.
Mind you, I was still, at the time, working with three major customers, doing deskside support and some admin (Win Server 2008R2 at the time) - because, to quote my boss, "We could not afford a full time developer and we don't need one".
I think i stopped coding in my free time, the one hobby I used to love more than anything on the world, somewhere Decemerish 2012. I dropped out of the open source projects I was in, quit working on my browser game and let everything slide.
I didn't even care to renew the domains and servers for it, I just let it die without notice.
The little free time I had, I spent playing video games and getting drunk/high.
December 2013, 1.5 years on the job, I reached my breaking point and just left, called in sick at least a week per month because I just could not see this fucking place anymore.
I looked for another job outside of ALL of what I did before. No more Magento, no more sales, no more PHP. I didn't have to look for long, despite what I thought of my skills.
In February 2014, I told my boss that I quit. It was still seven months until my new job started, but I wanted him to know early so we could migrate and find a replacement.
The search for said replacement started in June 2014. I had considerably less work in the months before, looks like he got the hint.
In August 2014, my replacement arrived and I got him started.
I found a job, which I am still in, and still happy about after almost half a decade, at a local, medium sized ISP as a software dev and IT security guy. Got a proper training with a certificate and everything now.
My replacement lasted two months, he was external and never really did his job - the site, which until I had quit, had a total of 3 days downtime for 3 YEARS (they were the hoster's fault, not mine), was down for an entire month and he could not even tell why.
HIS followup was kicked after taking two weeks to familiarize himself with the project. Well, I think that two weeks is not even barely enough to familiarize yourself with nearly three years of work, but my boss gave him two days.
In 2016, the shop was replaced with another one. Different shop system, different OS, different CI. I don't know why and I can't say I give a damn.
Almost all the people that worked at the company back with me have left for greener pastures, taking their customers (and revenue) with them.
As for my boss' comments, instructions and lines: THAT might not be safe for work. Or kids. Or humans in general. And there wouldn't be much left if you put it through a language filter...
Moral of the story: No, it's not a bad thing to leave a place if you're mistreated there. Don't mistake loyalty with stupidity!
And, to quote one of my favourite Bands: "Nothing matters when the pain is all but gone" (Tragedy + Time by Rise Against).8 -
😡😡😡 Who here thinks that great software can be build in a few hours?!?! My silly ass boss does. He haven't programmed in decades and think we're supposed to be able to build software that doesn't break, has the best security, no flaws, feature rich in VERY, VERY short amount of time!! 😡😡😡 Fuck out of here!! It pisses me off to my core.
Me: Just finished the required software. In a short amount of time with new stuff I've never worked with before.
Him: Well, it took u a week to do. I heard it should've only have taken u a few hours.
Then u build the shit then!!! Fuck out of here.
The Sr. Dev and I was talking about this on Friday. U won't good product...leave us the fuck alone and let us work!!! He don't think that there will be small issues that come up. He thinks we're supposed to already know those issues are gonna exists, like really u fuck tart!?
FUUUUUUCK!!!!8 -
I used to do audits for private companies with a team. Most of them where black box audits and we were allowed to physically manipulate certain machines in and around the building, as long as we could get to them unnoticed.
Usually when doing such jobs, you get a contract signed by the CEO or the head of security stating that if you're caught, and your actions were within the scope of the audit, no legal action will be taken against you.
There was this one time a company hired us to test their badge system, and our main objective was to scrape the data on the smartcards with a skimmer on the scanner at the front of the building.
It's easy to get to as it's outside and almost everyone has to scan their card there in order to enter the building. They used ISO 7816 cards so we didn't even really need specified tools or hardware.
Now, we get assigned this task. Seems easy enough. We receive the "Stay-out-of-jail"-contract signed by the CEO for Company xyz. We head to the address stated on the contract, place the skimmer etc etc all good.
One of our team gets caught fetching the data from the skimmer a week later (it had to be physically removed). Turns out: wrong Building, wrong company. This was a kind of "building park" (don't really know how to say it in English) where all the buildings looked very similar. The only difference between them was the streetnumber, painted on them in big. They gave us the wrong address.
I still have nightmares about this from time to time. In the end, because the collected data was never used and we could somewhat justify our actions because we had that contract and we had the calls and mails with the CEO of xyz. It never came to a lawsuit. We were, and still are pretty sure though that the CEO of xyz himself was very interesed in the data of that other company and sent us out to the wrong building on purpose.
I don't really know what his plan after that would have been though. We don't just give the data to anyone. We show them how they can protect it better and then we erase everything. They don't actually get to see the data.
I quit doing audits some time ago. It's very stressful and I felt like I either had no spare time at all (when having an active assignment) or had nothing but spare time (when not on an assignment). The pay also wasn't that great.
But some people just really are polished turds.4 -
Had a talk with my mentor and the CTO today.
They made very clear that they'd want to keep me employed after I finished my bachelor and briefly asked about my plans.
I am happy and this kind of gave me some more peace of mind concerning job security.
Thing is though, I don't know yet what I want to do in two years from now. There are some possibilities and of course I don't know how my private life will develop.
If I stay there, I could finish my bachelor and then do a master halftime, like I do now with my bachelor - or I could stop at my bachelor and start working full-time again.
I rather want to stay there - though I strongly dislike the 9 to 5 job model, the work would be in a field I'm interested in. My colleagues are a nice bunch of people and I respect them a lot, especially the team I work with.
On the other hand, I always thought about freelancing and was researching possibilities during the last year. My skills are not so easy to translate into a freelancing job, though, if I don't want to do at least 50% software development.
Or I could get a job somewhere else which would have the charms of starting from scratch. Many new experience, much new things, wow.
Maybe also a better salary though if I'd be doing the job for the money only, I'd probably have worked elsewhere.
...
I'm usually quite relaxed about my future plans but some of these things were on my mind for some time now, also, I'm not sure whether I can "define" my future just yet.
Also, I'm overthinking it, yes.
I will have another talk in about a month.
No pressure, right?7 -
DEAR CTOs, PLEASE ASK THE DEVELOPER OF THE SOFTWARE WHICH YOU ARE PLANNING TO BUY IN WHAT LANGUAGE AND WHAT VERSION THEY ARE WRITTEN IN.
Background: I worked a LONG time for a software company which developed a BIG crm software suite for a very niche sector. The softwary company was quite successfull and got many customers, even big companies bought our software. The thing is: The software is written in Ruby 1.8.7 and Rails 2. Even some customer servers are running debian squeeze... Yes, this setup is still in production use in 2022. (Rails 7 is the current version). I really don't get it why no one asked for the specific setup, they just bought it. We always told our boss, that we need time to upgrade. But he told every time, no one pays for an tech upgrade... So there it is, many TBs of customer data are in systems which are totally old, not updated and with possibly security issues.9 -
I need advice from my coding elders:
A bit of background:
So I'm a highschooler and I have made a program for my school called Passport. It's being implemented as we speak.
Take a look:
https://github.com/poster983/...
It is basically a program that helps to manage and distribute digital Library passes. (We used to go through stacks of paper passes).
It was sorta my first major project, so it is probably filled with bugs and other security vulnerabilities. Just FYI.
_______
So a guy approached me tonight and was acting very interested in what I did. (it's literally a fancy database). He wanted my to unopen-source it and sell it to a company. (Probably his or a friend of him). I politely declined because I feel this program is
1. Not up to my standards; so if I was to sell it, I would rewrite it is something more modern like node, or Python.
2. I love open source.
3. A way for my to give back to my school and maybe help other schools.
After hearing that, he started calling opensourse a failure, and he said that I will one day be wise and write code for money (which I know I will, just I want to sell GOOD code).
My question is, how do I deal with people who want my to dich the opensourse model in the future?7 -
NEW 6 Programming Language 2k16
1. Go
Golang Programming Language from Google
Let's start a list of six best new programming language and with Go or also known by the name of Golang, Go is an open source programming language and developed by three employees of Google and the launch in 2009, very cool just 3 people.
Go originated and developed from the popular programming languages such as C and Java, which offers the advantages of compact notation and aims to keep the code simple and easy to read / understand. Go language designers, Robert Griesemer, Rob Pike and Ken Thompson, revealed that the complexity of C ++ into their main motivation.
This simple programming language that we successfully completed the most tasks simply by librariesstandar luggage. Combining the speed of pemrogramandinamis languages such as Python and to handalan of C / C ++, Go be the best tools for building 'High Volume of distributed systems'.
You need to know also know, as expressed by the CTO Tokopedia namely Mas Leon, Tokopedia will switch to GO-lang as the main foundation of his system. Horrified not?
eh not watch? try deh see in the video below:
[Embedyt] http://youtube.com/watch/...]
2. Swift
Swift Programming Language from Apple
Apple launched a programming language Swift ago at WWDC 2014 as a successor to the Objective-C. Designed to be simple as it is, Swift focus on speed and security.
Furthermore, in December 2015, Swift Apple became open source under the Apache license. Since its launch, Swift won eye and the community is growing well and has become one of the programming languages 'hottest' in the world.
Learning Swift make sure you get a brighter future and provide the ability to develop applications for the iOS ecosystem Apple is so vast.
Also Read: What to do to become a full-stack Developer?
3. Rust
Rust Programming Language from Mozilla
Developed by Mozilla in 2014 and then, and in StackOverflow's 2016 survey to the developer, Rust was selected as the most preferred programming language.
Rust was developed as an alternative to C ++ for Mozilla itself, which is referred to as a programming language that focus on "performance, parallelisation, and memory safety".
Rust was created from scratch and implement a modern programming language design. Its own programming language supported very well by many developers out there and libraries.
4. Julia
Julia Programming Language
Julia programming language designed to help mathematicians and data scientist. Called "a complete high-level and dynamic programming solution for technical computing".
Julia is slowly but surely increasing in terms of users and the average growth doubles every nine months. In the future, she will be seen as one of the "most expensive skill" in the finance industry.
5. Hack
Hack Programming Language from Facebook
Hack is another programming language developed by Facebook in 2014.
Social networking giant Facebook Hack develop and gaungkan as the best of their success. Facebook even migrate the entire system developed with PHP to Hack
Facebook also released an open source version of the programming language as part of HHVM runtime platform.
6. Scala
Scala Programming Language
Scala programming termasukbahasa actually relatively long compared to other languages in our list now. While one view of this programming language is relatively difficult to learn, but from the time you invest to learn Scala will not end up sad and disappointing.
The features are so complex gives you the ability to perform better code structure and oriented performance. Based programming language OOP (Object oriented programming) and functional providing the ability to write code that is capable of evolving. Created with the goal to design a "better Java", Scala became one behasa programming that is so needed in large enterprises.3 -
iPhones are ridiculously picky when it comes to finding a mate- um charger. And knowing why doesn't really make it any easier to understand why. If anything it baffles me more.
So, let's start with appliances that are not phones. Think Bluetooth headsets, keyboards, earbuds, whatever. Those are simple devices. They see 5V on the VCC line and 0V on ground, and they will charge at whatever current they are meant to. Usually it will not exceed 200mA, and the USB 2.0 spec allows for up to 500mA from any USB outlet. So that's perfectly reasonable to be done without any fuss whatsoever.
Phones on the other hand are smarter.. some might say too smart for their own good. In this case I will only cover Android phones, because while they are smarter than they perhaps should be, they are still reasonable.
So if you connect an Android phone to the same 5V VCC and 0V ground, while leaving the data lines floating, the phone will charge at 500mA. This is exactly to be within USB 2.0 spec, as mentioned earlier. Without the data lines, the phone has no way to tell whether it *can* pull more, without *actually* trying to pull more (potentially frying a charger that's not rated for it). Now in an Android phone you can tell it to pull more, in a fairly straightforward way. You just short the data lines together, and the phone will recognize this as a simple charger that it can pull 1A from. Note that shorting data lines is not a bad thing, we do it all the time. It is just another term for making a connection between 2 points. Android does this right. Also note that shorted data lines cannot be used to send data. They are inherently pulled to the same voltage level, probably 0V but not sure.
And then the iPhones come in, Thinking Different. The iPhones require you to pull the data lines to some very specific voltage levels. And of course it's terribly documented because iSheep just trying to use their Apple original white nugget charger overseas and shit like that. I do not know which voltage levels they are (please let me know!), but it is certainly not a regular short. Now you connect the iPhone to, say, a laptop or something to charge. An Android phone would just charge while keeping data transmission disabled (because they can be left floating or shorted). This is for security reasons mostly, preventing e.g. a malicious computer from messing with it. An iPhone needs to be unlocked to just charge the damn thing. I'm fairly sure that that's because the data lines need to be pulled up, which could in theory enable a malicious computer to still get some information in or out of it. USB data transmission works at at least 200mV difference between the data lines. It could be more than that. So you need to unlock it.
Apple, how about you just short your goddamn data lines too like everyone else? And while you're at it, get rid of this Lightning connector. I get it, micro USB was too hard for your users. I guess they are blind pigs after all. But USB-C solved all of that and more. The only difference I can think of is that the Lightning connector can be a single board with pads on either side on the connector, while in USB-C that could be at the socket end (socket being less common to be replaced). And at the end of the day, that really doesn't matter with all the other things that will break first.
Think Different. Think Retarded. Such tiny batteries and you can't even fucking charge them properly.6 -
We had an obligatory training today about security of remote access to company resources.
We sat for an hour listening to some outdated advice regarding passwords and preparing a work environment at home. Finally the instructor said his goodbyes and left. The rest of us stayed in the call to pass some actual recommendations.
Then we received a join request from a waiting lobby. Everyone muted. I let the guy in. For the next 8 minutes we watched the unaware instructor eat his breakfast and sign some documents stamped with a logotype of our competition.
Then I cleared my throat very loudly. He will have to print some of those documents again.4 -
Long rant ahead.. 5k characters pretty much completely used. So feel free to have another cup of coffee and have a seat 🙂
So.. a while back this flash drive was stolen from me, right. Well it turns out that other than me, the other guy in that incident also got to the police 😃
Now, let me explain the smiley face. At the time of the incident I was completely at fault. I had no real reason to throw a punch at this guy and my only "excuse" would be that I was drunk as fuck - I've never drank so much as I did that day. Needless to say, not a very good excuse and I don't treat it as such.
But that guy and whoever else it was that he was with, that was the guy (or at least part of the group that did) that stole that flash drive from me.
Context: https://devrant.com/rants/2049733 and https://devrant.com/rants/2088970
So that's great! I thought that I'd lost this flash drive and most importantly the data on it forever. But just this Friday evening as I was meeting with my friend to buy some illicit electronics (high voltage, low frequency arc generators if you catch my drift), a policeman came along and told me about that other guy filing a report as well, with apparently much of the blame now lying on his side due to him having punched me right into the hospital.
So I told the cop, well most of the blame is on me really, I shouldn't have started that fight to begin with, and for that matter not have drunk that much, yada yada yada.. anyway he walked away (good grief, as I was having that friend on visit to purchase those electronics at that exact time!) and he said that this case could just be classified then. Maybe just come along next week to the police office to file a proper explanation but maybe even that won't be needed.
So yeah, great. But for me there's more in it of course - that other guy knows more about that flash drive and the data on it that I care about. So I figured, let's go to the police office and arrange an appointment with this guy. And I got thinking about the technicalities for if I see that drive back and want to recover its data.
So I've got 2 phones, 1 rooted but reliant on the other one that's unrooted for a data connection to my home (because Android Q, and no bootable TWRP available for it yet). And theoretically a laptop that I can put Arch on it no problem but its display backlight is cooked. So if I want to bring that one I'd have to rely on a display from them. Good luck getting that done. No option. And then there's a flash drive that I can bake up with a portable Arch install that I can sideload from one of their machines but on that.. even more so - good luck getting that done. So my phones are my only option.
Just to be clear, the technical challenge is to read that flash drive and get as much data off of it as possible. The drive is 32GB large and has about 16GB used. So I'll need at least that much on whatever I decide to store a copy on, assuming unchanged contents (unlikely). My Nexus 6P with a VPN profile to connect to my home network has 32GB of storage. So theoretically I could use dd and pipe it to gzip to compress the zeroes. That'd give me a resulting file that's close to the actual usage on the flash drive in size. But just in case.. my OnePlus 6T has 256GB of storage but it's got no root access.. so I don't have block access to an attached flash drive from it. Worst case I'd have to open a WiFi hotspot to it and get an sshd going for the Nexus to connect to.
And there we have it! A large storage device, no root access, that nonetheless can make use of something else that doesn't have the storage but satisfies the other requirements.
And then we have things like parted to read out the partition table (and if unchanged, cryptsetup to read out LUKS). Now, I don't know if Termux has these and frankly I don't care. What I need for that is a chroot. But I can't just install Arch x86_64 on a flash drive and plug it into my phone. Linux Deploy to the rescue! 😁
It can make chrooted installations of common distributions on arm64, and it comes extremely close to actual Linux. With some Linux magic I could make that able to read the block device from Android and do all the required sorcery with it. Just a USB-C to 3x USB-A hub required (which I have), with the target flash drive and one to store my chroot on, connected to my Nexus. And fixed!
Let's see if I can get that flash drive back!
P.S.: if you're into electronics and worried about getting stuff like this stolen, customize it. I happen to know one particular property of that flash drive that I can use for verification, although it wasn't explicitly customized. But for instance in that flash drive there was a decorative LED. Those are current limited by a resistor. Factory default can be say 200 ohm - replace it with one with a higher value. That way you can without any doubt verify it to be yours. Along with other extra security additions, this is one of the things I'll be adding to my "keychain v2".11 -
My Sunday Morning until afternoon. FML. So I was experiencing nightly reboots of my home server for three days now. Always at 3:12am strange thing. Sunday morning (10am ca) I thought I'd investigate because the reboots affected my backups as well. All the logs and the security mails said was that some processes received signal 11. Strange. Checked the periodics tasks and executed every task manually. Nothing special. Strange. Checked smart status for all disks. Two disks where having CRC errors. Not many but a couple. Oh well. Changing sata cables again 🙄. But those CRC errors cannot be the reason for the reboots at precisely the same time each night. I noticed that all my zpools got scrubbed except my root-pool which hasn't been scrubbed since the error first occured. Well, let's do it by hand: zpool scrub zroot....Freeze. dafuq. Walked over to the server and resetted. Waited 10 minutes. System not up yet. Fuuu...that was when I first guessed that Sunday won't be that sunny after all. Connected monitor. Reset. Black screen?!?! Disconnected all disks aso. Reset. Black screen. Oh c'moooon! CMOS reset. Black screen. Sigh. CMOS reset with a 5 minute battery removal. And new sata cable just in cable. Yes, boots again. Mood lightened... Now the system segfaults when importing zroot. Good damnit. Pulled out the FreeBSD bootstick. zpool import -R /tmp zroot...segfault. reboot. Read-only zroot import. Manually triggering checksum test with the zdb command. "Invalid blckptr type". Deep breath now. Destroyed pool, recreated it. Zfs send/recv from backup. Some more config. Reboot. Boots yeah ... Doesn't find files??? Reboot. Other error? Undefined symbols???? Now I need another coffee. Maybe I did something wrong during recovery? Not very likely but let's do it again...recover-recover. different but same horrible errors. What in the name...? Pulled out a really old disk. Put it in, boots fine. So it must be the disks. Walked around the house and searched for some new disks for a new 2 disk zfs root mirror to replace the obviously broken disks. Found some new ones even. Recovery boot, minimal FreeBSD Install for bootloader aso. Deleted and recreated zroot, zfs send/recv from backup. Set bootfs attribute, reboot........
It works again. Fuckit, now it is 6pm, I still haven't showered. Put both disks through extensive tests and checked every single block. These disks aren't faulty. But for some reason they froze my system in a way so that I had to reset my BIOS and they had really low level data errors....? I Wonder if those disks have a firmware problem? So that was most of my Sunday. Nice, isn't it? But hey: calm sea won't make a good sailor, right?3 -
I work in big data and security analytics... So naturally I am a very detail oriented and analytical person.... Something that I constantly get told off about for 'over analysing' every personal situation.... Especially by my wife!
Today she was chatting to our best friend on WhatsApp who's been travelling Europe for 6 months seeing how life is etc... At the end of the conversation I point out he never once told her where he was and avoided the questions.... And that I was sure he was gonna turn up tonight....
She tells me I'm over analysing and full of it as she's in Spain.... Not even an hour later he walked through our front door and we are in the pub having an awesome catch up!
Who said I'm over analytical! More like right!?4 -
Story time!
I worked at a company that was the HQ for a sizable organization for a while, until it was eventually bought out by another company, and then yet another company who was located in the valley.
We were kinda a forgotten office not being the HQ, like most places like that are.
No customers EVER visited our building, few if any people knew we existed even, even our own company. I visited HQ in the valley on a number of occasions and was stalked by the video monitoring system for hours before I was stopped by security and the cops called because nobody believed there as an office outside the valley when I explained why my badge looked different .... (San Jose cops were very nice about it and really pissed at the security team.) But that's another story...
One day people who were never at our office decided (after many meetings without talking to anyone at the office) ... they decided the beige walls at our office didn't match the company colors.
So they took all the generic wall coverings down and painted all the walls an almost imperceptible different color.
So now we had an office with all white(ish) walls and nothing on them. Due to the configuration of the building there were these huge monolithic white walls that looked pretty dumb.
This lasted quite a while so as a joke I printed up and framed (found an old frame, as a former HQ we had lots of stuff lying around) a sign that said:
"This space intentionally left blank."
When the "mediocre hotel room quality art" and posters were scheduled to go up the folks putting the art up skipped that wall thinking the sign was official.
Even the somewhat corporate drone directors, and one VP at our office thought it was so funny, they didn't say a word about it. Word has it back at HQ they assumed it "must be fire code or something" and told the folks hanging the crappy art to skip that wall.
It lasted on that wall for a decade until we moved out of that building. On the last day, everything was moved, but that sign remained. No idea if it is still there or not...1 -
Electric cars are not better for the environment. All petrol cars combined are only responsible for 7.9% of CO2 emissions. If your electric car is charged from a grid that is powered by a coal-burning power station, it contributes nothing to dealing with climate change. It only provides you with the false sense of security, and you can look cool telling your friends that “you know, I drive a Tesla, I’m environmentally conscious, your gas car is bad”.
Electric cars are lame. When I’m out of fuel, I can refuel fully in minutes. With electric car, I’ll have to wait at least five hours. Let’s be realistic, superchargers aren’t common, and will never be.
Gasoline is 46.4 MJ/kg, or 34.2 MJ/l. Li-Ion is 0.36–0.875. Let’s be generous and say it’s 0.9. To match 1 kg of petrol, I would need 51 kilos of batteries.
Average gas tank is 18 gallons, or 68 litres. To match that, my battery must have a weight of 2.5 metric tonnes. Bear in mind, empty battery and full battery has the same weight. Also, bear in mind, batteries perform worse in the winter.
As per energy density and practicality, things don’t get much better than petrol. Liquid hydrogen has higher energy density, but to store it, gas tank has to have very, very thick walls, to withstand the pressure. And, hydrogen is a bitch. It’s extremely dangerous. You can’t smell it until it’s too late. Hydrogen-air mixture will explode if you look at it the wrong way.
All that “electric cars good for climate” hype is merely Elon maintaining his stock bubble.23 -
Me: We need to allow the team in the newly acquired subsidiary to access our docker image repositories.
Sec Guy: Why?
Me: So they can run our very expensive AI models that we have prepared onto container images.
Sec Guy: There is a ban on sharing cloud resources with the acquired companies.
Me: So how we're supposed to share artifacts?!?
Sec Guy: Can't you just email them the docker files?
Me: Those images contain expensively trained AI models. You can't rebuild it from the docker files.
Sec Guy: Can't you email the images themselves?
Me: Those are a few gigabytes each. Won't fit in an email and won't even fit the Google drive / onedrive / Dropbox single file size limit.
Sec Guy: Can't you store them in a object storage like S3/GCS/Azure storage?
Me: Sure
Proceed to do that.
Can't give access to the storage for shit.
Call the sec guy
Me: I need to share this cloud storage directory.
Sec Guy (with aparent amnesia): Why?
Me: I just told you! So they can access our AI docker images!
Sec Guy: There is a ban on sharing cloud resources with the acquired companies.
Me: Goes insane
Is there a law or something that you must attempt several alternative methods before the sec people will realize that they are the problem?!?! I mean, frankly, one can get an executable artifact by fucking email and run it but can't pull it from a private docker registry? Why the fuck would their call it "security"?9 -
Making electronics more difficult to repair with security fasteners and ultrasonically welded plastic nightmares and what have you.. what's the point? The argument from manufacturers is that "users don't want to get in there anyway". But, it's not like even if they could, they'd want to, right? Which type of person that doesn't know electronics very well and has an interest in repairing it would go and look at a board, and say "this is how it works, this and that is broken and this is how it should be repaired"? Not many users can repair their own devices regardless. So why? To preserve IP? Not like the Chinese bootleggers care about that. To preserve sales? Users can't repair their stuff anyway. To keep those who want to peek inside out, just for the hell of it? Anyone determined enough will be willing to break it in the process anyway.6
-
watching the online course for CEH... dude used the Death Star as a tangible example of how exploits work.
IDK if I should love it for the nerdiness, or be slightly sad that someone needs that type of example of what a vulnerability vs an exploit is, when they're going for the Certified Ethical Hacker certification...
Might be better in an introduction to Network Security class?
Also, while discussing the security, usability, and functionality triangle, he reference the Staples "Easy Button" - does one thing, not very secure, and not very functional (in that it has more than one function)...1 -
I don't know if I'm being pranked or not, but I work with my boss and he has the strangest way of doing things.
- Only use PHP
- Keep error_reporting off (for development), Site cannot function if they are on.
- 20,000 lines of functions in a single file, 50% of which was unused, mostly repeated code that could have been reduced massively.
- Zero Code Comments
- Inconsistent variable names, function names, file names -- I was literally project searching for months to find things.
- There is nothing close to a normalized SQL Database, column ID names can't even stay consistent.
- Every query is done with a mysqli wrapper to use legacy mysql functions.
- Most used function is to escape stirngs
- Type-hinting is too strict for the code.
- Most files packed with Inline CSS, JavaScript and PHP - we don't want to use an external file otherwise we'd have to open two of them.
- Do not use a package manger composer because he doesn't have it installed.. Though I told him it's easy on any platform and I'll explain it.
- He downloads a few composer packages he likes and drag/drop them into random folder.
- Uses $_GET to set values and pass them around like a message contianer.
- One file is 6000 lines which is a giant if statement with somewhere close to 7 levels deep of recursion.
- Never removes his old code that bloats things.
- Has functions from a decade ago he would like to save to use some day. Just regular, plain old, PHP functions.
- Always wants to build things from scratch, and re-using a lot of his code that is honestly a weird way of doing almost everything.
- Using CodeIntel, Mess Detectors, Error Detectors is not good or useful.
- Would not deploy to production through any tool I setup, though I was told to. Instead he wrote bash scripts that still make me nervous.
- Often tells me to make something modern/great (reinventing a wheel) and then ends up saying, "I think I'd do it this way... Referes to his code 5 years ago".
- Using isset() breaks things.
- Tens of thousands of undefined variables exist because arrays are creates like $this[][][] = 5;
- Understanding the naming of functions required me to write several documents.
- I had to use #region tags to find places in the code quicker since a router was about 2000 lines of if else statements.
- I used Todo Bookmark extensions in VSCode to mark and flag everything that's a bug.
- Gets upset if I add anything to .gitignore; I tried to tell him it ignores files we don't want, he is though it deleted them for a while.
- He would rather explain every line of code in a mammoth project that follows no human known patterns, includes files that overwrite global scope variables and wants has me do the documentation.
- Open to ideas but when I bring them up such as - This is what most standards suggest, here's a literal example of exactly what you want but easier - He will passively decide against it and end up working on tedious things not very necessary for project release dates.
- On another project I try to write code but he wants to go over every single nook and cranny and stay on the phone the entire day as I watch his screen and Im trying to code.
I would like us all to do well but I do not consider him a programmer but a script-whippersnapper. I find myself trying to to debate the most basic of things (you shouldnt 777 every file), and I need all kinds of evidence before he will do something about it. We need "security" and all kinds of buzz words but I'm scared to death of this code. After several months its a nice place to work but I am convinced I'm being pranked or my boss has very little idea what he's doing. I've worked in a lot of disasters but nothing like this.
We are building an API, I could use something open source to help with anything from validations, routing, ACL but he ends up reinventing the wheel. I have never worked so slow, hindered and baffled at how I am supposed to build anything - nothing is stable, tested, and rarely logical. I suggested many things but he would rather have small talk and reason his way into using things he made.
I could fhave this project 50% done i a Node API i two weeks, pretty fast in a PHP or Python one, but we for reasons I have no idea would rather go slow and literally "build a framework". Two knuckleheads are going to build a PHP REST framework and compete with tested, tried and true open source tools by tens of millions?
I just wanted to rant because this drives me crazy. I have so much stress my neck and shoulder seems like a nerve is pinched. I don't understand what any of this means. I've never met someone who was wrong about so many things but believed they were right. I just don't know what to say so often on call I just say, 'uhh..'. It's like nothing anyone or any authority says matters, I don't know why he asks anything he's going to do things one way, a hard way, only that he can decipher. He's an owner, he's not worried about job security.13 -
I really enjoy my old Kindle Touch rather than reading long pdf's on a tablet or desktop. The Kindle is much easier on my eyes plus some of my pdf's are critical documents needed to recover business processes and systems. During a power outage a tablet might only last a couple of days even with backup power supplies, whereas my Kindle is good for at least 2 weeks of strong use.
Ok, to get a pdf on a Kindle is simple - just email the document to your Kindle email address listed in your Amazon –Settings – Digital Content – Devices - Email. It will be <<something>>@kindle.com.
But there is a major usability problem reading pdf's on a Kindle. The font size is super tiny and you do not have font control as you do with a .MOBI (Kindle) file. You can enlarge the document but the formatting will be off the small Kindle screen. Many people just advise to not read pdf's on a Kindle. devRanters never give up and fortunately there are some really cool solutions to make pdf's verrrrry readable and enjoyable on a Kindle
There are a few cloud pdf- to-.MOBI conversion solutions but I had no intention of using a third party site my security sensitive business content. Also, in my testing of sample pdf's the formatting of the .MOBI file was good but certainly not great.
So here are a couple option I discovered that I find useful:
Solution 1) Very easy. Simply email the pdf file to your Kindle and put 'convert' in the subject line. Amazon will convert the pdf to .MOBI and queue it up to synch the next time you are on wireless. The final e-book .MOBI version of the pdf is readable and has all of the .MOBI options available to you including the ability for you to resize fonts and maintain document flow to properly fit the Kindle screen. Unfortunately, for my requirements it did not measure-up to Solution 2 below which I found much more powerful.
Solution 2) Very Powerful. This solution takes under a minute to convert a pdf to .MOBI and the small effort provides incredible benefits to fine tune the final .MOBI book. You can even brand it with your company information and add custom search tags. In addition, it can be used for many additional input and output files including ePub which is used by many other e-reader devices including The Nook.
The free product I use is Calibre. Lots of options and fine control over documents. I download it from calibre-ebook.com. Nice UI. Very easy to import various types of documents and output to many other types of formats such as .MOBI, ePub, DocX, RTF, Zip and many more. It is a very powerful program. I played with various Calibre options and emailed the formatted .MOBI files to my Kindle. The new files automatically synched to the Kindle when I was wireless in seconds. Calibre did a great job!!
The formatting was 99.5% perfect for the great majority of pdf’s I converted and now happily read on my Kindle. Calibre even has a built-in heuristic option you can try that enables it to figure out how to improve the formatting of the raw pdf. By default it is not enabled. A few of the wider tables in my business continuity plans I have to scroll on the limited Kindle screen but I was able to minimize that by sizing the fonts and controlling the source document parameters.
Now any pdf or other types of documents can be enjoyed on a light, cheap, super power efficient e-reader. Let me know if this info helped you in any way.4 -
I have a few of these so I'll do a series.
(1 of 3) Public privates
We had a content manager that created a content type called "news item" on a Drupal site. There where two file fields on there. One called "attachments" and the other called "private attachments". The "private attachments" are only for members to see and may contain sensitive data. It was set to go trough Drupals security (instead of being directly hosted by the webserver) but because the permissions on the news items type where completely public everybody had access. So basically it was a slow public file field.
This might be attibuted to ow well Drupal is confusing. Howerver weeks earlier that same CM created a "private article". This actually had permissions on the content type correctly but had a file field that was set to public. So when a member posted the URL to a sensitive file trough unsafe means it got indexed by google and for all to read. When that happend I explained in detail how the system worked and documented it. It was even a website checklist item.
We had two very embarrassing data leaks :-(1 -
I really like my current job.
I work as an analyst developer looking after and sorting out people's old tech debt.
Once that's stable I get pretty free reign to do what I want.
It allows me to stretch from dev into graphic design, security, architecture and training on a very regular basis.
It allows me to keep an eye on tech trends, research and develop ideas using the latest shiny things.
Oh and if I say I need a thing, I can usually get it purchased.
All of the above comes with the "as long as it's for the benefit of the company" disclaimer, but when your direct managers see an IDE and think "okay he's working" the lines get a little blurry.
They keep asking me about my career goals and if I want to manage or move around. Fuck that noise, all of that noise.
Do wut I wawnt.6 -
I know folks do their best, but come on Apple, this can't be that hard. Bought an IPhone at an estate sale (elderly individual died suddenly, so no one had knowledge of the apple id, passwords, etc) and I've been trying to convince apple to clear the activation lock. (AS = Apple Support)
<after explaining the situation>
AS: "Have you tried putting the phone in recovery mode? That should clear the lock"
Me: "I've already done that. It prompts for the apple id and password, which I don't have"
AS: "You need to talk to the owner and get the information"
Me: "As I explained, I purchased the phone at an estate sale of someone who died. I have the bill of sale, serial number, the box, obituary. What else do you need?"
AS: "Have you tried contacting a family member? They might have have that information."
Me: "The family members at the sale told us this is all they had. This kind of thing has to happen. I can't believe Apple can't clear the activation lock."
AS: "Yes, we can, but I'm very sorry we take security seriously."
Me: "I understand, what do I do now?"
AS: "Did you log out of the phone? Go to settings ..."
Me: "Yes, I tried all those steps before calling. It prompts for the AppleID and password."
AS: "Did you try entering the password?"
Me: "No, I don't have it. I already explained there is no way to know"
AS: "Yes..yes...sorry...I'm just reading the information in front of me. I found something, have you tried submitting a activation lock removal request?"
Me: "Yes, it was denied, didn't tell me why, which is why I'm calling. What about taking this phone to an Apple store? I have all the paperwork."
AS: "Sure, you can try. You might need the death certificate. The family or the coroner will have a copy."
Me: "What!? Apple requires a death certificate to unlock a phone!? I'm pretty sure not even the family is going to give a total stranger a death certificate"
AS: "Sorry sir, I'm just reading what is in front of me. Without that certificate, there is no way to prove the person died. You can try the Apple store, but they will likely require it."
Me: "That's a lot of drama for unlocking a phone. A *phone*"
AS: "Yes sir, I understand. If there anything else we can do let us know and thank you for being an a apple customer."
Next stop, the Apple Store.12 -
A few days ago Aruba Cloud terminated my VPS's without notice (shortly after my previous rant about email spam). The reason behind it is rather mundane - while slightly tipsy I wanted to send some traffic back to those Chinese smtp-shop assholes.
Around half an hour later I found that e1.nixmagic.com had lost its network link. I logged into the admin panel at Aruba and connected to the recovery console. In the kernel log there was a mention of the main network link being unresponsive. Apparently Aruba Cloud's automated systems had cut it off.
Shortly afterwards I got an email about the suspension, requested that I get back to them within 72 hours.. despite the email being from a noreply address. Big brain right there.
Now one server wasn't yet a reason to consider this a major outage. I did have 3 edge nodes, all of which had equal duties and importance in the network. However an hour later I found that Aruba had also shut down the other 2 instances, despite those doing nothing wrong. Another hour later I found my account limited, unable to login to the admin panel. Oh and did I mention that for anything in that admin panel, you have to login to the customer area first? And that the account ID used to login there is more secure than the password? Yeah their password security is that good. Normally my passwords would be 64 random characters.. not there.
So with all my servers now gone, I immediately considered it an emergency. Aruba's employees had already left the office, and wouldn't get back to me until the next day (on-call be damned I guess?). So I had to immediately pull an all-nighter and deploy new servers elsewhere and move my DNS records to those ASAP. For that I chose Hetzner.
Now at Hetzner I was actually very pleasantly surprised at just how clean the interface was, how it puts the project front and center in everything, and just tells you "this is what this is and what it does", nothing else. Despite being a sysadmin myself, I find the hosting part of it insignificant. The project - the application that is to be hosted - that's what's important. Administration of a datacenter on the other hand is background stuff. Aruba's interface is very cluttered, on Hetzner it's super clean. Night and day difference.
Oh and the specs are better for the same price, the password security is actually decent, and the servers are already up despite me not having paid for anything yet. That's incredible if you ask me.. they actually trust a new customer to pay the bills afterwards. How about you Aruba Cloud? Oh yeah.. too much to ask for right. Even the network isn't something you can trust a long-time customer of yours with.
So everything has been set up again now, and there are some things I would like to stress about hosting providers.
You don't own the hardware. While you do have root access, you don't have hardware access at all. Remember that therefore you can't store anything on it that you can't afford to lose, have stolen, or otherwise compromised. This is something I kept in mind when I made my servers. The edge nodes do nothing but reverse proxying the services from my LXC containers at home. Therefore the edge nodes could go down, while the worker nodes still kept running. All that was necessary was a new set of reverse proxies. On the other hand, if e.g. my Gitea server were to be hosted directly on those VPS's, losing that would've been devastating. All my configs, projects, mirrors and shit are hosted there.
Also remember that your hosting provider can terminate you at any time, for any reason. Server redundancy is not enough. If you can afford multiple redundant servers, get them at different hosting providers. I've looked at Aruba Cloud's Terms of Use and this is indeed something they were legally allowed to do. Any reason, any time, no notice. They covered all their bases. Make sure you do too, and hope that you'll never need it.
Oh, right - this is a rant - Aruba Cloud you are a bunch of assholes. Kindly take a 1Gbps DDoS attack up your ass in exchange for that termination without notice, will you?5 -
Network Security at it's best at my school.
So firstly our school has only one wifi AP in the whole building and you can only access Internet from there or their PCs which have just like the AP restricted internet with mc afee Webgateway even though they didn't even restrict shuting down computers remotely with shutdown -i.
The next stupid thing is cmd is disabled but powershell isn't and you can execute cmd commands with batch files.
But back to internet access: the proxy with Mcafee is permanently added in these PCs and you don't havs admin rights to change them.
Although this can be bypassed by basically everone because everyone knows one or two teacher accounts, its still restricted right.
So I thought I could try to get around. My first first few tries failed until I found out that they apparently have a mac adress wthitelist for their lan.
Then I just copied a mac adress of one of their ARM terminals pc and set up a raspberry pi with a mac change at startup.
Finally I got an Ip with normal DHCP and internet but port 80 was blocked in contrast to others like 443. So I set up an tcp openvpn server on port 443 elsewhere on a server to mimic ssl traffic.
Then I set up my raspberry pi to change mac, connect to this vpn at startup and provide a wifi ap with an own ip address range and internet over vpn.
As a little extra feature I also added a script for it to act as Spotify connect speaker.
So basically I now have a raspberry pi which I can plugin into power and Ethernet and an aux cable of the always-on-speakers in every room.
My own portable 10mbit/s unrestricted AP with spotify connect speaker.
Last but not least I learnt very many things about networks, vpns and so on while exploiting my schools security as a 16 year old.8 -
Security startup...
'Which football team do you support?'
'Not sure how that is relevant.'
'It is very relevant'15 -
Alright lads here is the thing, have not been posting anything other than replies to things cuz I have been busy being miserable at school and dealing with work stuff.
Our manager left us back in February. Because she was leaving I decided that I wanted to try a different path and went on to become a programmer analyst for my institution, if anything I knew that it was going to be pretty boring work, but it came with nice monetary compensation and a foot in the door for other data science related jobs in the future. Thing is, the department head asked me to stay in the web technologies department because we had a lack of people there and hiring is hard as shit, we do not do remote jobs since our work usually requires a level of discretion and security. Thus I have been working in the web tech department since she left albeit with a different title since I aced the interview for the analyst position and the team there were more than happy to have me. I have done very few things for them, some reports here and there and mostly working directly with the DBA in some projects. One migration project would have costed my institution a total of 58k and we managed to save the cost by building the migration software ourselves.....honestly it was a fucking cake walk, if you had any doubts about the shaddyness of enterprise level applications regarding selling overpriced shit with different levels of complexity, keep them, enterprise is shaddy af indeed. But I digress.
I wrote the specification for the manager position along the previous manager, we had decided that the next candidate needed to be strong with development knowledge as well as other things as to properly understand and manage a software team, we made the academic requirement(fuck you, yes we did ask for academic requirements) to be either in the Computer Science/software engineering area or at least on the Business Administration side. We were willing to consider BA holders in exchange for having knowledge of the development process of different products and a complete understanding of what developers go through. NOT ONE SINGLE motherfucker was able to satisfy this, some of them were idiots that I knew from before that had ABSOLUTELY no business even considering applying to the position, the courage it took for some of these assholes to apply would have hurt their mothers, their God if they had one, and their country, they were just that fucking bad in their jobs as well as being overall shit people.
Then we had 1 candidate actually fall through the cracks enough to get an interview. My dude here was lying out of his ass through the interview process. According to him he had "lots of Laravel experience and experience managing Laravel projects" and mentioned repeatedly how it would be a technology that we should consider for our products. I was to interview him alongside the vice president of our institution due to the head of my department and the rest of the managers for I.T being on vacation leave all at the same bloody time.
Backstory before the interview:
Whilst I was going over the interview questions with the vice president literally offered me the job instead. I replied with honesty, reflecting how I did not originally wanted him but feeling that our institution was ready to settle on any candidate due to the lack of potentials. He was happy to do it since apparently both him and the HOD were expecting me to step up sooner or later. I was floored.
Regardless, out of kindness he wanted to go through the interview.
So, going back to the interview. As soon as the person in question referenced the framework I started to ask him about it, just simple questions, the first was "what are your thoughts on the Eloquent ORM? I am not too fond of it and want to know what you as a full time laravel dev think of it"
his reply: "I am sorry I am not too familiar with it, I don't know what that is" <--- I appreciated his honesty in this but thought it funny that someone would say that he was a Laravel developer whilst not knowing what an ORM was since you can't really get away from using it on the initial stages of learning about Laravel, maybe if one wanted to go through the hurdle of switching to something like doctrine...but even then, it was....odd.
So I met with the hod when he came back, he was stoked at the prospect of having me become the manager and I happily accepted the position. It will be hell, but I don't even need to hit the ground running since I have been the face of the department since ages. My team were ecstatic about it since we are all close friends and they have been following my directions without complaints(but the ocational eat a dick puto) for some time, we work well together and we are happy to finally have someone to stop the constant barrage that comes from people taking advantage of a missing manager.
Its gonna get good, its gonna get fun, and i am getting to see how shit goes.7 -
I'm halfway in on a six-month disaster contract where I'm converting a massive site written over 7~8 years to a new system. Manager has had us restart about 4 times and there are other departments who want to take over. The deadline is so tight that I've stuck with the original plan and kept my code flexible to be changed if the manager wants to go with the other teams' ideas. ("Okay, manager: here's a clone, tell the other team to prove that works") The lead dev, to my horror, didn't write any code and was let go in November.
Manager hired a new dev part-time whose commitment is on something entirely separate that is required in order for the deadline to be pushed to Summer. (new thing for old thing)
New dev has an attitude, basically wants to start over, and is already acting like I'm his subordinate, very patronizing, very dodgy when asked to explain a strong opinion (THIS IS A SECURITY PROBLEM!!!1). I really have no idea what my manager promised to him. Also found out that manager hired an agency to create a roadmap of the project (WHY?!!! WHY NOW?!). I've been burned once already with the previous lead, and I'm not wild about working with yet another person who wants to burn the whole thing to the ground and start completely over, especially not someone who wants to engage in a dick-measuring contest.
Do you guys have any advice? I mean, other than quitting? I'm going to see this through, but I'm burned out.3 -
I wish my boss would stop revoking my permissions. He's always saying how these slew of things need to be accomplished, yet, everytime I go to do them I'm at a wall because, despite having permissions for a very long time he decided to revoke them entirely.
It's not like I can't be trusted with them, it's been over 2 years with them, so why the sudden revoke?
I finally sent some snot mail to him informing him I'm unable to complete my tasks without the permissions granted to me (I'm a sysadmin, sec guy, boss is vp of tech), and instead of him granting them yet again he's going to run around and try to hack around the permission requirement so he can avoid giving me them.
Seriously? This is stupid. I was the one who wrote the security design and implementation document, and put all that work in. Now I'm being locked out of the system I designed, built and implemented?
Well, time to look for a new job. If you're a manager, please don't revoke your employees permissions without notice, at random, and try to hack around well-documented security policies. It won't end well!3 -
Because of some theft this year and even though we already have security cameras, my apartment building decided to check the front door locks so it's more secure.
This key looks very high tech... Only issue though is I never use the key anyway... I just entered the door code...
So what is the point of changing the locks? I'm going to guess whoever is stealing isn't picking the lock... People would notice... They must know the code.
Also it seems most of the apartment locks are digital key card/pins too. Wondering if this just means most owners are young or just are techies/devs...10 -
A classmate saw me using Firefox today and laughed at me saying Chrome is more secure. I'm not very knowledgeable about the security; I use Firefox because it uses less memory and it's more stable on my machine.
I doubt that info of his is current so can someone who actually knows about the security give me some counter-arguments for him? The more facts the better :D14 -
this just happened a few seconds ago and I am just laughing at the pathetic site that is Facebook. xD
4 years ago:
So I was quite a noobie gamer/hacker(sort of) back then and i had a habit of having multiple gmail/fb accounts, just for gaming, like accounts through which i can log in all at once in the same poker room, so 4/5 players in the game are me, or just some multiple accounts for clash of clans for donations.
I had 7-8 accounts back then. one had a name that translated to "may the dead remain in peace "@yahoomail.com . it was linked to fb using same initials. after sometime only this and 2 of my main accs were all i cared about.even today when i feel like playing, i sometimes use those accs.
2 years ago.
My dad is a simple man and was quite naive to modern techs and used to hang around with physical button nokia phones.But we had a business change, my father was now in a partnership in a restaurant where his daily work included a lot of sitting job and and casual working. So he bought a smartphone for some time pass.
He now wanted to download apps and me to teach him.I tried a lot to get him his own acc, but he couldn't remember his login credentials.
so at the end i added one of my own fake ID's(maythedead...) so he could install from playstore, watch vids on youtube and whatever.
The Actual Adventure starts now
Today, 1 hour ago:
I had completely forgot about this incident, since my parents are now quite modern in terms of tech.
But today out of nowhere i recieved an email that someone has JUST CHAINGED MY FB PASSWORD FOR ONE OF MY FAKE ACCS!?!??
what the hell, i know it was just a useless acc and i never even check my fb from any acc these days, but if someone could login into that acc, its not very difficult to track my main accs, id's, etc so i immediately opened this fb security portal and that's where the stupidity starts:
1)To recover your account they FUCKIN ASKS FOR A PHYSICAL ID. yeah, no email, no security question you have to scan your driving license or passport to get back to your account.And where would I get a license for some person named "may the dead remain in peace"? i simply went back.
2) tried another hack that i thought that will work.Closed fb help page, opened fb again , tried to login with my old credentials, it says" old password has been changed,please enter new password", i click forget password and they send an otp. i thought yes i won, because the number and recover mail id was mine only so i received it.
when i added the otp, i was first sent to a password change page (woohoo, i really won! :)) but then it sends me again to the same fuckin physical id verification page.FFFFFFFFFuck
3)I was sad and terrified that i got hacked.But 10 mins later a mail comes ,"Your Facebook password was reset using the email address on Tuesday, April 10, 2018 at 8:24pm (UTC+05:30)."
I tried clicking the links attached, hoping that the password i changed(point<2>) has actually done something to account.NADA, the account still needs a physical license to open:/
4) lost, i just login to my main account and lookup for my lost fake account. the fun part:my account has the display pic of my father?!!?!
So apparently, my father wanted to try facebook, he used the fake account i gave him to create one, fb showed him that this id already has an fb account attached to it and he accidently changed my password.MY FATHER WAS THE HACKER THE WHOLE TIME xD.
but response from fb?" well sir, if you want your virtually shitty account back , you first will have to provide us with all details of your bank transactions or your voter id card, maybe trump will like it" -
Anyone who's interested in cyber security, go follow Binni Shah (@binitamshah) on Twitter. The amount of tutorials and guides she retweets is crazy and very informative.
Also if you're not on Twitter you're missing out on a lot of content to learn from ✌️18 -
I'd never do anything "risky" in a prod environment if I considered it so at the time, but in retrospect there's *lots* of things considered risky now (both from a security and good practice viewpoint) that were standard practice not long ago:
- Not using any form of version control
- No tests (including no unit tests)
- Not considering XSS vulnerabilities
- Completely ignoring CSRF vulnerabilities
- Storing passwords as unsalted MD5 hashes (heck that was considered very *secure* in the days of plaintext password storage.)
...etc. I'm guilty of all of those previously. I daresay in the future there will be yet more things that may be standard practice now, but become taboos we look back on with similar disdain.1 -
So I enventually spent 2 years working for that company with a strong b2b market. Everything from the checkouts in their 6 b2c stores to the softwares used by the 30-people sales team was dependant on the main ERP shit home-built with this monstruosity we call Windev here in France. If you don't know it just google and have some laugh : this is a proprieteray FRENCH language. Not french like made by french people, well that too, but mostly french like the fucking language is un fucking french ! Instructions are on french, everything. Hey that's my natural language okay, but for code, really ?
The php website was using the ERP database too, even all the software/hardware of the massive logistic installation they had (like a tiny Amazon depot), and of course the emails of all employees. Everything was just handled by this unique shitty and so sloooooow fucking app. When there was to many clients on the website or even too many salespeople connected to the ERP at the same time, every-fuckin-piece of the company was slowing down, and even worse facing critical bugs. So they installed a monitor in the corner of a desk constantly showing the live report page of Google analytics and they started panic attacks everytime it was counting more than 30 sessions on the website. That was at the time fun and sad to observe.
The whole shit was created 12 years ago and is since maintened locally by one unique old-fashion-microsoft dev who also have to maintain all the hardware of all the fucking 150+ people business. You know, when the keyboard of anyone is "broken" cause it's unplugged... That's his job too. The poor guy was totally overstressed on a daily basis and his tech knowledge just saddly losts themeselves somewhere in the way. He was my n+1 in a tech team of 3 people : him, a young and inexperimented so-called "php developer" who was in charge of the website (btw full of security holes I discovered and dealed with when I first arrive at the job), and myself.
The database was a hell of 100+ tables of business and marketing data with a ton of specific logic added on-the-go during years. No consistent data model or naming. No utf8. Fucked up relations that ends with queries long enough to fill books. And that's not all, all the customers passwords was just stored there uncrypted. Several very big companies and administrations were some of these clients. I was insisting on the passwords point litterally all the time, that was an easy security fix and a good start... But no, in two years of discussions on the subject I never achieved to have them focusing on other considerations than "our customers like that we can remind them their password by a simple phone call if they lost it". What. The. Fuck. WHATTHEFUCK!
Eventually I ran myself out of this nightmare. I had a few bad jobs already, and worked on shitty software already. But that one really blows my mind (and motivation for a time too). Happy it's over.1 -
I find it hilarious the total misconception of hacking that the general public has. I tell people I know cyber security (Not as much as a lot of people around here) but it is a hobby of mine and I find it very useful/interesting.
But I can't stop but laugh when someone is like, can you get all the text messages my bf receives?
Can you hack this for me can you back that?
C'mon even if I knew how to do that without being caught you think I would even admit that to you. Do hackers just walk around with an index card pasted to their forehead of their skill? It's not even slightly reasonable to think this lol even for someone who doesn't know about the field -
A lot of larger companies seem to be a happy about forcing employees to change their password every three months or so. They do it for security measures so that it is more difficult to break through the system, however most people end up making the worst passwords.
Instead of forcing a very good password on them every year or two maybe, they all end up having passwords like: "Summer16", "Qwer1234", "London15".
I used to work for our national police, and this was the case there as well...7 -
I don't understand privacy advocators.
Am I the only one who wouldn't give up practicality in exchange for "potentially more secure"?
I don't understand so much what the deal is with people who avoid Facebook, or don't trust Google or Microsoft, just in the basis of "privacy" or "security".
Websites tracking you to serve ads? Well, it's pointless because I very rarely buy something from the internet or let myself be influenced, ads are waste of time, just use an adblocker.
I can pretty much upload my whole life or documents on Google drive, even if I made it public no one would really care or read it all. It's like that GitHub project you uploaded but never documented, so no one cares. I usually use alternative software not because of "privacy" but because it has features other software doesn't have.
In reality you realize people aren't that interested in your life more than their own life.24 -
Security fail here. I've just started a PPI claim and have been provided a link to a so called "very secure" client area.
There are no username or passwords and the screenshot is not a first time sign up screen.
All I need to login is a surname, postcode and DOB - all information easy enough to find online.
Pretty bad IMO, esp, so considering the effort required to add a proper login using a username/password combination.
I mean I'm logged in now and have no option to set an account password :|3 -
Impossible deadline experience?
A few, but this one is more recent (and not mine, yet)
Company has plans to build a x hundred thousand square feet facility (x = 300, 500, 800 depending on the day and the VP telling the story)
1. Land is purchased, but no infrastructure exists (its in a somewhat rural area, no water or sewage capable of supporting such a large facility)
2. No direct architectural plans (just a few random ideas about layout, floor plans, parking etc)
3. Already having software dev meetings in attempt to 'fix' all the current logistical software issues we have in the current warehouse and not knowing any of the details of the new facility.
One morning in our stand-up, the mgr says
Mgr: "Plans for the new warehouse are moving along. We hope to be in the new building by September."
Me: "September of 2022?"
<very puzzled look>
Mgr: "Um, no. Next year, 2021"
Me: "That's not going to happen."
Mgr: "I was just in a meeting with VP-Jack yesterday. He said everything is on schedule."
Me: "On schedule for what?"
<I lay out some of the known roadblocks from above, and new ones like the political mess we will very likely get into when the local zoning big shots get involved>
Mgr: "Oh, yea, those could be problems."
Me: "Swiiiiishhhhh"
Mgr: "What's that?"
Me: "That's the sound of a September 2021 date flying by."
Mgr: "Funny. Guess what? We've been tasked with designing the security system. Overhead RFID readers, tracking, badge scans, etc. Normally Dan's team takes care of facility security, but they are going to be busy for a few weeks for an audit. Better start reaching out to RFID vendors for quotes. Have a proposal ready in a couple of weeks."
Me: "Sure, why not."1 -
Team Meeting with Senior senior manager(SSM) from headquarters.
Post lunch break (casual talks)
SSM: You all people in this office live in luxury. Each and every door has a security guard to open and close the door for all of you. HQ doesn't have these.
Me: So, does it mean that there are no doors or no security guards at the HQ?
Everyone in my team with a very big facepalm. Manager telling me not to get high after having the lunch.
Footnote: All my colleagues and my manager often tells me that I get high just by eating food.4 -
Hmm...recently I've seen an increase in the idea of raising security awareness at a user level...but really now , it gets me thinking , why not raise security awareness at a coding level ? Just having one guy do encryption and encoding most certainly isn't enough for an app to be considered secure . In this day an age where most apps are web based and even open source some of them , I think that first of all it should be our duty to protect the customer/consumer rather than make him protect himself . Most of everyone knows how to get user input from the UI but how many out here actually think that the normal dummy user might actually type unintentional malicious code which would break the app or give him access to something he shouldn't be allowed into ? I've seen very few developers/software architects/engineers actually take the blame for insecure code . I've seen people build apps starting on an unacceptable idea security wise and then in the end thinking of patching in filters , encryptions , encodings , tokens and days before release realise that their app is half broken because they didn't start the whole project in a more secure way for the user .
Just my two cents...we as devs should be more aware of coding in a way that makes apps more secure from and for the user rather than saying that we had some epic mythical hackers pull all the user tables that also contained unhashed unencrypted passwords by using magix . It certainly isn't magic , it's just our bad coding that lets outside code interact with our own code . -
Haven't been on here in a while, but I had to rant about these security questions. I couldn't come up with legit answers for any of the very few options; most of which required you to be married....5
-
Oh boy I got a few. I could tell you stories about very stupid xss vectors like tracking IDs that get properly sanitized when they come through the url but as soon as you go to the next page and the backend returns them they are trusted and put into the Dom unsanitized or an error page for a wrong token / transaction id combo that accidentally set the same auth cookie as the valid combination but I guess the title "dumbest" would go to another one, if only for the management response to it.
Without being to precise let's just say our website contained a service to send a formally correct email or fax to your provider to cancel your mobile contract, nice thing really. You put in all your personal information and then you could hit a button to send your cancelation and get redirected to a page that also allows you to download a pdf with the sent cancelation (including all your personal data). That page was secured by a cancelation id and a (totally save) 16 characters long security token.
Now, a few months ago I tested a small change on the cancelation service and noticed a rather interesting detail : The same email always results in the same (totally save) security token...
So I tried again and sure, the token seemed to be generated from the email, well so much about "totally save". Of course this was a minor problem since our cancelation ids were strong uuids that would be incredibly hard to brute force, right? Well of course they weren't, they counted up. So at that point you could take an email, send a cancelation, get the token and just count down from your id until you hit a 200 and download the pdf with all that juicy user data, nice.
Well, of course now I raised a critical ticket and the issue was fixed as soon as possible, right?
Of course not. Well I raised the ticket, I made it critical and personally went to the ceo to make sure its prioritized. The next day I get an email from jira that the issue now was minor because "its in the code since 2017 and wasn't exploited".
Well, long story short, I argued a lot and in the end it came to the point where I, as QA, wrote a fix to create a proper token because management just "didn't see the need" to secure such a "hard to find problem". Well, before that I sent them a zip file containing 84 pdfs I scrapped in a night and the message that they can be happy I signed an NDA.2 -
Whelp. I started making a very simple website with a single-page design, which I intended to use for managing my own personal knowledge on a particular subject matter, with some basic categorization features and a simple rich text editor for entering data. Partly as an exercise in web development, and partly due to not being happy with existing options out there. All was going well...
...and then feature creep happened. Now I have implemented support for multiple users with different access levels; user profiles; encrypted login system (and encrypted cookies that contain no sensitive data lol) and session handling according to (perceived) best practices; secure password recovery; user-management interface for admins; public, private and group-based sections with multiple categories and posts in each category that can be sorted by sort order value or drag and drop; custom user-created groups where they can give other users access to their sections; notifications; context menus for everything; post & user flagging system, moderation queue and support system; post revisions with comparison between different revisions; support for mobile devices and touch/swipe gestures to open/close menus or navigate between posts; easily extendible css themes with two different dark themes and one ugly as heck light theme; lazy loading of images in posts that won't load until you actually open them; auto-saving of posts in case of browser crash or accidental navigation away from page; plus various other small stuff like syntax highlighting for code, internal post linking, favouriting of posts, free-text filter, no-javascript mode, invitation system, secure (yeah right) image uploading, post-locking...
On my TODO-list: Comment and/or upvote system, spoiler tag, GDPR compliance (if I ever launch it haha), data-limits, a simple user action log for admins/moderators, overall improved security measures, refactor various controllers, clean up the code...
It STILL uses a single-page design, and the amount of feature requests (and bugs) added to my Trello board increases exponentially with every passing week. No other living person has seen the website yet, and at the pace I'm going, humanity will have gone through at least one major extinction event before I consider it "done" enough to show anyone.
help4 -
So i am a diabetic and carry an insulin pump. Now being in India, the pump is not covered by insurance (for some god forsaken reason that I don’t know) and therefore is not a common sight here (contradictoraly India has a major diabetes problem). So I was at the metro station going through security check and the security personnel asks me what the pump was and asked me to show it to him. Now since insulin pumps are uncommon here I understood his concern and showed it to him. Now I like to carry the pump under my shirt with a clip pouch. So naturally I had to lift up my shirt to show it to him. But this isn’t the highlight of the story.
The guy behind me rised above and started peeking over my shoulder and constantly repeating like a 2 year old child what is this. And that too with my fucking abdomen exposed. I went into rage mode there and then like wtf dude, none of your business just step back a little.
Now my issue is that I do not understand that in their own curiosity, why do people forget to respect others privacy. And a very big problem with medical equipment manufacturing organisations (yeah you medtronic). Why are you only concerned with sales and why not awareness? I mean spreading awareness will only help your sales as more people will become aware about your product and it will be less awkward and concerning for people like me to wear your device out in the public5 -
At a previous job I bumped heads with the IT person a lot because he would spread misinformation about technology so the owners would never replace him. This was conversation with the VP:
VP: Hey I just got a new security setup at my house and I can monitor everything with my phone.
Me: That's cool.
VP: I'm rethinking it because [IT guy] said it was very dangerous to have, what do you think?
Me: ....? What did he say was dangerous about it?
VP: He said hackers could then gain access to cameras and plan the perfect time to rob me since it's in the cloud.
Me: I seriously doubt anyone is planning an Ocean's 11 heist to steal your TV.
VP: Yea I thought it sounded weird when he told me.3 -
Me : java is suck.
Friend : php is suck.
Friend2 : c++ is suck.
Friend3 : network is suck.
Friend4 : security is very suck!
All : I agree.5 -
So I had to update my OS to Ubuntu 22.04 to support some newer software. I had been running 18.04. One of the things I notice is Ubuntu restricting security updates to Ubuntu Pro users. WTF is this shit? I look into it a bit more:
https://flu0r1ne.net/logs/...
and a long discussion with people for and against:
https://lobste.rs/s/h2dszz/...
Okay, great, Ubuntu is employing some hostage style manipulation to get people to pay for using the OS. Probably an exaggeration, but feels very slimy. But that part is NOT what bothers me about this.
What bothers me the most about this is Ubuntu will now have a list of computers that have or do not have specific security patches. This is valuable information if someone wants to sell this to a third party. Maybe Ubuntu would not do that, but they can always get bought by someone who would do that. This feels dirty like something Microsoft or Google would do.
I probably don't know the complete story. But the misunderstanding still leads me to want to avoid Canonical.12 -
Who thought Lua was a good idea for extending gameplay functionality??
It's weakly typed, has no OOP functionality and no namespace rules. It has no interesting data structures and tables are a goddamn mystery. Somebody made the simplest language they could and now everybody who touches it is given the broadest possible tools to shoot themselves in the foot.
Lua's ease of embedding into C++ code is a fool's paradise. Warcraft 3's JASS scripting language had way more structure and produced much better games, whilst being much simpler to work with than Lua.
All the academics describing metatables as 'powerful extensionality' and a fill-in for OOP are digging the hole deeper. Using tables to implement classes doesn't work easily outside school. Hiding a self:reference to a function inside of syntactic sugar is just insanity.
Nobody expects to write a triple-A game in lua, but they are happy to fob it off to kids learning to program. WoW made the right choice limiting it to UI extensions.
Fighting the language so you can try and understand a poorly documented game engine and implement gameplay features as the dev's intend for 'modders', is just beyond the pale. It's very difficult to figure out what the standard for extending functionality is, when everybody is making it up as they go along and you don't have a strongly-typed and structured language to make it obvious what the devs intended.
If you want to give your players a coding sandbox, make the scripting language yourself like JASS. It will be way better fit for purpose, way easier to limit for security and to guarantee reasonable performance. Your players get a sane environment to work in and you just might get the next DOTA.
Repeatedly shooting yourself in the foot on invisible syntax errors and an incredibly broad language is wasted suffering for kids that could be learning the programming concepts that cross all languages way quicker and with way more satisfying results.
Lua is hot garbage for it's most popular application, I really don't get it. Just stop!24 -
By:Miss. Lucia Wright
Punchline : VERY IMPORTANT MESSAGE MY DEAR
Dearest Friend,
My greetings to you in the name of our Lord Jesus Christ. I am sister Lucia Wright I am married to Archdeacon. Collins Wright whom until his death served as an archdeacon in the St. Micheal's archdeacon in Ivory Coast for nine years before he died in the year 2005. We were married for eleven years without a child. My Husband died after a brief illness that lasted for only four days.
Before his death we were both born again Christian. After the death of my Husband I decided not to re-marry or get a child outside my matrimonial home which the Bible is against. When my late husband was alive he deposited the sum of $22. Million in a security and finance company in London for safe keeping.
Presently, my Doctor confirmed to me that I have serious sickness which is cancer problem. The one that disturbs me most is my stroke sickness. Haven known my condition I decided to donate this fund to a church or individual that will utilize this money the way I am going to instruct herein. I want a church that will use this fund for orphanages,helping the widows, propagating the word of God and to endeavor that the house of God is maintained. The Bible made us to understand that? Blessed is the hand that giveth'. I took this decision because I don't have any child that will inherit this money and my husband relatives are not Christians and I don't want my husband's efforts to be used by unbelievers. I don't want a situation where this money will be used in an ungodly way,
this is why I am taking this decision.
I am not afraid of death hence I know where I am going. I know that I am going to be in the bosom of the Lord. Exodus 14 VS 14 says That? the lord will fight my case and I shall hold my peace'. I don't need any telephone communication in this regard because of my health hence the presence of my husband's relatives around me always. I don't want them to know about this development. With God all things are possible.
As soon as I receive your reply I will give you the contact of the security and finance were the amount sum is deposited for you to contact them, I want you and the church to always pray for me because the lord is my shepherd. My happiness is that I lived a life of a worthy Christian. Whoever that Wants to serve the Lord must serve him in spirit and Truth. Please always be prayerful all through your life.
Any delay in your reply will give me room in sourcing another church or individual for this same purpose. Please assure me that you will act accordingly as I Stated herein. Hoping to receive your reply. Due to present condition of my health,I was warned by my doctor to avoid receiving or making any call. For that,I have submitted the information of the deposit to my lawyer, As soon as I hear from you I will forward to you the lawyer's contact.
Remain blessed in the Lord,
Miss. Lucia Wright.
Well ok... If you want me to, I can surely help you out 😈😈😈😈😈6 -
One thing that’s a shocker and frankly very weird for people who have always used Android, is that iPhone doesn’t show any progress notif for anything whatsoever. Like dude.. I want things to happen in background and see progress in notif bar. But no, not in iPhone. You either wait for things to finish in foreground or do it explicitly inside the relevant app.
For example, when you want to send a big video on WhatsApp via Photos, you have to wait on the Photos screen until it’s sent otherwise it fucking fails. Like dude.. wtf?! Why can’t that happen in background?
On top of this, things that can happen in background have so limited processing power to themselves (because iPhone doesn’t like things happening in background; we have already established that though) that they just crawl until done and sometimes fail.
Another thing is that there are no fucking loading indicators. You touch something and then the guessing games starts whether you touched it correctly or not. Like dude.. I know your phone got a superfast processor but sometimes things take time to happen. You gotta give some kind of indication that things are happening ffs!
I know security and all, but dude you gotta give me something! Don’t make me suffer for little things.
Dude.. fuck you!6 -
So this post by @Cyanide had me wondering, what does it take to be a senior developer, and what makes one more senior than the other?
You see, I started at my current company about three or four years ago. It was my first job, and I got it before even having started any real programming education. I'd say that at this point I was beyond doubt a junior. The thing is that the team I joined consisted of me and my colleague, who was only working 50%. Together we built a brand new system which today is the basis on which the company stands on.
Today I'm responsible for a bunch of consultants, handle contact during partnerships with other companies, and lead a lot of development work. I'm basically doing the exact same things as my colleague, and also security and server management. So except for the fact that he's significantly older than me the only things that I can think of that differentiates the seniority in the team are experience and code quality.
In terms of experience a longer life obviously means more opportunities to gather experiences. The thing is that my colleague seems to be very experienced in 10 year old technologies, but the current stuff is not his strong side. That leaves code quality, and if you've ever read my previous rants I think you know what I'm thinking...
So what in the world makes a person senior? If we hired a new colleague now I'm not sure it'd be instantly clear who should guide and teach them.5 -
Have you ever had the moment when you were left speechless because a software system was so fucked up and you just sat there and didn't know how to grasp it? I've seen some pretty bad code, products and services but yesterday I got to the next level.
A little background: I live in Europe and we have GDPR so we are required by law to protect our customer data. We need quite a bit to fulfill our services and it is stored in our ERP system which is developed by another company.
My job is to develop services that interact with that system and they provided me with a REST service to achieve that. Since I know how sensitive that data is, I took extra good care of how I processed the data, stored secrets and so on.
Yesterday, when I was developing a new feature, my first WTF moment happened: I was able to see the passwords of every user - in CLEAR TEXT!!
I sat there and was just shocked: We trust you with our most valuable data and you can't even hash our fuckn passwords?
But that was not the end: After I grabbed a coffee and digested what I just saw, I continued to think: OK, I'm logged in with my user and I have pretty massive rights to the system. Since I now knew all the passwords of my colleagues, I could just try it with a different account and see if that works out too.
I found a nice user "test" (guess the password), logged on to the service and tried the same query again. With the same result. You can guess how mad I was - I immediately changed my password to a pretty hard.
And it didn't even end there because obviously user "test" also had full write access to the system and was probably very happy when I made him admin before deleting him on his own credentials.
It never happened to me - I just sat there and didn't know if I should laugh or cry, I even had a small existential crisis because why the fuck do I put any effort in it when the people who are supposed to put a lot of effort in it don't give a shit?
It took them half a day to fix the security issues but now I have 0 trust in the company and the people working for it.
So why - if it only takes you half a day to do the job you are supposed (and requires by law) to do - would you just not do it? Because I was already mildly annoyed of your 2+ months delay at the initial setup (and had to break my own promises to my boss)?
By sharing this story, I want to encourage everyone to have a little thought on the consequences that bad software can have on your company, your customers and your fellow devs who have to use your services.
I'm not a security guy but I guess every developer should have a basic understanding of security, especially in a GDPR area.2 -
Other team lead: Hi DevOps Team, We need you to deploy this app to production. It's maintainers gave up on it in 2019, but we looked at it and it feels right.
Me: Uhm. That's not going to work. It'll fail the security scan before you can even finish the build in CI.
Other team lead: Yeah, this app is the right thing to do, and we needed it last week, but since that won't work, we'll just use this other very very infant technology that was just born yesterday. It's not stable in production, or on MySQL, or in AWS at all, but it's the other direction we can to go.
Me: What problem are you trying to solve in the first place?
Other team lead: Oh, we need access to the read from the production database.2 -
Fuck stupid managers.
My current agency tried to create a bundle of generic Microservices with the hope of save time and money on future projects. That was two years ago (i was working here from 4 months ago).
What they have now? well, a sort of distributed monolyth were if one service goes down, everything else fails, infinite technical debt, no security policies (yeah, all the apis are open!!!) Business rules on the frontend . . .
And what the stupid manager say? "Everything must be ok because i designed it very well, i research a lot for this"
Stupid boomer.
PD: Yeah, despite the fact he is judt a manager, he take the responsibility to design the full architecture, idk why no one srops him.4 -
Fucking mongodb... the name is really fitting "mongol db"..
I get that a NoSQL db can be very useful but holy crap mongodb is shit..
Even better is the security.. holy shit it's insecure..
"Just use the configuration to only allow 127.0.0.1" stfu that shit apparently doesn't work on fucking centos..
And yes my customer did get hacked
And yes they did blame me
And yes I did have a backup5 -
*leaning back in the story chair*
One night, a long time ago, I was playing computer games with my closest friends through the night. We would meet for a whole weekend extended through some holiday to excessively celebrate our collaborative and competitive gaming skills. In other words we would definitely kick our asses all the time. Laughing at each other for every kill we made and game we won. Crying for every kill received and game lost. A great fun that was.
Sleep level through the first 48 hours was around 0 hours. After some fresh air I thought it would be a very good idea to sit down, taking the time to eventually change all my accounts passwords including the password safe master password. Of course I also had to generate a new key file. You can't be too serious about security these days.
One additional 48 hours, including 13 hours of sleep, some good rounds Call of Duty, Counter Strike and Crashday plus an insane Star Wars Marathon in between later...
I woke up. A tiereing but fun weekend was over again. After I got the usual cereals for breakfast I set down to work on one of my theory magic decks. I opened the browser, navigated to the Web page and opened my password manager. I type in the password as usual.
Error: incorrect password.
I retry about 20 times. Each time getting more and more terrified.
WTF? Did I change my password or what?...
Fuck.
Ffuck fuck fuck FUCKK.
I've reset and now forgotten my master password. I completely lost memory of that moment. I'm screwed.
---
Disclaimer: sure it's in my brain, but it's still data right?
I remembered the situation but until today I can't remember which password I set.
Fun fact. I also could not remember the contents of episode 6 by the time we started the movie although I'd seen the movie about 10 - 15 times up to that point. Just brain afk. -
I've been interested in security for years but despite knowing the theory I've always had this disconnect with actually doing it, about two years ago I finally managed to find and exploit my first cross-site scripting vulnerability in my companies Product whilst doing some routine acceptance testing. It was a penny drop moment for me which has led to some very interesting projects and It was pretty badass.
-
***ILLEGAL***
so its IPL(cricket) season in india, there is a OTT service called hotstar (its like netflix of india), the cricket streams exclusively on hotstar..
so a quick google search reveals literally thousands of emails & passwords, found a pastebin containing 500 emails&passwords ...but those are leaked last year most of passwords are changed & many of them enabled 2FA.. after looking through them we can find some passwords are similar to their emails , some contains birth year like 1975,1997 etc, some passwords end with 123 ..so after trying a few different versions of the passwords like
1) password123 -> password@123, password1234
2) passwordyear -> password@year
2) for passwords similar to emails, we can add 123 ,1234, @ etc
created a quick python script for sending login requests
so after like 30-40 mins of work, i have 7 working accounts
*for those who have basic idea of security practices you can skip this part
lessons learnt
1) enable 2FA
2) use strong passwords, if you change your password , new password should be very different from the old one
there are several thousands of leaked plaintext passwords for services like netflix,spotify, hulu etc, are easily available using simple google search,
after looking through & analysing thousands of them you can find many common passwords , common patterns
they may not be as obvious as password ,password123 but they are easily guessable.
mainly this is because these type of entertainment services are used by the average joe, they dont care about strong passwords, 2FA etc6 -
I used to think our IT Support team is the most insufferable. I'm wrong and very sorry; if you guys are here to forgive me.
On the chart now is the security team.
The head of the security team doesn't simply understand that you can fucking not mix some programming languages in the same execution environment.
He is flipping making arguments on executing Javascript in a Java environment. He simply thinks Java is fucking Javascript. Yeah, I know you can make some drifts with GraalVM; sure not in our use-case.
Cross-Site Scripting has a fucking limit. You can't just pass any piece of code to mixed with a complied code and expect it to execute. Except if I'm wrong then I need someone here to show me how because he couldn't tell me how as he was just cynical in every damn way. moda sucker.4 -
TLDR; Default admin login on WEP encrypted WLAN router for getting free stuff at my hair stylist studio.
Free WLAN in my hair stylist studio: They had their WEP key laying around in the waiting area. Well, I am not very happy with WEP, thought that they never heard of security. Found the default GW address, typed it into my browser and pressed Enter, logged in with admin/1234 and voila, I was root on their ADSL router 😌 Even more annoyed now from such stupidity I decided to tell the manager. All I told him was: You use a default login on your router, you give the WiFi password for free, WEP is very very insecure and can be hacked in seconds, and do you know what criminals will do with your internet access? He really was shocked about that last question, blank horror, got very pale in just one sec. I felt a little bit sorry for my harsh statement, but I think he got the point 😉 Next problem was: he had no clue how to do a proper configuration (he even didn't knew the used ISP username or such things). Telled me that 'his brother' has installed it, and that he will call him as soon as possible. Told him about everything he should reconfigure now, and saw him writing down the stuff on a little post-it.
Well, he then asked me what he can pay me? Told him that I don't want anything, because I would be happy when he changes the security settings and that is pay enough. He still insisted for giving me something, so I agreed on one of a very good and expensive hairwax. Didn't used it once 😁
Some weeks later when I was coming back for another hair cut: Free WLAN, logged in with admin/1234, got access and repeated all I did the last time once more 😎
HOW CAN YOU NOT LEARN FROM FAILS??2 -
whenever i tell my dad about a technology that is going way beyond our imagination and tell him about the consequences of it and how we should worry about that
then he watches some random tv show about internet security/cyber security and various algorithms (very abstract) which are currently changing the world and how we should care about our data and what the consequences of X technology is...
he be like: "oh is that true? that's interesting, how does that work?"
i'm like😑 dad, i already told you about that😩
ever had similar experience?1 -
So for those of you keeping track, I've become a bit of a data munger of late, something that is both interesting and somewhat frustrating.
I work with a variety of enterprise data sources. Those of you who have done enterprise work will know what I mean. Forget lovely Web APIs with proper authentication and JSON fed by well-known open source libraries. No, I've got the output from an AS/400 to deal with (For the youngsters amongst you, AS/400 is a 1980s IBM mainframe-ish operating system that oriiganlly ran on 48-bit computers). I've got EDIFACT to deal with (for the youngsters amongst you: EDIFACT is the 1980s precursor to XML. It's all cryptic codes, + delimited fields and ' delimited lines) and I've got legacy databases to massage into newer formats, all for what is laughably called my "data warehouse".
But of course, the one system that actually gives me serious problems is the most modern one. It's web-based, on internal servers. It's got all the late-naughties buzzowrds in web development, such as AJAX and JQuery. And it now has a "Web Service" interface at the request of the bosses, that I have to use.
The programmers of this system have based it on that very well-known database: Intersystems Caché. This is an Object Database, and doesn't have an SQL driver by default, so I'm basically required to use this "Web Service".
Let's put aside the poor security. I basically pass a hard-coded human readable string as password in a password field in the GET parameters. This is a step up from no security, to be fair, though not much.
It's the fact that the thing lies. All the files it spits out start with that fateful string: '<?xml version="1.0" encoding="ISO-8859-1"?>' and it lies.
It's all UTF-8, which has made some of my parsers choke, when they're expecting latin-1.
But no, the real lie is the fact that IT IS NOT WELL-FORMED XML. Let alone Valid.
THERE IS NO ROOT ELEMENT!
So now, I have to waste my time writing a proxy for this "web service" that rewrites the XML encoding string on these files, and adds a root element, just so I can spit it at an XML parser. This means added infrastructure for my data munging, and more potential bugs introduced or points of failure.
Let's just say that the developers of this system don't really cope with people wanting to integrate with them. It's amazing that they manage to integrate with third parties at all...2 -
Ibwish I had remembered this when the weekly theme was office pranks.
In the first or second year of high school we covered basic internet security. Stuff like don't follow suspicious urls, don't open suspicious emails and such.
Our teacher let us play around with some sort of simulated desktop environment, where we could execute some hacks like ad popups and such on each other's environment, if we fell for the trap.
Anyways, one hack I found interesting was a hack, that lockes a user out of their virual desktop, until he enters a password, that will be displayed on his environment.
Yes, a very interesting hack, because it contains two obvious yet major design flaws, which I could exploit 😈
1. It's case sensitive
In itself not a problem, but combined with #2, it's fatal.
2. "IlIlllIlI"
Depending on your font, you probably have no idea what exactly I just typed.
Let's just say, the font displayed uppercase i and lowercase L completely undifferentiable.
Guess whom I let suffer.
It was our teacher, who had to demonstrate us some things and who was connected to the same network.
I swear, nothing beats that feeling when your tearcher has go come to you and embarrassingly ask you to "unhack" them, because they can't type it 😂1 -
Because I am very interested in cyber security and plan on doing my masters in it security I always try to stay up to date with the latest news and tools. However sometimes its a good idea to ask similar-minded people on how they approach these things, - and maybe I can learn a couple of things. So maybe people like @linuxxx have some advice :D Let's discuss :D
1) What's your goto OS? I currently use Antergos x64 and a Win10 Dualboot. Most likely you guys will recommend Linux, but if so what ditro, and why? I know that people like Snowden use QubesOS. What makes it much better then other distro? Would you use it for everyday tasks or is it overkill? What about Kali or Parrot-OS?
2) Your go-to privacy/security tools? Personally, I am always conencted to a VPN with openvpn (Killswitch on). In my browser (Firefox) I use UBlock and HttpsEverywhere. Used NoScript for a while but had more trouble then actual use with it (blocked too much). Search engine is DDG. All of my data is stored in VeraCrypt containers, so even if the system is compromised nobody is able to access any private data. Passwords are stored in KeePass. What other tools would you recommend?
3) What websites are you browsing for competent news reports in the it security scene? What websites can you recommend to find academic writeups/white papers about certain topics?
4) Google. Yeah a hate-love relationship, but its hard to completely avoid it. I do actually have a Google-Home device (dont kill me), which I use for calender entries, timers, alarms, reminders, and weather updates as well as IOT stuff such as turning my LED lights on and off. I wouldn"t mind switching to an open source solution which is equally good, however so far I couldnt find anything that would a good option. Suggestions?
5) What actions do you take to secure your phone and prevent things such as being tracked/spyed? Personally so far I havent really done much except for installing AdAway on my rooted device aswell as the same Firefox plugins I use on my desktop PC.
6) Are there ways to create mirror images of my entire linux system? Every now and then stuff breaks, that is tedious to fix and reinstalling the system takes a couple of hours. I remember from Windows that software such as Acronis or Paragon can create a full image of your system that you can backup and restore at any point to get a stable, healthy system back (without the need to install everything by hand).
7) Would you encrypt the boot partition of your system, even tho all data is already stored in encrypted containers?
8) Any other advice you can give :P ?12 -
Do you have any annoying you want to get rid off, but you can't because of reasons?
I do. They are 4, but for now I'll talk about the gold medal winner.
When we met about 8-9 ago, she had just come back to town due to some very bad personal experience (not her fault). Anyway, she is polite, but her major flaw is that she is pushy. REAL BAD! And she gets mad when other people (including me) try to do it on her. Another one is having calls during random inappropriate times, because she had fight #N with her boyfriend, and last but not least, she will call when needs something out of someone.
Lately, her project is finding us a job, since we're both unemployed. Any job. The sad part is when she sends me job ads for dev jobs I don't qualify, e.g. Company X is looking for a dev with Y year of experience, knowing A, B, C & D technologies. I've told her that I don't qualify for most of the dev jobs she sends me, but she insists I should send my CV anyway, cause of reasons. Also, for some reason, I should be accounted to her for all my current choices when what I would honestly say is "BUG OFF".
Her latest endeavour is getting me one of her friends (a psychologist) as a "client". Her friend wants to have a professional website with writing posts/articles as a side dish. I'm not registered as a freelancer, so everything will be done under the counter, and her friend is OK with that. I'm no web developer, but I didn't refuse because of her backlash and also that would be a positive experience for me. Now, the juicy part. She gave her my phone number without my permission and she told me straight away. Her plan was having the three of us meet, though I don't know why and I didn't want her being around. I asked her to call me immediately, which it didn't happen. After being pestered by my friend for a couple of weeks if her friend called me, she finally did it on Monday. She didn't say to me anything I didn't know, but at least I have her phone now.
What I can offer her is a website skeleton with the usabilities she's asking. What I can't offer her is graphics/banner and security. And now I have to come up with reasonable price. Teams here ask 400-600€ for a complete website the way she asks, including VAT. I'm thinking around 100€ and I don't know when I can deliver the project. I've had some experience with Ruby and Sinatra, so I'll go with that, and I'll learn CSS along the way.
Thanks for reading till the end! 😃4 -
Companies really need to re-evaluate what they ask as security questions.
If I know your name and your approximate date of birth (to the month) then, here in the UK at least, I have a very good chance of being able to find out your parents names, your mother's maiden name, your address, your parents address (i.e. probably where you grew up and what school you went to), your parents ages, when they got married, etc. - and all from publicly available info, not illegal crap you find on Tor or social media stalking.
This isn't hard to find if you know where to look - the problem is that people think that it's all private, and behave as such - and companies encourage it. The typical "internet safety courses" don't even touch on it, and even more tech savvy people I know often don't have a clue this is possible.2 -
FUCKING CHINESE SUPOSED IP CAMERAS...
First, they aren't Ip cameras, they are p2p cameras with different settings and more limited...
then took me 3 days to open 5 ports for 2 cameras, config the cameras, till they work.
YEY they finally work, can see them over the Internet (no default settings, even changed the Alias), have my Ip camera viewer on the Phone... but one doesn't activate on moviment.. in this 3 days only took 2 pictures with motion detection on and people passing in front of them... the other was working for like 5 minutes... giving black and white 7kb jpgs... after a few teeks... can't make it work again.
Now I have two cameras that I can see if my house is being robbed but no motion detection to warm me, or at least save some pictures on the server to serve as evidence (and maby finally get the team that is robbing one house a day, If they try to rob my house again...).
The cameras are very good as baby monitors or to play around, for 14$ and 20$... (love the 360º ball) , but as security cameras... Unless you have them connected to a security station and with a repeater close by... worthless...
Oh, and they may give me 1 good frame a second or lag to 10+seconds a frame...6 -
Honestly, school is useless for me as of right now. I know I should be well rounded and stuff, but do I honestly need to know the symptoms of cervix cancer while going into a tech career? My eyes have been set on tech for my whole life, ever since I left the womb, and I know that if I do switch careers, it'll be from comp sci to cyber security not from IT to med school...
I feel like I could really be devoting my time towards something better than writing a 5 page essay on a healthy food choice.
Every night I think to myself, "You know what, I'm going to lock myself in a room and write bash scripts all day" but then I wake up in the morning, and remember I have to take a quiz on reproductive systems, learn about the procedure of organ donations for driver's ed, write 2 paragraph definitions of vocab words, and read a book about communism.
The most useful thing I learned last year, was how to efficiently navigate the java API, and that's something you don't even learn, you just encounter it. Schools need to start having more specific specialties and stop enforcing knowledge of pointless topics.
I'm not saying to remove all core classes and stuff, I'm saying why waste space in our brains with something we won't use ever again? I get it, some people don't know what career they're looking for yet so you can't make them choose, but it honestly sucks some serious ass that I can't learn what I want to at school, and as a matter of fact, I can't even learn at home, because they're filling my schedule with pointless work because they feel that they have to fill our time somehow.
Point of this long ass rant is: Why lock yourself in a room and learn about something if it isn't something you want to learn about? The space in our brain is finite enough, why can't it be filled with things we're interested in rather than things that will only be used to get good grades in the future then overwritten with useful knowledge. Same thing with time. We have a very finite amount of time in a day, and now that I think of it, a lifetime. Why spend it on something that doesn't, and never will, make your life enjoyable?7 -
(Warning: This rant includes nonsense, nightposting, unstructured thoughts, a dissenting opinion, and a purposeless, stupid joke in the beginning. Reader discretion is advised.)
honestly the whole "ARM solves every x86 problem!" thing doesn't seem to work out in my head:
- Not all ARM chips are the same, nor are they perfectly compatible with each other. This could lead to issues for consumers, for developers or both. There are toolchains that work with almost all of them... though endianness is still an issue, and you KNOW there's not gonna be an enforced standard. (These toolchains also don't do the best job on optimization.)
- ARM has a lot of interesting features. Not a lot of them have been rigorously checked for security, as they aren't as common as x86 CPUs. That's a nightmare on its own.
- ARM or Thumb? I can already see some large company is going to INSIST AND ENFORCE everything used internally to 100% be a specific mode for some bullshit reason. That's already not fun on a higher level, i.e. what software can be used for dev work, etc.
- Backwards compatibility. Most companies either over-embrace change and nothing is guaranteed to work at any given time, or become so set in their ways they're still pulling Amigas and 386 machines out of their teeth to this day. The latter seems to be a larger portion of companies from what I see when people have issues working with said company, so x86 carryover is going to be required that is both relatively flawless AND fairly fast, which isn't really doable.
- The awkward adjustment period. Dear fuck, if you thought early UEFI and GPT implementations were rough, how do you think changing the hardware model will go? We don't even have a standard for the new model yet! What will we keep? What will we replace? What ARM version will we use? All the hardware we use is so dependent on knowing exactly what other hardware will do that changing out the processor has a high likelihood of not being enough.
I'm just waiting for another clusterfuck of multiple non-standard branching sets of PCs to happen over this. I know it has a decent chance of happening, we can't follow standards very well even now, and it's been 30+ years since they were widely accepted.5 -
Cant believe this shit happened in my country today
A mass school shooting where a 13 year old kid shot and killed 9 kids, teachers and a security guard. Several other kids wounded and one girl having brain surgery
All of this because he got an F in history class
He was a quiet kid, well behaved, got straight A's and very intelligent. But he was reportedly bullied and no one did shit about it
This the type of shit you see in america daily. But now Serbia marks #1 country in europe with a school shooting
The kid planned all of this attack for 1 whole month. He drew a sketch on the paper of the school's pathway so he can know where to go, from enter door to exit door. Even wrote the names of kids he planned to kill, sorted from high to low priority
Due to Serbia's law, no one under 14 will be held accountable or go to jail for any crime, and this 13 year old kid was so intelligent of knowing this dumbass law that he executed on this plan Now in May because he turns 14 in July this year
Ironically, his dad was a well known doctor, and now the dad is fucked. Dad's gonna go to jail. Because the kid stole his dad's gun with 5-6 clips of magazine
Very bizarre21 -
just found out a vulnerability in the website of the 3rd best high school in my country.
TL;DR: they had burried in some folders a c99 shell.
i am a begginer html/sql/php guy and really was looking into learning a bit here and there about them because i really like problem solving and found out ctfs mainly focus on this part of programming. i am a c++ programmer which does school contest like programming problems and i really enjoy them.
now back on topic.
with this urge to learn more web programming i said to myself what other method to learn better than real life sites! so i did just that. i first checked my school site. right click. inspect element. it seemed the site was made with wordpress. after looking more into the html code for the site i concluded all the images and files i could see on the site were from a folder on the server named 'wp-content/uploads'. i checked the folder. and here it got interesting. i did a get request on the site. saw the details. then i checked the site. bingo! there are 3 folders named '2017', '2018', '2019'. i said to myself: 'i am god.'
i could literally see all the announcements they have made from 2017-2019. and they were organised by month!!! my curiosity to see everything got me to the final destination.
with this adrenaline i thought about another site. in my city i have the 3rd most acclaimed high school in the country. what about checking their security?
so i typed the web address. looked around. again, right click, inspect element and looked around the source code. this time i was more lucky. this site is handmade!!! i was soooo happy because with my school's site i was restricted with what they have made with wordpress and i don't have much experience with it.
amd so i began looking what request the site made for the logos and other links. it seemed all the other links on the site were with this format: www.site.com/index.php?home. and i was very confused and still am. is this referencing some part of the site in the index.php file? is the whole site written inside the index.php file and with the question mark you just get to a part of the site? i don't really get it.
so nothing interesting inside the networking tab, just some stylesheets for the site's design i guess. i switched to the debugger tab and holy moly!! yes, it had that tree structure. very familiar. just like a project inside codeblocks or something familiar with it. and then it clicked me. there was the index.php file! and there was another folder from which i've seen nothing from the network tab. i finally got a lead!! i returned in the network tab, did a request to see the spgm folder and boooom a site appeared and i saw some files and folders from 2016. there was a spgm.js file and a spgm.php file. there was a contrib, flavors, gal and lang folders. then it once again clicked me! the lang folder was las updated this year in february. so i checked the folder and there were some files named lang with the extension named after their language and these files were last updated in 2016 so i left them alone. but there was this little snitch, this little 650K file named after the name of the school's site with the extension '.php' aaaaand it was last modified this year!!!! i was so excited! i thought i found a secret and different design of the site or something completely else! i clicked it and at first i was scared there was this black/red theme going on my screen and something was a little odd. there were no school announcements or event, nononoooo. this was still a tree structured view. at the top of the site it's written '!c99Shell v. 1.0...'
this was a big nono. i saw i could acces all kinds of folders. then i switched to the normal school website and tried to access a folder i have seen named userfiles and got a 403 forbidden error. wopsie. i then switched to the c99 shell website and tried to access the userfiles folder and my boy showed all of its contents. it was nakeeed naked. like very naked. and in the userfiles folder there were all, but i mean ALL files and folders they have on the server. there were a file with the salary of each job available in the school. some announcements. there was a list with all the students which failed classes. there were folders for contests they held. it was an absolute mess and i couldn't believe it.
i stopped and looked at the monitor. what have i done? just to learn some web programming i just leaked the server of the 3rd most famous high school in my country. image a black hat which would have seriously caused more damage. currently i am writing an email to the school to updrage their security because it is reaaaaly bad.
and the journy didn't end here. i 'hacked' the site 2 days ago and just now i thought about writing an email to the school. after i found i could access the WHOLE server i searched for the real attacker so if you want to knkw how this one went let me know in the comments.
sorry for the long post, but couldn't held it anymore13 -
Pentesting for undisclosed company. Let's call them X as to not get us into trouble.
We are students and are doing our first pentest at an actual company instead of assignments at school. So we're very anxious. But today was a good day.
We found some servers with open ports so we checked a few of them out. I had a set of them with a bunch of open ports like ftp and... 8080. Time to check this out.
"please install flash player"... Security risk 1 found!
System seemed to be some monitoring system. Trying to log in using admin admin... Fucking works. Group loses it cause the company was being all high and mighty about being secure af. Other shit is pretty tight though.
Able to see logs, change password, add new superuser, do some searches for USERS_LOGGEDIN_TODAY! I shit you not, the system even had SUGGESTIONS for usernames to search for. One of which had something to do with sftp and auth keys. Unfortunatly every search gave a SQL syntax error. Used sniffing tools to maybe intercept message so we could do some queries of our own but nothing. Query is probably not issued from the local machine.
Tried to decompile the flash file but no luck. Only for some weird lines and a few function names I presume. But decompressing it and opening it in a text editor allowed me to see and search text. No GET or POST found. No SQL queries or name checks or anything we could think of.
That's all I could do for today. So we'll have to think of stuff for next week. We've already planned xss so maybe we can do that on this server as well.
We also found some older network printers with open telnet. Servers with a specific SQL variant with a potential exploit to execute terminal commands and some ftp and smb servers we need to check out next week.
Hella excited about this!
If you guys have any suggestions let us know. We are utter noobs when it comes to this.6 -
Deciding whether to stick to being a web developer, or switch to something else
(thinking more like rocket software, or something with security (but maybe sticking with web), or some other cool sh#t
I don't know yet, what I do know is even when I'm creating an erp system, I find it very unsatisfying
"I helped create the software on that rocket"
Or
"that hospital uses the system I've helped to create"
Sounds a lot more satisfying than,
"that company uses my 'warehouse resources manager'/'webshop'/'planning system'
But then again I don't know, I now have a stable job, know what to do and know the language we use.1 -
Does someone know a site where i can get professional level help/guides/tutorials with system architecture questions? Like best practices for implementing common features? (Something like stackoverflow but where u actually get an answer instead of insults)
Googling for tutorials gives very basic/demo level results that might not be great for scale/security in prod env6 -
Salesforce lightning web components have such bullshit limitations that they claim is because of security but it's just because it's overengineered garbage.
Want to use web components? Nope.
Want to pass in a value to a function in a click listener expression? Nope.
Want to use scss? Nope, compile it to css yourself.
Want to use the fucking document object? Guess what it's overridden except for very specific third party frameworks.
Who in the fuck thought it was a good idea to override the document object? Your app isn't more secure, literally the entire internet uses the document object and it still becomes available in runtime anyway so what the fuck??
LWC is the biggest garbage I've ever seen, you know a framework's a big red flag when there are developers solely for the framework.
There is a new security release coming out that apparently removes some of these nuances (understatement) so there might be some light at the end of the tunnel.4 -
A very suspicious thing happened at work last Friday, security team told me to uninstall adblockplus and disconnect.me plugin 😟5
-
At the beginning of the last year of university a new flatmate arrived. His father dropped him at the apartment and then called me asking for the Wi-Fi password.
I told him I could not remember it on the spot and I would tell it to his son later.
I actually remembered it very well and I could say I didn’t tell him because of security reasons …
Actually I was embarrassed to say on phone: “PubesRule!”
The password was actually decided by a previous flatmate…😅3 -
!rant
I'm a computer engineering student.
I'm very much interested in Systems and networking.
That's why I was thinking of persuing cyber-security as a career option.
But I'm not quite sure if that is a good choice.
Also I don't know how to proceed in order to achieve excellence in cyber-security.
It would be a great help if you guys could help me.
Thanks :)20 -
I think the fact that even Apple can't unlock your phone if you forget your passcode proves that they use very naive encryption method.
Suppose my data is "Hey This is Some Data" and Passcode is 1234, I could just Jumble this data using that passcode and It will be difficult to decrypt without Passcode. And If data is huge, it will be fairly impossible to do so. But that doesn't make it a good encryption method.
Such encryption, though safe is not practical, Imagine if there was no "Forget Password" Option on any account, I usually forgot my password very often when I was a child.
Apple has been doing such things for years, Using Bad things as a selling point. Apple users are dumb anyways because they don't want to control their phone.
Reset Password is a weak point which might be exploited but in such cases, usability is more important than security. Any service which doesn't allow resetting Password is a shitty service and I would never use such a service, They are too naive.696 -
Hey fellas, especially you security nerds.
I've had asymmetric encryption explained to me a number of times but I can't get a handle on it because no example actually talks in human terms. They always say "two enormous prime numbers", which I understand, but I can't conceptualize.
Can someone walk me through an entire process, showing your math & work, using some very small, single- or double-digit primes? Such as if I were to encrypt the text "hello world" using prime numbers like 3, 5, and 710 -
I really don't understand this particular Government Department's IT Unit. They have a system and network to maintain except:
- They don't have a DBA
- They don't have a dedicated Network Engineer or Security Staff
- Zero documentation on all of the systems that they are taking care of (its all in each assigned particular staff's brain they said)
- Unsure and untested way of restoring a backup into a system
- Server passwords are too simple and only one person was holding this whole time and its to an Administrator account. No individual user account.
- System was developed by an in-house developer who is now retired and left very little documentation on its usage but nothing on how its setup.
But, the system has been up and operational for the past 20 years and no major issues whatsoever with the users using it. I mean its a super simple system setup from the looks of it.
1 App Server connected to 1 DB Server, to serve 20-30 users. But it contains millions of records (2GB worth of data dump). I'm trying to swing to them to get me on a part time work to fix these gaps.
God save them for another 20 years.3 -
In the spirit of week93:
If you haven’t read/heard about the attack on HB Gary Federal (a computer security company) in 2011 and you want a good read about a DDOS attack, social engineering, espionage, and the “infiltration of Anonymous” by a very punchable CEO you should check out this article:
https://arstechnica.com/tech-policy...
And the follow up by Anonymous:
https://arstechnica.com/tech-policy...1 -
My org (of which i'm basically CTO) has this administrative tool that a team uses to combat spam and scams, which is quite the problem for us.. the tool was written like 9 years ago, by my predecessor, very quick & dirty and unaesthetic and without input from those who would use it as far as interface or UX... it got modded a little a few years later by a kind of amateur coder who was at the time on the spam control team, and now there's this new maybe slightly less amateur coder guy on the team who has written this amateur tool that scrapes data off our site and massages it and stores it on his own server and then provides a better interface, or so they say.... this is all because for a couple of years people didnt want to "bother me" with a request to improve our internal tool, they thought I was "too busy" doing other things... so instead this outsider has built this stupid thing that lives on his own personal server and so now we have these problems to do with performance, security, privacy for user info, etc etc... someone please shoot me....1
-
Sus!
yesterday I bought a cool domain in namecheap, I was very lucky to find short and good one for my case.
Today (at weekends!!!!) I receive a letter:
>Hello **redacted name**,
>
>We are contacting you from the Namecheap Risk Management Team regarding your '**redacted name account**' account.
>
>Unfortunately, your Namecheap account was flagged by our fraud screening system as requiring verification and was locked.
>
>Please follow the instructions below to get your account verified:
>
>- take a color photo of the credit card used for the payment at **redacted link**
>
>Please make sure all of the edges of the credit card are visible, and that we can clearly see the card holder's name, expiration, and last four digits of the card number. The screenshots or images of the card cannot be accepted for verification. >If the submission does not meet these requirements, we can either request to submit the details again or permanently suspend your account.
>
>- provide a valid phone number and the best time to call you (within normal business hours, US Pacific time).
>
>If we do not hear back from you within 24 hours, we will be forced to cancel your orders.
>
>We apologize for any inconvenience that may result from this process. This extra verification is done for your security and to ensure that orders are legitimate. This industry, unfortunately, has a high rate of fraudulent orders, and this sort of >verification helps us drastically reduce fraud and ensure our customers remain secure. Such documents are used for verification only and are not provided to third parties in any way. Account verification is a one-time procedure, after your account >is verified, you will never face this issue again.
>
>Looking forward to your reply.
>
>---------------
>Dmitriy K.
>Risk Management
> Namecheap, Inc.
what if I did not notice it in 24 hours? It is the weekend for god's sake! People usually rest until monday.
They would what, cancel order and scalpel it to super high price?!
I have some doubts if the request is trully having anti fraudulent origins.
What if I used digital visa card? How was I supposed to photo it?
And the service they provided for photoing accepts only photos from web camera. I was lucky that I bought recently web camera with high enough amount of pixel power and manual focus. What if I did not?
That's all really SUS!
The person can not notice the letter within 24 hours time frame until the morning, when it would be already too late.10 -
Under the guise of being security conscious, our section had a informal "doughnut charter" whereby if you leave your computer unlocked and someone managed to send an email to the section (cc'ing you) shouting everyone doughnuts then you must comply with the "promise". I was referred to at the time as the "god of email" and everyone knew not to do it to me or I would retaliate. This is because it happened once before. In that case, I set up a secure hidden rule in the person's email so that if they received a doughnut email they would automatically send a doughnut email from them... this also meant it was possible to trigger it at any time. They quickly begged for it to be removed. From then on, no dared touch my unlocked computer. When we got a new boss he was informed of the charter and was repeatedly warned not to 'doughnut' me but one day he ignored the warnings. In his case I set up a rule so that if he sent any email, he also sent out a doughnut email as well. Over the next four days he sent sooo many doughnut emails... He went from happy, to frustrated, to angry and then simply desperate. No one dared tell him I was my doing... He eventually came out of his office and begged for it to stop... Seeing his desperation, I stopped it. He was very appreciative but never put two-and-two together (that his actions caused it). He didn't find out till three months later that I was the one who did it to him. That was the second and last time I was ever doughnut'd.
-
TLDR; WINE+me=system binaries gone. (HOWTHEFUCKDIDIDOTHAT) Kernel panic. Core program files gone. I'll never have it fixed right. Will backup, then install fedora tomorrow.
I really like games and I'm sure there are many of you who can relate. Imagine my perpetual pain, being on the job hunt, no money, and only my Linux laptop for games. (It's only Linux because of a stupid accident and a missing windows installation disk, partly explained in a previous rant). My stack of games my dad and I have played over the years, going back to populous and before, looked light enough for my laptop to run them smoothly. I wanted to see if I could get one to work. My eyes settled on simcity 4 and Sid Meier's railroad tycoon, 13 and 10 years old, respectively. Simcity didn't work as many times as I tried following online instructions. Disk 1 went fine. Disk 2 showed up as Disk 1. Didn't think much of it, so long as the computer could read the contents. I downloaded playonlinux as that could apparently do the complex stuff for me. Didn't work. I gave up with it after an hour and a half.
Next was railroads. Put the disk in aaaand it says SimCity disk 1 is in the tray. Fuck right off, thank you very much. Eject, put back, reject, eject, fiddle in wineconfig, eject, more of this, and voilà it read as railroads :) Ran autoplay.exe with wine, followed instructions, installed it, and it worked! Chose single player, then the map and setting, pressed play, and all the models of the buildings and track were floating in the air over a green plane, the UI is weird and the map doesn't represent anything but trains. All the fkin land is gone, laying track is gonna be a ballache.
I quit it and decided bedtime.
Ctrl+alt+t
sudo shutdown -h now
shutdown not found.
sudo reboot
reboot not found
Que?
Nope, I don't like this.
Force choked my laptop by the power button. Turned it on again.
Lines of text appear.
Saw a phrase I've only ever seen on Mr Robot.
Kernel panic.
Nooooo thanks, not today, this is fiction.
I turned it off and on. Same thing. I read the logs and some init files couldn't be found. I got the memory stick I used to install mint in the first place and booted from that. I checked the difference between my stick's bin and sbin and the laptop's, and it was indeed missing binaries. Fuck knows what else has happened, I only wanted to play games but now I don't know what is or isn't in my computer. How can I trust what's on it now?
I go downstairs and tell my dad. He says something about rpm, but this is Linux so it won't work. I learn that binaries can be copied over, so maybe I can fix it.
Go upstairs again, decide not to fix it. Fedora is light, has a good rep for security, and is even more difficult to get games on, which is my vice. There are more reasons, but the overriding one is that I'm spooked by the fact that something I did went into and removed system binaries, maybe even altered others, so I want something I'm less likely to do that with. Also my fellow cs students used to hate on it but my dad uses and recommended it so I want to try it.
Also, seriously, fuck wine/PlayOnLinux/my inability to follow instructions(?)/whatever demons haunt me. Take your pick, at least one if not more is to blame and I can't tell which, but it's prooooobably the third one.
It's going to be 16 hours before I touch my laptop again, comments before I backup then install fedora are welcome, especially if they persuade me to do differently.
P.S thanks for reading this mind dump of a post, I'm writing while it's fresh but I'm tired AF.6 -
I used to be a big security guy, not allowing stuff like most of the social media, not bringing my phone anywhere, carrying a RPi tablet for privacy reasons. Very Stallman stuff.
Recently I noticed that I don't care so much.. I see these things as opportunities, for instance Microsoft products could be benefitial for job opportunities, I have some workout sessions on my phone.
I could restrict myself... but is it worth it just to decline some capitalist/politician's row in a dataset for analysis?
But then again I feel as a society I think we should either do this or request this data to be distributed to us as well.
Should you be playing a game of cards, when the enemy can see your hand? What do u think?4 -
Much like traditional engineering I can see software engineering suddenly becoming very very regulated around the world. Different systems safety bodies will open up for things like embedded systems development where their is a risk of harm, mandatory security standards will be put in place etc.
Enjoy the cowboy days ladies/gents/others regulatory bodies are on their way!4 -
I am going to rant about this being the exam week, it being hot as hell, and us having had a messed up semester study-wise... And I still managed to do good-ish in subjects somehow... Good as in, relatively good. I am no 4.0 GPA person by any means and could never be one if I studied only (if that's even realistic at all). Recently I applied to a job at Andersen Lab for a Trainee position. Got turned down because I lack experience. A TRAINEE POSITION. I could retake the interview but I feel weird with how I got rated a whole level lower than my IELTS score and two levels lower than my score at Epam (which is the more recent one!) and the questions were mostly so easy I could answer while half asleep. Just yeah. Also, while I understand the whole knowledge required thing... I don't get the need for THREE whole interviews only to then proceed to turn me down. I am continuously applying and still seeing no results. If I'm "lucky", I guess, I will get training from a bank. And then get employed there... Mentally doing very bad right now, just barely wanting to MOVE. Which is basically me being this close to giving up. Today's exam is in Linux Security and I swear, this was such a waste of a good sounding subject... Imagine, I could have learnt how to set up a server at home and all that but instead we did... The more basic stuff in Linux. And for the whole semester outside of two or three cases I was the only one in attendance. Anyways, I have been feeling like I just can't program anymore and stuff... Even though we did a Python subject this semester. And in that subject I just felt like we were going way too quickly considering a lot of the students there come from non-IT or close to that background...
I may need to put effort into learning 3D Environmental art, I have this feeling I would like doing that as a job in game dev. Oh, and I also wanna design this house that I have in mind for me. It's shaped like an Amanita Muscaria and instead of the white dots it has windows that are round, as well as a spiral staircase connecting the lower and upper floors. Need to figure out how to model that in something like AutoCAD (I have a bit of experience with it and that's why I'd like to try there... But I may have to learn other programs to do it for free), but it will take me a long time to execute since I am not the most organised in how I learn...
Anyways, I will only sporadically be there, so I may not see things here. I am somewhat busy with exams and then this NGO I recently became a founding member of (and I have to say, I kinda don't wanna be there, but there are things that have to be done). Also filling the documents for a Canadian visitor's visa to go finally see the family over there and all that. But the latter will probably not happen until next year...
Finally, I am wishing you all a sound mental health and happiness. I hope you do well in whatever you are doing at the moment or are planning to. Until next time!3 -
I don't care about market cap. Stick your hype-driven business practices up your ass. Infinite growth doesn't exist. I won't read your fucking books and attend your fucking bootcamps and MBAs. You don't have a business model. Selling data is not a business model. Fuck your quick-flip venture capital schemes, and especially fuck your “ethics”.
I will be the first alt-tech CEO. I only care about revenue. The real money, not capitalization bubble vaporware. You don't need a huge fleet of engineers if you're smart about your technology, know how to do architecture, and you're not a feature creep. You don't need venture capital if you don't need a huge fleet of engineers. You don't need to sell data if you don't need venture capital. See? See the pattern here?
My experience allows me to build products on entirely my own. I am fully aware of the limitations of being alone, and they only inspire lean thinking and great architectural decisions. If you know throwing capacity at a problem is not an option, you start thinking differently. And if you don't need to hire anyone, it is very easy to turn a profit and make it sustainable.
If you don't follow the path of tech vaporware, you won't have the problems of tech vaporware, namely distrust of your user base, shitty updates that break everything, and of course “oops, they raised capital, time to leave before things go south”.
A friend of mine went the path I'm talking about, developed a product over the course of four years all alone, reached $10k MRR and sold for $0.8M. But I won't sell. I only care about revenue. If I get to $10k MRR, I will most likely stop doing new features and focus on fixing all the bugs there are and improving performance. This and security patches. Maybe an occasional facelift. That's it. Some products are valued because they don't change, like Sublime Text. The utility tool you can rely on. This is my scheme, this is what I want to do in life. A best-kept secret.
Imagine 100 million users that hate my product but use it because there are no alternatives, 100 people in data enrichment department alone, a billion dollars of evaluation (without being profitable), 10 million twitter followers, and ten VC firms telling me what to do and what data to sell.
Fuck that. I'd rather have one thousand loyal customers and $10k MRR. I'm different, some call it a mental illness, but the bottom line is, my goals are beyond their understanding. They call me crazy. I won't say it was never about the money, of course it was, but inflating your evaluation is not “money”. But the only thing they have is their terrible hustle culture lives and some VC street wisdom, meanwhile I HAVE products, it is on record on my PH. I have POTDs, I have a fucking Golden Kitty nomination on health and fitness for a product I made in one day. Fuck you.7 -
So first time here seems awesome I'm an aspiring cyber security expert I know very basic c++ and I'm looking for people to talk to about what I should be doing5
-
Friend: I have a idea that will make us millions!
Me: okay, what is it?
Friend: oh its very simple, what I need you to do is build a payment gateway that supports X billing platforms, Y security protocols, crash proof, blah blah blah... Should be done in a week right?1 -
Cybersecurity firm Sophos announced that it has open-sourced the Sandboxie Windows sandbox-based isolation utility. According to the reports of Bleeping Computer: Sandboxie was developed by Ronen Tzur and released on June 26, 2004, as a simple utility to help run Internet Explorer within a secure and isolated sandbox environment. Later, Tzur upgraded Sandboxie to also support sandboxing any other Windows applications that required a secure virtual sandbox.
Sophos Director of Product Marketing Seth Geftic said "We are thrilled to give the code to the community. The Sandboxie tool has been built on many years highly-skilled developer work and is an example of how to integrate with Windows at a very low level. The Sandboxie user base represents some of the most passionate, forward-thinking, and knowledgeable members of the security community, and we hope this announcement will spawn a fresh wave of ideas and use cases."
You can download Sandboxie and its source code here.
https://www.sandboxie.com/1 -
Few years ago I was asked to give advice on a project. There was an intern doing all the work and I even gave him almost ready code to use. And he didn't use it even properly.
And best part is that they thought at the time that it would be finished in couple of months.
After few months I took over and had to deal with the "intern code". Almost all of the code is rewritten.
Status of the project is now very good. We are implementing new features and it has even passed strict security audit done by other company.
Sadly I can't drop any names etc due to NDA.4 -
Mozilla has announced plans to remove support for the FTP protocol from Firefox. Users won't be able to download files via the FTP protocol and view the content of FTP folders inside the Firefox browser.
According to the report of ZDNet: Michal Novotny, a software engineer at the Mozilla Corporation said "We're doing this for security reasons, FTP is an insecure protocol and there are no reasons to prefer it over HTTPS for downloading resources. Also, a part of the FTP code is very old, unsafe and hard to maintain and we found a lot of security bugs in it in the past." Novotny says Mozilla plans to disable support for the FTP protocol with the release of Firefox 77, scheduled for release in June this year.
Users will still be able to view and download files via FTP, but they'll have to re-enable FTP support via a preference inside the about:config page.13 -
Jesus christ I need my VP and CIO to get their hands out of Azure and GCP and just let me work.
Yes, governance and security and IAM are big deals. That's why you have infraops people like me to deal with that.
I'm literally working with one hand tied behind my back because just about every button press or CLI command I need to do my damn job as a professional cloud fluffer requires me to go bother an executive and ask permission to pretty please can I deploy a new container, can you go press the shiny button? No not that one, move your mouse up...up..now UP..ok over lef-no..can I have mouse control? Sigh fine, do you see where it says "Approvers", no that says "Release Pipeline"
Look I actually kinda like this job, I do, in as much as when I have something to do I get left the fuck alone to do it. Meetings are minimal, aside from the odd days when one of our app services decides to yeet itself into the river Styx, there's little distractions.
Yeah, developers do dumb shit but that's probably best left to the notion of job security and never talked about again less they go to HR and complain that the ops guy was very stern and direct and made the developer take some accountability for their work product.
AND YET
It's so intergalactically stupid that I have to go ask permission just to do ops tasks by the same people barging down my goddamn door asking why the ops task isn't done yet.
"Because you won't give me permissions in GCP to actually DO anything".
Okay. Rant over. Time for lunch. Good meeting, see you all at the holiday party.2 -
My company has a board on Blind (semi-anonymous social network for corporate employees). We're a startup and have had two layoffs in the past two years, with very few pay increases.
I voiced my thoughts about the future of the company. We're pulling in a lot of revenue (millions a month) but still have a crazy amount of costs.
Someone responded that a bunch of our revenue ops people left for other companies. Another person replied the director that left had a good opportunity, thought we'd get another round of funding and that the company has had some purchase offers (with valuation being the big sticking point).
If it's true, it should feel like some job security. I can't help but also wonder if anon is lying so people purchase more of their stock options to generate more runway.1 -
I really wanna get a keg of rum and start sailing across the globe...
Just to spank some devs / managers arses.
The last years were... very demanding regarding security and upgrades.
It hasn't gotten better.
Microsoft leaked it's security key thx to internal debugging and the tool to secure the debugging process so secure data gets filtered was buggy...
I'd guess I already have carpal tunnel after Redmond.
But the really really sad story is: This has become the gold standard.
https://lwn.net/Articles/943969/
Chrome selling the privacy mode for Ads, long topic ongoing for years... yeah they did it.
Apple... oh boy. I could write a Silmarillion about it and would still need an additional trilogy.
Amazon realizing that a Microservice architecture needs planning, cause yeah... just potting services in a data center doesn't end well.
It goes on and on and on....
Don't even get me started on the plethora of firmware / microcode updates cause there was either yet another CPU bug or another device pooped their pants cause the firmware is a mess and needed some dubious update without any background at all...
Serious question: Am I becoming a pepperidge farm uncle threatening to shoot everyone cause I'm getting old and cranky ....
Or is really everything in IT going down the drain the last few years?
It feels like every week is just another "we fucked it up" event.3 -
TIL indians live on the "satisfaction" plane hence saying yes to things they can't do to satisfy you, but also dissatisfy people as a form of attritional warfare, which is their specialty.
I was watching the trump v Kamala debate and was reminded of a bunch of tactics I've had used against me by an Indian lead dev, who I ignored the behaviour of and didn't think she was actually hostile to me until it was too late. but it made me feel so bad for him and I got an epiphany. it seems like the tactics are the same, so I got curious if there was an Indian art of war
Interestingly the AI said yes but directed me to the wrong book. I did find the right book eventually. it exists. the Chinese stole ideas from it to write their sun tzu art of war, but it's basically a Machiavellian manual before Machiavelli was alive. very cool
also turns out China is behind everything. I remember ages ago I got in a fight with a schizoid programmer friend of mine because he knew China was taking over everything and he wanted them to win, and I was rooting for team India because they were far less miserable than the Chinese. don't make a deal with the Chinese. guy was stupid. they treat people like irrelevant meat
China seems to be connected to everything that's going on right now.
- they're infiltrating Canadian politics, get international students to change Canadian election outcomes (200k/30m people who weren't citizens but got bussed to voting centers and just used proof of address to vote. they changed outcomes of 4 elected officials in one province, and local Chinese people are saying they get threats about their family back in China if they don't do what China tells them to -- but our elected government just keeps quiet on it and then goes to China for new orders during "climate conferences" and uselessly gives them a bunch of our fucking money)
- there was issues with the Chinese buying up real estate in Canada and just leaving them empty. it's probably still happening even though Canada eventually imposed a tax on leaving empty real estate around that you're not renting out. they're still buying up properties, and we have an increasing housing shortage as a result. one of my old apartments a white guy, who was suspicious and shifty, bought the unit and forced us to move out citing code violations (you can't kick someone out otherwise here because of very strong renter's protections). they never introduced who bought the place, but they did have 7 ALL CHINESE SPEAKING IN CHINESE people come in and measure everything at the apartment. so they're definitely still buying up real estate
- are behind the green agenda (our politicians seem to take orders from them under this guise)
- seem to strangely have had camps where they let migrants pass through the South Americas to get into united states, were very closed off and hostile to anyone snooping so it was up in the air what they were doing there. after people came to snoop the camps up and disappeared
- are who USA is competing with in the AI race, the whole AI narrative is literally a fight between the west and China
and there's a super smart systems guy who thinks they were behind the world economic forum and I'm increasingly starting to believe it
all electronics coming from China should be a concern. it isn't
there's tons of Chinese trying to enter open source software to install backdoors. they're nearly successful or successful often. same with that DDoS on DNS years ago
there's rumours they've been running Canada since the 80s, via infiltrating Canadian tech companies to steal their software and are the gatekeepers for a lot of underground stuff
I'm starting to believe even the COVID virus was on purpose. I didn't before. there was a number of labs that had that virus, a lab leak happened around Ukraine 6 months prior to the "Olympics outbreak" (seriously that was PERFECT timing for a lab leak if you wanted to do a bioweapon on purpose -- you would hit every country at once!), but there was also a lab in Canada that had it and some reporters were upset about it because the lab didn't seem to care about our national security and was letting suspicious Chinese nationals work at it, and for some reason there's been discovered a BUNCH of illegal makeshift Chinese labs in California with super vile stuff in them
and what the fuck was that Chinese spy balloon fiasco anyway. you can't shoot it down? I think that was a test to see how fast and readily the west would defend itself. or maybe they wanted to see the response procedures
and then on top of it many people think the opioid epidemic is all china. china makes the drugs. it would also fit perfectly, because in the 1800s or whatever the British empire had entirely decimated china for decades by getting them addicted to the opioid trade. eventually the British empire merged with USA and now USA is basically the head of the new British empire
I think we're at war with China and literally don't fucking know it16 -
Currently having very funny project lead, who gives on the spot estimates for 9 years old very pathetic quality code having Android app in security domain. Memory leaks, bad practices, typos, CVEs etc. you name it we have it in our source of the app.
Since 5-6 sprints of our project, almost 50% of user stories were incomplete due to under estimations.
Basically everyone in management were almost sleeping since last 7-8 years about code quality & now suddenly when new Dev & QA team is here they wanted us to fix everything ASAP.
Most humourous thing is product owner is aware about importance of unit test cases, but don't want to allocate user stories for that at the time of sprint planning as code is almost freezed according to him for current release.
Actually, since last release he had done the same thing for each sprint, around 18 months were passed still he hadn't spared single day for unit testing.
Recently app crash issue was found in version upgrade scenario as QAs were much tired by testing hundreds of basic trivial test cases manually & server side testing too, so they can't do actual needful testing & which is tougher to automate for Dev.
Recently when team's old Macbook Pros got expired higher management has allocated Intel Mac minis by saying that few people of organization are misusing Macbooks. So for just few people everyone has to suffer now as there is no flexibility in frequent changing between WFH & WFO. 1 out of those Mac minis faced overheating & in repair since 6 months.
Out of 4 Devs & 3 QAs, all 3 QAs & 2 Devs had left gradually.
I think it's time to say goodbye 😔4 -
Done it once or twice when finishing up a feature for a presentation/delivery the next day.
I'm leaning on the side of Not Worth It because I'd rather not be sleep deprived and dumb in brainy brain when interacting with the client and demoing my other stuff.
I guess it's usually when my perfectionism flares up that I'm likely to do stuff like that.
Will consider an all-nighter if it's reeeally necessary but there's few scenarios I can imagine where that is warranted. Maybe when working on a very serious security flaw or something of that nature. Most stuff can wait a couple of days...
Edit: goddamn I guess I committed the sin of not really answering the question. There's no story here. Boooo. Permission to hate myself, captain? -
Okay so, I’ve recently started going through our products’ security postures and their teams’ related practices and processes. I knew things were in a bad state, but I have to admit I’m a bit anxious at how bad things are… and it’s not like nobody cared or anything, quite the opposite; the teams are quite motivated about cyber sec. It’s just that they don’t know what the fuck to do and where to start even if they did.
Okay, that’s my job to figure out the roadmap to improving their security posture and processes and help them implement it. If it wasn’t bad enough that there’s half a dozen products whose cyber sec roadmaps I need to prioritise and manage somehow, I heard this week that due to some organisational rearrangements, the number of products under my stern guidance will nigh on double at some point very soon…
I need a team. Give me a team.2 -
My work product: Or why I learned to get twitchy around Java...
I maintain a Java based test system, that tests a raster image processor. The client is a Java swing project that contains CORBA bindings to the internal API of the raster image processor. It also has custom written UI elements and duplicated functionality that became available in later versions of Java, but because some of the third party tools we use don't work with later versions of Java for some reason, it's not possible to upgrade Java to gain things as simple as recursive directory deletion, yes the version of Java we have to use does not support something as simple as that and custom code had to be written to support it.
Because of the requirement to build the API bindings along with the client the whole application must be built with the raster image processor build chain, which is a heavily customised jam build system. So an ant task calls out to execute a jam task and jam does about 90% of the heavy lifting.
In addition to the Java code there's code for interpreting PostScript files, as these can be used to alter the behaviour of the raster image processor during testing.
As if that weren't enough, there's a beanshell interface to allow users to script the test system, but none of the users know Java well enough to feel confident writing interpreted Java scripts (and that's too close to JavaScript for my comfort). I once tried swapping this out for the Rhino JavaScript interpreter and got all the verbal support in the world but no developer time to design an API that'd work for all the departments.
The server isn't much better though. It's a tomcat based application that was written by someone who had never built a tomcat application before, or any web application for that matter and uses raw SQL strings instead of an orm, it doesn't use MVC in any way, and insane amount of functionality is dumped into the jsp files.
It too interacts with a raster image processor to create difference masks of the output, running PostScript as needed. It spawns off multiple threads and can spend days processing hundreds of gigabytes of image output (depending on the size of the tests).
We're stuck on Tomcat seven because we can't upgrade beyond Java 6, which brings a whole manner of security issues, but that eager little Java updated will break the tool chain if it gets its way.
Between these two components we have the Java RMI server (sometimes) working to help generate image data on the client side before all images are pulled across a UNC network path onto the server that processes test jobs (in PDF format), by reading into the xref table of said PDF, finding the embedded image data (for our server consumed test files are just flate encoded TIFF files wrapped around just enough PDF to make them valid) and uses a tool to create a difference mask of two images.
This tool is very error prone, it can't difference images of different sizes, colour spaces, orientations or pixel depths, but it's the best we have.
The tool is installed in both the client and server if the client can generate images it'll query from the server which ones it needs to and if it can't the server will use the tool itself.
Our shells have custom profiles for linking to a whole manner of third party tools and libraries, including a link to visual studio 2005 (more indirectly related build dependencies), the whole profile has to ensure that absolutely no operating system pollution gets into the shell, most of our apps are installed in our home directories and we have to ensure our paths are correct for every single application we add.
And... Fucking and!
Most of the tools are stored as source bundles in a version control system... Not got or mercurial, not perforce or svn, not even CVS... They use a custom built version control system that is built on top of RCS, it keeps a central database of locked files (using soft and hard locks along with write protecting the files in the file system) to ensure users can't get merge conflicts by preventing other users from writing to the files at all.
Branching is heavy weight and can take the best part of a day to create a new branch and populate the history.
Gathering the tools alone to build the Dev environment to build my project takes the best part of a week.
What should be a joy come hardware refresh year becomes a curse ("Well fuck, now I loose a week spending it setting up the Dev environment on ANOTHER machine").
Needless to say, I enjoy NOT working with Java. A lot of this isn't Javas fault, but there's a lot of things that Java (specifically the Java 6 version we're stuck on) does not make easy.
This is why I prefer to build my web apps in python or node, hell, I'd even take Lua... Just... Compiling web pages into executable Java classes, why? I mean I understand the implementation of how this happens, but why did my predecessor have to choose this? Why?2 -
Duck! this sloppy whiny winnfsd.
Yay! Let's use state of the art Docker with a VirtualBox VM on Windows10.
Don't get me wrong.
The Docker containers in this VM doing a great job on performance.
But in the very moment a Docker container uses a mounted folder via the windows network filesystem, all hell is breaking loose.
Building a vendor folder using a composer Docker image with 84 Packages takes about 15 seconds when cache has been warmed up.
The same Docker command pointing on a folder mounted to Windows Filesystem with warmed up cache takes about 10 Minutes!@&&@""+&
And what is the duckin' reason for this delay?
Because every transfer of a teeny tiny file has to establish a connection to fat ass Windows OS and has to pass it's glorious "security" layer.
DUCK it!
For real.
I currently working on a shell script which builds the whole vendor folder on a volume on Docker VM.
After completion, the shell script will compress the folder to one file.
This one file will be transferred over this god damned network filesystem.
Finally the script will unpack the compressed vendor folder in it's destination folder.
*sigh*
What year is it?!??3 -
This is not a rant. Not really. It's more expressing my own insecurity with a certain topic, which somehow upsets me sometimes (the insecurity, not the topic though).
I have nearly no knowledge about security/privacy stuff. I mean, yeah, I know how to choose secure passwords and don't make stupid DAU mistakes. The very basics you would expect someone to have after a CS bachelor's degree.
But other than that... Nothing. And I would like to get a bit into that stuff, but I have no clue where to start. First getting my head wrapped around low-level stuff like network layers? Or something completely else.
This topic is so intimidating to me as it seems huge, I have no idea where to start, and I feel that if you don't have "full" knowledge, you are going to make mistakes which you might not even notice.
I sometimes get really scared about having an account hijacked or similar. Also in our job it seems to become more and more of a topic we should know about.
Anybody got any advice?
I am looking for a way to improve my knowledge in security in general for professional reasons and my knowledge about privacy for private reasons.
It's just, every time I start reading something related it seems that I am lacking some other knowledge etc...10 -
Just dropping some current experience here.
Content security policies are big mess in both chrome and firefox.
Chrome has some 4 years old "bug" where you can't add hash of JS file to 'style-src' policy to permit inline-styles THAT would be set by this script (jQuery actually).
Firefox is beautifully unhelpful, it just pops of error "blocked ..something..", not even saying what it was.
EDIT:
And I am missing a pair of some steel balls to ask about this on SO because there is this much of very similar questions, nonetheless -if I did read them right- every one of them is talking about enabling style attribute, and that's something different.
EDIT2: Chrome currently generates 138 errors "jquery-3.4.0.min.js:2 Refused to apply inline style..." , this ain't hitting production.10 -
I started working for a forex company as a web developer, designer and also a online marketer, so when i was doing the designing part the boss of mine became very happy as he can see the results of my work.
But from few days I was doing the backend part and fixing some security flaws. Today i recieved a message saying that if you are not capable or free to do the work i will hire someone else for the work.
Working under people who doesn't know difference between http and https sucks.5 -
I have worked in a hosting or sysadmin role for at least 8 years out of my career and managed thousands of servers in very large environments. My team has been shopping around for a new hosting company and has yet to include me on the calls / advisement. The people shopping for a provider... Zero hosting experience. Zero sysadmin experience. Zero applicable experience. Not IT people, not technical. Well I guess it's job security for when things blow up in our faces that I'll need to fix it.1
-
Note: In this rant I will ask for advices, and confess some sins. I will tell my personal story- it will be long.
So basically it has been almost 2 years since I first entered the world of software development. It has been the biggest and most important quest of my life so far, but yet I feel like I missed a lot of my objectives, and lots of stuff did not go the way I wanted them to be, and it makes feel frustrated and it lowered my self esteem greatly. I feel confused and a bit depressed, and don't know what to do.
I'll start: I'm 23 years old. 2 years ago I was still a soldier(where I live there is a forced conscription law) in a sysadmin/security role. I grew tired of the ops world and got drawn more and more into programming. A tremendous passion became to burn in me, as I began to write small programs in Python and shell scripts. I wanted to level up more seriously so I started reading programming books and got myself into a 10 month Java course.
In the meanwhile I got released from army duty and got a job as a security sysadmin at a large local telco company. Job was boring and unchallenging but it payed well. I had worked there for 1 year and at the same time learned more and more stuff from 2 best friends who have been freelance developers for years. I have learned how to build full-stack mobile apps and some webdev, mainly Android and Node.js. However because I was very inexperienced and lacked discipline, all of my side projects failed horribly, and all attempts to work with my experienced friends have failed too- I feel they lost a lot of trust for me(they don't say it, but I feel it, maybe I'm wrong).
I began to realise I had to leave this job and seek a developer job in order to get better, and my wish came true 6 months ago when I finally got accepted into a startup as a fullstack webdev, for a bit lower wage but I felt it was worth it. I was overjoyed.
But now my old problems did not end, they just changed. My new job is a thousand times harder and more intensive than the old one. I feel like it sucks all the energy and motivation that was still left in me, and I have learned almost nothing in my free time, returning home exhausted. My bosses are not impressed from my work despite me being pretty junior level, and I feel like I'm in a vicious cycle that keeps me from advancing my abilities. My developer friends I mentioned earlier have jobs like I do and still manage to develop very impressive side projects and even make a nice sum of money from them, while I can't even concetrate on stupid toy projects and learning.
I don't know why It is like this. I feel pathetic and ashamed of my developer sins and lack of discipline. During that time I also gained some weight that I'm trying t lose now... I know not all of it is my fault but it makes me feel like crap.
Sorry for the long story. I just feel I need to spill it out and hope to get some advices from you guys who may or may not have similar experiences. Thanks in advance for reading this.2 -
So, I’ve been given the task of sorting the security out in an application plugging the holes and whatnot as to be honest it’s shocking haha. It doesn’t help that we automate security audits but that’s a different rant for another day.
We’re using devise for authentication (rails standard, ♥️ devise), we have no password resets through the login page, it has to be manually reset by ringing support, why who knows, even though it’s built into the gem and we allow the user to login using an username instead of an email because for whatever reason someone thought it was a bright idea to not have the email field mandatory.
So I hop onto a call with the BAs, basically I go that we need to implement password resets into the login page so the user can do it themselves and also to cut down support calls a ticket is already in place for it. So I go through the standardised workflow for resetting a password. My manager goes.
“I don’t think this will be very secure”
Wait.. what. Have you never reset a password before? It’s following the same protocol as every other app.
We go back and fourth and I said I’ll get it checked with security just to keep him happy.
The issue mainly is well we can’t implement password resets due to 100s of users not having an email on there account.. 🙃 so before we push this change we need to try and notice all users to set a unique email.
Updated the tickets. All dandy.
Looking at the PRs to see what security things have been done if any and turns out one of the devs in India has just written a migration to add the same default email to every user that doesn’t have an email present and yep it got merged. So I go revert the change but talk about taking a “we don’t care about security approach”.
Eventually we want to have the user reset their passwords and login using their email and someone goes a head and does that. Not to mention the security risk.
Jesus Christ I wonder why I bother sometimes.2 -
I have called for a meeting with my manager's manager expressing concerns and ask for a role change inside the company.
How should I approach this?
My current project is this some IoT stuff being built on the cloud.
The role that I was recruited for and the one I am currently doing is very different thanks to the TPTB who suddenly decided some other team in a different country (lets call them B ) take on that role.
I see a lot of trash work assigned to my team that is a consequence of lack of understanding of the cloud stuff by people upstream and not automating steps in the engineering process like build,test, deploy ( which was part of my initial role description ) and I'm not liking my current role. But my manager doesn't give a damn.
He is just happy to be involved in the project.
I feel like I am having leftovers from a fancy restaurant in spite of having enough money to dine well in the same hotel.
When I bring out the concerns like lack of automating, cost savings in the cloud, improved security configurations to my manager, he doesn't seem to care and not voicing them upstream. If I bring up these topics in any discussion where people outside my team are also there,then I am quickly sidelined.
The rest of my team also don't seem to care. They just don't want to stand up and take responsibility.1 -
DREAM 1
(my comments look like this)
A kikiland metro system. It's extradimensional and shapeshifting. When you enter it, it adapts to your needs. The people inside (they're probably just vinyl shells), the social circumstances, all generated for you.
When you enter it, it knows where you want to go. It spawns exactly one train just for you. It will be the first, it will be the last. You have to catch it to go where you need. If you miss it, there will be no more trains, and you have to wait till the metro station closes for the night and reopens.
It's always you entering, catching the train that arrives just in time, going to where you need to go and exiting.
Because of its extradimensional nature, you cannot agree to meet someone there — every person has their own personal metro generated just for them every time, with exactly one train going exactly to the station you need.
It's used by BLA as a form of control. When they don't want you to go somewhere, the train won't spawn. Or, it might diverge and get you to some other place. It isn't known whether the map can be altered on the fly or not. So far, the consensus is that the map is persistent and is a public knowledge, and it's just the metro itself that is extradimensional. But, no one ever saw the real metro in its real form, and not the top layer that protrudes into the three-dimensional world you can interact with. It might be the case that they can make people disappear by creating ad-hoc stations that don't intersect with the real world, trapping them in places that are nowhere in particular.
(it took seeing BLA once in one dream to make all the following dreams include them. Sigh.)
Kikiland also has a school, and it always had it. I befriended a chemistry teacher there. His classroom is small — exactly as deep as other classrooms, but really narrow. There are no desks there, just his desk and some bookshelves. Chemistry isn't a priority there — his class exists only because it should. No one attends it. This is why he was so pleased to meet me. Despite his classroom being located on a busy floor, its door is overlooked by students, and NO ONE ever enters it. He just sits there, waiting for students to arrive, but they never do.
He has a secret, though, because of course he does. In the game Control, if you complete the main storyline before you complete some side quests, one of the main characters will be sitting in the C-suit hall, doing her things, waiting for you to come and talk to her. But at the same time, she will be waiting for you deep down the oldest house's mines, again, just sitting there, waiting for you to take the quest. This teacher is the same.
If you have a good relationship with him, and you attend his class, the classroom will change to a tunnel entrance, with him being the security guard. He's your friend, he'll let you in. It looks like Fallout's vault entrance. THIS is how you enter the REAL kikiland metro. (Dream 1 ends here.)
Episode 2
Tiny waterborne rat puppies whose mouth is their entire face unfolding like a piece of paper with teeth covering it as a grid. (I wrote about them already, but here they are again.) They are _tiny_, a bit like tadpoles. Also, like tadpoles, they die if you touch them out of water. As I was flying over some mountain resort (I routinely fly in my dreams, but it feels more like a very low gravity falling I can control, like using a parachute in GTA San Andreas), I dumped them to a location that resembled the garden level of Prince of Persia: Warrior Within for my cat to eat. It didn't want to. -
I like the people I work with although they are very shit, I get paid a lot and I mostly enjoy the company but..
Our scrum implementation is incredibly fucked so much so that it is not even close to scrum but our scrum master doesn't know scrum and no one else cares so we do everything fucked.
Our prs are roughly 60 file hangers at a time, we only complete 50% of our work each sprint because the stories are so fucked up, we have no testers at all, team lead insists on creating sql table designs but doesn't understand normalisation so our tables often hold 3 or 4 sets of data types just jammed in.
Our software sits broken for months on end until someone notices (pre release), our architecture is garbage or practically non existent. Our front end apps that only I know the technology have approaches dictated by team lead that has no clue of the language or framework.
Our front end app is now about 50% tech debt because project management is so ineffectual and approaches are constantly changing. For instance we used to use view models for domain transfer objects... Now we use database entities, so there is no commonality between models but the system used to have shared features relying on that..sour roles and permissions are fucked since a role is a page regardless of the pages functionality so there is no ability to toggle features, but even though I know the design is fucked I still had to implement after hours of trying to convince team lead of it. Fast forward a few months and it's a huge cluster fuck to enforce.
We have no automated testing of any sort or manual testing in place.
I know of a few security vulnerabilities I can nuke our databases with but it got ignored.
Pr reviews are obviously a nightmare since they're so big.
I just tried to talk to scrum master again about story creation since any story involving front end ui as an aspect of it is crammed in under one pointed story as sub tasks, essentially throwing away any ability to calculate velocity. Been here a year now and the scrum master doesn't know what I mean by velocity... Her entire job is scrum master.
So anyway I am thinking about leaving because I like being a developer and it is slowly making me give up on doing things to a high standard and I have no chance of improving things, but at the same time the pay is great and I like the people. -
Question for all the security/privacy nerds here. What is your opinion of the social network called Minds that pays you for your information basically.
(This is a very brief probably inaccurate summary but yeah, it’s basically reverse Facebook)1 -
Yeah, so when you create an account just about anywhere nowadays, you need to choose a strong password. Fair enough. But then, some sites/services/systems require a second password, sort of a password hint as an extra security for retrieving your first password in case you forget it. Well OK...That hint question just becomes very *in*secure when you must choose from some extremely stupid presets like "In which town were you born?" or "What was your mother's maiden name?", all of which are trivia that for most people can be easily googled, or looked up on facebook ffs. And these "in which town did this or that happen?" questions? As there is only one town in my country it's not a long shot that I was born in Mariehamn, met my partner in Mariehamn and had my first job in Mariehamn. Security questions for imbecils.4
-
Hey ... Is it possible to figure out the clients path (f.e. C:\Users\...) to a file he uploaded to a website on the server side?
My boss thinks it could be done and wants me to programm it. But I think we'd need a zero day vulnerability in a specific (and probably very old) browser to do something like that... That would be a huge security issue...
Wouldn't it?
What do you think?13 -
One of our senior colleagues in my last project at TCS had brought a pen drive with him, not sure why! He worked on a client system, which he believed was not monitored by TCS. So what he did was, he plugged in the pen drive in his computer and tried to copy some files from his pen drive to the computer. However, he wasn’t able to copy the files.
We weren’t aware of this until our project manager, who sits at the farthest end of the ODC shouted at the top of his voice, calling out his name. In front of the entire ODC, he was scolded since the HR team had called the manager informing that the machine assigned under this employee’s name has detected a security breach.
He had to explain the reason; where he said he wanted to copy some codes that he had to office machine in order to reduce his manual effort, which was probably very silly of him! For the next few days I hardly saw him inside the ODC, probably had to visit people to show cause or other things and was harrassed by our manager, insulted every time he passed by him.
He was not suspended although, maybe the manager or someone else saved him, although normally such violations would have seen him terminated.3 -
You know what really grinds my gears? Products that have no right of linking your data to an online platform.
Case and point: Password Managers. Nearly all of them work only with an account on a given service, have the passwords stored on their servers and so on and so forth. There is 0 transparency and for that matter 0 security. I found my choice, though it infuriates me terribly.
Another thing are budget managers. The switch for YNAB from local to on servers really annoys me. They should have no business in storing my very private data on their server. I don't understand people using it either.1 -
I use to have a very slow computer so i google search how to speed it
It came with a .bat script that refresh the ram, after that i wanted to know how that script had work.
And 11ish years later is my life and career
And, yeah, at that time i didn't care about security and why you shouldn't run a script without know what does it do 😅
Also, that script get lost forever in my broken old computer -
I'm fucking tired of my computer having random
2 seconds latency on any basic action and being slow as fuck regardless of powerful processor, ssd and 32GB RAM. Music via bluetooth is basically unusable since every few seconds the music stops for a 0.2s then plays again. I installed this system (opensuse tumbleweed) in February this year and it's just sad that I have reinstall again (any ideas for distro) ?
I made a dummy mistake of buying a CPU without internal graphics and this resulted in having to buy a GPU. So I got myself Nvidia(another mistake) since i though i would be using CUDA on the university. Turnes out CUDA cannot be installed for some retarded reason.
With Nvidia GPU the screens on my two monitors are swapping every time I use a hdmi switch to use other computer. On AMD GPU this problem does not exist. AMD GPU pro drivers are impossible to install. Computers barely fucking work, change my mind. Shit is breaking all the time. Everything is so half assed.
The music player that i use sometimes swaps ui with whatever was below it like for example the desktop background and i need to kill the process and start again to use the program. WTF.
Bluetooth seems to hate me. I check the bluetooth connected devices on my computer, it says headphones connected. BULLSHIT. The headphones are fucking turned OFF. How the fuck can they be connected you dumbass motherfucker computer. So I turn on the headphones. And I cannot connect them since the system thinks that they are already connected. So I have to unpair them and pair them again. WTF. Who fucking invents this bullshit?
Let's say i have headphones connected to the computer. I want to connect them to phone. I click connect from the phone settings. Nothing happens. Bullshit non telling error "could not connect". So I have to unpair from computer to pair to phone. Which takes fucking minutes, because reasons. VERY fucking convenient technology.
The stupid bluetooth headphones have a loud EARRAPE voice when turning them on "POWER ON!!! PAIRING", "CONNECTED", "DISCONNECT". Loudness of this cannot be modified. The 3 navigation buttons are fucking unrecognizable so i always take few seconds to make sure i click the correct button.
Fucking keyboard sometimes forgets that I remapped esc key to caps lock and then both keys don't work so i need to reconnect the keyboard cable. At least it's not fucking bluetooth.
The only reason why hdmi switches exist is because monitor's navigation menus have terrible ui and/or infrared activated, non-mechanical buttons.
Imagine the world where monitors have a button for each of it's inputs. I click hdmi button it switches it's input to hdmi. I click display port button - it switches to display port. But nooo, you have to go through the OSD menu.
My ~ directory has hundred of files that I never put there. Doesn't feel like home, more like a crackhead crib.
My other laptop (also tumbleweed) I click on hibernate option and it shuts down. WTF. Or sometimes I open the lid and screen is black and when i click keyboard nothing happens so i have to hold power button and restart.
We've been having computers for 20 + years and they still are slow, unreliable and barely working.
Is there a cure? I'm starting to think the reason why everything is working so shitty and unreliable, is because the foundations are rotten. The systems that we use are built with c, ridden with cryptic abbreviated code, undefined behavior and security vulnerabilities. The more I've written c programs the more convinced I am, that we should have abandoned it for something better long ago. Why haven't we? And honestly what would be better? Everything fucking sucks. The rust seems to be light in the tunnel but I don't know if this is only hype or is it really better. I'm sure it can't be worse than c or c++. Either we do something with the foundations or we're doomed.22 -
I have participated in a hackathon this weekend and one of the theme of hackathon was blockchain and being a blockchain dev i have created a DApps which follows token standard and other security standard but our UI was kind of basic cause we didn't have any designer in our team but one participated team's UI was far better than us but has serious flaws in the smart contract and guess what they are the one being selected and that's not it there wasn't a single judge who has basic knowledge of blockchain.I was using DApp term very often while presenting our idea and one of a judge literally asked us what is dapp? I mean WTF? Now i am regretting why did i participated in this shitty hackathon? On top of all that they juat give a single sticker for whole team. Wtf we are supposed to do? Cut it ? If you are a blockchain dev don't forget to see this beautiful function i found in the token contract of the selected team from the github.1
-
TL;DR how much do I charge?
I'm freelancing for the first time; regularly, I get paid a salary.
I'm freelancing as a donation: the hours I put into this work directly translate to deductions in my tax. I don't get paid any money directly.
I'm doing some web-based enterprise software for an organization. Handling the whole process from writing responsive front-end code to setting up the server and domain for them and even managing myself. So full stack plus dev ops.
My normal salary is $31 an hour and at work I do less. I largely do maintenance for existing applications plus some very minor new systems design. I don't do any server management (different team) and I damn well didn't buy the domain names for my company. So I think it's safe to say I'm taking on a drastically larger role in this freelance gig.
My moral dilemma is the organization will basically say yes to any price - because they don't pay it, the government will (up until the point I pay 0 taxes, I suppose)
I've done some minor research on what other freelancers charge for somewhat similar things and I get pretty wildly varying results. I've seen as low as $20/hr but I really doubt the quality of such a service at that price.
I'm thinking around $50 USD an hour would be a fair price. For even further reference besides my actual salary, I will say that I am in a urban / suburban part of Florida, where developers are very hard to find locally.
Is $50 too high? Too low? This is a very complicated system with (frankly excessive) security practices and features. Before this they had a handful of excel spreadsheets in a OneDrive folder.7 -
// Rant 1
---
Im literally laughing and crying rn
I tried to deploy a backend on aws Fargate for the first time. Never used Fargate until now
After several days of brainwreck of trial and error
After Fucking around to find out
After Multiple failures to deploy the backend app on AWS Fargate
After Multiple times of deleting the whole infrastructure and redoing everything again
After trying to create the infrastructure through terraform, where 60% of it has worked but the remaining parts have failed
After then scraping off terraform and doing everything manually via AWS ui dashboard because im that much desperate now and just want to see my fucking backend work on aws and i dont care how it will be done anymore
I have finally deployed the backend, successfully
I am yet unsure of what the fuck is going on. I followed an article. Basically i deployed the backend using:
- RDS
- ECS
- ECR
- VPC
- ALB
You may wonder am i fucking retarded to fail this hard for just deploying a backend to aws?
No. Its much deeper than you think. I deployed it on a real world production ready app way.
- VPC with 2 public and 2 private subnets. Private subnets used only for RDS. Public for ALB.
- Everything is very well done and secure. 3 security groups: 1 for ALB (port 80), 1 for Fargate (port 8080, the one the backend is running on), 1 for RDS postgres (port 5432). Each one stacked on top and chained
- custom domain name + SSL certificate so i can have a clean version of the fully working backend such as https://api.shitstain.com
- custom ECS cluster
- custom target groups
- task definitions
Etc.
Right now im unsure how all of this is glued together. I have no idea why this works and why my backend is secure and reachable. Well i do know to some extent but not everything.
To know everything, I'll now ask some dumbass questions:
1. What is ECS used for?
2. What is a task definition and why do i need it?
3. What does Fargate do exactly? As far as i understood its a on-demand use of a backend. Almost like serverless backend? Like i get billed only when the backend is used by someone?
4. What is a target group and why do i need it?
5. Ive read somewhere theres a difference between using Fargate and... ECS (or is it something else)? Whats the difference?
Everything else i understand well enough.
In the meantime I'll now start analyzing researching and understanding deeply what happened here and why this works. I'll also turn all of this in terraform. I'll also build a custom gitlab CI/CD to automate all of this shit and deploy to fargate prod app
// Rant 2
---
Im pissing and shitting a lot today. I piss so much and i only drink coffee. But the bigger problem is i can barely manage to hold my piss. It feels like i need to piss asap or im gonna piss myself. I used to be able to easily hold it for hours now i can barely do it for seconds. While i was sleeping with my gf @retoor i woke up by pissing on myself on her bed right next to her! the heavy warmness of my piss woke me up. It was so embarrassing. But she was hardcore sleeping and didnt notice. I immediately got out of bed to take a shower like a walking dead. I thought i was dreaming. I was half conscious and could barely see only to find out it wasnt a dream and i really did piss on myself in her bed! What the fuck! Whats next, to uncontrollably shit on her bed while sleeping?! Hopefully i didnt get some infection. I feel healthy. But maybe all of this is one giant dream im having and all of u are not real9 -
Many times in life I experienced situations that are depressing to me yet I'm not partially or totally conscious about it.
I have a very good example that I'm actually experiencing right now: me reporting the progress of a task to my boss and getting no response from him.
He has gone on these "ignoring sprees" in the past already and for the current one, it's been like four consecutive ignores.
I guess it's depressing for two reasons:
1) I feel like my work has no importance or value, which drags me down.
2) Sometimes he also tries to rush which I consider pretty hypocritical of him. because I have to basically not complain about it to not endanger this job relationship my family dearly depends on, I have to shut up and feel frustrated. (keep in mind i'm a south am person working for a us company and I was very lucky to get this job).
For some reason I just don't notice as easily how awful it makes me feel, but I wished I could fucking tell this straight into his fucking face:
You wanna be a boss? Be a fucking boss and check on my fucking progress.
I'm considering getting into security and going for bug bounties online. -
!Dev
I'm looking to rent apartment and I'm baffled by this very weird potential scam.
The landlady wants me to pay the security deposit and the first month's rent using a recharge coupon of a prepaid cash card called Transcash. This is in France btw. But she tells me that she shall provide me the agreement and key on the spot of transfer of the coupon. She also asked me to click a picture of the coupon and send it to her when I buy it as a proof that I'm genuinely interested in renting the place and her trip (she claims to live in another city) will not be in vain. Looks clean but my instincts are screaming that this is a scam. But the only scenario I can think of is them beating me up and stealing the coupons from me instead of giving me the agreement and keys. If it is a scam, I really want to know how they plan to execute it.8 -
Approx. 24 hours ago I proceeded to use MEGA NZ to download a file It's something I've done before. I have an account with them.
This is part of the email I received from MEGA NZ following the dowload: "
zemenwambuis2015@gmail.com
YOUR MEGA ACCOUNT HAS BEEN LOCKED FOR YOUR SAFETY; WE SUSPECT THAT YOU ARE USING THE SAME PASSWORD FOR YOUR MEGA ACCOUNT AS FOR OTHER SERVICES, AND THAT AT LEAST ONE OF THESE OTHER SERVICES HAS SUFFERED A DATA BREACH.
While MEGA remains secure, many big players have suffered a data breach (e.g. yahoo.com, dropbox.com, linkedin.com, adobe.com, myspace.com, tumblr.com, last.fm, snapchat.com, ashleymadison.com - check haveibeenpwned.com/PwnedWebsites for details), exposing millions of users who have used the same password on multiple services to credential stuffers (https://en.wikipedia.org/wiki/...). Your password leaked and is now being used by bad actors to log into your accounts, including, but not limited to, your MEGA account.
To unlock your MEGA account, please follow the link below. You will be required to change your account password - please use a strong password that you have not used anywhere else. We also recommend you change the passwords you have used on other services to strong, unique passwords. Do not ever reuse a password.
Verify my email
Didn’t work? Copy the link below into your web browser:
https://mega.nz//...
To prevent this from happening in the future, use a strong and unique password. Please also make sure you do not lose your password, otherwise you will lose access to your data; MEGA strongly recommends the use of a password manager. For more info on best security practices see: https://mega.nz/security
Best regards,
— Team MEGA
Mega Limited 2020."
Who in their right mind is going to believe something like that that's worded so poorly.
Can anybody shed some light on this latest bit of MEGA's fuckery?
Thank you very much.4 -
Separation of duties.
I work in a fairly large IT department for a Healthcare company and for security reasons always having to involve application support or other teams even during development phase can be very aggravating when I have to ask for simple things like server log files. And the process to get to deploy in production is paved with bureaucracy and paperwork and emails that have little to do with anything other than just say, I approve, yet we are supposed to be trying to implement agile. -
Hey. I'm still very new to CloudFlare and I have a question.
Let's say that I have 4 sub domains: a.test.com, b.test.com, c.test.com, d.test.com. They're all under the same domain (test.com).
I have a page rule setup specifically for a.test.com, where "Disable security" is set to On. I did this as a temporary solution so that I can figure out the problems that a.test.com has when the security is enabled (had users complaints regarding not being able to send requests with CF security On), so that it is still accessible while I try to fix it..
By turning disabling security for a.test.com, do I put others (b, c, d) at risk? I had someone telling me that it is possible for attackers to make use of a.test.con (unprotected by CF) in order to attack the other sub-domains. "a.test.com has no protection so attackers can use it to send requests to other secured subdomains, cross-site attack" or something along that line.
I don't get this. I thought page rule is supposed to be active only for the domain where it's being set up and the rest will still be secured, and that if attacker manages to attack the other subdomain its due to the others not having secure applications inside of it.
Dunno if that person was telling the truth or tried to mess around with me with their joke!
Thanks!5 -
Well thanks a lot for the clarification of WHY I cannot sync my work (Office 365) mail using the mail client in Windows 10!
It's not that it's wrong; it's (probably) very much correct.
It's not that it's not precise; I don't think it could be anymore precise than a data dump like that.
It's not that trying to help me solve the problems; I'm sure it is.
But now that I have all the (debug) info about the security policies in place it would be great if it would show what violated which policy and maybe even what they mean and how to fix it?
The most concrete to go by is the error code, and judging by a google that has meant "your mail has problems" for at least three years...
...not even a single link was found to the (only) page detailing content, possible values, and dependencies between policies. -
I've come to my first real fork in my career. I currently work as a web developer for a medical software company. The pay is pretty abysmal but they're flexible and not super demanding. However, my formal education (take this with a grain of salt obviously) is in game development and I've been trying to build my portfolio and what not. I was offered a part-time internship, because I'm still in grad school, I haven't held a part time position since high school. But not only is the position a job I actually want, but the company is pretty great. I'd have to stay part time tell graduation (Next December). But they said they are already interested in transitioning me to full time once I graduate. Another note, I have to get some security clearance for the job, which is another reason they want me to start part time.
So I truly don't like web development and the company I'm at has been very up front that I'm going to stay at this pay rate for a while. But it's possible that they offer me a contract/part time position after I leave (mostly because I'm the one and only web developer and they're already on a hiring freeze). However, if they don't I'd have to scramble to find something else to pay bills for the next year.
Long rant. tl;Dr: should I stay or should I go?6 -
I'm looking for a project idea in cyber-security...
Any ideas?
I'm good with x86 assembly, c, c++, python and shell scripting.
I'm very well versed with Linux operating systems and basic networking stuff.
I'm willing to learn new concepts11 -
Persisterising derived values. Often a necessary evil for optimisation or privacy while conflicting with concerns such as auditing.
Password hashing is the common example of a case considered necessary to cover security concerns.
Also often a mistake to store derived values. Some times it can be annoying. Sometimes it can be data loss. Derived values often require careful maintenance otherwise the actual comments in your database for a page is 10 but the stored value for the page record is 9. This becomes very important when dealing with money where eventual consistency might not be enough.
Annoying is when given a and b then c = a + b only b and c are stored so you often have to run things backwards.
Given any processing pipeline such as A -> B -> C with A being original and C final then you technically only need C. This applies to anything.
However, not all steps stay or deflate. Sum of values is an example of deflate. Mapping values is an example of stay. Combining all possible value pairs is inflate, IE, N * N and tends to represent the true termination point for a pipeline as to what can be persisted.
I've quite often seen people exclude original. Some amount of lossy can be alright if it's genuine noise and one way if serving some purpose.
If A is O(N) and C reduces to O(1) then it can seem to make sense to store only C until someone also wants B -> D as well. Technically speaking A is all you ever need to persist to cater to all dependencies.
I've seen every kind of mess with processing chains. People persisting the inflations while still being lossy. Giant chains linear chains where instead items should rely on a common ancestor. Things being applied to only be unapplied. Yes ABCBDBEBCF etc then truncating A happens.
Extreme care needs to be taken with data and future proofing. Excess data you can remove. Missing code can be added. Data however once its gone its gone and your bug is forever.
This doesn't seem to enter the minds of many developers who don't reconcile their execution or processing graphs with entry points, exist points, edge direction, size, persistence, etc.2 -
9 Ways to Improve Your Website in 2020
Online customers are very picky these days. Plenty of quality sites and services tend to spoil them. Without leaving their homes, they can carefully probe your company and only then decide whether to deal with you or not. The first thing customers will look at is your website, so everything should be ideal there.
Not everyone succeeds in doing things perfectly well from the first try. For websites, this fact is particularly true. Besides, it is never too late to improve something and make it even better.
In this article, you will find the best recommendations on how to get a great website and win the hearts of online visitors.
Take care of security
It is unacceptable if customers who are looking for information or a product on your site find themselves infected with malware. Take measures to protect your site and visitors from new viruses, data breaches, and spam.
Take care of the SSL certificate. It should be monitored and updated if necessary.
Be sure to install all security updates for your CMS. A lot of sites get hacked through vulnerable plugins. Try to reduce their number and update regularly too.
Ride it quick
Webpage loading speed is what the visitor will notice right from the start. The war for milliseconds just begins. Speeding up a site is not so difficult. The first thing you can do is apply the old proven image compression. If that is not enough, work on caching or simplify your JavaScript and CSS code. Using CDN is another good advice.
Choose a quality hosting provider
In many respects, both the security and the speed of the website depend on your hosting provider. Do not get lost selecting the hosting provider. Other users share their experience with different providers on numerous discussion boards.
Content is king
Content is everything for the site. Content is blood, heart, brain, and soul of the website and it should be useful, interesting and concise. Selling texts are good, but do not chase only the number of clicks. An interesting article or useful instruction will increase customer loyalty, even if such content does not call to action.
Communication
Broadcasting should not be one-way. Make a convenient feedback form where your visitors do not have to fill out a million fields before sending a message. Do not forget about the phone, and what is even better, add online chat with a chatbot and\or live support reps.
Refrain from unpleasant surprises
Please mind, self-starting videos, especially with sound may irritate a lot of visitors and increase the bounce rate. The same is true about popups and sliders.
Next, do not be afraid of white space. Often site owners are literally obsessed with the desire to fill all the free space on the page with menus, banners and other stuff. Experiments with colors and fonts are rarely justified. Successful designs are usually brilliantly simple: white background + black text.
Mobile first
With such a dynamic pace of life, it is important to always keep up with trends, and the future belongs to mobile devices. We have already passed that line and mobile devices generate more traffic than desktop computers. This tendency will only increase, so adapt the layout and mind the mobile first and progressive advancement concepts.
Site navigation
Your visitors should be your priority. Use human-oriented terms and concepts to build navigation instead of search engine oriented phrases.
Do not let your visitors get stuck on your site. Always provide access to other pages, but be sure to mention which particular page will be opened so that the visitor understands exactly where and why he goes.
Technical audit
The site can be compared to a house - you always need to monitor the performance of all systems, and there is always a need to fix or improve something. Therefore, a technical audit of any project should be carried out regularly. It is always better if you are the first to notice the problem, and not your visitors or search engines.
As part of the audit, an analysis is carried out on such items as:
● Checking robots.txt / sitemap.xml files
● Checking duplicates and technical pages
● Checking the use of canonical URLs
● Monitoring 404 error page and redirects
There are many tools that help you monitor your website performance and run regular audits.
Conclusion
I hope these tips will help your site become even better. If you have questions or want to share useful lifehacks, feel free to comment below.
Resources:
https://networkworld.com/article/...
https://webopedia.com/TERM/C/...
https://searchenginewatch.com/2019/...
https://macsecurity.net/view/...