Client: We have a HUGE security problem.

Me: *thinks about any possible vulnerabilities* What is it?

Client: A user can take a picture of our website and steal our content.

I’m done for today.

This happened few hours ago.

Client: I received an email which says that I won 1 million dollars. They gave me a link in the email, when I entered my credit card details nothing happened.
Me: Wait what? You entered your credit card details.
Client: Yes
Me: That was a scam, you didn’t win anything. They stole your credit details. Contact your bank ASAP and let them know about this.
Client: You guys are handling our email servers, why can’t you guys keep it safe. What type of security do you guys provide.
Me: Wait what? We host your website application not email.
Client: Damn it. My son said the same thing, but I didn’t listen to him. Anyways Cheers.

"You should use Windows server!"

It was a high security project which needed to run very stable. Even the windows sysadmin looked at that guy like 'dude what the actual fuck'.

New Dutch (or european?) law requiring https for any website with a contact form or higher is going into effect very soon. Were contacting customers so they can still be on time with this, this is how most convo's go:

Collegue: *explains*
Client: Im sure my security is good enough...
Collegue: i'd really recommend it, we've got free options as well!
Client: its just a secure connection, whats the big deal...
Collegue: *more arguments*
Client: I just don't see the point, security.... well.... does it really matter that much...
Collegue: Google might place you lower in the search results if you don't get a secure connection.

Client: 😶😥😵 uhm so what were the https options again? 😅

I hope they all die a painful death 😠

Me wanting to board Plane,
Goes through security Check...
"Sorry sir Laptops are not allowed."
Me
"Why?"
Security
"It could be a modified bomb"
Me
"But this is a Tablet!"
Security
"No sir, it has a Keyboard and Trackpad attached to it, its also running Windows..."
Me
"Excuse me, but this is clearly a Tablet"
*Detatches Keyboard from Surface Book*
"See? Tablet."
Security,
"Sorry sir, but no. You cant board the plane with this, only Tablets and Smartphones"
Me
"WTF? you dont allow Laptops because they could be bombs but A FUCKING SMARTPHONE IS ALLOWED? AND TABLETS TOO?!"
Security
"Yes, because the Battery is not removable..."
Me
"But my Laptop Battery is also not Removable..."
Security
"I dont have anymore Time for an Argument"
Me
"So I can board the Plane?"
Security
"No, the Ticket will be refunded"

WHO THE FUCK CAME UP WITH THIS BULLSHIT? LIKE RLY? WHO!!
I MEAN WHAT THE FUCK IS ALLOWED?!

An incident which made a Security Researcher cry
--------------------------------------------------------
I was working on my laptop finishing up my code while waiting for the flight which was late . Meanwhile two guys (I'm gonna call them Fellas) in black suit and shades came to me

Fella : Sir you have to come with us .
Me : *goes along with them*
Fella : Sir please proceed *points towards the door . The room has a round table with some guys discussing something *
Fella 1 : Your passport please
Me : *Hands over the passport*
Fella 1 : Where are you traveling to sir?
Me : India
Fella 1 : Put your laptop in the desk sir.
Me : Sure thing
Fella 2 : What were you doing there? *Taps the power button*
Me : Just finishing up my work .
Fella 1 : Or hacking our systems?
Me : Seriously?
Fella 2 : The password please .
Me : Here you go
*5 minutes have passed and​ he still can't figure out how to use the machine*
Fella 2 : Which Windows is this?
Me : It's Linux
Fella 1 : So you are a hacker .
Me : Nope
Fella 1 : You are using Linux
Me : Does it matters?
Fella 1 : Where do you work?
Me : *I won't mention here but I told him*
Fella 2 : So what do you do there?
Me : I'm a Security Researcher
Fella 1 : What's your work?
Me : I find security holes in their systems .
Fella 1 : That means you are a hacker .
Me : Not at all .
Fella 2 : But they do the same and they use Linux .
Me : You can call me one .
*After 15 minutes of doo-laa-baa-dee-doo-ra-ba-doo amongst them I dunno what they were talking , they shutdown the computer and handed over it to me*
Fella 2 - So you are somewhat like a hacker .
Me - *A bit frustrated* Yes.

##And now the glorious question appeared like an angel from river ##

Can you hack Facebook?
Me - 😭😭😭

Me: how's your password security?

Them: of course we value security very highly, our passwords are all hashed before being stored.

Me: what hashing algorithm?

Them: oh we hash it with sha and then place that in a table indexed by the password.

Indexed. By. The fucking. Password.

!dev

It was late night after work I went into Macdonald's take-away:

Me: Can I have a Maharaja Mac Medium Meal with extra regular fries?

Guy: Yes sir, that will XX.XX amt.

Me: Gives him my card.

Guys: So what's the pin?

Me: What??

Guys: The Pin sir.

Me: Are you ok? Who the hell shares a pin with you?

Guy: Sir, we don't have a wireless swipe machine.

Me: So why is it a take-away if I have to come inside and drop my pin anyways?

*Guy looks awkwardly at other employees. :/

I had to finally get out of the vehicle and I took another 15 mins seperately explaining him why cards have a security pin and that the word security isn't a joke before the pin. With this, I might have also slipped in some GDPR cookie policy along with it. and why Microsoft bought GitHub. Good Lad. He will learn.

Definitely my security teacher. He actually expected us to actively learn the stuff and put effort into our education. He guided us through malware analysis and reverse engineering, simplifying it without insulting us.

We had students who thought they knew everything and he corrected them. We had arrogant students he put in place.

He treated us like adults and expected us to act like adults.

That's the only class I enjoyed studying for, because he would tell us exactly what wasn't on the exams (it was an intro course, didn't need to know the math). There were no trick questions.

I told him about the shitty teacher and he helped me through that confidence block. He helped me realize I *can* make it through the workforce as a female in security because I will work my ass off to be the best I can be. He reminded me why I love computers and why I want to go into forensics.

He's been a great mentor and role model and hiring him is one of the few things my department did right.

Holy mother of god, 100K!

Honestly what happened? Upvote sprees or something?!

I left devRant with 95K this morning 😱

I'll do a bigger rant later, just came out of work, most of the day went well but last hour was more stressful than anything so gonna go home (have a coffee on the way) now and prepare an emergency security blog article (something happened in the security/spy world).

Thanks peoples!

Guy: dot net dev (C#) on windows. (desktop + server)
Team(not his team, he just happened to sit next to us): php/frontend devs and Linux (server) people.

Team: starting a new project! We'll have to see what framework to use and what server :D
Guy: i know it's none of my business...... but I'd recommend dot net and windows server!
Me: respectfully, that hardly makes sense, you know our skillset/field... i understand that it works for you but it doesn't really for us :).
Next to that we'd rather not use windows for security reasons.

It's fine if that happens once.

When it happened for the 1748472823'th time, I had a real hard time controlling myself.

I ranted about this guy before who thought he was a security expert while hardly knowing what the word is probably. Today I met him again at a party.

Holy fucking shit, this guy.

"we use the best servers of the netherlands"
"we use a separate server for each website and finetune them"
"we always put clusters under servers, that way we have a fallback mechanism"
"companies mostly use bv ssl certificates"
"you're on call for a week? I'm full-time on call. Why I'm drinking alcohol then? Because fuck the clients hahaha"

😥🔫

Ranted about him before but this just came to my mind again.
The fucking windows (to the max) fanboy I had to deal with for too long.

Every time I mentioned something about what programming language to use in a project he was NOT part of:
"I know it's none of my business, BUT I think you should use .net"
(All backend JavaScript and php guys).

Every time I mentioned something about what server system to use:
"I know it's none of my business but I think you should use Windows server"
(All Linux guys)

Every time I'd say something positive about Linux he'd search as long as needed to prove that that was also a windows thing (didn't even come close sometimes)

Every time I told the devs there about a windows security issue (as in "guys they found this thing, install the next update to stay safe :)" - "ahhh will do, thanks for letting know man!") he'd search as long as needed to prove that Linux also had had security issues like that.
(Okay?!? I know?!? I'm just trying to notify people so their systems stay secure and they're genuinely happy with that so STFU)

MOTHERFUCKER.

A while ago (few months) I was on the train back home when I ran into an old classmate. I know that he's a designer/frontend/wordpress guy and I know that he'll bring anyone down in order to feel good. I also know that he knows jack shit about security/backend.
The convo went like this:

Me: gotta say though, wordpress and its security...
Him: yeah ikr it's bad. (me thinking 'dude you hardly know what the word cyber security means)
Me: yeah, I work at a hosting company now, most sites that get hacked are the wordpress ones.
Him: yeah man, same at my company. I made a security thing for wordpress though so we can't get hacked anymore.
Me; *he doesn't know any backend NOR security..... Let's ask him difficult stuff*
Oh! What language did you use?
Him: yeah it works great, we don't get hacked sites anymore now!
Me: ah yeah but what language did you use?
Him: oh it's not about what language you use, it's about whether it works or not! My system works great!
Me: *yeah.....right.* oh yeah but I'd like to know so I can learn something. What techniques did you use?
Him: well obviously firewalls and shit. It's not about what techniques/technology you use, it's about whether it works or not!

That's the moment I was done with it and steered the convo another way.

You don't know shit about backend or security, cocksucker.

What the actual fuck? Person (or people!) who devised this password policy, you are an idiot (or idiots - all of you). You are stupid and insane and have no idea about security or user experience.

After it was revealed that the Equifax hack was even bigger yet again, the US government said something that really made me say/think something in the trend of "WHAT the actual FUCK?!"

"This data is in the hands of cyber criminals anyways".

You run the biggest mass surveillance program in the world, sucking up more than a million terabytes every hour, then at least could you PRETEND to care/take interest when the personal data of about all your citizens appears on the Internet?!

Fucking hell.

Years ago we had a visit from a startup company developing a firewall and I got the chance to talk with one of their devs.

He explained the subtleties of security holes in websites and after I said something about our site being secure thanks to being behind a firewall he gently asked what would happen if he entered a specially crafted test into one of the text fields ... and he gave an example ...

I got a chill, went back to my seat and traced what it would do ...

That was when I learned about sql injection and his example would have killed the DB :/

Before going home I designed a way to secure the input which I then refined over a few days.

We still use that today after 17 years.

That one single sentence really showed to never be to proud of our security and I realized how vulnerable our site was.

Found a security hole....

A fast food delivery service had an ID for every order it Said
"example.com/order/9237" - i go 9236... finds another persons order, address, and phone number

So What should i do?

i thought of making a crawler and then make statistics on everyones orders and send Them a link 😂

Me: *enters password on phone (long PIN)*
Person next to me is looking at my phone WHILE I enter my password, and as I look at him, he doesn't even turn away and even has the nerve to say:
"Wow, why do you have such a long password!"
Μy answer: "Because of security reasons."
What I actually wanted to say:
"Because of pieces of SHIT like you who can't keep their eyes to themselves, even when PASSWORDS are involved, you FUCK! Guess why everytime I enter a password in public, I have to dim my screen and turn my screen sideways? Because of fuckheads like you, not knowing shit about privacy and security! Fuck you!"

I guess that is what you get for bringing up security issues on someones website.

Not like I could read, edit or delete customer or company data...

I mean what the shit... all I did was try to help and gives me THIS? I even offered to help... maybe he got angry cause I kind of threw it in his face that the whole fucking system is shit and that you can create admin accounts with ease. No it's not a framework or anything, just one big php file with GET parameters as distinction which function he should use. One fucking file where everything goes into.

It was fun to watch my entire high school (~1200 people) freak out when I ran "net send * Big brother is watching you..." on what I found to be an insecure computer in my high school's library. Every single computer in the building displayed the pop up message. The town's IT director even showed up to figure out what happened.

I was caught, but they were more happy it wasn't a hacker, and that I discovered that the IT firm the town hired totally botched properly implementing network security, so I was let off the hook.

!dev

A year or so ago (or more...?), Facebook started with text based 2FA. They promised not to use the phone numbers for anything else than the extra security.

I immediately said that they'd probs do that anyways and got into a few fights and people started calling me paranoid yet again.

Guess what was revealed a few days ago .____.

I don't even want to be right in these kinda cases :/

Got invited to a "roundtable", where we will discuss email security and the future and direction of where it is going.
Only 10 people in Sweden got a chair

I feel exclusive but also scared that they will find out what a noob I am lol

Today I was hired to pentest a company's framework. While getting directions on what needs to be tested I counted 4times the sentence:
"We are a multi-awarded company for our security, virtually nothing gets past our firewalls".

Most of the PCs had Win98

*knock knock*
SIR do you have a moment to talk about our lord and savior the WINDOWS UPDATE?
"uhm no sorry I'm busy"
*sees a bulldozer in the background*
"what the .."
SIR just let him in your heart and feel his security patches drive your vulnerabilities away!!
"but the rendering hasn't finished ye.."
TOO LATE SIR, green light fellas let's do this
*bulldozer destroys my house and i wake up, sweating*

*hugs laptop*
"Oooh Ubuntu my baby I've missed you soo much!"
*wayland crashes*

I have spent 20 minutes explaining to a contractor how to stage a file in git and what a filepath is.

It's moments like this where I stop worrying about my job security

Seriously fuck mandatory security questions, these are my options:

What year did you meet your spouse?
I'm single.
What is your favorite book as a child?
I didn't have a favorite book. (and still, don't)
In which city did you meet your spouse?
I'm single
What is the first name of the first person you went to prom with?
Didn't go to prom.
Which state did you first visit (outside of your birth state)?
I've been to about 43 states and can't remember when I started traveling, how the fuck am I supposed to know?
In which city was your spouse born?
Again I'm single.
In which city did your oldest sibling get married?
I don't have any siblings.

C'mon, at least let me create my own question because right now I have no choice but to make up random shit and write it down in LastPass as a note.

My wife was going to school for a business degree but likes what I do as an engineer. She spent a month or so debating engineering or information security.

Yesterday she changed to a degree in information security.

Today she opens a GitHub and starts learning to program and I'm in love all over again.

(The PM is pretty technical)
One day:
Me: Could you create this subdomain?
PM: Sure, just a sec.
Me: Ohh and could you add a letsencrypt cert? (one click thingy)
PM: Why would you need that on this kinda site...
Me: Well in general for security...
PM: Nahh.
*walks away*

Next day:
(referring to my internship manager/guider as Bob)
Bob: Hey... we have a new subdomain!
Me: Yup!
Bob: Wait why is there no letsencrypt certificate installed...?!?
Me: Well, the PM didn't find that neccesary...
Bob: (Oo) of course it is... are we going for security by default or what?
Me: Yup agreed.
Bob: *creates cert and sets everything up in under a minute*

It wasn't a high profile site (tiny side project) but why not add SSL when you can for free?

So this chick has been super nice to me for the past few months, and has been trying to push me towards a role in security. She said nothing but wonderful things about it. It’s easy, it’s not much work, it’s relaxing, etc.

I eventually decided I’m burned out enough that something, anything different would be good, and went for it. I’m now officially doing both dev and security. The day I started, she announced that she was leaving the security team and wouldn’t join any other calls. Just flat-out left.

She trained me on doing a security review of this release, which basically amounted to a zoom call where I did all of the work and she directed me on what to do next, ignored everything I said, and treated me like an idiot. It’s apparently an easy release. The work itself? Not difficult, but it’s very involved, very time consuming, and requires a lot of paper trail — copying the same crap to three different places, tagging lots of people, copying their responses and pasting them elsewhere, filing tickets, linking tickets, copying info back and forth to slack, signing off on things, tagging tickets in a specific way, writing up security notes in a very specific format etc. etc. etc. It’s apparently usually very hectic with lots of last-minute changes, devs who simply ignore security requests, etc.

I asked her at the end for a quick writeup because I’m not going to remember everything and we didn’t cover everything that might happen.

Her response: Just remember what you did here, and do it again!

I asked again for her to write up some notes. She said “I would recommend.. you watch the new release’s channel starting Thursday, and then review what we did here, and just do all that again. Oh, and if you have any questions, talk to <security boss> so you get in the habit of asking him instead of me. Okay, bye!”

Fucking what.
No handoff doc?
Not willing to answer questions after a day and a half of training?

A recap
• She was friendly.
• She pushed me towards security.
• She said the security role was easy and laid-back.
• I eventually accepted.
• She quit the same day.
• The “easy release” took a day and a half of work with her watching, and it has a two-day deadline.
• She treated (and still treats) me like a burden and ignores everything I said or asked.
• The work is anything but laid-back.
• She refuses to spend any extra time on this or write up any notes.
• She refuses to answer any further questions because (quote) “I should get in the habit of asking <security boss> instead of her”

So she smiled, lied, and stabbed me in the back. Now she’s treating me like an annoyance she just wants to go away.

I get that she’s burned out from this, but still, what a fucking bitch. I almost can’t believe she’s acting this way, but I’ve grown to expect it from everyone.

But hey, at least I’m doing something different now, which is what I wanted. The speed at which she showed her true colors, though, holy shit.

“I’m more of a personal motivator than anything,” she says, “and I’m first and foremost a supporter of women developers!” Exactly wrong, every single word of it.

God I hate people like this.

I'm seeing people defending clearly-injectable code and I'm just stunned.

And this person in particular is supposed to be responsible (at least partially) for finding security flaws.

I don't know what to say.

I now know another person's password without even wanting to.

He was sitting in the row in front of me, logging into our course page and then *brrrrraaaaapppp* - ran his index finger along the top number row and hit enter.

1234567890

I don't even know what to say.

Coding nightmare -> the guy who wrote this application I guess wanted job security? At the VERY least to be a pain in the ass to anyone else who touches his code....WHO NAMES THEIR VARIABLES PEOPLE NAMES?!?!? do I know what "Beth" or "Sarah" stand for? ummmm....no 😢

Me: So what you are doing in the IT field?
Him: I am hacking bank websites.
Me: OK, that's cool. It is good in free time. What is your actual job?
Him: I am seriously hacking the bank Web site!
Me: Trust me, if you seriously doing that you will never ever mentioned it...
Him: No, I am doing it legally... The bank hiring me to try to hack the website...
Me: OK, you mean that you are cyber security tester?
Him: That is almost the same...
Me: So you are tester?
Him: I am hacking bank's websites...
Me:....

!rant
*me logging into the demo system*
Me: so what is the login data?
Boss: we are a security company, what do you think?
Me: admin admin?
Boss: admin admin.

Following a conversation with a fellow devRanter this came to my mind ago, happened a year or two ago I think.

Was searching for an online note taking app which also provided open source end to end encryption.

After searching for a while I found something that looked alright (do not remember the URL/site too badly). They used pretty good open source JS crypto libraries so it seemed very good!

Then I noticed that the site itself did NOT ran SSL (putting the https:// in front of the site name resulted in site not found or something similar).

Went to the Q/A section because that's really weird.

Saw the answer to that question:

"Since the notes are end to end encrypted client side anyways, we don't see the point in adding SSL. It's secure enough this way".

😵

I emailed them right away explaing that any party inbetween their server(s) and the browser could do anything with the request (includingt the cryptographic JS code) so they should start going onto SSL very very fast.

Too badly I never received a reply.

People, if you ever work with client side crypto, ALWAYS use SSL. Also with valid certs!

The NSA for example has this thing known as the 'Quantum Insert' attack which they can deploy worldwide which basically is an attack where they detect requests being made to servers and reply quickly with their own version of that code which is very probably backdoored.

This attack cannot be performed if you use SSL! (of course only if they don't have your private keys but lets assume that for now)
Luckily Fox-IT (formerly Dutch cyber security company) wrote a Snort (Intrustion Detection System) module for detecting this attack.

Anyways, Always use SSL if you do anything at all with crypto/sensitive data! Actually, always use it but at the very LEAST really do it when you process the mentioned above!

Fucking crunchyroll hardcodes their access tokens in a Constants Class in their APK, technically that is a security issue.

What the actual fuck Crunchyroll!? No fucking wonder you got DNS Hijacked so quick, security is literally your second priority you dumbed down twats, get some real devs and some real QAs for fucking god sakes, you're tearing down your own system by inviting exploits.

Me: Browsing the security of a website.

Tell the website developer that they are using the SHA-1 hashing algorithm for encrypting the credentials of it's registered users.

Them: Yeah, so what?

Me: You shouldn't be using an algorithm which was exploited years ago in the age of 2016.

Them: Don't worry, nothing will happen.

Me: *facepalm*

Dropped my youngest off at the childminder today and her husband asked me what I'm doing for a job now
.. Explained its security and data science... His reply was to ask if I can setup a printer....

Had a discussion with a developer about security. His software transfers all user data (password and files) unencrypted, so anyone can grab them with wireshark. I told him that this is a severe issue. He said no its no problem because if you get hacked its your own fault, because you probably used an insecure network. NO ! YOU FUCKING MALADJUSTED SHEEP-MOLESTING OBJECT OF EXECRATION, YOU SHOULD ALWAYS ENCRYPT SENSITIVE USERDATA NO MATTER WHAT NETWORK YOU USE. FUCKING KILL ME ALREADY.
Not implementing encryption is one thing but then acting like its no problem is a fucking nother one. Why do people not understand that security of userdata is important???

* How other sites charge for a domain name
- The domain (abc.com) is available
---- Price => $14

* How AWS charges
- Your domain (abc.com) is available
--- Domain name => $18.99
--- DNS resolution => $17.88
--- Hosted zone (1) => $10.97
--- Route53 Interface => $45.67
--- Network ACL => $63.90
--- Security Group => $199.78
--- NAT Gateway (1) => $78.99
--- IP linking => $120.89
--- Peer Connection => $67.00
--- Reverve Endpoint => $120.44
--- DNS Propagation => $87.00
--- Egress Gateway => $98.34
--- DNS Queries (1m) => $0.40
--------------------------------
---- TOTAL => $2903.99
(Pay for what you use... learn more)
--------------------------------

Typical TSA (Airport Security)

Security: Please put all of your handheld objects and your outer clothes in this basket.
Me: (puts my bag, in flight luggage, and takes out laptop, bluetooth speaker, bluetooth mouse, bluetooth keyboard, tablet, android phone, dongle bag, and windows phone)
S: (stares at me as if I am a rich kid)
M: May I go through?
S: (nods)
M: (smirks, and goes through metal detector)
BeepBeepBeep!
M: (oh shit.)
Scanning Officer: Raise your hand!
M: Mmmhmm
S: (Hovers the detection stick around my body, but it doesn't ring, tells me to pass through the detector again. Still rings. Super confused. Asks me to do this 2-3 times more. Still same.)
M: Aha! I have my bluetooth earphones here! Sorry!
S: (stares at me, as if he is saying what a f****** weirdo)
My stuff comes out. I put my devices in the bag. The scanning officer stares at me.
M: (smirks)

To be continued....

Yesterday,
I was a bit drunk.
But I wanted to improve security of the company. So, I went in Azure and activated “Security defaults” which forces MFA for all users in the company. (Because RH always forget to enable MFA for new employees, and I actually care about security)
Then I went in office 365 management and instead of resetting MFA for all users (Forcing everyone to redo MFA setup), I (by mistake) clicked on reset all passwords.
I tested my own account it was fine and went to sleep.
Got a call from CEO at 7am, all 30 employees cannot login in, cannot work.
What a shit show I made…
I have a call with CEO in about 2 hours, I don’t even know how to justify myself…
So children: don’t activate company wide options while drunk. Ever.

Alright lets work on the security/privacy blog again.

Things I've got in the making right now: dark theme by default, font change and an rss feed!

Let me know what you'd like to see :)

I'll also reveal a new domain name soon!

Something I probably shouldn't talk about:

One of the projects at work has a specific path you can visit. The """security""" is that nobody should know the path. But I can guaran-fucking-tee you it's not difficult to guess.

On this page, ***without a login***, you can view some user information. Well, you can view all of it, but only certain fields.

And if you perform a specific action on this page, you can get their password, plaintext.

This project is not mine. But learning all of this made me super uneasy. I had to share it.

Merry Christmas devRanters! Because it's Christmas and I'm pretty much home alone all day I want to do two blog posts today/tomorrow.

Going to do a security one which will be about CSF.

Any ideas on what I could do for a privacy one? (the Firefox add-on thing will come along but not yet)

I'd love to hear ideas!

What is this ?
U call this wireless security??

Anyway what is the best way of securing hotspots in the airports , hotels , ... ?

Alright so the security blog is coming up soon (as in, days probably) and I'm working hard together with 404response on the privacy site.

I do want to gain some insight into visitor numbers and so on but OF COURSE, commercial/closed source options are a no-go for me!

I am thinking about maybe using Piwik with all the privacy options enabled Also self hosted obviously. What do you guys/gals think?

Made the mistake of mentioning ISO27001 security standard near management.

- "What?? Why don't we have that certificate?! Why are you not thinking about this?"
- "We don't need it."
- "Of course we do! we must have the highest standards!! Lets hire some lawyers and security consultants to help us get certified!"

A week later:
"Ok, turns out we don't need it."

Satan give me strength...

I'm fixing a security exploit, and it's a goddamn mountain of fuckups.

First, some idiot (read: the legendary dev himself) decided to use a gem to do some basic fucking searching instead of writing a simple fucking query.

Second, security ... didn't just drop the ball, they shit on it and flushed it down the toilet. The gem in question allows users to search by FUCKING EVERYTHING on EVERY FUCKING TABLE IN THE DB using really nice tools, actually, that let you do fancy things like traverse all the internal associations to find the users table, then list all users whose password reset hashes begin with "a" then "ab" then "abc" ... Want to steal an account? Hell, want to automate stealing all accounts? Only takes a few hundred requests apiece! Oooh, there's CC data, too, and its encryption keys!

Third, the gem does actually allow whitelisting associations, methods, etc. but ... well, the documentation actually recommends against it for whatever fucking reason, and that whitelisting is about as fine-grained as a club. You wanna restrict it to accessing the "name" column, but it needs to access both the "site" and "user" tables? Cool, users can now access site.name AND user.name... which is PII and totally leads to hefty fines. Thanks!

Fourth. If the gem can't access something thanks to the whitelist, it doesn't catch the exception and give you a useful error message or anything, no way. It just throws NoMethodErrors because fuck you. Good luck figuring out what they mean, especially if you have no idea you're even using the fucking thing.

Fifth. Thanks to the follower mentality prevalent in this hellhole, this shit is now used in a lot of places (and all indirectly!) so there's no searching for uses. Once I banhammer everything... well, loads of shit is going to break, and I won't have a fucking clue where because very few of these brainless sheep write decent test coverage (or even fucking write view tests), so I'll be doing tons of manual fucking testing. Oh, and I only have a week to finish everything, because fucking of course.

So, in summary. The stupid and lazy (and legendary!) dev fucked up. The stupid gem's author fucked up, and kept fucking up. The stupid devs followed the first fuckup's lead and repeated his fuck up, and fucked up on their own some more. It's fuckups all the fucking way down.

Just set a cron on a coworkers machine to play "What does the fox say" at max volume at 8 when he's the only one here.

May need to review the security footage in the morning.

Oh my fucking god... I am looking at this code written by a previous developer and he put the passwords in plain in an array in a PHP file, like WHAT WHERE YOU THINKING? (btw that's also how he checks the password, just check whether it's in the array)

c'mon pls

Because the RSS feed is still down, hereby.

The post about what I personally take for security and privacy measures is up.

Hopefully you can learn something from it or even email me some tips!

Just got a new TV, 4K... it’s one of those smart ones, by Samsung.

Anyone want to explain what the fuck “McAfee Security for TV” is, and why the fuck it is necessary!?

What kind, of absolute waster madman goes “I know what I’ma do today, write a virus for a tv”!?

Take that shit elsewhere McAfee.

Now accepting any links to known Smart TV 0-days and attacks...

And I had to sign in to 5 different fucking accounts to get to the fucking tv.

The world is broke as fuck. Roll on the apocalypse.

While writing up this quarter's performance review, I re-read last quarter's goals, and found one my boss edited and added a minimum to: "Release more features that customers want and enjoy using, prioritized by product; minimum 4 product feature/bug tickets this quarter."

... they then proceeded to give me, not four+ product tickets, but: three security tickets (two of which are big projects), a frontend ticket that should have been assigned to the designer, and a slow query performance ticket -- on top of my existing security tickets from Q3.

How the fuck was I supposed to meet this requirement if I wasn't given any product tickets? What, finish the monster tickets in a week instead of a month or more each and beg for new product tickets from the product manager who refuses to even talk to me?

Fuck these people, seriously.

TIL that TI has no goddamn chill

Texas Instruments released the TI-83+ calculator model in 1996. The Z80 was not at all stock and has the following features:

- 3 access levels (priveleged kernel, kernel, user)
- Locking Flash (R/O when locked for most pages, some pages protected and unreadable as well, only unlockable from protected Flash pages by reading a certain order of bits then setting a port)
- Locking hardware ports (lock state always the same as flash)
- Customizable execution whitelist range (via locked ports)
- Configurable hardware (Flash/RAM size changeable in software via locked ports, max RAM is 8MB which is fucking mental compared to the 64k in the thing)
- Userland virtualization (always-on)
- Reset on violation of security model
- Multithreading
- Software-overclockable CPU
- Hardware MD5 and cert handling

TI made a calculator in 1996 with security features PCs wouldn't see until like 2010 what the *actual* fuck

I'm the worst with color combinations and I want to enable dark mode on the privacy/security blog!

What color combinations (if you have hex codes or something, please share!) would you think would suit the blog?

Halp :P

What. The. Actual. Fuck.

My co-workers just tried to convince me that the following is a secure password:

"ThisIsASecurePassword2018"

Just... I mean... Why? *sigh*

Their argumentation is based on the new NIST guidelines.

If they've read these guidelines CAREFULLY though... (not only the appendix) it actually states "Don't use words from the dictionary". Passwords like these should even be rejected right away.

So my boss is staring a new security oriented product and he asked one of my colleagues to prepare a presentation about the possible attacks on the product.

During the presentation there was a section on DoS attacks. The boss didn't know what DoS was and after a brief explanation, he interrupted the presentation and said DDoS is not a threat because there is no data stolen. This is a webapp.

I opened a post starting with a "NO TOFU" logo and I was wondering what relationship existed between the SSH protocol and anti-vegan people.

After some paragraphs it explained that TOFU stands for Trust On First Use (a security anti-pattern).

I start with the features I want for sure and then i start looking at what data I really really need to store. Then I start looking at what data I don't have to store because of privacy reasons anyways.

Next stop is looking at the security.

When that all looks good, I simply start programming!

My friend coded a "secure" storage for text...

Text to store:
Mysupersecrettext

Storage file content:
password=Mysupersecretpassword
contentcount=1
content_1=Mysupersecrettext

In the application it asks for your password. It even shows a message for 5 seconds with "Decrypting your secure storage...". No more words needed...

Published a new blog article last weekend (finally) and had the idea to make a privacy/security Q&A one this weekend.

I'd make an email address for it to which you can email (a) question(s).

What do you people think?

"You've been working on this for 6 weeks, and I don't see any changes. What have you done?"
"I completely overhauled the backend, now everything makes more sense and we're using more modern APIs"
"But nothing's changed at all! The front-end looks exactly the same!!"
"*sigh* The new backend is also more secure.. "
"Oh, so it's a security upgrade, that's good, but why did it take six weeks?"
-_-

So...new intern , table paired to mine , get my hopes up that it's hopefully not another stuck up uni kiddo , hopes get ruined . He asked me my name and what I do , when I told him I do product security his reaction was 'oh so you're not a dev ?' . Go.eat.shit.and.choke.with.those.alienware.headphones. he didn't even listen to what I had to say about that , just put on his headphones and ignored me . Prick.

Who's at fault for the recent Wanna Cry virus: The companies affected or Microsoft/NSA?

Personally, I think it's the companies affected. This is what happens when you try and be cheap when it comes to cyber security​.

I live in zurich switzerland one of the most expensive places to live. And i work as a jack of all trades graphic ux/ui designer/copy writer/marketeer in IT security.
I earn about $3800 a month, but every salery calculator says I should earn above $7000. With a median salery of $9300. But this seems so much money and I suffer from low self esteem. So what should I do? (Quitting is not an option because I like it there)

Can https be decrypted easily?
(Or even by spending some time)
Plus what other security methods banks apply to prevent theft of sensible data?
Do they encrypt data using thair own private key thet is changed automatically?

Cyber security. Deep knowledge of cyber security and networks is what I wish I had. The math stuff that no one bothers with, specifically.

It's a new semester and the introductory class for a General Ed is going on.
Prof: What do you want to be when you are done with engineering?
Me: I'd like to be in the security domain but I'm still not sure.
Prof: Then why are you doing Computer Science? You can just get a job as a security personnel.
FML.

I am amazed how specific everyone is being about security vulnerabilities at their employers. Hopefully no one social engineers what company you work at.

Nope
Nope
Nope
Nope
Nope
Nope
Nope
Nope
Nope
Nope
Nope
Nope
Nope
Nope
Nope
Nope
Nope
Nope
Nope
Nope
Nope

I think that's the thread dump of my brain currently.

Anyone knows what date and time we have?

I'm so lost right now.

17 projects atm thanks to e.g. Microsofts Exchange Hell.

I. Hate. Everything.

Go spread your butt cheeks so I can give you two fists of love before you write a damn ticket regarding yet another (security-) problem in infrastructure.

who here has worked for a bank?

without naming names? what was the scariest thing they did, like, bad code, bad security, etc, that you had to fix

always wanted to be a fly on the wall of the devs office for a bank...

“Fullstack dev morphs into a security expert”

We have a simple user registration system. Get the user details, generate an OTP, save in Oracle, email the OTP. The SMTP host is configured to send emails only to people who have an existing @a_very_famous_bank.com email address.

As a part of an enhancement request, the other day, we were trying to register a non-bank email address. As expected, it failed.

Manager: Meeting... meeting... meeting

Me: (Explained the problem)

Fullstack dev: so the thing is.. it’s like.. (doesn’t falter to open with these lines)...what I can do is...I can send you an HTTP security header in the HTTP request. It’ll work!

Me: (I hope an adult giraffe fucks you in your belly button)

More to come!

I think what would help is to teach them these things:
- awareness for security in code
- how to use a fucking VCS like Git and how it works

Manager: You want a promotion? To senior? Ha. Well, build this web app from scratch, quickly, while still doing all your other duties, and maybe someone will notice and maybe they’ll think about giving you a promotion! It’ll give you great visibility within the company.

Your first project is adding SSO using this third party. It should take you a week.

Third party implementation details: extremely verbose, and assumes that you know how it works already and have most of it set up. 👌🏻

Alternative: missing half the details, and vastly different implementation from the above

Alternative: missing 80%; a patch for an unknown version of some other implementation, also vastly different.

FFS.
Okay, I roll my own auth, but need creds and a remote account added with the redirects and such, and ask security. “I’m building a new rails app and need to set up an SSO integration to allow employees to log in. I need <details> from <service>.” etc. easy request; what could go wrong?

Security: what’s a SSO integration do you need to log in maybe you don’t remember your email I can help you with that but what’s an integration what’s a client do you mean a merchant why do merchants need this

Security: oh are you talking about an integration I got confused because you said not SSO earlier let me do that for you I’ve never done it before hang on is this a web app

Security: okay I made the SSO app here you go let me share it hang on <sends …SSL certificate authority?>

Boss: so what’s taking so long? You should be about done now that you’ve had a day and a half to work on this.

Abajdgakshdg.

Fucking room temperature IQ “enterprise security admin.”
Fucking overworked.
Fucking overstressed.

I threw my work laptop across the room and stepped on it on my way out the door.
Fuck this shit.

Someone ask to me as a security engineer.

Bro : what do you think about most secure way to authenticate, i read news using fingerprint no longer safe?
Me : yes they can clone your fingerprint if you take a photo with your fingerprint to camera.
Bro : so what is the other way to authenticate more secure and other people can't see in picture ?
Me : D*ck authentication is more secure now, other people can't see your d*ck pattern right?

Today, the security department stopped our new project and told us to work on the last project instead because of a top-secret security flaw.

Problem is, they are not allowed to tell us what the problem is. FML

So I need to "fix" a false-positive security warning (mass-assignment of a foreign key). Do I "fix" it by...

A) Setting it manually and double-saving the object?
B) Rewriting the mass-assignment so the linter doesn't realize what I'm doing?

Both options suck.
But security is going to complain if I don't do it.

Guess what?
I'm not doing it.

SMD you ducks.

I was working in a manufacturing facility where I had hundreds of industrial computers and printers that were between 0 and 20 years old. They were running on their own clean network so that someone has to be in the manufacturing network to access them. The boss announced that the executives will be pushing a “zero trust” security model because they need IoT devices. I told him “A computer running Windows 98 can’t be on the same VLAN as office computers. We can’t harden most of the systems or patch the vulnerabilities. We also can’t reprogram all of the devices to communicate using TLS or encrypt communications.“ Executives got offended that I would even question the decision and be so vocal about it. They hired a team to remove the network hardware and told me that I was overreacting. All of our system support was contracted to India so I was going to be the on-site support person.

They moved all the manufacturing devices to the office network. Then the attacks started. Printers dumped thousands of pages of memes. Ransomware shut down manufacturing computers. Our central database had someone change a serial number for a product to “hello world” and that device got shipped to a customer. SharePoint was attacked in many many ways. VNC servers were running on most computers and occasionally I would see someone remotely poking around and I knew it wasn’t from our team because we were all there.

I bought a case of cheap consumer routers and used them in manufacturing cells to block port traffic. I used Kali on an old computer to scan and patch network vulnerabilities daily.

The worst part was executives didn’t “believe” that there were security incidents. You don’t believe in what you don’t understand right?

After 8 months of responding to security incident after security incident I quit to avoid burning out. This is a company that manufactures and sells devices to big companies like apple and google to install in their network. This isn’t an insignificant company. Security negligence on a level I get angry thinking about.

Send over the entire directory for a WordPress site we completely overhauled with new plugins, custom theme, redid content with visual composer, etc. I tell him to backup his site and then put everything I give you as fresh. He tells me he can't just wipe out his entire site that's unacceptable. I ask him what's the problem? he rambles on and says a lot of words that don't really mean anything then says security. so I call him out on it, what security issues do you have? well we have users and permissions setup he says. I explain That I copied his users table over when we did the redesign, so it's the exact same stuff. so I say again, why can't we just replace everything? well that's just not acceptable he says. I ask him again, what EXACTLY is your problem with replacing the site since I already addressed your security concern. he couldn't answer me so now we have another conference call tomorrow morning with more people from their team. I'll let you know how it goes.

tldr; clients are idiots, call them out for the dumb shit they say and have no response.

!rant but help?

I currently have Kali (for labs I'm working on to teach myself the things I didn't learn in school), Ubuntu (downloaded for school), and Fedora (downloaded for my database class)... other than Kali already having Metasploit in it, I don't see a difference between these and I know there are more versions of Linux.

What would be a good starting place for every day use, that'll support Citrix receiver (required for work no idea what its requirements are but I can find out, if i can't use it in Linux, I'll dual boot) and virtual box (or other virtual software, don't mind learning new systems), and that i can also have room to grow for security learning?

Reported an important security vulnerability inside our organization, right before getting off work. A security team member contacts me over chat asking for some details on my investigation. At the end, he tells me: "thanks, I will copy and paste this conversation on the ticket so that everyone can see".

What I imagined: he would copy and paste the conversation as is, so that every line written by me is prefixed with my name.

What he does: he writes a summary of our conversation, barely mentioning my name, making it look like that part of the investigation was done by him.

Now I have so much anger inside of me that my internal organs are boiling.

watching the online course for CEH... dude used the Death Star as a tangible example of how exploits work.
IDK if I should love it for the nerdiness, or be slightly sad that someone needs that type of example of what a vulnerability vs an exploit is, when they're going for the Certified Ethical Hacker certification...
Might be better in an introduction to Network Security class?

Also, while discussing the security, usability, and functionality triangle, he reference the Staples "Easy Button" - does one thing, not very secure, and not very functional (in that it has more than one function)...

Why do people like non typed languages like php or javascript? Besides from a giant pile of possible security problems what do you get out of it?

A coworker told me this a little while ago and I cringed.

"Coworker installs windows partition o n a Mac, not sure what utility he used but he's handled every IT issue, people in our company for years but googling and researching ways to do things.

Steve comes along to do a service on the Macs (apparently) and sees what my coworker did and says "get rid of that it's a security risk", coworker had a legitimate reason to use Windows, plugin for Excel only works in Windows, so Steve could have totally done checks to ensure security wasn't a risk, but he's a Mac elitist, what can you do :/, lucky coworker though gets to use a windows PC and never looked back xD."

Honestly scared of Steve doing that so called service seeing I have tons of things I need to use (source tree, Android studio, some tools to test push notifications) and just down right deleting them because of his reasons, that and the whole he does services after hours without much warning (last time it was a leave password on desk for the next "week" and Steve will come in and fix the Macs) I can't defend my argument of why I use something like Android studio (to develop the app for the company LOL)

Client: We need to deploy some Windows 2003 servers.

Us: Sure thing, Mr. Client. Your money is more important than the security and stability of our systems.

What we should have said: Sure, but you need to stop in our office, put your dick in a vice and we'll take turns cranking that bitch closed until you agree to use something more modern.

Concerning my last rant, some explanation:

In short:
Skype and security agencies spy on all the people.

More context:
To the extent, that Skype employees suffer mentally from excessive porn.
That's what large amounts of users did on this platform the last two decades.
So the affected had to bring their case to national, maybe even super national courts.
Which gave in to their claim.
Thus bringing the employees into another salary category, so, compensating the damage done.

What sounds like a unions topic reveals large scale mass surveillance of everybody without exception.

And describes some effort in machine led (picture) recognition.

This is not fucking security, it's obscurity! What the fuck is a memorable word without any context! It drives me up the fucking wall. This doesnt help anyone it just promotes people to put silly shit like password or something so they won't forget but it just makes their account weaker.

So this just happened. Some background before I begin: We're understaffed, my desk is in the back of the building, and there's no one really at the front to greet people. No security either...

Guy walks in wearing a flannel jacket (no shirt under it), pajama pants, and sandals. He looks like hell. Explains he was just released from a hospital and his apartment is locked. I let him use my phone to call his sister.

When I talk to his sister, she barely wants to speak with him. Tells me his apartment is locked for a reason and he's not allowed back. I'm just like: "So... what would you have us do for him?" At this point if his sister won't help, I was going to ask him to leave. Oh, and that hospital was a drug rehab.

So it ends with him waiting for a ride, but he ends up napping on the couch in the front of our office. CEO/Owner and his business partner walk right past and say nothing. They go into a meeting. I'm trying to figure out if I ask him to leave, wait outside for his ride... I'm a developer, this isn't my job.

A good 45-60 minutes later, after the guy walked outside and then came back in and laid back down on the couch, he leaves with his ride. Shortly after the owner walks out of his meeting, so I ask him what to do in this situation - more hoping he'd realize the need for more security.

If this story isn't crazy enough, the business partner pipes up - absolutely serious - and says he didn't say anything because he thought the guy was a developer.

So I've learned that we've got extremely low hygiene standards for developers here, with a relaxed dress code and are allowed nap times on the front couch.

Thankfully our CYBER security is better than our PHYSICAL security. :|

I submitted a security report some days ago.

It is well written, it explains what is happening and what is the impact providing an example. I give some advice about how to handle this situation, it's about concurrency issues and it's pretty tricky to debug.

Answer from the reviewer:
"Please, can you tell me what are the implications?"

...
...

FUCK.
IT'S LITERALLY FUCKING WRITTEN,
CAN U EVEN READ IT?
THERE ARE PICTURES DESCRIBING THE ISSUE, I EVEN ATTACHED A FILE YOU CAN USE TO DEBUG.

...

This is the last time I report vulnerabilities.

just saw a tweet praising a company because of their choice to use swiss servers and they had a pompous sentance in parenthesis like (upside to banking secret culture)

like, dude, at the end of the day, guaranteed their 'server' is just a linux box somewhere, just like anywhere else in the world just STFU

god i HATE ignorance, hype, and stupid tropes that managers just automatically subscribe to with their 2 brain cell NPC brain

Wow the security by captcha!

Guess what? IIT Kharagpur is considered one of the best institute in India to study Computer Science and its major in research include image processing

I wanna make you feel what you have brought into my house!!

I was working with security cameras once in a home automation project. One of those camera particularly stand out by offering a cgi without password request to view and change the current passwort and username.

Seriously wtf is wrong with you? I mean this thing automatically connects to an internet service offering everyone to connect to it with that passwort and username. And I know some of you might say "hey chill the cgi is only available on the wifi" - dammit no. Security is a lifestyle do it complete or get the fuck out. God knows what other mistakes there might be hidden in that thing screaming out to everyone to watch me taking a shit.

But that's not the end of it. My company arranged a call to the technical support of that camera so that I can explain the problem and a patch gets released. Those guys didn't give a shit about it and were even laughing at me. Fuck you!

So whoever is responsible - I will find you - and you will never see me coming.

Can you really trust the security features on your device?

Can you really verify that no one is looking at what you're doing all day, in your house or out and about?

What if I am the one looking at your naked ass right now?

Hello everyone.

I'm switching phones from Android to iPhone. Mostly because of stronger security policies, longer support for security updates and whatnot.

I would like to know what useful iOS apps you use. Does not have to be dev related. Just hit me with your best shot.

I know that there will be people screaming MUH ANDROID. I don't really care. You do you.

Windows 10: Please reboot, I want to update
Me: K, do it
Windows 10, after reboot: I could not update, what do?

I had this conversation with my laptop about 15 times in the past couple of months and SINCE THEN I DID NOT HAVE A SINGLE SUCCESSFUL UPDATE. WHEN A NEW WANNACRY ROLLS OUT I WILL BE THE FIRST VICTIM BECAUSE AT THIS POINT A POTATOE HAS MORE RECENT SECURITY UPDATES THAN I DO

FUCK!
After submitting a registration form I noticed the site is served over plain HTTP. Their marketing site is served encrypted, but login and register are not! What the fuck!!!

Fuck everyone who does this stupid fucking shit with disregard to basic security features! Their goddamn bullshit privacy policy is bragging about how it's top priority to protect their customers' information and shit like that. Get the fuck out, cunts!!

I contacted them so I might have a continuation to this rant if I'm not satisfied with their answers.

Goddamn it!

It amazes me how quickly give out their passwords. I ask for a person's user name and I swear at least 75% of the time they give me their password too!

Holy fcuk! Can anyone here help me understand how this domain is possible?

WARNING: obviously its a spam site. Take necessary security precautions if you are going to visit.

the following domain opens a cluster fuck domain name! >> secret.ɢoogle.com

That ɢ is not what it looks like. How is such domains possible to exist? Even more surprising, how is this sub domain -ception possible?

Hey there 👋

I am more or less throwing any burden (WhatsApp, Facebook, Google etc.) out of my life. Of course I will continue using the Google account for YouTube and some games that need it.

That's what it looks like right now:

Raspberry Pi 3B+
✅ webserver
- forum - complete (atm just for me)
- blog - no ideas and just installed october cms and nothing done yet
- nextcloud - complete and filled with my porn... eeh... data

✅ mailserver
(missing spamassassin, clam or sth. like this but it's working 😂)

✅ matrix-synapse
(as an additional alternative to messengers)

______________

Raspberry Pi 2
✅ catches dust
(any ideas?)

Of course, many more configurations and the like are necessary before everything is ready... but what then or what else is there?

At the moment I still use WhatsApp. Just wanna take time before sending everyone a message about changing the messenger and that it should be important for thinking about the own privacy, which alternatives there are bla...

Edit: For passwords I'm using Myki - didn't hear anything bad about it yet and it's very easy to use (Firefox add-on, Android app).
I love my passwords with 200 characters 😂
Maybe someone's knowing more about them?

Hope I didn't forget a thing... thanks in advance aaaaaaand... I'm gone. ☺

Sometimes your music app knows just the right song to play.

Story:
Production program was working (has been for a long time). But suddenly it starts failing. I spent a long ass time trying to see what went wrong.

Problem:
Security update on the server 🙃

Now I've got the client, his minions, and the users emailing me to fix this. But I didn't start this fire!

Song: We didn't start the fire, by Billy Joel

I freelanced for a startup one time, and found out they had ten of thousands of records stored in their DB about dental patients, inducing name, address, social security #, some medical history, etc. All in plain text. Worst part is they hired me after a 20 min phone call, and didn't even sign a NDA!

Makes me paranoid to use the Internet knowing what some of these companies do.

Fun Story: My first official project was related to system files security. In first meeting project manager was talking about Macros and OLE i had no idea what the heck he was saying.just kept noding
Took us 2 months to complete the project now it has been deployed and working perfectly
Told my manager about this during final one on one meeting and he couldnt believe me,he still laughs about it everytime we meet

"we have add a lot of cost partly due to currency exchange rate, but we also added some services and servers, we'll have a meeting and see what we can cancel or re-arrange."

So now....
- JIRA is gone
- SEO tools are gone
- budget for site security & SSL undecided
- Servers are too expensive.
$800 for twelve 2-24gb ram servers with backup, I call that bargain

Can't wait to see the websites falling apart. Now where are my popcorns?

Well, I have a friend working on a major bank in my city. Yesterday we went for a coffee when he told me that the wifi connection that the costumers can use is the same as the network they work in. Like, are you fucking me? Do they know what security means? Jesus Wallace, wake up!
And they have a fucking "web security guy" working there. Doing what? Installing ccleaner on pcs? This shit gets me mad. And that's why I don't trust banks.

Wtf? What kind of user agent header is that? Why don't you go ahead and insert my fucking social security number in there, Android? According to amiunique, this is literally a unique header ON ITS OWN.

Don't you just love it when an official Docker image suddenly switches from one base image to another, and they automatically update all existing tags? Oh you've had it locked to v1.2.3, guess what, v1.2.3 now behaves slightly differently because it's been compiled with OpenSSL 3. Yeah, we updated a legacy version of the software just to recompile it with the latest version of OpenSSL, even though the previous version of OpenSSL is still receiving security fixes.

I don't think it's the image maintainers or Docker's fault though. Docker images are expected to be self-contained, and updating the base image is necessary to get the latest security fixes. They had two options: to keep the old base image which has many outdated and vulnerable libraries, or to update the base image and recompile it with OpenSSL 3.

What really bothers me about the whole thing is that this is the exact fucking problem containers were supposed to solve. But even with all the work that goes into developing and maintaining container images, it still isn't possible to do anything about the fact that the entire Linux ecosystem gives exactly zero fucks about backwards compatibility or the ability to run legacy software.

Client doesn't want me to use internet, while connecting to their vpn to code. It's a security 'violation', it seems. Do they think I am Denise Richie to code without internet? And the catch is I code for OpenFlow with OpenNetworkLinux+OpenNIE. I mean, do they even understand what Open means in all these?

"Using MD5" !? What year are we in again?

NOTICE OF DATA BREACH

Dear Yahoo User,
We are writing to inform you about a data security issue that may involve your Yahoo account information. We have taken steps to secure your account and are working closely with law enforcement.
...
What Information Was Involved?

The stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5)

IPAY88 is the worst payment integration. They parse html data and encoded it into xml for return the data, it is not even singlet or server to server communication , tey called it the ADVANCED BACKEND SYSTEM (My arse!) For security, they ENCODE THE STRING into BASE64 and called it ENCRYPTION ! WHAT THE FUCK?
Encoding is not encryption! I qas expecting they used diffie hellman or AES or RSA etc. THEY TOLD BE ENCODING IS ENCRYPTION? WHAT THE FUCK?

Every week in my intro to information security class we are asked about what security stuff has gone down in the past week. Equifax is making it incredibly easy to not have to do much research.

Many advantages of being a dev:
- You can work on multiple projects simultaneously.
- You solve problems for a living, how cool is that!
- Job security (Even if you get fired or something, you can still earn your bread with your skills)
- Even if you are bed ridden or get in an accident or get old, you can still work(kind of a pessimist).

But the best part is, you get to do what you love(for me its true).

Don't think I could love IT anymore then I do now! Currently and intern and was stressing a small bit about what I wanted to do after college (i.e. web development, mobile development, security) then came to the realisation that I can do whatever i want. I don't think any other profession has such a freedom within industry and that is why love IT so much. Looking forward to many more years of learning and developing my skills

My university has a internal developed system, where everything is managed from e-mails, exams to personal data.

What I'd like most about it, they talk all day about Internet Security and store our passwords in plain text and if you press the "I've forgott my Password button", they even send your password unencrypted, plaintext via e-mail. (Hello Wiresharks)

I don't know how to feel about this, it just hurts :(

When i was younger, lesser experienced and more naive than now; i got away with a lot of things. By lot of things i mean security flaws in my applications and overall architecture. I realise now i could've so easily been pawned.

Not that i claim to be totally secure even now, or would ever. It is a process, slow and painful one - Learning.

What i wish to point out is the role of favorable probability (non believers would call it luck). Security is so much about it. You get away with so many things for so long. And bang one day the roll of dice is unfavorable. On such rare occasions, just look back and wonder - damn i should've been breached long ago.

I started to work in the CreditCard / Bank business a year ago.
Now they stopped the hole server migration project, so I leave again. They could have had it all. Server 2016, SQL 2016, Citrix, Surface Books and so on.
But no, the new shitty projects are more important than security or on what technology the system is build on.

Seems like the FTP Server will run on Windows 2003 forever...

Speaking of.. What in your opinion would be an appropriate way to warn someone about security problems, like db passwords in git?

I once came across dozens of extremely sensitive services' infra accesses: alibaba/aliexpress, natuonal observatories, gov institutions, telecomms, etc. I had dozens [if not hundreds] routers' and firewalls' credentials along with addresses. I tried one to confirm validity - it worked. I wanted to warn them but did not want to get in trouble.

If it were servers, I'd set a motd or append some warning messages in .profile. But not sure how to do it for non-server devices

what would you do? How would you warn them?

P.S. Deleting that record was a smart move, buddy ;)

p.P.S. Sorry, wrong category... Can't edit now :(

Taking my security+ exam on Tuesday. Any advice on what to pay attention to?

I have 401 and 501 materials since I didn't know which I'd end up taking. I had to register for 501. I have friends who have passed 501 using 401 material.

Update on the bank I’m working for: their security is shit and the way they manage customer data and credentials is sickening. On top of it all, there’s about 10 windows XP computers still online not to mention the ATM is running Windows XP. What the flying fuck.

Why does email suck so much oh my god, I don't want a fucking lesson in the kinds of domain records, I can set a TXT to prove that I control the DNS record, I have a TLS certificate, what the fuck else would I possibly need to prove!? None of this is contributing anything to security! Just fucking figure it out, it's the internet, not an international border, jesus.

I was on a interview two weeks ago, got a mail today that I had been selected to the third round (government intel stuff)

I got clean sheet from the police and the "Security Service" in the country.

And now, in the mail. The recruiter wanted me to give contacts to my current boss. I am one of 4 and I dont want to sacrifice the trust that my boss have on me.

What the '''' should I do?

fuck my school. all i had to do was log in to see my grades and what do i get? the fucking stack trace. security? i think not. seriously though, why the fuck would my county want to make their own grading website when the one we had worked just fine? it looks like it was written terribly, the cause was just a bad socket connection and it even gave me the server name and version. i copied it to a google doc (it was already shortened) and it took up seven pages. jesus.

What the actual f. I just changed my password on uplay to a 30 character password which works fine on the web account manager. Apparantly some moron decided to limit password field in the uplay client where your actual games are stored to 17 or 18 characters.

And that while they want to "improve" security. Please ubisoft, fix your shit

It's been a year since I first entered the world of development.

Let's see what I have accomplished so far:

Learned:
Java, J2EE, Node.js, Python, Django, Android, Angular, html/css, Rxjs, RxJava, Linux, MySQL, Mongodb, Docker, Heroku, AWS

Projects:
All unfinished.

Job:
Still working in IT security goddammit.

Fucking hell. Why am I so good at learning but shit at working?

I don't know why is that everytime you guys find a security bug or a data leak or that someone is saving plain passwords on their database, you try to cover and censor the company name. Listen people, fuck the company and their name and their brand if someone's data might be in danger. Everybody should be aware of what is happening with their personal information.

Also, maybe would be great if devRant would let users to post anonymous rants for this kind of issues or a special thread with latest news about our online security.

I sent money to a scammer 😔
They said it is a security deposit and I didn't think twice. I thought I was smarter than this but clearly I am not.
I got too greedy, lazy and desperate for money.
This is what happens when you isolate yourself from reality.
I feel terrible. 😣

I've noticed looking at the card exit of a building that most people a) just carry their laptop without putting it in the backpack because the carpark is a jump away anyway, b) that stickers on said laptops can leak your infrastructure

No idea what made me interested in that, but if you take the average of people's laptop stickers (sadly not everybody had their laptop or maybe even a laptop at all, so I've got just 20) - you could probably tell what tools and what services the company is running.

Could be a funny coincidence and I was able to verify later by googling their company, but it's an interesting non trackable way to know what services and tools need to be exploited/emulated to possibly gain access to some high security network.

I feel like somebody had to have a talk/presentation about this, so I wonder, had anybody else seen something like that? or how far could this actually go?

Fuck stupid managers.

My current agency tried to create a bundle of generic Microservices with the hope of save time and money on future projects. That was two years ago (i was working here from 4 months ago).

What they have now? well, a sort of distributed monolyth were if one service goes down, everything else fails, infinite technical debt, no security policies (yeah, all the apis are open!!!) Business rules on the frontend . . .

And what the stupid manager say? "Everything must be ok because i designed it very well, i research a lot for this"

Stupid boomer.

PD: Yeah, despite the fact he is judt a manager, he take the responsibility to design the full architecture, idk why no one srops him.

Sigh OK, so, my friend we'll call him z has told me he's visiting the deep Web with tor. So I immediately start asking him about what security he uses (which is 3 VPNs tired through each other).

Like no z! You don't go to the deep Web, that's where the bad things happen! 😡

Question

What server monitoring do you use, both for statistics and security?

--------------------
tl;dr ends here

Ideally I would like to have one clean dashboard that shows me all the nodes I have, proxmox already offers a great range of stats - but it is a page per container etc. so not ideal, I thought of having datadoghq, but their per host pricing is huge, since I have more than 5 hosts to track.

Had this life not turned out the way it is. Had you not been a dev, what would you imagine you would have been?

I'll go first.. i would probably have been a librarian or a security guard. Someone with lot of time at hand to read.

Let's talk about the cargo cult of N-factor authentication. It's not some magic security dust you can just sprinkle onto your app "for security purposes".

I once had a client who had a client who I did server maintenance for. Every month I was scheduled to go to the site, stick my fingerprint in their scanner, which would then display my recorded face prominently on their screens, have my name and purpose verified by the contact person, and only then would the guards let me in.

HAHA no of course not. On top of all of that, they ask for a company ID and will not let me in without one.

Because after all, I can easily forge my face, fingerprints, on-site client contact, appointment, and approval. But printing out and laminating a company ID is impossible.

---

With apologies to my "first best friend" in High School, I've forgotten which of the dozens of canonicalisations of which of your nicknames I've put in as my answer to your security question. I've also forgotten if I actually listed you as my first best friend, or my dog - which would actually be more accurate - and actually which dog, as there are times in my High School life that there were more tails than humans in the house.

I have not forgotten these out of spite, but simply because I have also forgotten which of the dozen services of this prominent bullshit computer company I actually signed up for way back in college, which itself has been more than a decade ago. That I actually apparently already signed up for the service before actually eludes me, because in fact, I have no love for their myriad products.

What I have NOT forgotten is my "end of the universe"-grade password, or email, or full legal name and the ability to demonstrate a clear line of continuity of my identity from wherever that was to now.

Because of previous security screwups in the past, this prominent bullshit company has forced its users to activate its second, third, and Nth factors. A possibly decade-old security question; a phone number long lost; whatever - before you can use your account.

Note: not "view sensitive data" about the account, like full name, billing address, and contact info. Not "change settings" of the account, such as changing account info, email, etc. Apparently all those are the lowest tier of security meant to be protected by mere "end of the universe"-grade passwords and a second factor such as email, which itself is likely to be sold by a company that also cargo cults N-factor auth. For REAL hard info, let's ask the guy who we just showed the address to "What street he lived in" and a couple others.

Explaining this to the company's support hotline is an exercise in...

"It's for your security."

"It's not. You're just locking me out of my account. I can show you a government ID corroborating all the other account info."

"But we can't, for security."

"It's not security. Get me your boss."

...

"It's for security."

Big Brand Company

Wasted 2 days on induction about what to do and how to do.

After 2 days, Reach at workplace and called my line manager (LM). after 2 3 calls, he pick the phone and said please reach to 3.2L5

Now what the heck is this term how the hell I know what means by this magical number. It was never told in the induction that what building name is denoted with.

Called LM again and now LM annoyed at me and said to enter into building and ask for XYZ person ..I asked whom I need to ask..He said ask anybody..

When I enter I ask a security guard there and he was like numb...There are fucking 5000 people in the company.How someone will know by name..Is that guy is superstar or something?

Again called the LM, Now he yelled at me. ..Why you are asking the security guard ..I said he do not allow me to enter so what I need to do..I requst him to please guide me as I am new and nervous here..

Again no luck ..Asked already 4 to 5 people..

Finally one guy who also joined with me, helped me to reach the guy.

LM was actually running late and when he reach, I came near to him 2 greet ans he again shouted with loud voice " What are you doing man"

#firstDay

Security in defense is a joke.

New hire does not have accts set up told him over and over!

He decides to go into a classified area and just try. Common last name with first initial.

Guess what he was able to get in because no one changed the default password!

Yep now someone with an interim clearance got access to a machine that goes from unclass to secret and then top secret!

Because I am very interested in cyber security and plan on doing my masters in it security I always try to stay up to date with the latest news and tools. However sometimes its a good idea to ask similar-minded people on how they approach these things, - and maybe I can learn a couple of things. So maybe people like @linuxxx have some advice :D Let's discuss :D

1) What's your goto OS? I currently use Antergos x64 and a Win10 Dualboot. Most likely you guys will recommend Linux, but if so what ditro, and why? I know that people like Snowden use QubesOS. What makes it much better then other distro? Would you use it for everyday tasks or is it overkill? What about Kali or Parrot-OS?

2) Your go-to privacy/security tools? Personally, I am always conencted to a VPN with openvpn (Killswitch on). In my browser (Firefox) I use UBlock and HttpsEverywhere. Used NoScript for a while but had more trouble then actual use with it (blocked too much). Search engine is DDG. All of my data is stored in VeraCrypt containers, so even if the system is compromised nobody is able to access any private data. Passwords are stored in KeePass. What other tools would you recommend?

3) What websites are you browsing for competent news reports in the it security scene? What websites can you recommend to find academic writeups/white papers about certain topics?

4) Google. Yeah a hate-love relationship, but its hard to completely avoid it. I do actually have a Google-Home device (dont kill me), which I use for calender entries, timers, alarms, reminders, and weather updates as well as IOT stuff such as turning my LED lights on and off. I wouldn"t mind switching to an open source solution which is equally good, however so far I couldnt find anything that would a good option. Suggestions?

5) What actions do you take to secure your phone and prevent things such as being tracked/spyed? Personally so far I havent really done much except for installing AdAway on my rooted device aswell as the same Firefox plugins I use on my desktop PC.

6) Are there ways to create mirror images of my entire linux system? Every now and then stuff breaks, that is tedious to fix and reinstalling the system takes a couple of hours. I remember from Windows that software such as Acronis or Paragon can create a full image of your system that you can backup and restore at any point to get a stable, healthy system back (without the need to install everything by hand).

7) Would you encrypt the boot partition of your system, even tho all data is already stored in encrypted containers?

8) Any other advice you can give :P ?

Recently, one of my customers filed a ticket because some iFrame he got from another company wouldn't display after putting it into the content editor.
I told her it won't work because the (third-party) editor prohibits JavaScript inside iFrame tags and their attributes for security reasons.
She said ok. She said she'd understood the problem. And then, she reopened the ticket four (4!!!) times for the exact same reason, once because she tried to use a fixed iFrame tag the other company sent to her... still containing JavaScript, of course.

But, yeah... She understood what the problem was. Is clear.

whenever i tell my dad about a technology that is going way beyond our imagination and tell him about the consequences of it and how we should worry about that
then he watches some random tv show about internet security/cyber security and various algorithms (very abstract) which are currently changing the world and how we should care about our data and what the consequences of X technology is...
he be like: "oh is that true? that's interesting, how does that work?"
i'm like😑 dad, i already told you about that😩

ever had similar experience?

Deciding whether to stick to being a web developer, or switch to something else

(thinking more like rocket software, or something with security (but maybe sticking with web), or some other cool sh#t

I don't know yet, what I do know is even when I'm creating an erp system, I find it very unsatisfying

"I helped create the software on that rocket"
Or
"that hospital uses the system I've helped to create"

Sounds a lot more satisfying than,
"that company uses my 'warehouse resources manager'/'webshop'/'planning system'

But then again I don't know, I now have a stable job, know what to do and know the language we use.

Had to do a change tonight - not once but twice my server secure login account was locked. And server security don't answer their pages. I couldn't even reverse my changes if my changes break something else.

My account has not been locked in over a year but happens twice in a 90 minute window. What are the chances?

I really wish I had worked somewhere that was hacked, so as to know how it was done, how it was found out, and what measures were taken, from the inside.

The problem is that I worked at a lot, and big places. We were never successfully attacked or hacked as far as I know. Was our security so good, that nobody succeeded? Or was it so bad, that we didn't even notice?

My windows defender has gone out of the window.
Now whenever i open windows security app, it shows a blank page.
There's is no tray process running and I can't find any service too.
I know it's a huge virus attack.
Can anyone suggest some methods to know what is causing this problem?

This has happened once before. That time i used DISM and checked windows files integrity. It replaced corrupted ones and then windows worked fine.

This time i want to know the cause.
I wanna root it out and rip it apart.

If you have any project (personal or not, doesn't matter) that does not have proper code comments and documentation and you don't want to make one because of the effort (maybe even "wasted" effort), think again. When commenting on a wall of code to say what it does, you may find a better way of doing what you have to do, possibly increasing performance, or improving security.

I have been able to do better input sanitization for a method on a personal project of mine because of this.
Don't use the amount of effort for proper documentation as an excuse not to make one.

Asked to do overtime so I do. Everyone has gone home and now it's time for me to go home, so I go to leave the office to find the gate padlocked. I'm stuck. There is a side gate for cars that has a security code but I have no idea what that code is. So I end up waiting around and stalk the cleaners car out of the gate 'sigh'.

I have to add an endpoint to integrate an API and I want to vomit when I think about this major security issue they introduce.

What type of prehistoric dumbass thought GET requests with username and password in the query parameters is a good idea to burden your partner with.

For higher grade software development it should be mandatory to understand the big picture of problems...

If you are working for a online shop, you might want to ask marketing, what they want to sell, before they do it

You might want to ask billing, what customers buy, before you spend time on unnecessary features

You want to ask billing and legals, how they do fraud detection and you want to get the it security fellows on board too.

If marketing and billing knows, that maintenance needs time and money, they can calculate with that. If security knows, that some fails will be catched, no matter if you fix it in software or not they can adapt their priorities.

You might want to know something about process optimisation... Factories of car parts have spent years on such problems - learn from them.

Security : Each time I login, they ask me to type the email address I want my one-time-code emailed to. Really!? What security is provided by letting the user decide where to email the flippin token to?!?!

When in an application security talk put on by our cyber security department and one team (not mine) is being chastised for only doing client side validation, another dev asks so at what point can we trust the user? A few people nod and indicate they want an answer, and the speaker, said never, you never trust the user.

I can't believe people can graduate and get a job and keep a development job, especially in a highly government regulated company like where I work

Tomorrow I must present a summery of what the prof said in the first session of security+ within 20 min.
All he said was about the most important security certs and some definitions including CIA triangle.

Any idea how I can make my summery cooler or anything relative I can say in addition to those?

Salesforce lightning web components have such bullshit limitations that they claim is because of security but it's just because it's overengineered garbage.

Want to use web components? Nope.

Want to pass in a value to a function in a click listener expression? Nope.

Want to use scss? Nope, compile it to css yourself.

Want to use the fucking document object? Guess what it's overridden except for very specific third party frameworks.

Who in the fuck thought it was a good idea to override the document object? Your app isn't more secure, literally the entire internet uses the document object and it still becomes available in runtime anyway so what the fuck??

LWC is the biggest garbage I've ever seen, you know a framework's a big red flag when there are developers solely for the framework.

There is a new security release coming out that apparently removes some of these nuances (understatement) so there might be some light at the end of the tunnel.

On Friday afternoon, i got an e-mail from the IT manager of the company I'm working for.

"Due to security issues we have been forced to stop the server you deployed"

Today, on Monday morning, i got a message from the director saying LITERALLY NOBODY CAN ACCESS THE SYSTEM

I wonder what it could be.

got first assignment on my first meet on Network Security. it require to pentest one unsecured specified website. yet they don't tell me shit about anything just try it.
i need to :
1. Footprint
2. Scanning
3. Enumeration
4. Gaining Access (previledges raising?) (bonus)

suppose : <target-website> is x
i've done this:
1. whois x
2. got the ipaddress via :
host x
3. nmap -F ip.of.x

my head is already spinning, i need to know what BASICLY each of what i've done. i only get that 'whois' get the information about that domain, 'host' is used to know the target ip address and nmap to find what are the open ports. i don't know what else should i do. need help :(

Before getting my dev job, I taught myself some java and made a program to assist myself in the position I was working. It was borderline a keyloger, but it helped me with a lot of repetive tasks. Long story short, our security didn't dig that I installed something they didn't approve (I probably could have just not made it an exe and gotten away with it but my boss wanted it as an exe to run on other computers) they didn't know exactly what it was. I totally understood the security concerns though but they sure gave me a fucking heart attack right before my interview for my first dev job! Was seriously worried I was going to be fired and miss my big chance to make it in with out a degree.

>>Server sind für mich "Neuland".<<

I want to switch to a new server with my website. I have a bunch of questions and hope you beautiful people will help me out.

1. I've decided to switch from shared hosting to an virtual server. Therefore I am going to rent the cheapest VS from hetzner.de. is this a good choice?

2. What do I have to care about and what stuff there is to be done in the beginning?

3. The reasons I want to switch are more root accessibility and I want to switch to https. What about that? Is let's encrypt enough?

4. How do I move the server from a to b?

5. What OS should I choose?

6. What about security?

7. Any further advice from experienced people is welcome!

Sry for those noob questions, but I've never been in touch with server work...

When I say I'm in "DevOps" what I really mean is that I'm a full-stack engineer, DBA, system administrator, security engineer, auditor, cloud custodian, cost optimization expert, and everything else that doesn't get its own dedicated staff member here. Pretty much the catch all between developers and customer.

Some Devs need to be better about sharing info. Like, I don't want to play 20Qs just to learn how to configure a system I never used. You have job security, don't worry! Other people are allowed to know what ya know; you don't need to impress anyone!

Is there a way to sign code for free (or atleast not need to pay over £200 for it)? Im a student and cant really afford much but I have been working on a website and made an electron build for it, however downloading the installer prompts the user to discard it in chrome, then running the installer prompts the user to select do not run in the windows security thingy as its from another computer.

What would be the best way around this if I cant get a certificate for it?

Hello everyone !
I am a self taught programmer. Currently in last semester in electronics engineering. I want to become a software developer but can't decide the right career path for me to take. I like back end, Android, Data structures and algorithm, Parallel programming, Machine learning and computer vision, and even security. I am afraid I will remain the jack off all trades and won't be the master of any. This way I won't be doing any good in my career. Any advice as what to do ?

I just said "bye" to all my Whatsapp groups, and finally got rid of that service ! (meaning deleting my account as well, not just uninstalling the app).
It's so hard to make people understand what is happening and what I think about security/privacy... Guess I'll have to wait for people to finally come to Signal or Keybase if they want to reach me more efficiently :)

Any professional pentesters or someone working in cybersecurity as a profession? I need some advice. The company I intern with right now wants me to test their web applications for security (they really don't care so much about security). I just wanted to know is there a standard set of procedures or a checklist that is usually followed? I know automated testing is not all that effective against web applications but what are the steps you usually take?
As of now, I have run tests and am now performing a code review but it's in PHP and I'm not really good with it. I'd like to know what more is done as a standard please.