Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
-
Hacking/attack experiences...
I'm, for obvious reasons, only going to talk about the attacks I went through and the *legal* ones I did 😅 😜
Let's first get some things clear/funny facts:
I've been doing offensive security since I was 14-15. Defensive since the age of 16-17. I'm getting close to 23 now, for the record.
First system ever hacked (metasploit exploit): Windows XP.
(To be clear, at home through a pentesting environment, all legal)
Easiest system ever hacked: Windows XP yet again.
Time it took me to crack/hack into today's OS's (remote + local exploits, don't remember which ones I used by the way):
Windows: XP - five seconds (damn, those metasploit exploits are powerful)
Windows Vista: Few minutes.
Windows 7: Few minutes.
Windows 10: Few minutes.
OSX (in general): 1 Hour (finding a good exploit took some time, got to root level easily aftewards. No, I do not remember how/what exactly, it's years and years ago)
Linux (Ubuntu): A month approx. Ended up using a Java applet through Firefox when that was still a thing. Literally had to click it manually xD
Linux: (RHEL based systems): Still not exploited, SELinux is powerful, motherfucker.
Keep in mind that I had a great pentesting setup back then 😊. I don't have nor do that anymore since I love defensive security more nowadays and simply don't have the time anymore.
Dealing with attacks and getting hacked.
Keep in mind that I manage around 20 servers (including vps's and dedi's) so I get the usual amount of ssh brute force attacks (thanks for keeping me safe, CSF!) which is about 40-50K every hour. Those ip's automatically get blocked after three failed attempts within 5 minutes. No root login allowed + rsa key login with freaking strong passwords/passphrases.
linu.xxx/much-security.nl - All kinds of attacks, application attacks, brute force, DDoS sometimes but that is also mostly mitigated at provider level, to name a few. So, except for my own tests and a few ddos's on both those domains, nothing really threatening. (as in, nothing seems to have fucked anything up yet)
How did I discover that two of my servers were hacked through brute forcers while no brute force protection was in place yet? installed a barebones ubuntu server onto both. They only come with system-default applications. Tried installing Nginx next day, port 80 was already in use. I always run 'pidof apache2' to make sure it isn't running and thought I'd run that for fun while I knew I didn't install it and it didn't come with the distro. It was actually running. Checked the auth logs and saw succesful root logins - fuck me - reinstalled the servers and installed Fail2Ban. It bans any ip address which had three failed ssh logins within 5 minutes:
Enabled Fail2Ban -> checked iptables (iptables -L) literally two seconds later: 100+ banned ip addresses - holy fuck, no wonder I got hacked!
One other kind/type of attack I get regularly but if it doesn't get much worse, I'll deal with that :)
Dealing with different kinds of attacks:
Web app attacks: extensively testing everything for security vulns before releasing it into the open.
Network attacks: Nginx rate limiting/CSF rate limiting against SYN DDoS attacks for example.
System attacks: Anti brute force software (Fail2Ban or CSF), anti rootkit software, AppArmor or (which I prefer) SELinux which actually catches quite some web app attacks as well and REGULARLY UPDATING THE SERVERS/SOFTWARE.
So yah, hereby :P39 -
To those that think they can't make it.
To those that are put down by those that don't understand you.
And to those that have never had a dream come true.
Not a rant, but the story of how I got into programming
I've always been into tech/electronics. I remember being told once that when I was 3, I used to take plug sockets to pieces. When I was 7, I built a computer with my dad.
There isn't a thing in my room that hasn't been dismantled and put back together again. Except for the things that weren't put back together again ;)
When I was 15, I got a phone for Christmas. It was a pretty crappy phone, the LG P350 (optimus ME). But I loved it all the same.
However I knew it could do a lot more. It ran a bloated, slow version of Android 2.2.
So I went searching, how can I make it faster, how to make it do more. And I found a huge community around Android ROMs. Obviously the first thing I did was flashed this ROM. Sure, there were bugs, but I was instantly in love with it. My phone was freed.
From there I went on to exploring what else can be done.
I wanted to learn how to script, so over the weekend I wrote a 1000 line batch (Windows cmd) script that would root the phone and flash a recovery environment onto it. Pretty basic. Lots of switch statements, but I was proud of it. I'd achieved something. It wasn't new to the world, but it was my first experience at programming.
But it wasn't enough, I needed more.
So I set out to actually building the roms. I installed Linux. I wanted to learn how to utilise Linux better, so I rewrote my script in bash.
By this time, I'd joined a team for developing on similar spec'd phones. Without the funds to by new devices, we began working on more radical projects.
Between us, we ported newer kernels to our devices. We rebased much of the chipset drivers onto newer equivalents to add new features.
And then..
Well, it was exam season. I was suffering from personal issues (which I will not detail), and that, with the work on Android, I ended up failing the exams.
I still passed, but not to the level I expected.
So I gave up on school, and went head first into a new kind of development. "continue doing what you love. You'll make it" is what I told myself.
I found python by contributing to an IRC bot. I learnt it by reading the codebase. Anything I didn't understand, I researched. Anything I wanted to do, google was there to help me through it.
Then it was exam season again. Even though I'd given up on school, I was still going. It was easier to stay in than do anything about it.
A few weeks before the exams, I had a panic attack. I was behind on coursework, and I knew I would do poorly on exams.
So I dropped out.
I was disappointed, my family was disappointed.
So I did the only thing I felt I could do. I set out to get a job as a developer.
At this stage, I'd not done anything special. So I started aiming bigger. Contributing to projects maintained by Sony and Google, learning from them. Building my own projects to assist with my old Android friends.
I managed to land a contract, however due to the stresses at home, I had to drop it after a month.
Everything was going well, I felt ready to get a full time job as a developer, after 2 years of experience in the community.
Then I had to wake up.
Unfortunately, my advisors (I was a job seeker at the time) didn't understand the potential of learning to be a developer. With them, it's "university for a skilled job".
They see the word "computer" on a CV, they instantly say "tech support".
I played ball, I did what I could for them. But they'd always put me down, saying I wasn't good enough, that I'd never get a job.
I hated them. I'd row with them every other day.
By God, I would prove them wrong.
And then I found them. Or, to be more precise, they found me. A startup in London got in contact with me. They seemed like decent people. I spoke with their developers, and they knew their stuff, these were people that I can learn from.
I travelled 4 hours to go for an interview, then 4 hours back.
When I got the email saying they'd move me to London, I was over the moon.
I did exactly what everyone was telling me I couldn't do.
1.5 years later, I'm still working with them. We all respect each other, and we all learn from each other.
I'm ever grateful to them for taking a shot with me. I had no professional experience, and I was by no means the most skilled individual they interviewed.
Many people have a dream. I won't lie, I once dreamed of working at Google. But after the journey I've been through, I wouldn't have where I am now any other way. Though, in time, I wish to share this dream with another.
I hope that all of you reach your dreams too.
Sorry for the long post. The details are brief, but there are only 5k characters ;)23 -
tldr; Windows security sucks. You as a org-admin cant do anything about it. Encrypt your device. Disable USB Live boot in the bios and protect it with a STRONG password.
First of i just want to say that i DO NOT want to start the good ol' Linux VS Windows debate. I'm just ranting about Windows Security here...
Second, here's why i did all of this. I did all of this mainly becuase i wanted to install some programs on my laptop but also to prove that you can't lock down a Windows pc. I don't recomend doing this since this is against the contract i signed.
So when i got my Laptop from my school i wanted to install some programs on it, sush as VS Code and Spotify. They were not avalible in the 'Software Center' so i had to find another way. Since this was when we still used Windows 7 it was quite easy to turn sticky keys in to a command prompt. I did it this way (https://github.com/olback/...). I decided to write a tutorial while i was at it becuase i didn't find any online using this exact method. I couldn't boot from a USB cause it's disabled in the bios wich is protected by a password. Okey, Sticky keys are now CMD. So let's spam SHIFT 5 times before i log in? Yeah, thanks for the command promt. Running 'whoami' returned 'NT SYSTEM'. Apparantly NT System has domain administator rights wich allowed me to make me an Administrator on the machine. So i installed Everything i wanted, Everything was fine untill it was time to migrate to a new domain. It failed of course. So i handed my Laptop to the IT retards (No offense to people working in IT and managing orgs) and got it back the day after, With Windows 10. Windows 10 is not really a problem, i don't mind it. The thing is, i can't use any of the usual Sticky keys to CMD methods since they're all fixed in W10. So what did i do? Moved the Laptop disk to my main PC and copied cmd.exe to sethc.exe. And there we go again. CMD running as NT System on Windows 10. Made myself admin again, installed Everything i needed. Then i wanted to change my wallpaper and lockscreen, had to turn to PowerShell for this since ALL settings are managed by my School. After some messing arround everything is as i want it now.
'Oh this isnt a problem bla bla bla'. Yes, this is a problem. If someone gets physical access your PC/Laptop they can gain access to Everything on it. They can change your password on it since the command promt is running as NT SYSTEM. So please, protect your data and other private information you have on your pc. Encypt your machine and disable USB Live boot.
Have a good wekend!
*With exceptions for spelling errors and horrible grammar.4 -
I think that two criterias are important:
- don't block my productivity
- author should have his userbase in mind
1) Some simple anti examples:
- Windows popping up a big fat blue screen screaming for updates. Like... Go suck some donkey balls you stupid shit that's totally irritating you arsehole.
- Graphical tools having no UI concept. E.g. Adobes PDF reader - which was minimalized in it's UI and it became just unbearable pain. When the concept is to castrate the user in it's abilities and call the concept intuitive, it's not a concept it's shit. Other examples are e.g. GEdit - which was severely massacred in Gnome 3 if I remember correctly (never touched Gnome ever again. I was really put off because their concept just alienated me)
- Having an UI concept but no consistency. Eg. looking at a lot of large web apps, especially Atlassian software.
Too many times I had e.g. a simple HTML form. In menu 1 you could use enter. In menu 2 Enter does not work. in another menu Enter works, but it doesn't submit the form it instead submits the whole page... Which can end in clusterfuck.
Yaaayyyy.
- Keyboard usage not possible at all.
It becomes a sad majority.... Pressing tab, not switching between form fields. Looking for keyboard shortcuts, not finding any. Yes, it's a graphical interface. But the charm of 16 bit interfaces (YES. I'm praising DOS interfaces) was that once you memorized the necessary keyboard strokes... You were faster than lightning. Ever seen e.g. a good pharmacist, receptionist or warehouse clerk... most of the software is completely based on short keyboard strokes, eg. for a receptionist at a doctor for the ICD code / pharmaceutical search et cetera.
- don't poop rainbows. I mean it.
I love colors. When they make sense. but when I use some software, e.g. netdata, I think an epilepsy warning would be fair. Too. Many. Neon. Colors. -.-
2) It should be obvious... But it's become a burden.
E.g. when asked for a release as there were some fixes... Don't point to the install from master script. Maybe you like it rolling release style - but don't enforce it please. It's hard to use SHA256 hash as a version number and shortening the hash might be a bad idea.
Don't start experiments. If it works - don't throw everything over board without good reasons. E.g. my previous example of GEdit: Turning a valuable text editor into a minimalistic unusable piece of crap and calling it a genius idea for the sake of simplicity... Nope. You murdered a successful product.
Gnome 3 felt like a complete experiment and judging from the last years of changes in the news it was an rather unsuccessful one... As they gave up quite a few of their ideas.
When doing design stuff or other big changes make it a community event or at least put a poll up on the github page. Even If it's an small user base, listen to them instead of just randomly fucking them over.
--
One of my favorite projects is a texteditor called Kate from KDE.
It has a ton of features, could even be seen as a small IDE. The reason I love it because one of the original authors still cares for his creation and ... It never failed me. I use Kate since over 20 years now I think... Oo
Another example is the git cli. It's simple and yet powerful. git add -i is e.g. a thing I really really really love. (memorize the keyboard shortcuts and you'll chunk up large commits faster than flash.
Curl. Yes. The (http) download tool. It's author still cares. It's another tool I use since 20 years. And it has given me a deep insight of how HTTP worked, new protocols and again. It never failed me. It is such a fucking versatile thing. TLS debugging / performance measurements / what the frigging fuck is going on here. Take curl. Find it out.
My worst enemies....
Git based clients. I just hate them. Mostly because they fill the niche of explaining things (good) but completely nuke the learning of git (very bad). You can do any git action without understanding what you do and even worse... They encourage bad workflows.
I've seen great devs completely fucking up git and crying because they had really no fucking clue what git actually does. The UI lead them on the worst and darkest path imaginable. :(
Atlassian products. On the one hand... They're not total shit. But the mass of bugs and the complete lack of interest of Atlassian towards their customers and the cloud movement.... Ouch. Just ouch.
I had to deal with a lot of completely borked up instances and could trace it back to a bug tracking entry / atlassian, 2 - 3 years old with the comment: vote for this, we'll work on a Bugfix. Go fuck yourself you pisswads.
Microsoft Office / Windows. Oh boy.
I could fill entire days of monologues.
It's bad, hmkay?
XEN.
This is not bad.
This is more like kill it before it lays eggs.
The deeper I got into XEN, the more I wanted to lay in a bathtub full of acid to scrub of the feelings of shame... How could anyone call this good?!?????4 -
Windows is weird. Flagging a fully functioning game application as (Not Responding). It's not even lagging or freezing. It's just. Working. Perfectly.
15 -
Probably had my worst half-week ever this week.
Customer's CRM system, the read and edit masks just...stopped existing on last week friday. CRM fell back on some default masks for the dataset. No way to create new masks directly without putting the whole system upside down.
We couldn't do anything anyway because they reported the issue literally as we all were about to leave for weekend and our boss was like "Ah nah, well do it next week."
Our brains were already fried anyway...
I mail the reporter that we've registered their issue, will investigate and report back ASAP once we've got news.
Monday rolls around, I'm whacking my head against their system trying to figure the fuck out, what went wrong and how to solve it, I come up empty; Not that terrible since the masks only stopped existing in the webclient version of the system and they can still use the windows client, so they can still work.
Tuesday rolls around, I'm at an on site training for an ERP system with my boss at a remote company. Get an email in midst of the training, I was doing protocol.
Guy from the afflicted company goes and tells me that the issue has somehow spread to his colleague and him...IN THE WINDOWS CLIENT.
I'm fucking flabbergasted, so to speak, since the masks for the windows client and the web client are totally isolated from one another.
After we're back at our company, I investigate, less efficiently this time because my brain got fried at the training. I come up empty again.
NOW TODAY: Discuss further proceedings with my boss, he's not pissed at me or anything, just to say, but we're both worried, obviously.
Then at 10:20, a guy from the afflicted company mails me in an annoyed tone that the masks are still broken.
11:00, we figure out a workaround so the windows client users can at least work again, albeit limited.
11:10, I mail the guy, telling him that although we're still not able to fully work everything out and are still investigating, we've made a workaround so they can at least work again.
11:20, the guy mails me in a pissed tone around the lines of "This is very very important and must be fixed ASAP or else we'll not be able to work at all [...]"
And I think like "Dude I literally just told you like 8 minutes ago that there's are workaround so you'll be able to at least work again..."
Forward the mail to boss, we meet up quickly to discuss how in God's name we can deescalate this mfer.
11:31, the guy mails me again, all apologetically this time "Stop! All is good, I just now fully read you mail, thanks for implementing the workaround, nothing will come to a standstill [...]"
BRUH CAN YOU NOT FUCKING READ BEFORE ESCALATING SHIT
Fuck customers. Dumb fucking cretins unable to fucking read.
The issue is still unresolved. Support of the CRM software lets us sit on our collective asses and wait.
There is no such thing as stable software, it's a myth.
Every corporate software is like an ever-decaying semi-corpse of a brain dead patient slowly getting worse and worse but not fucking dying.
Rant over. -
I've always liked Windows more than MacOS, but known deep in my heart that MacOS is more polished. More shiny, attractive, makes more sense, is easier to use, etc. Windows was never that far behind (however, they were probably furthest behind in Vista and 8), but they were always behind.
Looking at the new MacOS, I genuinely think that Microsoft offers a better experience now. While Android and iOS are still firmly battling, Windows just beats the living shit out of MacOS.
Windows is an OS built for either touch or mouse. If you use touch controls, the OS automatically adapts to it (larger context menus if you press and hold, smaller ones if you right click). You can enter tablet mode. The start menu has a good interface for both touch and mouse.
MacOS is an operating system designed for touch input on a device which famously has none.
It has fallen victim to a very common design error: too much fucking spacing. Every little thing, even items in a list, has a ton of pixels between them, and they all have rounded corners. Again, this is common for touch displays where you don't wanna fat finger stuff. But they don't offer a touch screen Mac and have expressed no interest in ever doing so.
Now they're going ARM on custom silicon. This is a good move in the long run, but it's going to be a rough couple of years. Apple admits two. You can probably reliably double that.
Is Apple killing the Mac on purpose or by accident?5 -
I've spent a lot of time messing around with C, having struggled with object-oriented programming (due to not really knowing how best to structure things, not knowing when to apply certain design patterns).
When writing C code, I'd write OOP-esque code (pass around a struct to routines to do things with it) and enjoyed just making things happen without having to think too much about the overall design. But then I'd crave being able to use namespaces, and think about how the code would be tidier if I used exceptions instead of having every routine return an error code...
Working with Python and Node over the past couple of years has allowed me to easily get into OOP (no separate declaration/definition, loose typing etc.) and from that I've made some fairly good design decisions. I'd implemented a few design patterns without even realising which patterns they were - later reading up on them and thinking "hey, that's what I used earlier!"
I've also had a bit of an obsession with small executable files - using templates and other features of C++ add some bloat (on Windows at least) compared to C. There were other gripes I had with C++, mostly to do with making things modular (dynamic linking etc.) but really it's irrelevant/unreasonable.
And yes, for someone who doesn't like code bloat, working with Node is somewhat ironic... (hello, node_modules...)
So today I decided to revisit C++ and dust off my old copy of C++ in a Nutshell, and try to see if I could write some code to do things that I struggled with before. One nice thing is that this book was printed in 2003, yet all of its content is still relevant. Of course, there are newer C++ standards, but I can happily just hack away and avoid using anything that has been deprecated.
One thing I've always avoided is dynamic_cast because every time I read about it, I read that "it's slow". So I just tried to work around it when really if it's the right tool for the job, I might as well use it... It's really useful!
Anyway, now I've typed all this positivity about C++ I will probably find a little later on that I hit a wall with what I'm doing and give up again... :p
7 -
I know "windows 10 bad" rants already have been done enough and are kinda redundant at this point.
But it's so frustrating for me when doing event stuff.
like yesterday during a quieter part I wanted to pull a USB thing. I knew I've turned of system sounds at least two times one this machine last year and sureley it didn't turn them on again, that'd be silly ...
"de dung"
shit!
And today I did some stuff and realized somehow the energy settings are at "balanced".
In the past I had went through every neccessary box to go Full Power, checked every neccessary box, but nOOooOo - lets randomly be balanced again. WTF?
And it's not like shit didn' work already - I remember the times when bluetooth actually was intuitive to use and settings didn't randomly change - is that what they think " progress" means?4 -
TL;DR I just recently started my apprenticeship, it's horrible so far, I want to quit, but don't know what to do next...
Okay, first of all, hey there! My name is Cave and I haven't been on here for a while, so I hope the majority of you is doing rather okay. I'm programming for 6 years now, have some work experience already, since I used to volunteer for a company for half a year, in which I discovered my love for integrations and stuff. These background information will probably be necessary to understand my agony in full extend.
So, okay, this is about my apprenticeship. Generally speaking, I was expecting to work, and to learn something, gaining experience. So far, it only involved me, reading through horrible code, fixing and replacing stuff for them, I didn't learn a thing yet, and we are already a month in.
When I said the code is horrible, well, it is the worst I have ever seen since I started programming. Little documentation - if any -, everywhere you look there is deprecated code, which may or may not been commented out, often loops or simply methods seem to be foreign for them, as the code is cluttered with copy paste code everywhere and on top of that all, the code is slow as heck, like wtf.
I spent my past month with reading their code, trying to understand what most of this nonsense is for, and then just deleting and rewriting it entirely. My code suddenly is only 5% or their size and about 1000 times faster. Did I mention I am new to this programming language yet? That I have absolutely no experience in that programming language? Because well I am new and don't have any experience, yet, I have little to no struggle doing it better.
Okay, so, imagine, you started programming like 20 years ago, you were able to found your own business, you are getting paid a decent amount of money, sounds alright, right? Here comes the twist: you have been neglecting every advancement made in developing software for the past 20 years, yup, that's what it feels like to work here.
At this point I don't even know, like is this normal? Did git, VSCode and co. spoil me? Am I supposed to use ancient software with ancient programming languages to make my life hell? Is programming supposed to be like this? I have no clue, you tell me, I always thought I was doing stuff right.
Well, this company is not using git, infact, they have every of their project in a single folder and deleting it by accident is not that hard, I almost did once, that was scary. I started out working locally, just copying files, so shit like that won't happen, they told me to work directly in the source. They said it's fine, that's why you can see 20 copies of the folder, in the same folder... Yes, right, whatever.
I work using a remote desktop, the server I work on is Windows server 2008, you want to make icons using gimp? Too bad, Gimp doesn't support windows server 2008, I don't think anything does anymore, at least I haven't found anything, lol.
They asked me to integrate Google Maps into their projects, I thought it is gonna be fun, well, turns out their software uses internet explorer 9.. and Google maps api does not support internet explorer 9... I ended up somehow installing CEF3 on that shit and wrote an API for it in JS. Writing the API was actually kind of fun, but integrating it in their software sucked and they told me I will never integrate stuff ever again, since they usually don't do that. I mean, they don't have a Backend as far as I can tell, it looks like stuff directly connects with their database, so I believe them, but you know... I love integrating stuff..
So at this point you might be thinking, then why don't you just quit? Well I would, definitely. I'm lucky that till December I can quit without prior notice, just need a resignation as far as I can tell, but when I quit, what do I do next? Like, I volunteered for a company for half a year and I'd argue I did a good job, but with this apprenticeship it only adds up to about 7 months of actual work experience. Would anybody hire somebody with this much actual work experience? I also consider doing freelancing, making a living out of just integrating stuff, but would people pay for that? And then again, would they hire somebody with this much experience? I don't want to quit without a plan on what to do next, but I have no clue.
Am I just spoiled, is programming really just like that, using ancient tools and stuff? Let me know. Advice is welcomed as well, because I'm at a loss. Thanks for reading.10
Top Tags
Weekly Rant
View