Do all the things like ++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatarSign Up
Get a devDuck
Rubber duck debugging has never been so cute! Get your favorite coding language devDuckBuy Now
Search - "windows is doing it's thing again"
I'm, for obvious reasons, only going to talk about the attacks I went through and the *legal* ones I did 😅 😜
Let's first get some things clear/funny facts:
I've been doing offensive security since I was 14-15. Defensive since the age of 16-17. I'm getting close to 23 now, for the record.
First system ever hacked (metasploit exploit): Windows XP.
(To be clear, at home through a pentesting environment, all legal)
Easiest system ever hacked: Windows XP yet again.
Time it took me to crack/hack into today's OS's (remote + local exploits, don't remember which ones I used by the way):
Windows: XP - five seconds (damn, those metasploit exploits are powerful)
Windows Vista: Few minutes.
Windows 7: Few minutes.
Windows 10: Few minutes.
OSX (in general): 1 Hour (finding a good exploit took some time, got to root level easily aftewards. No, I do not remember how/what exactly, it's years and years ago)
Linux (Ubuntu): A month approx. Ended up using a Java applet through Firefox when that was still a thing. Literally had to click it manually xD
Linux: (RHEL based systems): Still not exploited, SELinux is powerful, motherfucker.
Keep in mind that I had a great pentesting setup back then 😊. I don't have nor do that anymore since I love defensive security more nowadays and simply don't have the time anymore.
Dealing with attacks and getting hacked.
Keep in mind that I manage around 20 servers (including vps's and dedi's) so I get the usual amount of ssh brute force attacks (thanks for keeping me safe, CSF!) which is about 40-50K every hour. Those ip's automatically get blocked after three failed attempts within 5 minutes. No root login allowed + rsa key login with freaking strong passwords/passphrases.
linu.xxx/much-security.nl - All kinds of attacks, application attacks, brute force, DDoS sometimes but that is also mostly mitigated at provider level, to name a few. So, except for my own tests and a few ddos's on both those domains, nothing really threatening. (as in, nothing seems to have fucked anything up yet)
How did I discover that two of my servers were hacked through brute forcers while no brute force protection was in place yet? installed a barebones ubuntu server onto both. They only come with system-default applications. Tried installing Nginx next day, port 80 was already in use. I always run 'pidof apache2' to make sure it isn't running and thought I'd run that for fun while I knew I didn't install it and it didn't come with the distro. It was actually running. Checked the auth logs and saw succesful root logins - fuck me - reinstalled the servers and installed Fail2Ban. It bans any ip address which had three failed ssh logins within 5 minutes:
Enabled Fail2Ban -> checked iptables (iptables -L) literally two seconds later: 100+ banned ip addresses - holy fuck, no wonder I got hacked!
One other kind/type of attack I get regularly but if it doesn't get much worse, I'll deal with that :)
Dealing with different kinds of attacks:
Web app attacks: extensively testing everything for security vulns before releasing it into the open.
Network attacks: Nginx rate limiting/CSF rate limiting against SYN DDoS attacks for example.
System attacks: Anti brute force software (Fail2Ban or CSF), anti rootkit software, AppArmor or (which I prefer) SELinux which actually catches quite some web app attacks as well and REGULARLY UPDATING THE SERVERS/SOFTWARE.
So yah, hereby :P38
To those that think they can't make it.
To those that are put down by those that don't understand you.
And to those that have never had a dream come true.
Not a rant, but the story of how I got into programming
I've always been into tech/electronics. I remember being told once that when I was 3, I used to take plug sockets to pieces. When I was 7, I built a computer with my dad.
There isn't a thing in my room that hasn't been dismantled and put back together again. Except for the things that weren't put back together again ;)
When I was 15, I got a phone for Christmas. It was a pretty crappy phone, the LG P350 (optimus ME). But I loved it all the same.
However I knew it could do a lot more. It ran a bloated, slow version of Android 2.2.
So I went searching, how can I make it faster, how to make it do more. And I found a huge community around Android ROMs. Obviously the first thing I did was flashed this ROM. Sure, there were bugs, but I was instantly in love with it. My phone was freed.
From there I went on to exploring what else can be done.
I wanted to learn how to script, so over the weekend I wrote a 1000 line batch (Windows cmd) script that would root the phone and flash a recovery environment onto it. Pretty basic. Lots of switch statements, but I was proud of it. I'd achieved something. It wasn't new to the world, but it was my first experience at programming.
But it wasn't enough, I needed more.
So I set out to actually building the roms. I installed Linux. I wanted to learn how to utilise Linux better, so I rewrote my script in bash.
By this time, I'd joined a team for developing on similar spec'd phones. Without the funds to by new devices, we began working on more radical projects.
Between us, we ported newer kernels to our devices. We rebased much of the chipset drivers onto newer equivalents to add new features.
Well, it was exam season. I was suffering from personal issues (which I will not detail), and that, with the work on Android, I ended up failing the exams.
I still passed, but not to the level I expected.
So I gave up on school, and went head first into a new kind of development. "continue doing what you love. You'll make it" is what I told myself.
I found python by contributing to an IRC bot. I learnt it by reading the codebase. Anything I didn't understand, I researched. Anything I wanted to do, google was there to help me through it.
Then it was exam season again. Even though I'd given up on school, I was still going. It was easier to stay in than do anything about it.
A few weeks before the exams, I had a panic attack. I was behind on coursework, and I knew I would do poorly on exams.
So I dropped out.
I was disappointed, my family was disappointed.
So I did the only thing I felt I could do. I set out to get a job as a developer.
At this stage, I'd not done anything special. So I started aiming bigger. Contributing to projects maintained by Sony and Google, learning from them. Building my own projects to assist with my old Android friends.
I managed to land a contract, however due to the stresses at home, I had to drop it after a month.
Everything was going well, I felt ready to get a full time job as a developer, after 2 years of experience in the community.
Then I had to wake up.
Unfortunately, my advisors (I was a job seeker at the time) didn't understand the potential of learning to be a developer. With them, it's "university for a skilled job".
They see the word "computer" on a CV, they instantly say "tech support".
I played ball, I did what I could for them. But they'd always put me down, saying I wasn't good enough, that I'd never get a job.
I hated them. I'd row with them every other day.
By God, I would prove them wrong.
And then I found them. Or, to be more precise, they found me. A startup in London got in contact with me. They seemed like decent people. I spoke with their developers, and they knew their stuff, these were people that I can learn from.
I travelled 4 hours to go for an interview, then 4 hours back.
When I got the email saying they'd move me to London, I was over the moon.
I did exactly what everyone was telling me I couldn't do.
1.5 years later, I'm still working with them. We all respect each other, and we all learn from each other.
I'm ever grateful to them for taking a shot with me. I had no professional experience, and I was by no means the most skilled individual they interviewed.
Many people have a dream. I won't lie, I once dreamed of working at Google. But after the journey I've been through, I wouldn't have where I am now any other way. Though, in time, I wish to share this dream with another.
I hope that all of you reach your dreams too.
Sorry for the long post. The details are brief, but there are only 5k characters ;)23
tldr; Windows security sucks. You as a org-admin cant do anything about it. Encrypt your device. Disable USB Live boot in the bios and protect it with a STRONG password.
First of i just want to say that i DO NOT want to start the good ol' Linux VS Windows debate. I'm just ranting about Windows Security here...
Second, here's why i did all of this. I did all of this mainly becuase i wanted to install some programs on my laptop but also to prove that you can't lock down a Windows pc. I don't recomend doing this since this is against the contract i signed.
So when i got my Laptop from my school i wanted to install some programs on it, sush as VS Code and Spotify. They were not avalible in the 'Software Center' so i had to find another way. Since this was when we still used Windows 7 it was quite easy to turn sticky keys in to a command prompt. I did it this way (https://github.com/olback/...). I decided to write a tutorial while i was at it becuase i didn't find any online using this exact method. I couldn't boot from a USB cause it's disabled in the bios wich is protected by a password. Okey, Sticky keys are now CMD. So let's spam SHIFT 5 times before i log in? Yeah, thanks for the command promt. Running 'whoami' returned 'NT SYSTEM'. Apparantly NT System has domain administator rights wich allowed me to make me an Administrator on the machine. So i installed Everything i wanted, Everything was fine untill it was time to migrate to a new domain. It failed of course. So i handed my Laptop to the IT retards (No offense to people working in IT and managing orgs) and got it back the day after, With Windows 10. Windows 10 is not really a problem, i don't mind it. The thing is, i can't use any of the usual Sticky keys to CMD methods since they're all fixed in W10. So what did i do? Moved the Laptop disk to my main PC and copied cmd.exe to sethc.exe. And there we go again. CMD running as NT System on Windows 10. Made myself admin again, installed Everything i needed. Then i wanted to change my wallpaper and lockscreen, had to turn to PowerShell for this since ALL settings are managed by my School. After some messing arround everything is as i want it now.
'Oh this isnt a problem bla bla bla'. Yes, this is a problem. If someone gets physical access your PC/Laptop they can gain access to Everything on it. They can change your password on it since the command promt is running as NT SYSTEM. So please, protect your data and other private information you have on your pc. Encypt your machine and disable USB Live boot.
Have a good wekend!
*With exceptions for spelling errors and horrible grammar.4
Windows is weird. Flagging a fully functioning game application as (Not Responding). It's not even lagging or freezing. It's just. Working. Perfectly.16
I've always liked Windows more than MacOS, but known deep in my heart that MacOS is more polished. More shiny, attractive, makes more sense, is easier to use, etc. Windows was never that far behind (however, they were probably furthest behind in Vista and 8), but they were always behind.
Looking at the new MacOS, I genuinely think that Microsoft offers a better experience now. While Android and iOS are still firmly battling, Windows just beats the living shit out of MacOS.
Windows is an OS built for either touch or mouse. If you use touch controls, the OS automatically adapts to it (larger context menus if you press and hold, smaller ones if you right click). You can enter tablet mode. The start menu has a good interface for both touch and mouse.
MacOS is an operating system designed for touch input on a device which famously has none.
It has fallen victim to a very common design error: too much fucking spacing. Every little thing, even items in a list, has a ton of pixels between them, and they all have rounded corners. Again, this is common for touch displays where you don't wanna fat finger stuff. But they don't offer a touch screen Mac and have expressed no interest in ever doing so.
Now they're going ARM on custom silicon. This is a good move in the long run, but it's going to be a rough couple of years. Apple admits two. You can probably reliably double that.
Is Apple killing the Mac on purpose or by accident?5
I've spent a lot of time messing around with C, having struggled with object-oriented programming (due to not really knowing how best to structure things, not knowing when to apply certain design patterns).
When writing C code, I'd write OOP-esque code (pass around a struct to routines to do things with it) and enjoyed just making things happen without having to think too much about the overall design. But then I'd crave being able to use namespaces, and think about how the code would be tidier if I used exceptions instead of having every routine return an error code...
Working with Python and Node over the past couple of years has allowed me to easily get into OOP (no separate declaration/definition, loose typing etc.) and from that I've made some fairly good design decisions. I'd implemented a few design patterns without even realising which patterns they were - later reading up on them and thinking "hey, that's what I used earlier!"
I've also had a bit of an obsession with small executable files - using templates and other features of C++ add some bloat (on Windows at least) compared to C. There were other gripes I had with C++, mostly to do with making things modular (dynamic linking etc.) but really it's irrelevant/unreasonable.
And yes, for someone who doesn't like code bloat, working with Node is somewhat ironic... (hello, node_modules...)
So today I decided to revisit C++ and dust off my old copy of C++ in a Nutshell, and try to see if I could write some code to do things that I struggled with before. One nice thing is that this book was printed in 2003, yet all of its content is still relevant. Of course, there are newer C++ standards, but I can happily just hack away and avoid using anything that has been deprecated.
One thing I've always avoided is dynamic_cast because every time I read about it, I read that "it's slow". So I just tried to work around it when really if it's the right tool for the job, I might as well use it... It's really useful!
Anyway, now I've typed all this positivity about C++ I will probably find a little later on that I hit a wall with what I'm doing and give up again... :p7
TL;DR I just recently started my apprenticeship, it's horrible so far, I want to quit, but don't know what to do next...
Okay, first of all, hey there! My name is Cave and I haven't been on here for a while, so I hope the majority of you is doing rather okay. I'm programming for 6 years now, have some work experience already, since I used to volunteer for a company for half a year, in which I discovered my love for integrations and stuff. These background information will probably be necessary to understand my agony in full extend.
So, okay, this is about my apprenticeship. Generally speaking, I was expecting to work, and to learn something, gaining experience. So far, it only involved me, reading through horrible code, fixing and replacing stuff for them, I didn't learn a thing yet, and we are already a month in.
When I said the code is horrible, well, it is the worst I have ever seen since I started programming. Little documentation - if any -, everywhere you look there is deprecated code, which may or may not been commented out, often loops or simply methods seem to be foreign for them, as the code is cluttered with copy paste code everywhere and on top of that all, the code is slow as heck, like wtf.
I spent my past month with reading their code, trying to understand what most of this nonsense is for, and then just deleting and rewriting it entirely. My code suddenly is only 5% or their size and about 1000 times faster. Did I mention I am new to this programming language yet? That I have absolutely no experience in that programming language? Because well I am new and don't have any experience, yet, I have little to no struggle doing it better.
Okay, so, imagine, you started programming like 20 years ago, you were able to found your own business, you are getting paid a decent amount of money, sounds alright, right? Here comes the twist: you have been neglecting every advancement made in developing software for the past 20 years, yup, that's what it feels like to work here.
At this point I don't even know, like is this normal? Did git, VSCode and co. spoil me? Am I supposed to use ancient software with ancient programming languages to make my life hell? Is programming supposed to be like this? I have no clue, you tell me, I always thought I was doing stuff right.
Well, this company is not using git, infact, they have every of their project in a single folder and deleting it by accident is not that hard, I almost did once, that was scary. I started out working locally, just copying files, so shit like that won't happen, they told me to work directly in the source. They said it's fine, that's why you can see 20 copies of the folder, in the same folder... Yes, right, whatever.
I work using a remote desktop, the server I work on is Windows server 2008, you want to make icons using gimp? Too bad, Gimp doesn't support windows server 2008, I don't think anything does anymore, at least I haven't found anything, lol.
They asked me to integrate Google Maps into their projects, I thought it is gonna be fun, well, turns out their software uses internet explorer 9.. and Google maps api does not support internet explorer 9... I ended up somehow installing CEF3 on that shit and wrote an API for it in JS. Writing the API was actually kind of fun, but integrating it in their software sucked and they told me I will never integrate stuff ever again, since they usually don't do that. I mean, they don't have a Backend as far as I can tell, it looks like stuff directly connects with their database, so I believe them, but you know... I love integrating stuff..
So at this point you might be thinking, then why don't you just quit? Well I would, definitely. I'm lucky that till December I can quit without prior notice, just need a resignation as far as I can tell, but when I quit, what do I do next? Like, I volunteered for a company for half a year and I'd argue I did a good job, but with this apprenticeship it only adds up to about 7 months of actual work experience. Would anybody hire somebody with this much actual work experience? I also consider doing freelancing, making a living out of just integrating stuff, but would people pay for that? And then again, would they hire somebody with this much experience? I don't want to quit without a plan on what to do next, but I have no clue.
Am I just spoiled, is programming really just like that, using ancient tools and stuff? Let me know. Advice is welcomed as well, because I'm at a loss. Thanks for reading.10