Hello!
I'm a member of an international hacker group.

As you could probably have guessed, your account [cozyplanes@tuta.io] was hacked, because I sent message you from it.

Now I have access to you accounts!
For example, your password for [cozyplanes@tuta.io] is [RANDOM_ALPHABET_HERE]

Within a period from July 7, 2018 to September 23, 2018, you were infected by the virus we've created, through an adult website you've visited.
So far, we have access to your messages, social media accounts, and messengers.
Moreover, we've gotten full damps of these data.

We are aware of your little and big secrets...yeah, you do have them. We saw and recorded your doings on porn websites. Your tastes are so weird, you know..

But the key thing is that sometimes we recorded you with your webcam, syncing the recordings with what you watched!
I think you are not interested show this video to your friends, relatives, and your intimate one...

Transfer $700 to our Bitcoin wallet: 13DAd45ARMJW6th1cBuY1FwB9beVSzW77R
If you don't know about Bitcoin please input in Google "buy BTC". It's really easy.

I guarantee that after that, we'll erase all your "data" :)

A timer will start once you read this message. You have 48 hours to pay the above-mentioned amount.

Your data will be erased once the money are transferred.
If they are not, all your messages and videos recorded will be automatically sent to all your contacts found on your devices at the moment of infection.

You should always think about your security.
We hope this case will teach you to keep secrets.
Take care of yourself.

>> RE >>
Well f### you, thanks for telling my password which is obviously fake. I have sent your details to the local police department, shall rest in peace. Don't earn money by this kind of action. STUPID!

Well, here's the OS rant I promised. Also apologies for no blog posts the past few weeks, working on one but I want to have all the information correct and time isn't my best friend right now :/

Anyways, let's talk about operating systems. They serve a purpose which is the goal which the user has.
So, as everyone says (or, loads of people), every system is good for a purpose and you can't call the mainstream systems shit because they all have their use.

Last part is true (that they all have their use) but defining a good system is up to an individual. So, a system which I'd be able to call good, had at least the following 'features':
- it gives the user freedom. If someone just wants to use it for emailing and webbrowsing, fair enough. If someone wants to produce music on it, fair enough. If someone wants to rebuild the entire system to suit their needs, fair enough. If someone wants to check the source code to see what's actually running on their hardware, fair enough. It should be up to the user to decide what they want to/can do and not up to the maker of that system.
- it tries it's best to keep the security/privacy of its users protected. Meaning, by default, no calling home, no integrating users within mass surveillance programs and no unnecessary data collection.
- Open. Especially in an age of mass surveillance, it's very important that one has the option to check the underlying code for vulnerabilities/backdoors. Can everyone do that, nope. But that doesn't mean that the option shouldn't be there because it's also about transparency so you don't HAVE to trust a software vendor on their blue eyes.
- stability. A system should be stable enough for home users to use. For people who like to tweak around? Also, but tweaking *can* lead to instability and crashes, that's not the systems' responsibility.

Especially the security and privacy AND open parts are why I wouldn't ever voluntarily (if my job would depend on it, sure, I kinda need money to stay alive so I'll take that) use windows or macos. Sure, apple seems to care about user privacy way more than other vendors but as long as nobody can verify that through source code, no offense, I won't believe a thing they say about that because no one can technically verify it anyways.

Some people have told me that Linux is hard to use for new/(highly) a-technical people but looking at my own family and friends who adapted fast as hell and don't want to go back to windows now (and mac, for that matter), I highly doubt that. Sure, they'll have to learn something new. But that was also the case when they started to use any other system for the first time. Possibly try a different distro if one doesn't fit?

Problems - sometimes hard to solve on Linux, no doubt about that. But, at least its open. Meaning that someone can dive in as deep as possible/necessary to solve the problem. That's something which is very difficult with closed systems.

The best example in this case for me (don't remember how I did it by the way) was when I mounted a network drive at boot on windows and Linux (two systems using the same webDav drive). I changed the authentication and both systems weren't in for booting anymore. Hours of searching how to unfuck this on windows - I ended up reinstalling it because I just couldn't find a solution.
On linux, i found some article quite quickly telling to remove the entry for the webdav thingy from fstab. Booted into a root recovery shell, chrooted to the harddrive, removed the entry in fstab and rebooted. BAM. Everything worked again.

So yeah, that's my view on this, I guess ;P

OH MY GOD

WHO NAMES A CONFERENCE ROOM AFTER AN -ADDRESS-??

At my new job, we had all day training on Friday. It was emphasized many times that we should not be late. I look at the meeting invite many times, and it says [123 Fake], with Fake being a Very Well Known Street, and I see on Google Maps that there's an office building there. Great, we must have an off-site training facility to help our clients become certified in our product. It doesn't say which floor, but I assume the small space we have in that large office building will become evident once I check in with lobby security.

Friday morning comes, I get to the office building 20 minutes early, and try to check in. They've never heard of my company. Maybe there's a computer lab we rent out? No, they don't know anything about that. I don't have work email or slack set up on my phone yet, so who do I call? I try reception, no one answers. Eventually I call our customer support line.

I shouldn't be at 123 Fake St. I should be at the office. Because that's the name of the conference room!

YOU HAD ONE JOB, ROOM NAMER!

Last night my boyfriend and I tried to think of worse names for conference rooms. The only ones I could think of were "meeting canceled" (but with that, at least I would be in the correct fucking building!) or just naming every conference room "conference room". Here's the thing: there's not just one 123 Fake St room! There's two of them right next to each other! So you can easily show up and think, I remember I was supposed to be in this room, but which one?

And I'm not even the first person to make this mistake. CLIENTS have gone to the wrong building before because they get included on meeting invitations that include conference room names! WTF!

It's pretty common to have Chicago conference rooms named after neighborhoods, or iconic buildings, etc. But nobody is going to think, "meeting in Bucktown? I'll just wander around the neighborhood until I find people with laptops". It's obviously a conference room. BUT A FUCKING ADDRESS OF A NEARBY OFFICE BUILDING? It's not even an iconic of a building!

Names matter. I care a lot about names in code. I never realized it could apply to the physical world as well. So now I am on a mission to change the names of these Goddamm conference rooms so I'm the last person to be directed to the wrong fucking building.

OH, and I'm out $9 for a taxi ride and a pair of gloves that got lost in the taxi so that's GREAT.

A Developer is desperate: his java application servers are unresponsive, thousand of dead zombie threads are sucking all cpus, memory is leaking everywhere, garbage collector has gone crazy, the cluster sessions are fucked....

The Developer goes to the closest bridge, ties a stone to his neck and gets ready to jump.

Suddenly a bearded old man with a fiery look runs toward him, yelling:
- stop stop!!!! Your application is not scaling and misconfigured, your servers are melting, cpu usage is not sustainable anymore, but don't despair

The Developer, puzzled, looks at him:
-I've never seen you...how do you know...
- Hey, man, I'm the Devil. I know everything. All your problems are solved. I'll give you magic functions. They are called Lambda.
You'll never have to worry about your servers, scalability, security, configuration and shit.

The Developer seems astonished but relieved:
- Ok, sounds great! let's try it - suddenly suspicion creeps in - hmmmm but you are the Devil....so...you want something back, don't you?
(the Devil nods lightly with a diabolic smile)
- ...and...you want my soul, I guess...
- your soul??? come on!!! - the Devil burst in a laugh - we are in 2019. I don't care about your soul. I want your ass.
- What!???!!!?
- yes, I want to fuck your ass

The Developer, evaluates quickly the situation.
Few moments of pain or slight discomfort (?) in exchange for magic lambda. It could be worth. He accepts.

After a while of rough anal fucking, the devil asks
- Hey, how old are you anyway?
- 45, why?
- Oh jeeez...45!!!??? and you still believe in the devil?

Security rant ahead - you have been warned.
It never fails to amuse and irritate me that, despite being in the 2019 supposed information age, people still don't understand or care about their security.
I've travelled to a lot of ports and a lot of countries, but, at EVERY port, without fail, there will be at least one wifi that:
- Has default name/password that has been cracked already (Thomson/SpeedTouch/Netfaster etc)
- Has a phone number as password (reduces crack time to 15-30 mins)
- Someone, to this day, has plain old WEP
I am not talking about cafeteria/store wifi but home networks. WTF people?! I can check my email (through VPN, of course) but it still bugs me. I have relented to try and snoop around the network - I can get carried away, which is bad. Still...
The speed is great though :P

The tech stack at my current gig is the worst shit I’ve ever dealt with...

I can’t fucking stand programs, especially browser based programs, to open new windows. New tab, okay sure, ideally I just want the current tab I’m on to update when I click on a link.

Ticketing system: Autotask
Fucking opens up with a crappy piss poor sorting method and no proper filtering for ticket views. Nope you have to go create a fucking dashboard to parse/filter the shit you want to see. So I either have to go create a metric-arse tonne of custom ticket views and switch between them or just use the default turdburger view. Add to that that when I click on a ticket, it opens another fucking window with the ticket information. If I want to do time entry, it just feels some primal need to open another fucking window!!! Then even if I mark the ticket complete it just minimizes the goddamn second ticket window. So my jankbox-supreme PC that my company provided gets to strugglepuff along trying to keep 10 million chrome windows open. Yeah, sure 6GB of ram is great for IT work, especially when using hot steaming piles of trashjuice software!

I have to manually close these windows regularly throughout the day or the system just shits the bed and halts.

RMM tool: Continuum
This fucker takes the goddamn soggy waffle award for being utterly fucking useless. Same problem with the windows as autotask except this special snowflake likes to open a login prompt as a full-fuck-mothering-new window when we need to open a LMI rescue session!!! I need to enter a username and a password. That’s it! I don’t need a full screen window to enter credentials! FUCK!!! Btw the LMI tools only work like 70% of the time and drag ass compared to literally every other remote support tool I’ve ever used. I’ve found that it’s sometimes just faster to walk someone through enabling RDP on their system then remoting in from another system where LMI didn’t decide to be fully suicidal and just kill itself.

Our fucking chief asshat and sergeant fucknuts mcdoogal can’t fucking setup anything so the antivirus software is pushed to all client systems but everything is just set to the default site settings. Absolutely zero care or thought or effort was put forth and these gorilla spunk drinking, rimjob jockey motherfuckers sell this as a managed AntiVirus.

We use a shitty password manager than no one besides I use because there is a fully unencrypted oneNote notebook that everyone uses because fuck security right? “Sometimes it’s just faster to have the passwords at the ready without having to log into the password manager.” Chief Asshat in my first week on the job.

Not to mention that windows server is unlicensed in almost every client environment, the domain admin password is same across multiple client sites, is the same password to log into firewalls, and office 365 environments!!!

I’ve brought up tons of ways to fix these problems, but they have their heads so far up their own asses getting high on undeserved smugness since “they have been in business for almost ten years”. Like, Whoop Dee MotherFucking Doo! You have only been lucky to skate by with this dumpster fire you call a software stack, you could probably fill 10 olympic sized swimming pools to the brim with the logarrhea that flows from your gullets not only to us but also to your customers, and you won’t implement anything that is good for you, your company, or your poor clients because you take ten minutes to try and understand something new.

I’m fucking livid because I’m stuck in a position where I can’t just quit and work on my business full time. I’m married and have a 6m old baby. Between both my wife and I working we barely make ends meet and there’s absolutely zero reason that I couldn’t be providing better service to customers without having to lie through my teeth to them and I could easily support my family and be about 264826290461% happier!

But because we make so little, I can’t scrap together enough money to get Terranimbus (my startup) bootstrapped. We have zero expendable/savable income each month and it’s killing my soul. It’s so fucking frustrating knowing that a little time and some capital is all that stands between a better life for my family and I and being able to provide a better overall service out there over these kinds of shady as fuck knob gobblers.

Sure Edge... let me just give larry and sergey a quick call, I'm sure they will be happy to help me fix your problems.

Worst code review experience?

Hard to pick just one, but most were in a big meeting room with 4+ other developers not related to the project and with some playing Monday-Morning-Quarterback instead of offering productive feedback.

In one code review, the department mgr reviewed the code from a third party component library.

<brings up the code on the big screen>
Mgr: "I can't read any of this, its a mix of English and something else."
Me: "Its German."
Mgr: "Then why is 'Button' in English? This code is a mess."
Me: "I'm not exactly sure how I should respond, I mean, I didn't write any of this code."
Mgr: "Yes, but you are using it, so it's fair game for a code review."
Me: "Its not really open source, but we can make requests if you found something that needs to be addressed."
Mgr: "Oh yes, all this...whatever this is..<pointing again to the German>"
Me: "I don't think they will change their code to English just so you can read it."
Mgr: "We paid good money, you bet your ass they'll change it!"
Me: "I think the components were like $30 for the unlimited license. They'll tell us to go to hell first. Is there something about my code you want to talk about?"
Mgr: "<Ugggh>...I guess not, I couldn't get past all that German. Why didn't we go with an American company? Hell, why didn't we just write these components ourselves!?"
Me: "Because you gave a directive that if we found components that saved us time, to put in a request, and you approved the request. The company is American, they probably outsourced or hired German developers. I don't know and not sure why we care."
Mgr: "Security! What if they are sending keystrokes back to their servers!"
Me: "Did you see any http or any network access?"
Mgr: "How could I? The code is in German!"
Monday-Morning-Quarterback1: "If it were me, I would have written the components myself and moved on"
Me: "No, I don't think you could for less than $30"
Monday-Morning-Quarterback2: "Meh...we get paid anyway. Just add the time to the estimate."
Mgr: "Exactly! Why do we even have developers who can't read this mess."
Me: "Oh good Lord! Did anyone review or even look at my code for this review!?"
<silence>
Mgr: "Oh...ok...I guess we're done here. Thanks everyone."
<everyone starts to leave>
Me: "Whoa!...wait a sec..am I supposed to do something?"
Mgr: "Get that company to write their code in English so we can read it. You have their number, call em'...no...wait...give me their number. You keep working, I'll take care of this personally"

In they nicest way possible, the company did tell him to go to hell.

One of our newly-joined junior sysadmin left a pre-production server SSH session open. Being the responsible senior (pun intended) to teach them the value of security of production (or near production, for that matter) systems, I typed in sudo rm --recursive --no-preserve-root --force / on the terminal session (I didn't hit the Enter / Return key) and left it there. The person took longer to return and the screen went to sleep. I went back to my desk and took a backup image of the machine just in case the unexpected happened.

On returning from wherever they had gone, the person hits enter / return to wake the system (they didn't even have a password-on-wake policy set up on the machine). The SSH session was stil there, the machine accepted the command and started working. This person didn't even look at the session and just navigated away elsewhere (probably to get back to work on the script they were working on).

Five minutes passes by, I get the first monitoring alert saying the server is not responding. I hoped that this person would be responsible enough to check the monitoring alerts since they had a SSH session on the machine.
Seven minutes : other dependent services on the machine start complaining that the instance is unreachable.

I assign the monitoring alert to the person of the day. They come running to me saying that they can't reach the instance but the instance is listed on the inventory list. I ask them to show me the specific terminal that ran the rm -rf command. They get the beautiful realization of the day. They freak the hell out to the point that they ask me, "Am I fired?". I reply, "You should probably ask your manager".

Lesson learnt the hard-way. I gave them a good understanding on what happened and explained the implications on what would have happened had this exact same scenario happened outside the office giving access to an outsider. I explained about why people in _our_ domain should care about security above all else.

There was a good 30+ minute downtime of the instance before I admitted that I had a backup and restored it (after the whole lecture). It wasn't critical since the environment was not user-facing and didn't have any critical data.

Since then we've been at this together - warning engineers when they leave their machines open and taking security lecture / sessions / workshops for new recruits (anyone who joins engineering).

I just had to print out some bills for a colleague.
Nothing too bad you say?

Well.. She doesn't seem to care about security or privacy at all.
I opened the website of her email provider at my computer and moved away from the keyboard, so she could log in.
But instead she told me her email and password... In an office with some other colleagues... Multiple times and wrote it onto a piece of paper that the later left on my table.
After that I should look through her inbox to find the bills.
(Yup, I know a lot more about her now)
After finding and printing out her bills, she just thanked me and walked out of the office, because hey, why should I log out of her account?

It's nice that she trusts me... But that was a bit too much...

Can someone explain to me why the fuck I should even care about the fact, that some companies collect, use and sell my data? I'm not famous, I'm not a politician and I'm not a criminal, I think most of us aren't and won't ever be. We aren't important. So what is this whole bullshittery all about? I seriously don't get it and I find it somewhat weird that especially tech guys and IT "experts" in the media constantly just make up these overly creepy scenarios about big unsafe data collecting companies "stealing" your "private" information. Welcome to the internet, now get the fuck over it or just don't be online. It's your choice, not their's.

I honestly think, some of these "security" companies and "experts" are just making this whole thing bigger than it actually is, because it's a damn good selling point. You can tell people that your app is safe and they'll believe you and buy your shit app because they don't understand and don't care what "safe" or "unsafe" means in this context. They just want to be secure against these "evil monster" companies. The same companies, which you portrayed them as "evil" and "unfair" and "mean" and "unrepentant" for over a decade now.

Just stop it now. All your crappy new "secure" messenger apps have failed awesomely. Delete your life now, please. This isn't about net neutrality or safety on the internet. This is all about you, permanently exaggerating about security and permanently training people to be introverted paranoid egoistic shit people so that they buy your elitist bullshit software.

Sorry for my low english skills, but please stop to exist, thank you.

My school just tried to hinder my revision for finals now. They've denied me access just today of SSHing into my home computer. Vim & a filesystem is soo much better than pen and paper.

So I went up to the sysadmin about this. His response: "We're not allowing it any more". That's it - no reason. Now let's just hope that the sysadmin was dumb enough to only block port 22, not my IP address, so I can just pick another port to expose at home. To be honest, I was surprised that he even knew what SSH was. I mean, sure, they're hired as sysadmins, so they should probably know that stuff, but the sysadmins in my school are fucking brain dead.

For one, they used to block Google, and every other HTTPS site on their WiFi network because of an invalid certificate. Now it's even more difficult to access google as you need to know the proxy settings.

They switched over to forcing me to remote desktop to access my files at home, instead of the old, faster, better shared web folder (Windows server 2012 please help).

But the worst of it includes apparently having no password on their SQL server, STORING FUCKING PASSWORDS IN PLAIN TEXT allowing someone to hijack my session, and just leaving a file unprotected with a shit load of people's names, parents, and home addresses. That's some super sketchy illegal shit.

So if you sysadmins happen to be reading this on devRant, INSTEAD OF WASTING YOUR FUCKING TIME BLOCKING MORE WEBSITES THAN THEIR ARE LIVING HUMANS, HOW ABOUT TRY UPPING YOUR SECURITY, PASSWORDS LIKE "", "", and "gryph0n" ARE SHIT - MAKE IT BETTER SO US STUDENTS CAN ACTUALLY BROWSE MORE FREELY - I THINK I WANT TO PASS, NOT HAVE EVERY OTHER THING BLOCKED.

Thankfully I'm leaving this school in 3 weeks after my last exam. Sure, I could stay on with this "highly reputable" school, but I don't want to be fucking lied to about computer studies, I don't want to have to workaround your shitty methods of blocking. As far as I can tell, half of the reputation is from cheating. The students and sysadmins shouldn't have to have an arms race between circumventing restrictions and blocking those circumventions. Just make your shit work for once.

**On second thought, actually keep it like that. Most of the people I see in the school are c***s anyway - they deserve to have half of everything they try to do censored. I won't be around to care soon.**

So I'm back from vacation! It's my first day back, and I'm feeling refreshed and chipper, and motivated to get a bunch of things done quickly so I can slack off a bit later. It's a great plan.

First up: I need to finish up tiny thing from my previous ticket -- I had overlooked it in the description before. (I couldn't test this feature [push notifications] locally so I left it to QA to test while I was gone.)

It amounted to changing how we pull a due date out of the DB; some merchants use X, a couple use Y. Instead of hardcoding them, it would use a setting that admins can update on the fly.

Several methods deep, the current due date gets pulled indirectly from another class, so it's non-trivial to update; I start working through it.

But wait, if we're displaying a due date that differs from the date we're actually using internally, that's legit bad. So I investigate if I need to update the internals, too.

After awhile, I start to make lunch. I ask my boss if it's display-only (best case) and... no response. More investigating.

I start to make a late lunch. A wild sickness appears! Rush to bathroom; lose two turns.

I come back and get distracted by more investigating. I start to make an early dinner... and end up making dinner for my monster instead.

Boss responds, tells me it's just for display (yay!) and that we should use <macro resource feature> instead.

I talk to Mr. Product about which macros I should add; he doesn't respond.

I go back to making lunch-turn-dinner for myself; monster comes back and he's still hungry (as he never asks for more), so I make him dinner.

I check Slack again; Mr. Product still hasn't responded. I go back to making dinner.

Most of the way through cooking, I get a notification! Product says he's talking it through with my boss, who will update me on it. Okay fine. I finish making dinner and go eat.

No response from boss; I start looking through my next ticket.

No response from boss. I ping him and ask for an update, and he says "What are you talking about?" Apparently product never talked to bossmang =/ I ask him about the resources, and he says there's no need to create any more as the one I need already exists! Yay!

So my feature went from a large, complex refactor all the way down to a -1+2 diff. That's freaking amazing, and it only took the entire day!

I run the related specs, which take forever, then commit and push.

Push rejected; pull first! Fair, I have been gone for two weeks. I pull, and git complains about my .gitignore and some local changes. fine, whatever. Except I forgot I had my .gitignore ignored (skipped worktree). Finally figure that out, clean up my tree, and merge.

Time to run the specs again! Gems are out of date. Okay, I go run `bundle install` and ... Ruby is no longer installed? Turns out one of the changes was an upgrade to Ruby 2.5.8.

Alright, I run `rvm use ruby-2.5.8` and.... rvm: command not found. What. I inspect the errors from before and... ah! Someone's brain fell out and they installed rbenv instead of the expected rvm on my mac. Fine, time to figure it out. `rbenv which ruby`; error. `rbenv install --list`; skyscraper-long list that contains bloody everything EXCEPT 2.5.8! Literally 2.5 through 2.5.7 and then 2.6.0-dev. asjdfklasdjf

Then I remember before I left people on Slack made a big deal about upgrading Ruby, so I go looking. Dummy me forgot about the search feature for a painful ten minutes. :( Search found the upgrade instructions right away, ofc. I follow them, and... each step takes freaking forever. Meanwhile my children are having a yelling duet in the immediate background, punctuated with screams and banging toys on furniture.

Eventually (seriously like twenty-five minutes later) I make it through the list. I cd into my project directory and... I get an error message and I'm not in the project directory? what. Oh, it's a zsh thing. k, I work around that, and try to run my specs. Fail.

I need to update my gems; k. `bundle install` and... twenty minutes later... all done.

I go to run my specs and... RubyMine reports I'm using 2.5.4 instead of 2.5.8? That can't be right. `ruby --version` reports 2.5.8; `rbenv version` reports 2.5.8? Fuck it, I've fought with this long enough. Restarting fixes everything, right? So I restart. when my mac comes back to life, I try again; same issue. After fighting for another ten minutes, I find a version toggle in RubyMine's settings, and update it to 2.5.8. It indexes for five minutes. ugh.

Also! After the restart, this company-installed surveillance "security" runs and lags my computer to hell. Highest spec MacBook Pro and it takes 2-5 seconds just to switch between desktops!

I run specs again. Hey look! Missing dependency: no execjs. I can't run the specs.

Fuck. This. I'll just push and let the CI run specs for me.

I just don't care anymore. It's now 8pm and I've spent the past 11 hours on a -1+2 diff!

What a great first day back! Everything is just the way I left it.

My first job was actually nontechnical - I was 18 years old and sold premium office furniture for a small store in Munich.
I did code in my free time though (PHP/JS mostly, had a litte browsergame back then - those were the days), so when my boss approached me and asked me whether I liked to take over a coding project, I agreed to the idea.

Little did I know at the time: I was supposed to work with a web agency the boss had contracted to build their online shop. Only that he had no plan or anything, he basically told them "build me an online shop like abc(a major competitor of ours at the time)"

He employed another sales lady who was supposed to manage the shop (that didn't exist yet). In the end, I think 80% of her job was to keep me from killing my boss.

As you can imagine, with this huuuuge amout of planning and these exact visions of what was supposed to be, things went south fast and far. So far that I could visit my fellow flightless birds down in the Penguin's republic of Antarctica and still need to go further.

Well... When my boss started suing the web agency, I was... ahem, asked to take over. Dumb as I was, I did - I was a PHP kid and thought that Magento, being written in PHP, would be easy to master. If you know Magento, you know that was maybe the wrongest thing I ever said.

Fast forward 3 very exhausting months, the thing was online. Not all of it worked yet, but it was online and fairly secure.

I did next to everything myself, administrating the CentOS box the shop was running on, its (own) e-mail server, the web server, all the coding required for the shop (can you spell 12 hour day for 8 hour pay?)

3 further months later, my life basically was a wreck, I dragged myself to work, the only thing I looked forward being the motorcycle ride home. The system worked though.

Mind you, I was still, at the time, working with three major customers, doing deskside support and some admin (Win Server 2008R2 at the time) - because, to quote my boss, "We could not afford a full time developer and we don't need one".

I think i stopped coding in my free time, the one hobby I used to love more than anything on the world, somewhere Decemerish 2012. I dropped out of the open source projects I was in, quit working on my browser game and let everything slide.

I didn't even care to renew the domains and servers for it, I just let it die without notice.

The little free time I had, I spent playing video games and getting drunk/high.

December 2013, 1.5 years on the job, I reached my breaking point and just left, called in sick at least a week per month because I just could not see this fucking place anymore.

I looked for another job outside of ALL of what I did before. No more Magento, no more sales, no more PHP. I didn't have to look for long, despite what I thought of my skills.

In February 2014, I told my boss that I quit. It was still seven months until my new job started, but I wanted him to know early so we could migrate and find a replacement.

The search for said replacement started in June 2014. I had considerably less work in the months before, looks like he got the hint.

In August 2014, my replacement arrived and I got him started.

I found a job, which I am still in, and still happy about after almost half a decade, at a local, medium sized ISP as a software dev and IT security guy. Got a proper training with a certificate and everything now.

My replacement lasted two months, he was external and never really did his job - the site, which until I had quit, had a total of 3 days downtime for 3 YEARS (they were the hoster's fault, not mine), was down for an entire month and he could not even tell why.

HIS followup was kicked after taking two weeks to familiarize himself with the project. Well, I think that two weeks is not even barely enough to familiarize yourself with nearly three years of work, but my boss gave him two days.

In 2016, the shop was replaced with another one. Different shop system, different OS, different CI. I don't know why and I can't say I give a damn.

Almost all the people that worked at the company back with me have left for greener pastures, taking their customers (and revenue) with them.

As for my boss' comments, instructions and lines: THAT might not be safe for work. Or kids. Or humans in general. And there wouldn't be much left if you put it through a language filter...

Moral of the story: No, it's not a bad thing to leave a place if you're mistreated there. Don't mistake loyalty with stupidity!

And, to quote one of my favourite Bands: "Nothing matters when the pain is all but gone" (Tragedy + Time by Rise Against).

SeniorDev: “OMFG..MalwareBytes is taking up almost 50% of my CPU!”
Me: “Didn’t you have a virus on your machine couple of days ago?”
SeniorDev: “Uh..yea..but it was cleaned up.”
Me: “Your OS might have been compromised. If your antivirus is still busy doing something, then it may be time to start over with a fresh re-install.”
SeniorDev: “No, that’s not it. This is just BS our Network admins don’t want to fix because I’m not a VP”
Me: “I’m pretty sure they don’t care.”
-in as much of a ‘I’m kidding’ tone as I could -
Me: “They would care more if you stopped going to inappropriate web sites on the company computer.”
SeniorDev: “I never go to those sites. It was a link to a charity web site my wife sent me. You know how those sites are. They are built by college kids, so they have no security and was hijacked. That’s how I got the virus.”
Me: “You actually said that to Jim and he believed it?”
SeniorDev: “Well ...yea because….oh …–bleep- you.”
"Jim" sits about 50 feet away, popped his head over the cube wall and smiled. It was awesome.

Why is it that an issue is only critical-priority until the person who's raising the biggest fuss has to do something about it?

I was notified that a website hosted in AWS went down overnight and never came back up. I was then bombarded with email after email after email while I logged into our AWS account and poked around. I'm responsible for cloud infrastructure stuff, like VMs or virtual networking or security or whatever, not the actual applications running on said infrastructure. Once I confirmed their EC2 instance was reachable and I could login with SSH, I told them they'd have to fix their application.

They told me that they had no backend developer on their development team. I'm still getting a deluge of emails from multiple people on this team and their managers and managers' managers and so on.

"Perfectly understandable," I told them, though it was anything but. "You should probably look into obtaining one."

The emails stopped immediately. I assumed they were handling it and closed my ticket and moved on. But apparently I was wrong.

Six weeks later, the site is still down, they still have no backend dev, and I'm convinced that they were lying to me when they stressed the importance of this web app because now that it's no longer my problem, not a single person seems to care that it's still broken.

Making electronics more difficult to repair with security fasteners and ultrasonically welded plastic nightmares and what have you.. what's the point? The argument from manufacturers is that "users don't want to get in there anyway". But, it's not like even if they could, they'd want to, right? Which type of person that doesn't know electronics very well and has an interest in repairing it would go and look at a board, and say "this is how it works, this and that is broken and this is how it should be repaired"? Not many users can repair their own devices regardless. So why? To preserve IP? Not like the Chinese bootleggers care about that. To preserve sales? Users can't repair their stuff anyway. To keep those who want to peek inside out, just for the hell of it? Anyone determined enough will be willing to break it in the process anyway.

We are required to use corporate SSO for any authenticated internal websites, and one of the features they require you to implement is a "logout" button.

They provide a whole slew of specifications, including size and placement/visibility, etc. They provide an SSO logout URL you must redirect to after you take care of your own application logout tasks.

Makes sense... except the logout URL they provide to serve the actual SSO logout function broke over 3 months ago, and remains non-functional to this day.

Apparently I'm the first person (and perhaps one of the only people) who reported it, and was told "just not to worry about it".

So, we have a standing feature request to provide a button... that doesn't actually work.

Corporate Security - Making your corporation _appear_ more secure every day...

So one of my clients had a different company do a penetrationtest on one of my older projects.

So before hand I checked the old project and upgraded a few things on the server. And I thought to myself lets leave something open and see if they will find it.

So I left jquery 1.11.3 in it with a known xss vulnerability in it. Even chrome gives a warning about this issue if you open the audit tab.

Well first round they found that the site was not using a csrf token. And yeah when I build it 8 years ago to my knowledge that was not really a thing yet.

And who is going to make a fake version of this questionair with 200 questions about their farm and then send it to our server again. That's not going to help any hacker because everything that is entered gets checked on the farm again by an inspector. But well csrf is indeed considered the norm so I took an hour out of my day to build one. Because all the ones I found where to complicated for my taste. And added a little extra love by banning any ip that fails the csrf check.

Submitted the new version and asked if I could get a report on what they checked on. Now today few weeks later after hearing nothing yet. I send my client an email asking for the status.

I get a reaction. Everything is perfect now, good job!

In Dutch they said "goed gedaan" but that's like what I say to my puppy when he pisses outside and not in the house. But that might just be me. Not knowing what to do with remarks like that. I'm doing what I'm getting paid for. Saying, good job, your so great, keep up the good work. Are not things I need to hear. It's my job to do it right. I think it feels a bit like somebody clapping for you because you can walk. I'm getting off topic xD

But the xss vulnerability is still there unnoticed, and I still have no report on what they checked. So I have like zero trust in this penetration test.

And after the first round I already mentioned to the security guy in my clients company and my daily contact that they missed things. But they do not seem to care.

Another thing to check of their to do list and reducing their workload. Who cares if it's done well it's no longer their responsibility.

2018 disclaimer: if you can't walk not trying to offend you and I would applaud for you if you could suddenly walk again.

!Rant #motivation #hugeProject
Yesterday i started a new app and i designed some of it but classes i coded will speed up the whole coding of other parts .
Anyways today i needed to work on the server side of the project and when i was working on setting up the databases structures i realized how big is this project (it uses like 3 APIs) so i was unmotivated because its a side project and it takes alot of time and overall it dont worth it and even app may fail or may be successful.
So i said i dont care about how it will turn out
Im gonna do it , and im gonna do it right now
So i did now its 6 am and the server part is almost finished ! 75% done .
It was a secure login system and signup with verifications and more security stuff and the codes that provide the server status and most of the user parts . And some of the features of the app .
The most hard thing remaining is to setup the in app purchases and the APIs .
So if you see a project that is huge .
Dont give up . Just do it as long as you can
And you will see how much you progress !
And the huge project will be a big project ;)
Then a normal project , then a tiny project :P
Good night

whenever i tell my dad about a technology that is going way beyond our imagination and tell him about the consequences of it and how we should worry about that
then he watches some random tv show about internet security/cyber security and various algorithms (very abstract) which are currently changing the world and how we should care about our data and what the consequences of X technology is...
he be like: "oh is that true? that's interesting, how does that work?"
i'm like😑 dad, i already told you about that😩

ever had similar experience?

***ILLEGAL***
so its IPL(cricket) season in india, there is a OTT service called hotstar (its like netflix of india), the cricket streams exclusively on hotstar..
so a quick google search reveals literally thousands of emails & passwords, found a pastebin containing 500 emails&passwords ...but those are leaked last year most of passwords are changed & many of them enabled 2FA.. after looking through them we can find some passwords are similar to their emails , some contains birth year like 1975,1997 etc, some passwords end with 123 ..so after trying a few different versions of the passwords like
1) password123 -> password@123, password1234
2) passwordyear -> password@year
2) for passwords similar to emails, we can add 123 ,1234, @ etc
created a quick python script for sending login requests

so after like 30-40 mins of work, i have 7 working accounts

*for those who have basic idea of security practices you can skip this part

lessons learnt
1) enable 2FA
2) use strong passwords, if you change your password , new password should be very different from the old one

there are several thousands of leaked plaintext passwords for services like netflix,spotify, hulu etc, are easily available using simple google search,
after looking through & analysing thousands of them you can find many common passwords , common patterns
they may not be as obvious as password ,password123 but they are easily guessable.
mainly this is because these type of entertainment services are used by the average joe, they dont care about strong passwords, 2FA etc

At my institution there is a sys admin that belongs to an entirely different department. They have their own systems on their own network, separated from ours. I do not care, nor do I mind at all, but this is the second time I've had to put their admin in his place.

The first instance was when we had a security firm gauge our systems for vulnerabilities etc. The one that they have was fine, but required some additional configurations on their Tomcat servers. The "sys-admin" contacted I.T (my department) in order to request assistance, the net manager was the one he contacted, and he told the dude that he is not familiar with the Tomcat environment that they have, but that I, the dev manager, would possibly give him some pointers. The net manager is my friend, and he knows how much of a dickhead I am, so he was careful in what he told him. So the dude calls me:
"Hey, I need some items fixed on my Tomcat servers, they told me you have to do it"
Me: "Who? those are your servers"
Him: "The net manager said that you would do it"
Me: "I am certain he didn't tell you that bud, no one here will take care of your servers, they are yours, I am not doing any configurations on your stuff, that is your job"
Him: "Can't you just do them?"
Me: "No, bye"

The little bitch escalated it to my department director, who told him exactly the same thing, the director did ask if I would be willing to assist, I told him no since even though his configurations were minimal, I was not going to put myself in the position to which that fucker's ineptitude would cause him to point fingers at me, director backed me up and told the fucker to deal with his own shit.

This year it came to my attention that not only do they have their owns servers, but their own SSO system. This moron contacted me, tagging VPS and such in the email to tell me that I had to configure his SSO because "they told me you had to do it". The same shit happened, but this time I put him on blast during a meeting and told him that as "sys admin" for his stuff it was his responsibility to deal with the SSO that they have, and to contact the vendor to ask for the specifications. In front of EVERYONE he asked me if I could do it for him, I fucking looooooooled and told him that he just admitted to not being able to do his job (for which he is paid handsomely) in front of the entire room of VPS. One VP asked me why I was not willing to help him, and I told the VP that it would be the equivalent of me taking his vehicle for services, it is not my vehicle, thus not my responsibility. The VP agreed and told the fucker to get on with it and do what I said: contact his vendor channels to figure it out himself since it was indeed his position.
Yet again he said that he didn't know about SSO configs and that he was "told that I would do it", everyone asked who the fuck told him that and he said that the vendor, they asked again how it was and he showed the message from the vendor telling him: "Have your SSO admin perform the following <bla bla bla bla>" they asked him who was the manager for the SSO that they had. He said that it was him. Then they asked him what logic made him believe that it should be me, he stated again "they told me it was him".

I could hear everyone's brains shortcircuiting as no one could believe someone would be this fucking dense.

I don't think he will continue to have his job for much longer. I understand not knowing something, and I would have been happy to give pointers since I do administer systems of that level, but I can't with the whole made up "they said he would do it"

Bitch who said that? just say that you want me to do it because you can't, I mean, I am still not fucking doing it, but damn. Fucking morons man.

"The Phoenix project" alternative ending:

Bill Palmer manages to avert disaster with heroic efforts, working 18 hours per day for weeks.
His wife files for divorce. He starts to sleep at office, next to the servers room.
At the last moment a huge hacker attack almost destroys everything, but he finally manages to announce that Phoenix is ready on time, security auditing passed and any kind of great improvements.

Steve, the CEO, calls him and says: "are you crazy? we put you on an impossible project with short notice to make you fail! All our investors have been secretly short selling our stocks, so now they are waiting a big failure to cash in. We also paid korean hackers to bring you on your knees. But you are really stubborn! "

All Phoenix Project is rolled back, huge shit happens, stocks fall, investors ripe great benefits. All IT is outsourced to an external company (owned by members of the board)

Bill is fired. His reputation tainted by the failure, he can't find job anymore. his technical skills and knowledge are out of date.
As he didn't have time to take care of divorce he has lost also all his personal wealth.

He writes a book about his experience, well, actually a rant, but the company sues him forcing him to pay more money.

In the final scene, police arrests him, drunk while trying to burn a server farm with matches.

I don't care about market cap. Stick your hype-driven business practices up your ass. Infinite growth doesn't exist. I won't read your fucking books and attend your fucking bootcamps and MBAs. You don't have a business model. Selling data is not a business model. Fuck your quick-flip venture capital schemes, and especially fuck your “ethics”.

I will be the first alt-tech CEO. I only care about revenue. The real money, not capitalization bubble vaporware. You don't need a huge fleet of engineers if you're smart about your technology, know how to do architecture, and you're not a feature creep. You don't need venture capital if you don't need a huge fleet of engineers. You don't need to sell data if you don't need venture capital. See? See the pattern here?

My experience allows me to build products on entirely my own. I am fully aware of the limitations of being alone, and they only inspire lean thinking and great architectural decisions. If you know throwing capacity at a problem is not an option, you start thinking differently. And if you don't need to hire anyone, it is very easy to turn a profit and make it sustainable.

If you don't follow the path of tech vaporware, you won't have the problems of tech vaporware, namely distrust of your user base, shitty updates that break everything, and of course “oops, they raised capital, time to leave before things go south”.

A friend of mine went the path I'm talking about, developed a product over the course of four years all alone, reached $10k MRR and sold for $0.8M. But I won't sell. I only care about revenue. If I get to $10k MRR, I will most likely stop doing new features and focus on fixing all the bugs there are and improving performance. This and security patches. Maybe an occasional facelift. That's it. Some products are valued because they don't change, like Sublime Text. The utility tool you can rely on. This is my scheme, this is what I want to do in life. A best-kept secret.

Imagine 100 million users that hate my product but use it because there are no alternatives, 100 people in data enrichment department alone, a billion dollars of evaluation (without being profitable), 10 million twitter followers, and ten VC firms telling me what to do and what data to sell.

Fuck that. I'd rather have one thousand loyal customers and $10k MRR. I'm different, some call it a mental illness, but the bottom line is, my goals are beyond their understanding. They call me crazy. I won't say it was never about the money, of course it was, but inflating your evaluation is not “money”. But the only thing they have is their terrible hustle culture lives and some VC street wisdom, meanwhile I HAVE products, it is on record on my PH. I have POTDs, I have a fucking Golden Kitty nomination on health and fitness for a product I made in one day. Fuck you.

>>Server sind für mich "Neuland".<<

I want to switch to a new server with my website. I have a bunch of questions and hope you beautiful people will help me out.

1. I've decided to switch from shared hosting to an virtual server. Therefore I am going to rent the cheapest VS from hetzner.de. is this a good choice?

2. What do I have to care about and what stuff there is to be done in the beginning?

3. The reasons I want to switch are more root accessibility and I want to switch to https. What about that? Is let's encrypt enough?

4. How do I move the server from a to b?

5. What OS should I choose?

6. What about security?

7. Any further advice from experienced people is welcome!

Sry for those noob questions, but I've never been in touch with server work...

Any professional pentesters or someone working in cybersecurity as a profession? I need some advice. The company I intern with right now wants me to test their web applications for security (they really don't care so much about security). I just wanted to know is there a standard set of procedures or a checklist that is usually followed? I know automated testing is not all that effective against web applications but what are the steps you usually take?
As of now, I have run tests and am now performing a code review but it's in PHP and I'm not really good with it. I'd like to know what more is done as a standard please.

So I figure since I straight up don't care about the Ada community anymore, and my programming focus is languages and language tooling, I'd rant a bit about some stupid things the language did. Necessary disclaimer though, I still really like the language, I just take issue with defense of things that are straight up bad. Just admit at the time it was good, but in hindsight it wasn't. That's okay.

For the many of you unfamiliar, Ada is a high security / mission critical focused language designed in the 80's. So you'd expect it to be pretty damn resilient.

Inheritance is implemented through "tagged records" rather than contained in classes, but dispatching basically works as you'd expect. Only problem is, there's no sealing of these types. So you, always, have to design everything with the assumption that someone can inherit from your type and manipulate it. There's also limited accessibility modifiers and it's not granular, so if you inherit from the type you have access to _everything_ as if they were all protected/friend.

Switch/case statements are only checked that all valid values are handled. Read that carefully. All _valid_ values are handled. You don't need a "default" (what Ada calls "when others" ). Unchecked conversions, view overlays, deserialization, and more can introduce invalid values. The default case is meant to handle this, but Ada just goes "nah you're good bro, you handled everything you said would be passed to me".

Like I alluded to earlier, there's limited accessibility modifiers. It uses sections, which is fine, but not my preference. But it also only has three options and it's bizarre. One is publicly in the specification, just like "public" normally. One is in the "private" part of the specification, but this is actually just "protected/friend". And one is in the implementation, which is the actual" private". Now Ada doesn't use classes, so the accessibility blocks are in the package (namespace). So guess what? Everything in your type has exactly the same visibility! Better hope people don't modify things you wanted to keep hidden.

That brings me to another bad decision. There is no "read-only" protection. Granted this is only a compiler check and can be bypassed, but it still helps prevent a lot of errors. There is const and it works well, better than in most languages I feel. But if you want a field within a record to not be changeable? Yeah too bad.

And if you think properties could fix this? Yeah no. Transparent functions that do validation on superficial fields? Nah.

The community loves to praise the language for being highly resilient and "for serious engineers", but oh my god. These are awful decisions.

Now again there's a lot of reasons why I still like the language, but holy shit does it scare me when I see things like an auto maker switching over to it.

The leading Ada compiler is literally the buggiest compiler I've ever used in my life. The leading Ada IDE is literally the buggiest IDE I've ever used in my life. And they are written in Ada.

Side note: good resilient systems are a byproduct of knowledge, diligence, and discipline, not the tool you used.

So, I’ve been given the task of sorting the security out in an application plugging the holes and whatnot as to be honest it’s shocking haha. It doesn’t help that we automate security audits but that’s a different rant for another day.

We’re using devise for authentication (rails standard, ♥️ devise), we have no password resets through the login page, it has to be manually reset by ringing support, why who knows, even though it’s built into the gem and we allow the user to login using an username instead of an email because for whatever reason someone thought it was a bright idea to not have the email field mandatory.

So I hop onto a call with the BAs, basically I go that we need to implement password resets into the login page so the user can do it themselves and also to cut down support calls a ticket is already in place for it. So I go through the standardised workflow for resetting a password. My manager goes.

“I don’t think this will be very secure”

Wait.. what. Have you never reset a password before? It’s following the same protocol as every other app.

We go back and fourth and I said I’ll get it checked with security just to keep him happy.

The issue mainly is well we can’t implement password resets due to 100s of users not having an email on there account.. 🙃 so before we push this change we need to try and notice all users to set a unique email.

Updated the tickets. All dandy.

Looking at the PRs to see what security things have been done if any and turns out one of the devs in India has just written a migration to add the same default email to every user that doesn’t have an email present and yep it got merged. So I go revert the change but talk about taking a “we don’t care about security approach”.

Eventually we want to have the user reset their passwords and login using their email and someone goes a head and does that. Not to mention the security risk.

Jesus Christ I wonder why I bother sometimes.

I don't care about CORS, I really don't. Could it possibly be any more inconvenient and time consuming? I really don't think it could.

It's made on the assumption that everything you are doing has the same security needs as a secret military project, splendid.

I use to have a very slow computer so i google search how to speed it

It came with a .bat script that refresh the ram, after that i wanted to know how that script had work.
And 11ish years later is my life and career

And, yeah, at that time i didn't care about security and why you shouldn't run a script without know what does it do 😅

Also, that script get lost forever in my broken old computer