AboutCoder, Pentester, flightless Bird, Motorbiker, volunteer firepenguin, trained security guard.
SkillsRuby, Rails, JS, Go, C++, Python plus some old shit from the 90s. And I can do a funny waddle.
Joined devRant on 5/17/2018
Do all the things like ++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatarSign Up
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple APILearn More
Best : I moved on from Dev to SecOps and got a well paid job in a small company closer to my home. With three office dogs.
Really, the dogs are the main thing there. The money is just an additional benefit.
Worst : my Dev life keeps getting less and less relevant for me. In the last two years, I started volunteering a lot (local volunteer fire department and then some), investing into several side businesses that start paying off now, generally doing as much non-dev stuff as possible.
I wanted to do this since I was a kid, I'm good at it, but I keep finding other things to do, because they're more interesting and more of a challenge.
Honestly, the one thing that keeps me in IT is sunk cost fallacy.
Hell, I'm thinking about becoming a paramedic or something, at least I'll be helping people instead of entertaining managers.4
Time spent getting to grips with your OS is usually time spent well. While you're not operations, it really helps being able to solve general problems yourself without calling support.
Oh, and: Set up a good bashrc, and put it on the servers you're working with.4
Did it when You l was a kid. Got good through a decade of learning before I even started working as one.
Don't want to waste all those years of learning, probably the only good thing about my childhood...
So yes, it's mostly sunk-cost-fallacy at this time. But it brings food to the table.1
So... I've got a confession to make.
I'm no longer a Dev. After the disaster that was my last commercial gig, I went and got a sec Ops role... And I love it. It's just technical problem solving and explaining all the way.
Don't get me wrong, I still love to code. But that's exactly the thing. As a commercial developer employed by corporations, I spent close to 80 % of my time not coding, but in useless meetings, or trying to figure out just what my colleagues thought was "common sense", reverse engineering their work and documenting how to get it running, etc. Basically, fixing shit for braindead academics with next to no real world experience.
Now, when I code, I get to do it on my own terms, with my own stack and as much comments and docs as I want to have. I own my time, and the only ones that are allowed to interrupt me is the local fire department.
I can do what I'm fucking passionate about and leave the rest for the useless people.5
Augustiner, Tegernseer, Coffee, and at one time, White Widow.
And we don't talk about the time with the white widow.
I moved from a no-dogs-allowed company to an office with three dogs in.
Forget the better salary, the more freedoms, the nicer boss I have now.
The main benefit is that I get to pet dogs every day now!9
So... did I mention I sometimes hate banks?
But I'll start at the beginning.
In the beginning, the big bang created the universe and evolution created humans, penguins, polar bea... oh well, fuck it, a couple million years fast forward...
Your trusted, local flightless bird walks into a bank to open an account. This, on its own, was a mistake, but opening an online bank account as a minor (which I was before I turned 18, because that was how things worked) was not that easy at the time.
So, yours truly of course signs a contract, binding me to follow the BSI Grundschutz (A basic security standard in Germany, it's not a law, but part of some contracts. It contains basic security advice like "don't run unknown software, install antivirus/firewall, use strong passwords", so it's just a basic prototype for a security policy).
The copy provided with my contract states a minimum password length of 8 (somewhat reasonable if you don't limit yourself to alphanumeric, include the entire UTF 8 standard and so on).
The bank's online banking password length is limited to 5 characters. So... fuck the contract, huh?
Calling support, they claimed that it is a "technical neccessity" (I never state my job when calling a support line. The more skilled people on the other hand notice it sooner or later, the others - why bother telling them) and that it is "stored encrypted". Why they use a nonstandard way of storing and encrypting it and making it that easy to brute-force it... no idea.
However, after three login attempts, the account is blocked, so a brute force attack turns into a DOS attack.
And since the only way to unblock it is to physically appear in a branch, you just would need to hit a couple thousand accounts in a neighbourhood (not a lot if you use bots and know a thing or two about the syntax of IBAN numbers) and fill up all the branches with lots of potential hostages for your planned heist or terrorist attack. Quite useful.
So, after getting nowhere with the support - After suggesting to change my username to something cryptic and insisting that their homegrown, 2FA would prevent attacks. Unless someone would login (which worked without 2FA because the 2FA only is used when moving money), report the card missing, request a new one to a different address and log in with that. Which, you know, is quite likely to happen and be blamed on the customer.
So... I went to cancel my account there - seeing as I could not fulfill my contract as a customer. I've signed to use a minimum password length of 8. I can only use a password length of 5.
Contract void. Sometimes, I love dealing with idiots.
And these people are in charge of billions of money, stock and assets. I think I'll move to... idk, Antarctica?4
I'm currently pentesting a web app on a Mac Mini with 8 Gigs of RAM and a i5-4620 using OWASP ZAP. Third time the fuzzer got stuck, the RAM's full an the CPU's permanently at 100 %.
Before starting this job, I always said that pentesting on this POS is like bringing a knife to a gunfight.
When I kicked off two fuzzers at once, I started feeling like bringing a cocktail sword to a thermonuclear war.
It's not even 10 here and I already wish for some booze. Damn, I gotta start making moonshine or something.5
Call me old-fashioned, but... I kinda liked it back in the day, when Microsoft made proprietary software, the Community made free software and everyone's "cui bono" was quite easy to answer - even those corporations involved in FLOSS did have a clear way to finance themselves.
Now, we have Microsoft coming into open source, seemingly making projects better and offering more and more "free" stuff.
"Free" Windows 10.
"Free" SaaS Office.
"Free" "Private" Repos on Github.
In general - what happened to clear and concise "I give you money, you give me stuff" capitalism like we had it in the 2000s?
I'd rather pay 20 bucks for a game on Steam than get it "free" and with ads or microtransactions - yet, many games, especially mobile, don't even offer me that option. It wouldn't be that hard now, would it?
The same goes for software. That Canonical would need to fuck their users over after Ubuntu One went to shit was obvious - they didn't offer the kind of commercial/enterprise OS'es that Redhat or SuSE sell.
What people seem to forget is that everyone needs to make a profit somehow. You don't get "free" stuff. Even the volunteers in the Open Source Community get something out of it - an opportunity to pad their CV at least, if nothing else.
Nowadays, software manufacturers have the same legitimacy as the "free" financial "advisors" you find at banks - and who could be dumb enough to trust them? Oh yeah: Almost the entire fucking society is who.
But then again, sell something and noone will want it - because they all want it for free, with annoying, privacy-invading ads or with equally annoying microtransactions, or financing based on commission - so you don't only pay ONCE, you pay until you realize you got fucked over and quit.
Capitalism used to work until all those idiots stepped in. How the fuck don't people realize that there's no free lunch in life? When have we stopped being functional people and turned into idiots.
Even worse: Those idiots think that they're entitled to something! They, who volunteered to become merchandise instead of customers, think that they have rights! Do cattle have rights? Nope. They get their "free" hay everyday and I get to buy beef, that's how it works. Moo!
Hell, they are surprised when they get fucked over by bank salespeople or their data stolen by corporations, intelligence agencies or something... What did they expect, goodwill?
Can we please make Adam Smith mandatory reading in school?! I mean, give people a chance to understand capitalism? The nonexistent "goodwill" of traders in general?9
1. It's gonna be more and more specialized - to the point where we'll equal or even outdo the medical profession. Even today, you can put 100 techs/devs into a room and not find two doing the same job - that number will rise with the advent of even more new fields, languages and frameworks.
2. As most end users enjoy ignoring all security instructions, software and hardware will be locked down. This will be the disadvantage of developers, makers and hackers equally. The importance of social engineering means the platform development will focus on protecting the users from themselves, locking out legitimate tinkerers in the process.
3. With the EU getting into the backdoor game with eTLS (only 20 years after everyone else realized it's shit), informational security will reach an all-time low as criminals exploit the vulnerabilities that the standard will certainly have.
4. While good old-fashioned police work still applies to the internet, people will accept more and more mass surveillance as the voices of reason will be silenced. Devs will probably hear more and more about implementing these or joining the resistance.
5. We'll see major leaks, both as a consequence of mass-surveillance (done incompetently and thus, insecurely) and as activist retaliation.
6. As the political correctness morons continue invading our communities and projects, productivity will drop. A small group of more assertive devs will form - not pretty or presentable, but they - we - get shit done for the rest.
7. With IT becoming more and more public, pseudo-knowledge, FUD and sales bullshit will take over and, much like we're already seeing it in the financial sector, drown out any attempt of useful education. There will be a new silver-bullet, it will be useless. Like the rest. Stick to brass (as in IDS/IPS, Firewall, AV, Education), less expensive and more effective.
8. With the internet becoming a part of the real life without most people realizing it and/or acting accordingly, security issues will have more financial damages and potentially lethal consequences. We've already seen insulin pumps being hacked remotely and pacemakers' firmware being replaced without proper authentication. This will reach other areas.
9. After marijuana is legalized, dev productivity will either plummet or skyrocket. Or be entirely unaffected. Who cares, I'll roll the next one.
10. There will be new JS frameworks. The world will turn, it will rain.1
Geez... Got woken up by a catastrophe alert.
Check phone, could be someone shooting up the neighborhood or something else to excuse myself from a social event.
Someone thought that 40 km/h wind and 20 cm of snow are a catastrophe.
Fuck this country.20
1. Extend my infosec knowledge further and try getting more work in that area (and less as a dev).
2. Specialize more, dabble less.
3. Learn more !dev skills (military/political history mostly)
On the first day of Christmas, the bossman gave to me: The fact that my new computer purchase order needs to be OKed by the CEO and I need to continue working on a 2014 Mac Mini (i5-4260U, 8 Gig RAM, GPU shot by an ESD on the case long ago) for the next year.
On the second day of Christmas, my family gave to me... a good reason to get shitfaced
On the third day of Christmas, getting shitfaced gave to me: A hangover and some urgent plastic welding job that had to be done with a soldering iron. FML, I've had a headache before breathing in pure hydro-cyano-whatthefuckyougetwhenyoumeltplastics
On the fourth day of Christmas, my team gave to me: A legacy, age-old Rails 2 project that was written by an intern and never reviewed, went to prod in 2014 and can't be changed anymore, but needs to be changed after the fact that it has zero test coverage and needs 100 % now to prevent issues and costly manual testing.
On the fifth day of Christmas, devrant gave to me: The Idea that making fun of Christmas songs to get over the sheer amount of dicks that working over the twelve days of Christmas sucks.
To be continued...2
My smart watch just reminded me to get my lazy ass out of my chair and move some.
I picked up my coffee cup, drank a sip.
That satisfied it.
Lazyness : 1 - Technology: 06
If there's something wrong in the server room
Who you gonna blame? (the intern)
If the hard drive's grilled
And it don't look good
Who you gonna blame? (the intern)
If you're seeing keys in your'r github's HEAD
Who you gonna blame? (the intern)
Your PC's on fire
and the website's dead
Who you gonna blame? (the intern)
Disclaimer: My internship was a pretty cool time actually... :)
My lessons both come from my current side project (I will share it with you in a week or two, the website isn't finished yet):
1. Every project comes to the point where it hurts to continue. Keep pushing, the result is worth it.
2. You aren't as good as you thought you were when you started, but you'll be better than you ever were when you finish.
3. Sometimes, there's more points to a list than you'd expect.
4. One hour per day is easier than five hours a week.
Well. I started out my project knowing some C#, but Jack shit about unity. I know most of what I might build will end up being shit I'm gonna regret, refactor and recycle later. But I don't give a fuck. Doing it is better than planning it.
It sometimes hurts to get rid of a carefully planned algorithm that took hours to build because it fails in practice. But it's the right thing to do.
Never plan too much. If I'd have planned this project out, I wouldn't even have started with what I'm good at: write code, break shit and experiment.
It's easier to progress slowly but steady. Look at some awesome games that have been worked on for ages while the public had their say (RimWorld, Project Zomboid, Dwarf Fortress...) as opposed to those that are developed behind closed doors and rushed to the market before Christmas or some other major event (Mafia 3, Fallout 76, Fallout 4 VR...). Progress slowly, deploy early, push often. And the one hour per day approach is a good way to do this.
You'll be surprised, but it's Microsoft for me.
When I started out, windows(95, yes I'm old, thanks for noticing) was the shit for me and I was quite a fanboy of it.
However, when a friend of mine introduced me to Linux, I quickly changed my mind because so many small things were way better. Then, when Vista came out, I switched completely.
That, on its own, was an adventure, but that's another rant for another time(Me and my pal were the only Linux users in the town we lived in, so without online shopping, perusing the local hardware vendors was like meeting a Neolithic tribe. It's definitely rantworthy on its own, if only for nostalgia).
The more I learned about Free Software and what Corporations could do with their power, the more I came to despise the companies I used to advocate for.
Now, it's 2018 and people bitch about what Facebook, Microsoft and their equally evil buddies do. Yet, 2013, when PRISM hit the fan, they once again ran to their arms instead of fixing the problem properly. That's about when I lost the last bit of respect for people.
And now I'm sitting here playing the world's tiniest open source violin, singing "won't get fooled again" by The Who.6
So... I had some money left over and added a 3d printer to my terrorist workshop (some of you might remember the picture I posted a while ago. A friend of mine gave it the name after the police stormed a hackerspace in Nuremberg and I wondered when they would kick down my door. )...
That's how far I got in two hours (from cutting open the package), and I don't really fancy myself dexterous... Not anymore at least.
I suppose this will be a weeklong project 😂.2
So... Some fake accounts on Twitter claimed to be Elon Musk and to give shitloads of Bitcoin to those who sent a little amount first. They stole... Wait for it... 180 grand.
That's basically your everyday 419 scam. Existing since before the internet, done with the names of Gates, Buffet, Bush, Obama...
They say "the big bad evil criminals and the poor little innocent victims" I say natural selection. Sorry, in those lion vs gazelle scenarios I always thought that it was fair, no matter how it went.
Just when did humanity get so brainless? Have we always been, is the internet just a catalyst for stupidity?
Just why the fuck must I be an infosec sheepdog instead of a wolf? Man, I could live the life, drink beer and smoke herb while working... Get up at 12, don't give a shit, no boss, no taxes, no social security payments that I don't see jack shit from, and the pay would be better to.
I made a bit of a tradition of building a list of hardware that's superior to whatever Crapple is releasing whenever Crapple releases something - and for the first time, I decided to make it public instead of just sharing it with some coworkers.
Making it public however took some time (luckily, yesterday was a holiday here, so I got it done now) - at least, making it looking "not like shit" took some time.
So enjoy my (very basic) bootstrap templated, yet possibly useful list of builds superior to the Crapple Rag Mini (which is a completely fictional entity not resembling any existing company in the world. Promise. Totally. Penguin's swear.)
The list can be found here - expect to see an update anytime Crapple pushes new shit to the market:
(possibly not safe for work, children, catholics and SJWs). Yeah, no SSL cert, currently. Hell, it's a private server, it doesn't process any of your info and it doesn't offer downloads... I might add one in the future.
I hope you can forgive my shameless self-promotion, it's not a commercial site, there are no ads/shitcoin miners on it and i don't get a share/cut/whatever - just a small humorous joke project. For now.
BTW: I didn't attempt to build any of those. It should work, but please don't sue me if it doesn't.5
So... After reading up on the theoretical stuff earlier, I decided to make a real AI that can identify handguns and decide whether it's a revolver or a semiautomatic with 95 percent accuracy...
Well, basically, I been browsing my local gun store's online store for four hours for training data, killed a Mac mini while first training the system and I think I ended on the domestic terrorism watch list... Was that black sedan always there?
Anyway... It's working fairly accurate, my monkey wrench is a revolver by the way.
Isn't AI development a wonderful excuse for all kinds of shit?
"why do you have 5000 pictures of guns on your computer?" - "AI development"
"why did you wave around a gun in front of your web cam" - "AI development"
"why is there a 50 gram bag in your desk?" - "AI development"
Hmm... yeah well... I think it might work. I could have picked a less weird testing project, but... No.7
I mistyped cap (from Capistrano) so often that I made an alias for it. Now bash history is full of... Crap. Literally.
My boss seen it once.... Luckily, he's already seen so many of my shenanigans that he didn't even care...
So yeah, I made an alias that changed one single character so I don't need to learn how to type.
crap staging deploy2
Some of the penguin's finest insults (Some are by me, some are by others):
Disclaimer: We all make mistakes and I typically don't give people that kind of treatment, but sometimes, when someone is really thick, arrogant or just plain stupid, the aid of the verbal sledgehammer is neccessary.
"Yeah, you do that. And once you fucked it up, you'll go get me a coffee while I fix your shit again."
"Don't add me on Facebook or anything... Because if any of your shitty code is leaked, ever, I want to be able to plausibly deny knowing you instead of doing Seppuku."
"Yep, and that's the point where some dumbass script kiddie will come, see your fuckup and turn your nice little shop into a less nice but probably rather popular porn/phishing/malware source. I'll keep some of it for you if it's good."
"I really love working with professionals. But what the fuck are YOU doing here?"
"I have NO idea what your code intended to do - but that's the first time I saw RCE and SQLi in the same piece of SHIT! Thanks for saving me the hassle."
"If you think XSS is a feature, maybe you should be cleaning our shitter instead of writing our code?"
"Dude, do I look like I have blue hair, overweight and a tumblr account? If you want someone who'd rather lie to your face than insult you, go see HR or the catholics or something."
"The only reason for me NOT to support you getting fired would be if I was getting paid per bug found!"
"Go fdisk yourself!"
"You know, I doubt the one braincell you have can ping localhost and get a response." (That one's inspired by the BOFH).
"I say we move you to the blockchain. I'd volunteer to do the cutting." (A marketing dweeb suggested to move all our (confidential) customer data to the "blockchain").
"Look, I don't say you suck as a developer, but if you were this competent as a gardener, I'd be the first one to give you a hedgetrimmer and some space and just let evolution do its thing."
"Yeah, go fetch me a unicorn while you're chasing pink elephants."
"Can you please get as high as you were when this time estimate come up? I'd love to see you overdose."
"Fuck you all, I'm a creationist from now on. This guy's so dumb, there's literally no explanation how he could evolve. Sorry Darwin."
"You know, just ignore the bloodstain that I'll put on the wall by banging my head against it once you're gone."2
Yay.... Missed the last train because for some reason, the city's public transit thinks it's not in the 21st century and in the third-largest town in an industry state and can just say fuck customers, drop it like it's 1990 at 1:30 o'clock...
Well, time for an all-nighter. Prepare for some nice rants tonight...
Hope my boss considers the hours.11
The Penguin's den 😅
(that is after cleaning up BTW)
Monitors are a full HD TV and a 12 years old 5:4 for legacy stuff.5
Most of my private code is created in the evening hours and after one to two beers, so I got that covered pretty well - though if you want to see what happens if you code literally shitfaced, just go play Mafia 3. That deterred me from trying.
The one thing I did at a party was fix a computer after (I think) 4 beers. Apparently I got it together because the sounds worked after that, but don't ask me how. Besides, it had OSX, I usually avoid that thing like the plague. I guess getting drunk means I can handle even that shit.
1-2 Beers is the max I still can code (or properly think) with. Any more and I can't get a single line out.
Worst thing I tried was coding high. I was on a short trip to Amsterdam and a friend of mine brought on some White Widow...
Yeah, I could focus alright... The code worked and the program was done in two hours (It was an exploit for... well, lets not get into details here).
When I reread the code while not high anymore, it might as well have been binary (it was Python). I could, for the life of me, not figure out what the hell I had been writing there or how/why it worked - but it did its job.
Never again. I mean, WW is my favourite and I hear a lot of artists use it to enhance their "flow" when creating art...
I guess it makes sense to code on that, but I generally try to avoid flow when coding - it makes you produce unreadable and unmaintainable code.1
I'm officially convinced that my computer is cursed by now:
I get a Oculus Touch Bundle. Connect it to the computer, both sensors through USB 2, HMD too. One of them on an extension cord, experimental 360 degree setup (and yes, I'm covering the lenses when not playing).
Works great for a couple weeks, then I start getting 8603 and 8609 errors (USB connection bad or too little bandwidth. Usually happens when you do something else on the same USB controller).
Trying all of the setups that comply with the setup manual, none works...
... Thinking "fuck it, can't get any worse now", I connect both sensors to the USB 3 ports on my board (A big thou shalt not according to the manual).
Works perfectly. No lag, no loss of tracking.
Well, I guess if something applies to 99.9% of all computers in the world, mine is among the 0.1%. I'm a living corner case, 🤣
Guess I'll move to the Netherlands and become a Ganja farmer.2