About: Coder, Pentester, flightless bird, Motorbiker
Skills: Ruby, Rails, JS, Go, C++, Python, plus some old shit from the 90s
Joined devRant on 5/17/2018
So... did I mention I sometimes hate banks?
But I'll start at the beginning.
In the beginning, the big bang created the universe and evolution created humans, penguins, polar bea... oh well, fuck it, a couple million years fast forward...
Your trusted, local flightless bird walks into a bank to open an account. This, on its own, was a mistake, but opening an online bank account as a minor (which I was before I turned 18, because that was how things worked) was not that easy at the time.
So, yours truly of course signs a contract, binding me to follow the BSI Grundschutz (A basic security standard in Germany, it's not a law, but part of some contracts. It contains basic security advice like "don't run unknown software, install antivirus/firewall, use strong passwords", so it's just a basic prototype for a security policy).
The copy provided with my contract states a minimum password length of 8 (somewhat reasonable if you don't limit yourself to alphanumeric, include the entire UTF-8 standard and so on).
The bank's online banking password length is limited to 5 characters. So... fuck the contract, huh?
Calling support, they claimed that it is a "technical necessity" (I never state my job when calling a support line. The more skilled people on the other hand notice it sooner or later, the others - why bother telling them) and that it is "stored encrypted". Why they use a nonstandard way of storing and encrypting it and making it that easy to brute-force it... no idea.
However, after three login attempts, the account is blocked, so a brute force attack turns into a DoS attack.
And since the only way to unblock it is to physically appear in a branch, you just would need to hit a couple thousand accounts in a neighbourhood (not a lot if you use bots and know a thing or two about the syntax of IBAN numbers) and fill up all the branches with lots of potential hostages for your planned heist or terrorist attack. Quite useful.
So, after getting nowhere with support - after they suggested changing my username to something cryptic and insisted that their homegrown 2FA would prevent attacks. Unless someone were to log in (which worked without 2FA, because the 2FA is only used when moving money), report the card missing, request a new one to a different address and log in with that. Which, you know, is quite likely to happen and be blamed on the customer.
So... I went to cancel my account there - seeing as I could not fulfill my contract as a customer. I've signed to use a minimum password length of 8. I can only use a password length of 5.
Contract void. Sometimes, I love dealing with idiots.
And these people are in charge of billions in money, stock and assets. I think I'll move to... idk, Antarctica?
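Since the rant above is really about two things (guessable login names and a lockout that locks the owner out too), here is an added example of my own, not code from the original post or from any bank. It models the "three strikes, then visit a branch" policy next to a per-source throttle, and shows why the first one hands an attacker a denial-of-service primitive. Assumptions that the page does not state: the login name is the account's IBAN (the rant only says usernames are guessable), the bank code and account numbers are constructed, and both backends are toy models.

```ruby
# Added example, not code from the original post. Models the two login policies
# the rant compares: a hard "three strikes, go to a branch" lockout, which turns
# a brute-force attempt into a denial of service against the owner, and a
# per-source throttle with back-off that does not.
# Assumptions (not on the page): login name == IBAN; bank code and account
# numbers below are constructed; both backends are toy models.

# ISO 7064 mod 97-10 check as used by IBAN: move the first four characters to
# the end, map A..Z to 10..35 and require the resulting number to be 1 mod 97.
def valid_iban?(iban)
  s = iban.delete(' ').upcase
  return false unless s.match?(/\A[A-Z]{2}\d{2}[A-Z0-9]{11,30}\z/)
  digits = (s[4..] + s[0, 4]).chars.map { |c| c.match?(/[A-Z]/) ? (c.ord - 55).to_s : c }.join
  digits.to_i % 97 == 1
end

# Derive the check digits of a German IBAN from bank code (BLZ) and account
# number; the "DE00" placeholder becomes "131400" (D=13, E=14). Knowing this is
# what lets an attacker enumerate plausible login names for one branch: keep the
# BLZ, walk the account number.
def de_iban(blz, account)
  bban = format('%08d%010d', blz, account)
  check = 98 - ((bban + '131400').to_i % 97)
  format('DE%02d%s', check, bban)
end

# Policy 1, as described in the rant: three failures lock the account until
# someone shows up at a branch. The correct password no longer helps.
class HardLockout
  def initialize(passwords)
    @pw = passwords
    @fails = Hash.new(0)
  end

  def login(user, pw)
    return :locked if @fails[user] >= 3
    if @pw[user] == pw
      @fails[user] = 0
      :ok
    else
      @fails[user] += 1
      :denied
    end
  end
end

# Policy 2: throttle per (source, account) pair with exponential back-off and
# never lock permanently, so a failure storm from one source cannot deny the
# owner, who comes from elsewhere with the right password.
class Throttled
  def initialize(passwords, clock)
    @pw = passwords
    @clock = clock
    @fails = Hash.new(0)
    @next_allowed = Hash.new(0)
  end

  def login(user, pw, source:)
    key = [source, user]
    return :throttled if @clock.now < @next_allowed[key]
    if @pw[user] == pw
      @fails.delete(key)
      :ok
    else
      @fails[key] += 1
      @next_allowed[key] = @clock.now + 2**@fails[key] # 2, 4, 8 ... seconds
      :denied
    end
  end
end

FakeClock = Struct.new(:now)

# Attacker enumerates five accounts under one constructed bank code, burns
# three guesses on each, then the real owner tries to log in.
def demo
  blz = 12_345_678 # constructed sample, not a real bank code
  victims = (1..5).map { |n| de_iban(blz, 1_000_000 + n) }
  passwords = victims.to_h { |v| [v, 'hunte'] } # 5 characters, as the bank allows
  clock = FakeClock.new(0)
  hard = HardLockout.new(passwords)
  soft = Throttled.new(passwords, clock)
  victims.each do |v|
    3.times do
      hard.login(v, 'xxxxx')
      soft.login(v, 'xxxxx', source: 'attacker')
    end
  end
  owner = victims.first
  {
    all_valid_ibans: victims.all? { |v| valid_iban?(v) },
    hard_lockout: hard.login(owner, 'hunte'),                        # :locked
    throttled: soft.login(owner, 'hunte', source: 'owner'),          # :ok
    attacker_with_pw: soft.login(owner, 'hunte', source: 'attacker') # :throttled
  }
end

p demo if __FILE__ == $PROGRAM_NAME
```

The point of the throttle is that the cost of failures lands on the (source, account) pair that produced them, not on the account alone; a real deployment would add per-source global limits and alert on lockout storms, but even this toy shows that the owner with the right password still gets in while the attacker is stalled.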
I'm currently pentesting a web app on a Mac Mini with 8 Gigs of RAM and an i5-4620 using OWASP ZAP. Third time the fuzzer got stuck, the RAM's full and the CPU's permanently at 100 %.
Before starting this job, I always said that pentesting on this POS is like bringing a knife to a gunfight.
When I kicked off two fuzzers at once, I started feeling like bringing a cocktail sword to a thermonuclear war.
It's not even 10 here and I already wish for some booze. Damn, I gotta start making moonshine or something.
Call me old-fashioned, but... I kinda liked it back in the day, when Microsoft made proprietary software, the Community made free software and everyone's "cui bono" was quite easy to answer - even those corporations involved in FLOSS did have a clear way to finance themselves.
Now, we have Microsoft coming into open source, seemingly making projects better and offering more and more "free" stuff.
"Free" Windows 10.
"Free" SaaS Office.
"Free" "Private" Repos on Github.
In general - what happened to clear and concise "I give you money, you give me stuff" capitalism like we had it in the 2000s?
I'd rather pay 20 bucks for a game on Steam than get it "free" and with ads or microtransactions - yet, many games, especially mobile, don't even offer me that option. It wouldn't be that hard now, would it?
The same goes for software. That Canonical would need to fuck their users over after Ubuntu One went to shit was obvious - they didn't offer the kind of commercial/enterprise OSes that Redhat or SuSE sell.
What people seem to forget is that everyone needs to make a profit somehow. You don't get "free" stuff. Even the volunteers in the Open Source Community get something out of it - an opportunity to pad their CV at least, if nothing else.
Nowadays, software manufacturers have the same legitimacy as the "free" financial "advisors" you find at banks - and who could be dumb enough to trust them? Oh yeah: Almost the entire fucking society is who.
But then again, sell something and no one will want it - because they all want it for free, with annoying, privacy-invading ads or with equally annoying microtransactions, or financing based on commission - so you don't only pay ONCE, you pay until you realize you got fucked over and quit.
Capitalism used to work until all those idiots stepped in. How the fuck don't people realize that there's no free lunch in life? When did we stop being functional people and turn into idiots?
Even worse: Those idiots think that they're entitled to something! They, who volunteered to become merchandise instead of customers, think that they have rights! Do cattle have rights? Nope. They get their "free" hay everyday and I get to buy beef, that's how it works. Moo!
Hell, they are surprised when they get fucked over by bank salespeople or their data stolen by corporations, intelligence agencies or something... What did they expect, goodwill?
Can we please make Adam Smith mandatory reading in school?! I mean, give people a chance to understand capitalism? The nonexistent "goodwill" of traders in general?
1. It's gonna be more and more specialized - to the point where we'll equal or even outdo the medical profession. Even today, you can put 100 techs/devs into a room and not find two doing the same job - that number will rise with the advent of even more new fields, languages and frameworks.
2. As most end users enjoy ignoring all security instructions, software and hardware will be locked down. This will be the disadvantage of developers, makers and hackers equally. The importance of social engineering means the platform development will focus on protecting the users from themselves, locking out legitimate tinkerers in the process.
3. With the EU getting into the backdoor game with eTLS (only 20 years after everyone else realized it's shit), informational security will reach an all-time low as criminals exploit the vulnerabilities that the standard will certainly have.
4. While good old-fashioned police work still applies to the internet, people will accept more and more mass surveillance as the voices of reason will be silenced. Devs will probably hear more and more about implementing these or joining the resistance.
5. We'll see major leaks, both as a consequence of mass-surveillance (done incompetently and thus, insecurely) and as activist retaliation.
6. As the political correctness morons continue invading our communities and projects, productivity will drop. A small group of more assertive devs will form - not pretty or presentable, but they - we - get shit done for the rest.
7. With IT becoming more and more public, pseudo-knowledge, FUD and sales bullshit will take over and, much like we're already seeing in the financial sector, drown out any attempt at useful education. There will be a new silver bullet, it will be useless. Like the rest. Stick to brass (as in IDS/IPS, Firewall, AV, Education), less expensive and more effective.
8. With the internet becoming a part of the real life without most people realizing it and/or acting accordingly, security issues will have more financial damages and potentially lethal consequences. We've already seen insulin pumps being hacked remotely and pacemakers' firmware being replaced without proper authentication. This will reach other areas.
9. After marijuana is legalized, dev productivity will either plummet or skyrocket. Or be entirely unaffected. Who cares, I'll roll the next one.
10. There will be new JS frameworks. The world will turn, it will rain.
Geez... Got woken up by a catastrophe alert.
Check phone, could be someone shooting up the neighborhood or something else to excuse myself from a social event.
Someone thought that 40 km/h wind and 20 cm of snow are a catastrophe.
Fuck this country.
1. Extend my infosec knowledge further and try getting more work in that area (and less as a dev).
2. Specialize more, dabble less.
3. Learn more !dev skills (military/political history mostly)
On the first day of Christmas, the bossman gave to me: The fact that my new computer purchase order needs to be OKed by the CEO and I need to continue working on a 2014 Mac Mini (i5-4260U, 8 GB RAM, GPU shot by an ESD on the case long ago) for the next year.
On the second day of Christmas, my family gave to me... a good reason to get shitfaced
On the third day of Christmas, getting shitfaced gave to me: A hangover and some urgent plastic welding job that had to be done with a soldering iron. FML, I've had a headache before breathing in pure hydro-cyano-whatthefuckyougetwhenyoumeltplastics
On the fourth day of Christmas, my team gave to me: A legacy, age-old Rails 2 project that was written by an intern and never reviewed, went to prod in 2014 and can't be changed anymore, but needs to be changed, given that it has zero test coverage and needs 100 % now to prevent issues and costly manual testing.
On the fifth day of Christmas, devRant gave to me: The idea of making fun of Christmas songs to get over the sheer amount of dicks that working over the twelve days of Christmas sucks.
To be continued...
My smart watch just reminded me to get my lazy ass out of my chair and move some.
I picked up my coffee cup, drank a sip.
That satisfied it.
Laziness: 1 - Technology: 0
If there's something wrong in the server room
Who you gonna blame? (the intern)
If the hard drive's grilled
And it don't look good
Who you gonna blame? (the intern)
If you're seeing keys in your GitHub HEAD
Who you gonna blame? (the intern)
Your PC's on fire
and the website's dead
Who you gonna blame? (the intern)
Disclaimer: My internship was a pretty cool time actually... :)
My lessons both come from my current side project (I will share it with you in a week or two, the website isn't finished yet):
1. Every project comes to the point where it hurts to continue. Keep pushing, the result is worth it.
2. You aren't as good as you thought you were when you started, but you'll be better than you ever were when you finish.
3. Sometimes, there's more points to a list than you'd expect.
4. One hour per day is easier than five hours a week.
Well. I started out my project knowing some C#, but Jack shit about unity. I know most of what I might build will end up being shit I'm gonna regret, refactor and recycle later. But I don't give a fuck. Doing it is better than planning it.
It sometimes hurts to get rid of a carefully planned algorithm that took hours to build because it fails in practice. But it's the right thing to do.
Never plan too much. If I'd have planned this project out, I wouldn't even have started with what I'm good at: write code, break shit and experiment.
It's easier to progress slowly but steady. Look at some awesome games that have been worked on for ages while the public had their say (RimWorld, Project Zomboid, Dwarf Fortress...) as opposed to those that are developed behind closed doors and rushed to the market before Christmas or some other major event (Mafia 3, Fallout 76, Fallout 4 VR...). Progress slowly, deploy early, push often. And the one hour per day approach is a good way to do this.
You'll be surprised, but it's Microsoft for me.
When I started out, Windows (95, yes, I'm old, thanks for noticing) was the shit for me and I was quite a fanboy of it.
However, when a friend of mine introduced me to Linux, I quickly changed my mind because so many small things were way better. Then, when Vista came out, I switched completely.
That, on its own, was an adventure, but that's another rant for another time(Me and my pal were the only Linux users in the town we lived in, so without online shopping, perusing the local hardware vendors was like meeting a Neolithic tribe. It's definitely rantworthy on its own, if only for nostalgia).
The more I learned about Free Software and what Corporations could do with their power, the more I came to despise the companies I used to advocate for.
Now, it's 2018 and people bitch about what Facebook, Microsoft and their equally evil buddies do. Yet in 2013, when PRISM hit the fan, they once again ran into their arms instead of fixing the problem properly. That's about when I lost the last bit of respect for people.
And now I'm sitting here playing the world's tiniest open source violin, singing "Won't Get Fooled Again" by The Who.
So... I had some money left over and added a 3d printer to my terrorist workshop (some of you might remember the picture I posted a while ago. A friend of mine gave it the name after the police stormed a hackerspace in Nuremberg and I wondered when they would kick down my door. )...
That's how far I got in two hours (from cutting open the package), and I don't really fancy myself dexterous... Not anymore at least.
I suppose this will be a weeklong project 😂.
So... Some fake accounts on Twitter claimed to be Elon Musk and to give shitloads of Bitcoin to those who sent a little amount first. They stole... Wait for it... 180 grand.
That's basically your everyday 419 scam. Existing since before the internet, done with the names of Gates, Buffet, Bush, Obama...
They say "the big bad evil criminals and the poor little innocent victims" I say natural selection. Sorry, in those lion vs gazelle scenarios I always thought that it was fair, no matter how it went.
Just when did humanity get so brainless? Have we always been, is the internet just a catalyst for stupidity?
Just why the fuck must I be an infosec sheepdog instead of a wolf? Man, I could live the life, drink beer and smoke herb while working... Get up at 12, don't give a shit, no boss, no taxes, no social security payments that I don't see jack shit from, and the pay would be better too.
I made a bit of a tradition of building a list of hardware that's superior to whatever Crapple is releasing whenever Crapple releases something - and for the first time, I decided to make it public instead of just sharing it with some coworkers.
Making it public however took some time (luckily, yesterday was a holiday here, so I got it done now) - at least, making it looking "not like shit" took some time.
So enjoy my (very basic) bootstrap templated, yet possibly useful list of builds superior to the Crapple Rag Mini (which is a completely fictional entity not resembling any existing company in the world. Promise. Totally. Penguin's swear.)
The list can be found here - expect to see an update anytime Crapple pushes new shit to the market:
(possibly not safe for work, children, Catholics and SJWs). Yeah, no SSL cert, currently. Hell, it's a private server, it doesn't process any of your info and it doesn't offer downloads... I might add one in the future.
I hope you can forgive my shameless self-promotion, it's not a commercial site, there are no ads/shitcoin miners on it and i don't get a share/cut/whatever - just a small humorous joke project. For now.
BTW: I didn't attempt to build any of those. It should work, but please don't sue me if it doesn't.
So... After reading up on the theoretical stuff earlier, I decided to make a real AI that can identify handguns and decide whether it's a revolver or a semiautomatic with 95 percent accuracy...
Well, basically, I've been browsing my local gun store's online store for four hours for training data, killed a Mac mini while first training the system and I think I ended up on the domestic terrorism watch list... Was that black sedan always there?
Anyway... It's working fairly accurately, my monkey wrench is a revolver by the way.
Isn't AI development a wonderful excuse for all kinds of shit?
"why do you have 5000 pictures of guns on your computer?" - "AI development"
"why did you wave around a gun in front of your web cam" - "AI development"
"why is there a 50 gram bag in your desk?" - "AI development"
Hmm... yeah well... I think it might work. I could have picked a less weird testing project, but... No.
I mistyped cap (from Capistrano) so often that I made an alias for it. Now bash history is full of... Crap. Literally.
My boss saw it once.... Luckily, he's already seen so many of my shenanigans that he didn't even care...
So yeah, I made an alias that changed one single character so I don't need to learn how to type.
crap staging deploy
Some of the penguin's finest insults (Some are by me, some are by others):
Disclaimer: We all make mistakes and I typically don't give people that kind of treatment, but sometimes, when someone is really thick, arrogant or just plain stupid, the aid of the verbal sledgehammer is necessary.
"Yeah, you do that. And once you fucked it up, you'll go get me a coffee while I fix your shit again."
"Don't add me on Facebook or anything... Because if any of your shitty code is leaked, ever, I want to be able to plausibly deny knowing you instead of doing Seppuku."
"Yep, and that's the point where some dumbass script kiddie will come, see your fuckup and turn your nice little shop into a less nice but probably rather popular porn/phishing/malware source. I'll keep some of it for you if it's good."
"I really love working with professionals. But what the fuck are YOU doing here?"
"I have NO idea what your code intended to do - but that's the first time I saw RCE and SQLi in the same piece of SHIT! Thanks for saving me the hassle."
"If you think XSS is a feature, maybe you should be cleaning our shitter instead of writing our code?"
"Dude, do I look like I have blue hair, am overweight and have a Tumblr account? If you want someone who'd rather lie to your face than insult you, go see HR or the Catholics or something."
"The only reason for me NOT to support you getting fired would be if I was getting paid per bug found!"
"Go fdisk yourself!"
"You know, I doubt the one braincell you have can ping localhost and get a response." (That one's inspired by the BOFH).
"I say we move you to the blockchain. I'd volunteer to do the cutting." (A marketing dweeb suggested to move all our (confidential) customer data to the "blockchain").
"Look, I don't say you suck as a developer, but if you were this competent as a gardener, I'd be the first one to give you a hedgetrimmer and some space and just let evolution do its thing."
"Yeah, go fetch me a unicorn while you're chasing pink elephants."
"Can you please get as high as you were when this time estimate came up? I'd love to see you overdose."
"Fuck you all, I'm a creationist from now on. This guy's so dumb, there's literally no explanation how he could evolve. Sorry Darwin."
"You know, just ignore the bloodstain that I'll put on the wall by banging my head against it once you're gone."
Yay.... Missed the last train because, for some reason, the city's public transit thinks it's not in the 21st century and not in the third-largest town of an industrial state, and can just say fuck customers and drop it like it's 1990 at 1:30 o'clock...
Well, time for an all-nighter. Prepare for some nice rants tonight...
Hope my boss considers the hours.
The Penguin's den 😅
(that is after cleaning up BTW)
Monitors are a full HD TV and a 12-year-old 5:4 for legacy stuff.
Most of my private code is created in the evening hours and after one to two beers, so I got that covered pretty well - though if you want to see what happens if you code literally shitfaced, just go play Mafia 3. That deterred me from trying.
The one thing I did at a party was fix a computer after (I think) 4 beers. Apparently I got it together because the sounds worked after that, but don't ask me how. Besides, it had OSX, I usually avoid that thing like the plague. I guess getting drunk means I can handle even that shit.
1-2 Beers is the max I still can code (or properly think) with. Any more and I can't get a single line out.
Worst thing I tried was coding high. I was on a short trip to Amsterdam and a friend of mine brought on some White Widow...
Yeah, I could focus alright... The code worked and the program was done in two hours (It was an exploit for... well, let's not get into details here).
When I reread the code while not high anymore, it might as well have been binary (it was Python). I could, for the life of me, not figure out what the hell I had been writing there or how/why it worked - but it did its job.
Never again. I mean, WW is my favourite and I hear a lot of artists use it to enhance their "flow" when creating art...
I guess it makes sense to code on that, but I generally try to avoid flow when coding - it makes you produce unreadable and unmaintainable code.
I'm officially convinced that my computer is cursed by now:
I get an Oculus Touch Bundle. Connect it to the computer, both sensors through USB 2, HMD too. One of them on an extension cord, experimental 360 degree setup (and yes, I'm covering the lenses when not playing).
Works great for a couple weeks, then I start getting 8603 and 8609 errors (USB connection bad or too little bandwidth. Usually happens when you do something else on the same USB controller).
Trying all of the setups that comply with the setup manual, none works...
... Thinking "fuck it, can't get any worse now", I connect both sensors to the USB 3 ports on my board (A big thou shalt not according to the manual).
Works perfectly. No lag, no loss of tracking.
Well, I guess if something applies to 99.9% of all computers in the world, mine is among the 0.1%. I'm a living corner case, 🤣
Guess I'll move to the Netherlands and become a Ganja farmer.
!rant / Joke
RoR dev (Me): Damn, I gotta learn more about that routing DSL... Shit's powerful.
Networker: That sentence made zero sense... Did you just use technobabble? Go to marketing you dweeb.
Well, Matz really trolled the networkers there...
DSL(Ruby) = Domain Specific Language.
Routing (Rails) = Defining URL Patterns and assigning them to controllers.
Networks(As far as I understand, I only know the absolute basics there):
DSL = Digital Subscriber Line
Routing = The act of passing a packet through another network
"Oh, you can't help that," said the Cat: "WE'RE ALL MAD HERE. I'm mad. You're mad."
And the weird penguin building a Rails app is mad too I guess.
I hate Mondays...
So, yours truly, the multilingual flightless bird, leaves his apartment... Locks door... Fucking key gets stuck in lock (had an attempted home invasion last year, left a few things bent).
The last thing I can use today, important project to work on with a deadline close enough to worry about.
I would say that's a classic Error 500 on login kinda situation.
The irony? I fancy myself a pretty good lock picker(A must have for an aspiring pentester) .
Luckily, a quick squirt of gun oil resolved that one... Seriously, how do people manage without a supply of tools and stuff?
Shout out to the storm that left me with a spotty internet connection since the weekend... Fuck this...
Also shout out to my ISP who can still get this fixed within the week despite the weather conditions in this whole country...
And now, even public transit is down and I can't ride to work with my damn bike because of the fucking weather... Some construction job that fucked things up... Well, shout out to that guy too for smoking crack or whatever on the job. 😠
Fuck, if this day gets any worse I will probably end up in the hospital, jail or the morgue.
My first job was actually nontechnical - I was 18 years old and sold premium office furniture for a small store in Munich.
I did code in my free time though (PHP/JS mostly, had a little browser game back then - those were the days), so when my boss approached me and asked me whether I'd like to take over a coding project, I agreed to the idea.
Little did I know at the time: I was supposed to work with a web agency the boss had contracted to build their online shop. Only that he had no plan or anything, he basically told them "build me an online shop like abc(a major competitor of ours at the time)"
He employed another sales lady who was supposed to manage the shop (that didn't exist yet). In the end, I think 80% of her job was to keep me from killing my boss.
As you can imagine, with this huuuuge amount of planning and these exact visions of what was supposed to be, things went south fast and far. So far that I could visit my fellow flightless birds down in the Penguin's Republic of Antarctica and still need to go further.
Well... When my boss started suing the web agency, I was... ahem, asked to take over. Dumb as I was, I did - I was a PHP kid and thought that Magento, being written in PHP, would be easy to master. If you know Magento, you know that was maybe the wrongest thing I ever said.
Fast forward 3 very exhausting months, the thing was online. Not all of it worked yet, but it was online and fairly secure.
I did next to everything myself, administrating the CentOS box the shop was running on, its (own) e-mail server, the web server, all the coding required for the shop (can you spell 12 hour day for 8 hour pay?)
3 further months later, my life basically was a wreck, I dragged myself to work, the only thing I looked forward being the motorcycle ride home. The system worked though.
Mind you, I was still, at the time, working with three major customers, doing deskside support and some admin (Win Server 2008R2 at the time) - because, to quote my boss, "We could not afford a full time developer and we don't need one".
I think I stopped coding in my free time, the one hobby I used to love more than anything in the world, somewhere Decemberish 2012. I dropped out of the open source projects I was in, quit working on my browser game and let everything slide.
I didn't even care to renew the domains and servers for it, I just let it die without notice.
The little free time I had, I spent playing video games and getting drunk/high.
December 2013, 1.5 years on the job, I reached my breaking point and just left, called in sick at least a week per month because I just could not see this fucking place anymore.
I looked for another job outside of ALL of what I did before. No more Magento, no more sales, no more PHP. I didn't have to look for long, despite what I thought of my skills.
In February 2014, I told my boss that I quit. It was still seven months until my new job started, but I wanted him to know early so we could migrate and find a replacement.
The search for said replacement started in June 2014. I had considerably less work in the months before, looks like he got the hint.
In August 2014, my replacement arrived and I got him started.
I found a job, which I am still in, and still happy about after almost half a decade, at a local, medium sized ISP as a software dev and IT security guy. Got a proper training with a certificate and everything now.
My replacement lasted two months, he was external and never really did his job - the site, which until I had quit, had a total of 3 days downtime for 3 YEARS (they were the hoster's fault, not mine), was down for an entire month and he could not even tell why.
HIS followup was kicked after taking two weeks to familiarize himself with the project. Well, I think that two weeks is not even barely enough to familiarize yourself with nearly three years of work, but my boss gave him two days.
In 2016, the shop was replaced with another one. Different shop system, different OS, different CI. I don't know why and I can't say I give a damn.
Almost all the people that worked at the company back with me have left for greener pastures, taking their customers (and revenue) with them.
As for my boss' comments, instructions and lines: THAT might not be safe for work. Or kids. Or humans in general. And there wouldn't be much left if you put it through a language filter...
Moral of the story: No, it's not a bad thing to leave a place if you're mistreated there. Don't mistake loyalty with stupidity!
And, to quote one of my favourite bands: "Nothing matters when the pain is all but gone" (Tragedy + Time by Rise Against).