Aboutdev, physicist, rantee
Joined devRant on 6/12/2016
Do all the things like ++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatarSign Up
One of biggest epiphanies came through this fundamental critique in SICP of the assignment operator. Through years of imperative programming it seems so innocent, doesn't it? But that you lose referential transparency, run into the alias problem and fundamental difficulty to determine object equality (or of their instances) - that was kind of eye opening considering all the pain I had already experienced with state in concurrency.
(It led me so far to think it's an ontological issue, that even in the discrete computing universe we have not come so much further than Zenon's paradoxa on change.)7
The "AH"-moment when as a boy discovered that with this instructions in QBasic I could literally let the thing do *anything*.
The "HA"-moment only little afterwards that I'll probably never have a clue what a worthwhile thing to make it do would be.
Hackerman strikes back. Always thought the new knowledge about stego tools, reversing, enumeration, privesc were just my private amusement. But could now use it, hopefully resolving a severe crash by dropping our binary into radare2 (cutter) and ghidra, identifying some dangerous code.
Also it gives you new angles to look at things. E.g. the vectors your code might expose...4
The worst of Agile and Sc(r)um: All those people knowing the right way(™) to do it. Endless discussion about useless tooling: the proper use of the custom workflow in Jira, on when and how to create sub tickets. The hour-less meta-discussions on what should be discussed where and when (what's subject of the backlog refinement, retro, etc), the roles: the PO's, what he should do, cannot, the PM's. Who is allowed to pull a ticket to the sprint or not. How many reviewers need to acknowledge a pull request. To and fro. Pointless, but fought with heart and blood, full of sound and fury, signifying nothing.
And everywhere I hear: "In my previous company, we did Scrum like.. and it worked perfectly!"
Some of you might remember my rants on Mr. Gitmaster, with whom I thought I'd made my peace. Guess what? He's now a team member and turning into Mr. Agile - a more severe reincarnation! As our company starts flogging that dead horse of Agility, he seems to feel strong tailwind. Our team lead would constantly cut his monologues, but he's now on holiday, so we have no escape from the never ending: "In my previous company..."
If it was so great, why didn't you stay?
We are not allowed to pull a ticket to the sprint unless every team member is notified? I don't fucking care. If our software fails on customer's machines and I can fix it, I will do if there is a ticket, if it's in the sprint or not. Screw Scrum, if it is getting in the way of it. You can waste your hours discussing horseshit, I want to sit at my desk, deep in the test-compile loop and ship some fucking code.3
Because he gave us Psychobitch (https://youtube.com/watch/...)
His British humor,... just watch some talks..1
Agile my ass.
What has become of: "Individuals and interactions over processes and tools"?
A fuckton of rules and processes to do it the 'right' way: tickets, estimations, hours of sprint planning. Yeah, we're so professional we no longer have time to write code.
Note: manifest was mainly full of fluffy business buzzword bullshit (effective sustainable excellence), but one thing resonated:
>Simplicity--the art of maximizing the amount of work not done--is essential.
(I cherish every line of code deleted or unwritten, so it needn't be maintained)6
git commit -m "The test core dumps, I go home" && git push
(OpenSSL is like running a marathon: It's just some month away and you already forgot how much fucking pain it was. Nah, can't have been that bad. Shit, it is.)
Crypto. I've seen some horrible RC4 thrown around and heard of 3DES also being used, but luckily didn't lay my eyes upon it.
Now to my current crypto adventure.
Rule no.1: Never roll your own crypto.
So let's encrypt a file for upload. OK, there doesn't seem to be a clear standard, but ya'know combine asymmetric cipher to crypt the key with a symmetric. Should be easy. Take RSA and whatnot from some libraries. But let's obfuscate it a bit so nobody can reuse it. - Until today I thought the crypto was alright, but then there was something off. On two layers there were added hashes, timestamps or length fields, which enlarges the data to encrypt. Now it doesn't add up any more: Through padding and hash verification RSA from OpenSSL throws an error, because the data is too long (about 240 bytes possible, but 264 pumped in). Probably the lib used just didn't notify, silently truncating stuff or resorting to other means. Still investigation needed. - but apart from that: why the fuck add own hash verification, with weak non-cryptographic hashes(!) if the chosen RSA variant already has that with SHA-256. Why this sick generation of key material with some md5 artistic stunts - is there no cryptographically safe random source on Windows? Why directly pump some structs (with no padding and magic numbers) into the file? Just so it's a bit more fucked up?
Thanks, that worked.3
From a little bit heated discussion I want to extract this: One big pain in the ass is the human to computer interface. Maybe it's the natural vs. formal language divide, but there's a mismatch deeper than between object and relational models that no ORM can failingly fix.
The whole point of the discussion was on such a point where some wanted an interface more human friendly and I stubbornly insisted on the way it is simple for the computer system. Like not too much human messiness should invade machine. One argument sounded as if human words were like unicode code points which meaning doesn't depend on its representation.
That's raising red flags to me: Nonono, natural language is too messy, keep it out. This poor machine could have been so clean and well designed and we already stacked up so much entropy we still dare to call OS,..
Dunno, what's your stance? Still hoping that your shell one day will be able to process our poor standard English? Or do you think, like me, all those failed attempts show there's a gap you should not even touch?6
I should run a daily cron job for my Mac rants. Today it was just this: I connected to some other iMac over network discovery, but from within in the GUI it is impossible for me to get the IP or any information of that machine. All information it displays you see below. Thanks very helpful. (Only lastly I found the information by pinging administrators-iMac.local)3
macOS fuckup continued. Today I used a camelcase name for some new file and a directory. Later I didn't like it and wanted to change to lowercase. Pushed it to bitbucket: now I had both versions! Hold my goji berries, what's going on? Maybe some git config screw up? After a bit of fiddling I remembered an old Linus' rant on Apple's file system when they wanted to adopt case insensitivity. So wait, did they actually do that shit? I thought I was on a unixoid, bastardized BSDish system, that apart from all the oddities that Apple bestowed on it, that there was still some sanity left... But, no there isn't. AFP really defaults to case insensitivity.
I have no words.
So switched to my Debian, where I resolved the duplication in two secs. Now Linux feels even much more comfy and home.33
What a delight to have to work on macOS. Not.
Took me two days to notarize our app bundle. The ultimate issue was a dead symlink inside the bundle which would make the codesign verify (with strict option!) fail, while verification of signing operation itself passed.
Notarization would just give generic error: not properly signes.
So to give you a feel for what evil, clusterfuck code it was in: this projects largest part was coded by a maniac, witty physicist confined in the factory for a month, intended as a 'provisional' solution of course it ran for years. The style was like C with a bit of classes.. and a big chunk of shared memory as a global mud of storage, communication and catastrophe. Optimistic or no locking of the memory between process barriers, arrays with self implemented boundary checks that would give you the zeroth element on failure and write an error log of which there were often dozens in the log. But if that sounds terrifying already, it is only baseline uneasyness which was largely surpassed by the shear mass of code, special units, undocumented madness. And I had like three month to write a simulator of the physical factory and sensors to feed that behemoth with the 'right' inputs. Still I don't know how I stood it through, but I resigned little time afterwards.
Well, lastly to the bug: there was some central map in that shared memory that hold like view of the central customer data. And somehow - maybe not that surprisingly giving the surrounding codebase - it sometimes got corrupted. Once in a month or two times a day. Tried to put in logging, more checks - but never really could pinpoint the problem... Till today I still get the haunting feeling of a luring memory corruption beneath my feet, if I get closer to the metal core of pure C.1
Fuck me! Fuck VSCode!
Wasted nearly a whole day of entire team by breaking a core functionalty.
Don't know if others also hate it so much when you want to add a bracket and VSCode detecting a closing bracket or whatever nullifies your attempt leaving the number of brackets constant.
Not exactly sure today's defect was caused by this, but I strongly suspect it because it was caused by just a misplaced bracket.5
(mostly !dev) Fuck humans! Really: what a scum bag race. All that shit talk about human dignity, the highest values are just sugar coating the low base motives we mostly live by. Like people have such fine antennas for your income, social status, the power or lack thereof you exert over other. They know it before you open your mouth, that they can pick on you, harass you, because you're the one on the receiving end, the one that bows away. The bullies feel that. On an overcrowded chicken yard you'll find more dignity than in human society.
Everybody drooling over that polished photoshop life on facetubeinsta: materialistic, consumeristic, masturbatic wastage. At least we now say it openly: that if we were the winners, we'd also take it all, live that empty luxury, life of fame. But 99,99% of us, we aren't in that position, just working off our arse to only keep afloat. And for the stars, those fake images, we're just rats to click on ads to better train Google.
No wonder that software, as a picture of human communication is such a shitfest of arbitrary, entropic conventions and endemic epidemic of quirks, bugs and evil trap doors. As a whole: an insults to reason, a challenge to sanity. (...Conway's law)
And I'm still a bit pissed at our profession, that, you know, as engineers, scientists, physicists, we still see us in the lineage of that "great" age of enlightenment and reason,.. while it's all just a cover up. Sure science and their ideas are nice as long as you serve a purpose or make some money. Sure democracy and free speech are great achievements, but in the end some elites and monopolies rule the world at their gusto - and will not stop destroying the world unless we're already one feet in the abyss (like 1962, be we ain't had enough of that shit, hadn't we?)9
Upgraded our internal samba fileshare. Was getting too old. So updating the apt sources list and push the dist-upgrade: what could possibly go wrong?
Somehow the locale went astray, updating the manpages gave too many errors and now finally everything's fucked up, because it somehow deleted the sudo binary and root is locked or we don't have password.
But samba was updated and it's still serving our files.7
My wife: Oh, hacking is so cool. Can you show me?
Me: Sure. So there I needed to upload the php file, while my netcat was sitting here in the terminal waiting for incoming...
My wife: Boring, BORING.
(At least my 5yr son appreciates the terminal more than she: typing 'sl' or watching star wars in ASCII art.)7
"Linux is more secure." Put on your tin-foil hats. As you can:
>Root over 50% of linux servers you encounter in the wild with two easy scripts,
Linux_Exploit_Suggester , and unix-privesc-check .
(sauce: Phineas Phisher - http://pastebin.com/raw/cRYvK4jb)17
Watched some documentary about Russian hackers. Journalist: I need to learn their language. - starts programming/hacking course, sees a shell and a python: runs away. 'That ain't for me.'
At least he tried tho.
Later he finds some Ukrainian hackers. One had a strangely familiar logo on his laptop. Rewind a bit: its hackthebox.
Just had my first blood there. So.. I'm a hacker, too? Good enough for Arte doc's?6
So I thought I had a basic, high level understanding of C++ STL strings, pointers, copy constructors and stuff. In comes a dirname, a -D_GLIBCXX_USE_CXX11_ABI=0 and... Toto, I've a feeling we're not in Kansas anymore.
So what is happening? I copy a string expecting a deep copy, but then I do the dirname or manipulation on the copy and it messes up *both* strings. gcc/C++ I know you're a beast, but what's going on there? Thing is only possible if I cast away const from c_str - which of course is a doubtful operation - but there also seems to be some strange copy on write logic that the data pointers initially point to same memory location and only with first manipulation on the copy they start to point to different addresses.
I had no clue. And still don't have.4
1. When we struggled for month with using OpenSSL, fixing our server, then bit of Sqlite3 fuck ups. Was it even right to use those libs, not write shit ourselves, if it is such a hassle to use them, or is it only us being too stupid to read the docs? Project seemed 'finished' for over a year. Really wore us out to get it out there.
2 Our board constantly announcing the success and striving of our pentester department. Makes me feel I am at the wrong place. No dynamics, growth, just too much stupid work to plow through.
3 Starting a bit with CTF's. Realizing I am hardly at the entrance of the rabbit hole. (And also is it even the right thing going down there? My Luddite tendencies also shining through...) Not mastering all this tools.
Let's face it: I am and will always be a tinkerer. Yes, I know my ways around, I can sneak into legacy code bases easily and throw new stuff in there, I've seen software stacks. But scarcely sound design, really modular. Even from the cleverer, experienced ones. They can master more complexity, so they can handle more spaghetti. Some essay from the 80's had this grand idea to organically 'grow' software. That's how it looks like most of the times: cancerous, parasitic super fungi (armillaria). Yeah, we all know have to fight bit-rot and entropy, but it was all lost before already. We'll never get rid of legacy protocols, legacy code.
And even when we go green field, start a fresh. Yeah, take a great design, make everything new, after some months of throwing features and outer constraints at the thing, it's the same old mud again.
But we can still dream on: some day I will design great APIs, I will have great test coverage, documentation, UML design, autometed tests, fuzzing, memchecking, I'll work professionally, clean coder style.
Pfft forget it. Maybe change for consulting, because we'll continue to dream of the 'clean' code, so you can sell the next 'recipe', development method. It's like diets. As effective. For the one selling.2
Why avoid? Maybe it's part of the experience. Lets you appreciate a good company even more.
(That said my first employer was a bit.. twisted. Small, workaholic family, hands on. Lots of pressure. Probably drove some into depression or burn out. Learnt a ton though, and maybe made me a bit more thick-skinned)