As a long-time iPhone user, I am really sorry to say it but I think Apple has completed their transition to being a company that is incompetent when it comes to software development and software development processes.

I’ve grown tired of hearing some developers tell me about Apple’s scale and how software development is hard and how bugs should be expected. All of those are true, but like most rules of law, incompetence and gross negligence trumps all of that.

I’m writing this because of the telugu “bug”/massive, massive security issue in iOS 11.2.5. I personally think it’s one of the worst security issues in the history of modern devices/software in terms of its ease of exploitation, vast reach, and devastating impact if used strategically. But, as a software developer, I would have been able to see past all of that, but Apple has shown their true incompetence on this issue and this isn’t about a bug.

It’s about a company that has a catastrophic bug in their desktop and mobile platforms and haven’t been able to, or cared to, patch it in the 3 or so days it’s been known about. It’s about a company, who as of a view days ago, hasn’t followed the basic software development process of removing an update (11.2.5) that was found to be flawed and broken. Bugs happen, but that kind of incompetence is cultural and isn’t a mistake and it certainly isn’t something that people should try to justify.

This has also shown Apple’s gross incompetence in terms of software QA. This isn’t the first time a non-standard character has crashed iOS. Why would a competent software company implement a step in their QA, after the previous incident(s), to specifically test for issues like this? While Android has its issues too and I know some here don’t like Google, no one can deny that Google at least has a solid and far superior QA process compared to Apple.

Why am I writing this? Because I’m fed up. Apple has completely lost its way. devRant was inaccessible to iOS users a couple of times because of this bug and I know many, many other apps and websites that feature user-generated content experienced the same thing. It’s catastrophic. Many times we get sidetracked and really into security issues, like meltdown/spectre that are exponentially harder to take advantage of than this one. This issue can be exploited by a 3 year old. I bet no one can produce a case where a security issue was this exploitable yet this ignored on a whole.

Alas, here we are, days later, and the incompetent leadership at Apple has still not patched one of the worst security bugs the world has ever seen.

Me wanting to board Plane,
Goes through security Check...
"Sorry sir Laptops are not allowed."
Me
"Why?"
Security
"It could be a modified bomb"
Me
"But this is a Tablet!"
Security
"No sir, it has a Keyboard and Trackpad attached to it, its also running Windows..."
Me
"Excuse me, but this is clearly a Tablet"
*Detatches Keyboard from Surface Book*
"See? Tablet."
Security,
"Sorry sir, but no. You cant board the plane with this, only Tablets and Smartphones"
Me
"WTF? you dont allow Laptops because they could be bombs but A FUCKING SMARTPHONE IS ALLOWED? AND TABLETS TOO?!"
Security
"Yes, because the Battery is not removable..."
Me
"But my Laptop Battery is also not Removable..."
Security
"I dont have anymore Time for an Argument"
Me
"So I can board the Plane?"
Security
"No, the Ticket will be refunded"

WHO THE FUCK CAME UP WITH THIS BULLSHIT? LIKE RLY? WHO!!
I MEAN WHAT THE FUCK IS ALLOWED?!

Definitely my security teacher. He actually expected us to actively learn the stuff and put effort into our education. He guided us through malware analysis and reverse engineering, simplifying it without insulting us.

We had students who thought they knew everything and he corrected them. We had arrogant students he put in place.

He treated us like adults and expected us to act like adults.

That's the only class I enjoyed studying for, because he would tell us exactly what wasn't on the exams (it was an intro course, didn't need to know the math). There were no trick questions.

I told him about the shitty teacher and he helped me through that confidence block. He helped me realize I *can* make it through the workforce as a female in security because I will work my ass off to be the best I can be. He reminded me why I love computers and why I want to go into forensics.

He's been a great mentor and role model and hiring him is one of the few things my department did right.

At the airport.

Security: Please put all your electronics in the bin, including your watch.

Me: No problem

<goes through scanner>

Me: there was an Apple Watch in here and now it is gone.

Security: Oh, you lost your Apple Watch?

Me: No! I put my Apple Watch in the bin like you instructed and YOU lost my Apple Watch.

Security: It must be in the spinners.

Me: So my $500 Watch is in the spinners being run over by bins?

Security: you have to put the small things on the bottom.

Me: It was on the bottom and I did as you asked, this is entirely on you. Do not try to shift the blame to me again please.

Security: As I said...

Me: As I said, Do not try to shift the blame to me again. This is entirely your responsibility once you separate me from my electronics so you can perform security theatre. Have a nice day.

—————

Fuck this god damn security theatre. Fuck the dumbasses they hire. Fuck your country. Fuck your god damn feeling of insecurity. Fuck Your ineffective security theatre.

Sick my fucking dick until you choke and gag you worthless pieces of shit. Homeless people the street provide more security than you incompetent, under-educated assholes. Fuck you

And yes, I have 2 fucking laptops. I have a real fucking job where I provide actual value and for that I need a work laptop. I don’t come to work in a stupid looking outfit with a chip on my shoulder looking to inconvenience people. I come to work to provide real value to someone.

Fuck you and your worthless bullshit

I love starting my day by finding things like this in a production environment...

Another story on the spirit of wk93. TL;DR I DOS'd the whole campus network for some beers.

In highschool teachers had this blackboard system (a sort of moodle) and we used to have really lazy teachers who only read the PowerPoint presentations and made us take notes. One day I was fed up with their bullshit and figured these lazy ass professors wouldn't "teach" crap as soon as there was no internet connection...so the race was on...

10 minutes before the bell rang a friend and I managed to break in into a computer lab, I booted up Kali and searched for the access points, 3 routers through the building all with CISCO OS.

I figured they had all the default configs, time was running out so I decided to Smurf the three access points with the lab's IP range, scheduled an automatic shutdown in 2 hours and blocked the PC. The bell rang and as predicted, no internet, no class, my friends and I used that free time to go to a bar (on a Monday afternoon).

Funny side note, since the 3 routers were down the whole network collapsed, no cameras, no access control, no faculty network or any network. We kept doing it and every time we did campus security would be desperately searching for someone with a black hoodie.

Tldr :
Office Building : 1
Population: 5000
Number of PC users: 5000
No of Spare mice: 0

Day 1:
Training period commences.
My mouse laser sensor doesn't work.

Solution: Use this mouse to log in to your system.
Open the company portal.
Connect to vpn.
Enter username password.
Create a ticket for mouse replacement.
Done.

Day 3
I bring my own mouse.
Confiscated at security.
Becomes a security violation.

Day 9
I get a call from helpdesk.
Agent- what is the problem?
Me- my mouse is not working.
Agent- why?
Me- what do you mean? Something is wrong with the sensor.
Agent- clean the sensor.
Disconnects call.
Marks ticket as resolved.
Me- WTF just happened!

Naturally, I escalate the issue.

Day 15
Level 2 Agent- what happened? Why have you escalated the issue?
Me- I need a mouse, waiting since 2 weeks.
Him- No mouse is available
Me- you don't have a single spare mouse available in an office with 5000 PC users?
Him- no they're out of stock.
Me- when will it be back in stock?
Him- we will 'soon' launch a tender for quotations from sellers.
Me- time?
Him- 1 week.

Day 34

I email the head of supplies for the city office. Next day I get a used super small mouse, which doesn't have a left button. Anyways, I've given up hope now.

Day 45
I become a master at keyboard shortcuts.
Finish my training.
Get transferred to another city.
No mouse till date.

Surprisingly, this was one of the top recruiters in my country. Never knew, MNCs can be so so inefficient for such simple tasks.
Start-ups are way better in this regard. Latest tech, small community, minimal bureaucracy and a lot of respect and things to learn.

No matter how good your security is, you'll still have users...

A fellow intern recommended the use of windows server for security and speed reasons.

Few details about the situation: windows server got hacked due to a vulnerability which had no patch released yet and this had happened multiple times that year. Also, the company was migrating everything to Linux (servers).

The senior/lead programmer literally gave him a GTFO face and pointed at the door.

Everyone was giving him the GTFO face by the way, he didn't know how fast he had to get out 🤣

Got my new workstation.
Isn't it a beauty?

Rocking a Pentium II 366 MHz processor.
6 GB HDD.
64 MB SDRAM.
1 minute of battery life.
Resolution up to SXGA (1280x1024)
Removable CD-Rom drive.
1 USB port (we like to use dongles, right?)

Also it has state of the art security:
- No webcam
- No Mic
- Removable WiFi
- I forgot the password

And best of all:
It as a nipple to play with!!

First internship (ranted about it before).

- Had to google translate their entire internal crm.
- pointed out major security flaws and got a speech saying that "I shouldn't think so high of myself and I didn't have the fucking right to criticize their products"
- every time the boss came to the office after a failed sales presentation, we (interns) got called the most nasty stuff. Yes. We didn't have anything to do with that at all.
- I had "hygiene issues": window to the south with 35-40 degrees (Celsius) feeling temperature and no airco. Deo didn't really make a difference but wasn't allowed to use it there anyways. Details: I have a transpiration issue so I sweat shitloads more than other people, that didn't help at all.
- nearly got fired because I had to to to the doctor in company time for a serious health issue.
- was (no kidding) REQUIRES to use internet explorer and we were monitored constantly.

Self esteem dropped through the fucking ground there.

Fuck Microsoft.

No, not in any relation to windows this time.

Dear Microsoft, why on earth did you put us on your spam blacklist? There haven't been any spam attacks from our side, our servers have nearly the highest 'reputation' that email servers can get, we comply to all security standards and yet you're blacklisting us.

If for some reason you think something is wrong at our side anyways, we've tried to contact you and we either get ignored or get a very late response saying that we'll get delisted again within a day/week or whatsoever.

Microsoft, please go fuck yourself.

What the actual fuck? Person (or people!) who devised this password policy, you are an idiot (or idiots - all of you). You are stupid and insane and have no idea about security or user experience.

A conversation with our network/system admin.

Me : Can I install linux on my computer, windows is slow and terrible.

Him : No, if you use anything but Windows in this company, you will be fired for bypassing our security protocols. Its written in your contract.

Me : *boots up my Macbook*

"The customer reports that port 21 is closed on our FTP site. They said that port 443 is open, and wonder if they can use that instead."

"They are entering the wrong server name. Our FTP server is ONLY an FTP server. Port 443 is not open on our FTP server.

Please verify that they are entering `ftp.xxxxxx.com`

Our FTP site supports FTP/SSL if they are concerned about security."

"Customer responds that they would rather use port 443 to send files."

"I'm sure they would. I'd also like to enter our building on the west side when the temperature is below 10º, but there are no doors on the west side, so that's not going to happen, is it?"

Security tester: Injects XSS into a rich text editor and flags it for a vulnerability.

"Oh that's fine, let's just disable right click on our page so no one can inspect the page and inject anything."

...

My boss ladies and gentlemen.

I guess that is what you get for bringing up security issues on someones website.

Not like I could read, edit or delete customer or company data...

I mean what the shit... all I did was try to help and gives me THIS? I even offered to help... maybe he got angry cause I kind of threw it in his face that the whole fucking system is shit and that you can create admin accounts with ease. No it's not a framework or anything, just one big php file with GET parameters as distinction which function he should use. One fucking file where everything goes into.

Newspaper: This CEO is one of the top entrepreneurs in the country, a true tech visionary shaping the future.

--- 3 months previous ---

Lead dev: O2 have said they are will pre-install the app on all their Androids but they need documentation from us.

CEO: documentation? on what?

Lead dev: Our unit test coverage, bugs found / fixed, security scan results, performance assessment, if and where its storing any data etc.

CEO: Ah were not doing any of that crap, bloody unit tests, its not necessary, tell them no.

lead dev: ..... eh ok

O2: *approved*

... true visionary, well done to everyone involved.

Ex-boss (who boasted 20 years of programming exp.) Would not let us work on a web project saying we didn't have enough experience and said he'd do it alone... Fast forward to 3 days before presenting to client, we get to check the log in interface and immediately find that there's no actual security, no validation... Just 2 text boxes with hard coded users and no way to add more without creating them in db... And if you knew the next page's URL you can actually skip the login... Needless to say he was removed from the project that instant and we (interns at the time) had to do everything from scratch. A 3 months project done in 2 days. Never been more stressed in my life :'(

I recently found a company that used employee social security numbers as their login username and their MMDDYYYY as their password (which could not be changed) also their entire network was using a router with no wifi password set. :/

*knock knock*
SIR do you have a moment to talk about our lord and savior the WINDOWS UPDATE?
"uhm no sorry I'm busy"
*sees a bulldozer in the background*
"what the .."
SIR just let him in your heart and feel his security patches drive your vulnerabilities away!!
"but the rendering hasn't finished ye.."
TOO LATE SIR, green light fellas let's do this
*bulldozer destroys my house and i wake up, sweating*

*hugs laptop*
"Oooh Ubuntu my baby I've missed you soo much!"
*wayland crashes*

Privacy & security violations piss me off. Not to the point that I'll write on devRant about it, but to the point that coworkers get afraid from the bloodthirsty look in my eyes.

I know all startups proclaim this, but the one I work at is kind of industry-disrupting. Think Uber vs taxi drivers... so we have real, malicious enemies.

Yet there's still this mindset of "it won't happen to us" when it comes to data leaks or corporate spying.

Me: "I noticed we are tracking our end users without their consent, and store not just the color of their balls, but also their favorite soup flavor and how often they've cheated on their partner, as plain text in the system for every employee to read"

Various C-randomletter-Os: "Oh wow indubitably most serious indeed! Let's put 2 scrumbag masters on the issue, we will tackle this in a most agile manner! We shall use AI blockchains in the elastic cloud to encrypt those ball-colors!"

NO WHAT I MEANT WAS WHY THE FUCK DO WE EVEN STORE THAT INFORMATION. IT DOES IN NO WAY RELATE TO OUR BUSINESS!

"No reason, just future requirements for our data scientists"

I'M GRABBING A HARDDRIVE SHREDDER, THE DB SERVER GOES FIRST AND YOUR PENIS RIGHT AFTER THAT!

(if it's unclear, ball color was an optimistic euphemism for what boiled down to an analytics value which might as well have been "nigger: yes/no")

(The PM is pretty technical)
One day:
Me: Could you create this subdomain?
PM: Sure, just a sec.
Me: Ohh and could you add a letsencrypt cert? (one click thingy)
PM: Why would you need that on this kinda site...
Me: Well in general for security...
PM: Nahh.
*walks away*

Next day:
(referring to my internship manager/guider as Bob)
Bob: Hey... we have a new subdomain!
Me: Yup!
Bob: Wait why is there no letsencrypt certificate installed...?!?
Me: Well, the PM didn't find that neccesary...
Bob: (Oo) of course it is... are we going for security by default or what?
Me: Yup agreed.
Bob: *creates cert and sets everything up in under a minute*

It wasn't a high profile site (tiny side project) but why not add SSL when you can for free?

So this chick has been super nice to me for the past few months, and has been trying to push me towards a role in security. She said nothing but wonderful things about it. It’s easy, it’s not much work, it’s relaxing, etc.

I eventually decided I’m burned out enough that something, anything different would be good, and went for it. I’m now officially doing both dev and security. The day I started, she announced that she was leaving the security team and wouldn’t join any other calls. Just flat-out left.

She trained me on doing a security review of this release, which basically amounted to a zoom call where I did all of the work and she directed me on what to do next, ignored everything I said, and treated me like an idiot. It’s apparently an easy release. The work itself? Not difficult, but it’s very involved, very time consuming, and requires a lot of paper trail — copying the same crap to three different places, tagging lots of people, copying their responses and pasting them elsewhere, filing tickets, linking tickets, copying info back and forth to slack, signing off on things, tagging tickets in a specific way, writing up security notes in a very specific format etc. etc. etc. It’s apparently usually very hectic with lots of last-minute changes, devs who simply ignore security requests, etc.

I asked her at the end for a quick writeup because I’m not going to remember everything and we didn’t cover everything that might happen.

Her response: Just remember what you did here, and do it again!

I asked again for her to write up some notes. She said “I would recommend.. you watch the new release’s channel starting Thursday, and then review what we did here, and just do all that again. Oh, and if you have any questions, talk to <security boss> so you get in the habit of asking him instead of me. Okay, bye!”

Fucking what.
No handoff doc?
Not willing to answer questions after a day and a half of training?

A recap
• She was friendly.
• She pushed me towards security.
• She said the security role was easy and laid-back.
• I eventually accepted.
• She quit the same day.
• The “easy release” took a day and a half of work with her watching, and it has a two-day deadline.
• She treated (and still treats) me like a burden and ignores everything I said or asked.
• The work is anything but laid-back.
• She refuses to spend any extra time on this or write up any notes.
• She refuses to answer any further questions because (quote) “I should get in the habit of asking <security boss> instead of her”

So she smiled, lied, and stabbed me in the back. Now she’s treating me like an annoyance she just wants to go away.

I get that she’s burned out from this, but still, what a fucking bitch. I almost can’t believe she’s acting this way, but I’ve grown to expect it from everyone.

But hey, at least I’m doing something different now, which is what I wanted. The speed at which she showed her true colors, though, holy shit.

“I’m more of a personal motivator than anything,” she says, “and I’m first and foremost a supporter of women developers!” Exactly wrong, every single word of it.

God I hate people like this.

I was talking in class. Teacher saw me. She asked me to explain the topic she was going to explain. It was Network Security. I started explaining how we can prevent tracking of our online activities by using VPN and all.

Teacher (to class): Do you all know about VPN?
Whole Class: No.
Teacher (to me): They don't know about VPN. Now, how will you explain?
Me: I won't.

*Cyanide out*

- I'm forced to do dev on Windows with no admin because security
- We receive patches to critical systems from outside company on FTP secured with password "asd123" and install them without reading because fuck security

No amount of backend code is seen as progress by client.

Have a web store app project that is running and looking beautifully and is currently connected to nothing.

Got scolded this week for not having any new deliverables.

Spent 15 hours on security updates and database architecture.

Coding nightmare -> the guy who wrote this application I guess wanted job security? At the VERY least to be a pain in the ass to anyone else who touches his code....WHO NAMES THEIR VARIABLES PEOPLE NAMES?!?!? do I know what "Beth" or "Sarah" stand for? ummmm....no 😢

Just looked at the anonymous analytics I collect on the security/privacy blog.

No SQL Injection attacks yet (would be useless anyways as I don't use MySQL/MariaDB for the databasing.

Directory Traversal attacks. Really? 🤣

Nice try, guys.

Fucking crunchyroll hardcodes their access tokens in a Constants Class in their APK, technically that is a security issue.

What the actual fuck Crunchyroll!? No fucking wonder you got DNS Hijacked so quick, security is literally your second priority you dumbed down twats, get some real devs and some real QAs for fucking god sakes, you're tearing down your own system by inviting exploits.

Me: So what you are doing in the IT field?
Him: I am hacking bank websites.
Me: OK, that's cool. It is good in free time. What is your actual job?
Him: I am seriously hacking the bank Web site!
Me: Trust me, if you seriously doing that you will never ever mentioned it...
Him: No, I am doing it legally... The bank hiring me to try to hack the website...
Me: OK, you mean that you are cyber security tester?
Him: That is almost the same...
Me: So you are tester?
Him: I am hacking bank's websites...
Me:....

No, MD5 hash is not a safe way to store our users' passwords. I don't care if its been written in the past and still works. I've demonstrated how easy it is to reverse engineer and rainbow attack. I've told you your own password for the site! Now please let me fix it before someone else forces you to. We're too busy with other projects right now? Oh, ok then, I'll just be quiet and ignore our poor security. Whilst I'm busy getting on with my other work, could you figure out what we're gonna do with the tatters of our client's business (in which our company owns a stake) in the aftermath of the attack?

I hate people... I hate stupid people even more...

A person asked on slack about where download a Programming Language server called Railo. The official site is no longer up because the software was forked and acquired by a new company.

I suggested just to download that fork since it's more stable. They said no, they needed to mimic their production environment. Makes sense, so I left it alone since I couldn't help further.

Another person on slack asked which version of Railo they need. The OPs response was, "Oh whatever version you have."

My response was... "WTF... the latest version of Railo is 4.3 and the fork is 4.5... the only difference is the new name and a couple of security fixes. If you want to mimic production then you need the exact copy.. otherwise, the fork will be your best bet."

Nope.. I need Railo... any version. They say again.

!dev
> Get on Deutsche Bahn train
> Train delayed
> Miss Eurostar connection (not just me, many people did too), get the next one
> Building works in Brussels Station
> Maps inaccurate
> Get lost
> Find Eurostar terminal
> Electricity failure
> Check-in suspended
> After 40min, announcement
> This train cancelled, get the next one
> Electricity fixed
> Check in, finally
> Now 2½ trains worth of people need to get on this one
> Somehow fit on train
> Lose table because family needs it (fair, but annoying)
> Train departs
> More delays due to scheduling conflict
> Arrive in Lille Europe
> Stop for 10 minutes for no reason
> Announcement: "there is an illegal passenger on board, everyone and their luggage needs to get off"
> Get off train, stand on platform for a decade
> "Who has left an orange bag on coach 18?"
> Nobody
> They bring the bag out
> It's red, not orange
> "Oh it's mine, sorry" - some woman
> Wait around for ages
> "Everybody go downstairs and go through security again"
> Go through security and passport control
> Get back on train
> Arrive at St. Pancreas
> Last train to where I live has gone
> Woohoo, I get to pay for an expensive hotel in London
> Get rail replacement bus service home
> Home 😒

Currently trying to write a dark theme solution for the security blog in pure JavaScript (no jquery).

This is way easier than I thought!

I thought this launch (security/privacy blog) would go smooth:
- analytics fell, except for one thing, apart for yet unknown reasons
- MySQL came with a very weird error which took me like half an hour of research before I hacked my way past it.
- the firewall started to fuck around for no reason, works now though.

Nginx worked without issues though, as well as NetData 😅

Yeah, didn't go as planned :P

left a company over 3 years ago because they wanted me to dumb my code down so that the other devs could understand it. they wouldn't allow me to use classes in my code lol. anyway, 3+ years later figured I would try to log in to some of the admin panels... passwords still the same. MySQL dbs... passwords the same... cpanel... passwords the same. smh. even if I still worked there the passwords should be changed every so often. top notch security right there. funniest part is they don't even do backups or use VCS for the code. sad sad company. glad I'm no longer there. my personal projects have more security, redundancy and fail over lol

@JoshBent suggested that I'd make a blog about security.

Nice idea, fair enough!

*registers domain at provider with discounts at the moment*
*tries to find whois protection option*

"You can add WHOIS protection to your account as an upgrade"

*requests authorization token*

*logs into usual domain name provider account*

*transfers domain name*

*anonymizes WHOIS details within two seconds*

I could've stayed and ask them about the cost etc but the fact that they even HAVE a price for protecting WHOIS data is a no-go for me.

Fuck domain name resellers which ask money for protecting ones WHOIS information (where possible).

Alright, the blog seems to be running again and its not breaking yet which is a good sign :P.

Although nothing has changed on the front end yet, the backend has been partly rewritten to be more efficient and of course, post sorting based on posting date!

I'm aware of most of the front end issues so no need to tell me all of them again, I'll look at that tomorrow as I need sleep right now :(

If you'd find any bugs/security issues, please, don't exploit them but report them instead! I take security very seriously and will try to patch any security bug as soon as I can :)

"fuck security, no one will hack us"

Had a discussion with a developer about security. His software transfers all user data (password and files) unencrypted, so anyone can grab them with wireshark. I told him that this is a severe issue. He said no its no problem because if you get hacked its your own fault, because you probably used an insecure network. NO ! YOU FUCKING MALADJUSTED SHEEP-MOLESTING OBJECT OF EXECRATION, YOU SHOULD ALWAYS ENCRYPT SENSITIVE USERDATA NO MATTER WHAT NETWORK YOU USE. FUCKING KILL ME ALREADY.
Not implementing encryption is one thing but then acting like its no problem is a fucking nother one. Why do people not understand that security of userdata is important???

Just came from a one week holiday, only to come and see that zesty security and some other repositories are no longer supported on my 17.04 ubuntu...

Updating to 17.10 now..

Havent even booted up my windows laptop yet.. God please give me strength..

Client: I want you to build me a website.
Then makes an order on freelancing website.

Me: Okay, Sir. Can you send me your specifications, please?

No reply.

2 days later

Me: Hello, sir....are you still interested?

A week later
Me: Sir.

Me: Sir.....

No reply

2 Weeks later
Me: Sir......

No reply

Client: Oh, sorry.(Then gives some lame excuse) Okay I will send you the specifications.

Me: It's Okay. Waiting for it.

A week later
Me: Sir, you forgot to send me your specifications.

No response.

#Life of a freelancer.....No stability or security or decent clients.

Security tips guys :
use iptables -A INPUT -j DROP to secure your servers.
NO ONE can access your servers now... NO ONE...

So my marketing dept request us to perform a SQL injection to someone's bank account. I refuse to do it.

1. Most bank no longer use Relational Database , they use something like NoSQL Database.

2. Even if the bank Use Relational Database system, I assume their security must be high, validating my session maybe...

3. I am not going to do shit like this for illegal purposes, well this task sounds super illegal to me

4. Hacking is not a part of my job description. I was hired to be a Senior Fullstack Mobile App Developer.

This is screwed up !

Hello devRanters! A little while ago some ranters and I who are all passionate about FOSS/Linux decided to get together in a chatroom. Slowly more people are coming in but just wanted to post this in case any foss/linux liking people would like to join! I am not even sure if this is allowed on devRant (posting something like this) so if not, my apologies and I will remove the rant!

Keep in mind that the chat exists for people who are very keen on FOSS/Linux/security/privacy so no offense but it probably isn't the best place for people who don't like/care about that stuff :).

Alright so the security blog is coming up soon (as in, days probably) and I'm working hard together with 404response on the privacy site.

I do want to gain some insight into visitor numbers and so on but OF COURSE, commercial/closed source options are a no-go for me!

I am thinking about maybe using Piwik with all the privacy options enabled Also self hosted obviously. What do you guys/gals think?

Damn, credit cards are so fucking secure these days that you hardly can BUY shit with them!
I need some special electronics that I only can get from a vendor in the US, which is overseas. Click click, buy, done. Well no, credit card refused. WTF? Click retry link. No, still refused. FUCK.
Called up the 24/7 hotline of my CC company. Oh yeah, that got blocked by the security system, somehow. We disable that for 20 minutes, just retry. Clicked retry link at the vendor. No failure mail. Hmmm, too good to be true?! Called up the electronics vendor. Yeah should work, stuff is in the warehouse stage. 40 minutes later: credit card declined. FUCK.
Called up the CC company again. Ok, disable blocker for one hour. Nice advice from them, tell the vendor it's only 45 minutes so that there's some buffer. Clicked retry link at the vendor and called them up to make sure that they retry before the time runs out.
LO AND BEHOLD, I could finally pay the shit!!

We recently took over development of an app. Upon inspection the API had no security, and passwords were stored in plain text. While the manager was slightly concerned, it wasn't a big deal....

That was until, using only a browser, I found the bosses account and personal email address.

Minutes later I was in his gmail, Facebook and credit cards account.

Improving security is now concern #1, and my boss is "suffering" 2 factor authy on everything.

CLIENT "So my nephew who does stuff with computers built it and we are ok with how it all works so don't worry about changing that. "

DEV "so like you have a public form with no input filtering, spam mitigation let alone sanitization or remote concern for security. Basically you have a Json flat file that is 34mbs of links to, viagra, replica watches, nock off name brands and one real estate company. It is getting about 15 submissions an hour. Since you don't want me changing how it works are you happy to just leave all that ?"

CLIENT "no no we don't want all that but we have no route to delete it, can you just stop all the spam and let us continue on?"

DEV "ok so back to my first question can we rebuild all of this properly, or do you really want to just leave it all"

:/ FML

That feeling when your client connection is more stable than the connection of a fucking game server... Incompetent pieces of shit!!! BEING ABLE TO PUT A COUPLE OF SPRITES DOESN'T MAKE YOU A FUCKING SYSADMIN!!!

Oh and I sent those very incompetent fucks a mail earlier, because my mailers are blocking their servers as per my mailers' security policy. A rant from the old box - their mail servers self-identify a fucking .local!!! Those incompetent shitheads didn't even properly change the values from test into those from prod!! So I sent them an email telling them exactly how they should fix it, as I am running the same MTA on my mailers (Postfix), at some point had to fix my mailers against the exact same issue as well, and clearly noticed in-game that they have deliverability problems (they explicitly mention to unblock their domain). Guess why?! Because their server's shitty configuration triggers fucking security mechanisms that are built against rogue mailers that attempt to spoof themselves as an internal mailer, with that fucking .local! And they STILL DIDN'T CHANGE IT!!!! Your fucking domain has no issues whatsoever, it's your goddamn fucking mail servers that YOU ASOBIMO FUCKERS SHOULD JUST FIX ALREADY!!! MOTHERFUCKERS!!!!!

The worst project is the one I am currently working on. I didn’t build it but have to manage it, because... Reasons.

The projects is made on Core PHP(red flag right there).
But when I dig in I get to see there is no authentication used in any of the REST service. Yup. What's the fucking point of login if you are just going to update profiles based on user_id you Twat! The querying used is simply mysql_query (I have to say I expected that).
No relationships defined in the Mysql table structure. No migrations.
There is an upload feature which is forcing the image to be saved as jpeg, therby corrupting the images being saved on the server.
No security, terrible logic, no classes, terrible architecture.

And I am the chosen one to maintain this shit!

Truely, FML!!!

A store in Russia was robbed for 30k$ using ArtMoney.

ArtMoney is a Game cheating program that is used in games that have no AntiCheat system or it is insanely horrible(Cookie clicker as an example for a game that had no anticheat and ArtMoney is used in it)

The robbers placed orders for tech(like phones and laptops) and then used the program to change the prices from thousands of dollars down to 5$.

The cheat program is insanely easy to defend against or detect its changes.

This is a good reminder to check your security if youre adminstating things like online shops or other stuff thag can be targeted at a similar fashion.

--- iOS-Jailbreak-AppStore "Cydia" shuts down ---

This Friday, Jay Freeman, the maintainer of the iOS-Jailbreak-AppStore "Cydia", announced that he will shut-down his services.
"Cydia" is a app store for people that jailbreaked their iPhones and allows them to buy and download apps. Apple's AppStore doesn't allow jailbreaked apps, that's the reason it was created in 2009.

Jay Freeman, also known as "Saurik", explained that he wanted to shut down the service at the end of 2018 anyways.
Now, a recent security issue, threatening the data of all users, caused that the store no longer existed with immediate effect.
In addition to the security issue, "Cydia" was said to be no more profitable.
To calm you breakers down: Previous purchases can still be downloaded!

The software itself will continue to exist, but without a back-end for payments and stuff like that. Users are still able to do payments through third-party repositories, which already happened anyway, so that lowers the impact of the shut-down.

Just like "Cydia", other services are shutting down too.
One of the three big Cydia-repositories, ModMyi, said they wont allow any new apps and archived all existing ones.
ZodTTD and MacCiti will also be discontinued.
"Bigboss" is the only repository remaining.

Jailbreaks just lost their popularity over the last years. There's still no jailbreak for iOS 11! This shows that Apple is getting better and better at preventing jailbreaks.
On the other hand, it shows that the need for jailbreaks is not quite as high anymore and therefore the developers don't spend too much energy for breaking up iOS anymore.

Did you use Cydia, or any of the other services? Write us in the comments!

Thanks for reading!

Have a client that has a very, very large format printer (think billboards). It's on their network as just another printer, with no special security because everyone "knows" never to print to it....except the new employee who printed her direct-deposit info to it. Got about ten feet(!) into the job before someone realized it wasn't an authorized job.

Company email sent around last night that 'for security' we need to use the latest software, fine. But we are also told only to develop in Edge as it's the newest and most secure browser, therefore is the only one we can use. There no way I'm using Edge to develop.

Fuck you, Mr Consultant, you've taken the company for a ride.

devRant_swear_count++;

This happened via mail thread today.

Boss: we need this new brilliant feature I just made up and running asap! Top priority, it has to be done well, for my reputation is on the line!

Me: *looks at the specifics* 'kay, looks easy enough, this evening max and it will be ready. I just nees some extra info about what kind of data validations (I speak no accountant) are needed, and some other details (a total of 3 questiona).

B: Sure! Remember, it needs to be perfect, as my reputation is at stake. Call me on the phone and I'll give you the details!

M: Can't you answer via mail? Thua way both me and the other devs will have clewr guidelines

B: Just call me! Why do you need it to be written down? It's faster this way!

...Fine. I'll keep asking until you're ready to give me a written answer to my questions. No way I'll take security details via phone for something you want in production this evening. No chance in Hell I'll take responsibility for "misunderstanding" what you said on the phone. Why does it always has to be like that?

TIL that TI has no goddamn chill

Texas Instruments released the TI-83+ calculator model in 1996. The Z80 was not at all stock and has the following features:

- 3 access levels (priveleged kernel, kernel, user)
- Locking Flash (R/O when locked for most pages, some pages protected and unreadable as well, only unlockable from protected Flash pages by reading a certain order of bits then setting a port)
- Locking hardware ports (lock state always the same as flash)
- Customizable execution whitelist range (via locked ports)
- Configurable hardware (Flash/RAM size changeable in software via locked ports, max RAM is 8MB which is fucking mental compared to the 64k in the thing)
- Userland virtualization (always-on)
- Reset on violation of security model
- Multithreading
- Software-overclockable CPU
- Hardware MD5 and cert handling

TI made a calculator in 1996 with security features PCs wouldn't see until like 2010 what the *actual* fuck

Worst security issue : being able to make a money transfer with no auth and changing freely the bank account in the POST params...

Dev excuse : "I didn't know my job was also to take care about security."

So... Some fake accounts on Twitter claimed to be Elon Musk and to give shitloads of Bitcoin to those who sent a little amount first. They stole... Wait for it... 180 grand.

That's basically your everyday 419 scam. Existing since before the internet, done with the names of Gates, Buffet, Bush, Obama...

They say "the big bad evil criminals and the poor little innocent victims" I say natural selection. Sorry, in those lion vs gazelle scenarios I always thought that it was fair, no matter how it went.

Just when did humanity get so brainless? Have we always been, is the internet just a catalyst for stupidity?

Just why the fuck must I be an infosec sheepdog instead of a wolf? Man, I could live the life, drink beer and smoke herb while working... Get up at 12, don't give a shit, no boss, no taxes, no social security payments that I don't see jack shit from, and the pay would be better to.

Damn.

When someone says they are a 'HACKER' whereas all they do is watch videos of 'How to hack a GMail account' on YouTube and read 'Learn to hack in 24 hours' , while having no knowledge of networking, security protocols and ports.

So here's the story about a big Fuck up by a TRAI chief in India

He posted an open challenge on twitter:
"Here's my 12 digit Aadhar card (social security no for Indians) number. Show me if you can do any harm to me. "

And Twitter obliged, a French hacker aliased @fs0c131y (Elliot Alderson) took the challenge and he started posting his phone number, email, and other personal stuff on twitter.

Still the official thinks he's safe and no harm has been done to him! He openly says, "Even if you get my bank account no what can you do?"

Ten Immutable Laws Of Security

Law #1: If a bad guy can persuade you to run his program on your computer, it's not solely your computer anymore.
Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore.
Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.
Law #4: If you allow a bad guy to run active content in your website, it's not your website any more.
Law #5: Weak passwords trump strong security.
Law #6: A computer is only as secure as the administrator is trustworthy.
Law #7: Encrypted data is only as secure as its decryption key.
Law #8: An out-of-date antimalware scanner is only marginally better than no scanner at all.
Law #9: Absolute anonymity isn't practically achievable, online or offline.
Law #10: Technology is not a panacea.

"Hey, I've noticed that when I run this script, I get an error message. It says it has failed to do step x"

A: "Have you tried running it with sudo"

"Yeah, that works"

B: "NO WAY YOU SHOULD NEVER USE SUDO THAT'S A MAJOR SECURITY RISK, ARE YOU RETARDED RUNNING THINGS WITH SUDO IS EVIL"

"Do you have an alternative solution?"

*trjirp trjirp* 🦗🦗🦗

So my boss is staring a new security oriented product and he asked one of my colleagues to prepare a presentation about the possible attacks on the product.

During the presentation there was a section on DoS attacks. The boss didn't know what DoS was and after a brief explanation, he interrupted the presentation and said DDoS is not a threat because there is no data stolen. This is a webapp.

Taking IT classes in college. The school bought us all lynda and office365 accounts but we can't use them because the classroom's network has been severed from the Active Directory server that holds our credentials. Because "hackers." (The non-IT classrooms don't have this problem, but they also don't need lynda accounts. What gives?)

So, I got bored, and irritated, so I decided to see just how secure the classroom really was.

It wasn't.

So I created a text file with the following rant and put it on the desktop of the "locked" admin account. Cheers. :)

1. don't make a show of "beefing up security" because that only makes people curious.
I'm referring of course to isolating the network. This wouldn't be a problem except:

2. don't restrict the good guys. only the bad guys.
I can't access resources for THIS CLASS that I use in THIS CLASS. That's a hassle.
It also gives me legitimate motivation to try to break your security.

3. don't secure it if you don't care. that is ALSO a hassle.
I know you don't care because you left secure boot off, no BIOS password, and nothing
stopping someone from using a different OS with fewer restrictions, or USB tethering,
or some sort malware, probably, in addition to security practices that are
wildly inconsistent, which leads me to the final and largest grievance:

4. don't give admin priveledges to an account without a password.

seriously. why would you do this? I don't understand.
you at least bothered to secure the accounts that don't even matter,
albeit with weak and publicly known passwords (that are the same on all machines),
but then you went and left the LEAST secure account with the MOST priveledges?
I could understand if it were just a single-user machine. Auto login as admin.
Lots of people do that and have a reason for it. But... no. I just... why?

anyway, don't worry, all I did was install python so I could play with scripting
during class. if that bothers you, trust me, you have much bigger problems.

I mean you no malice. just trying to help.

For real. Don't kick me out of school for being helpful. That would be unproductive.
Plus, maybe I'd be a good candidate for your cybersec track. haven't decided yet.

-- a guy who isn't very good at this and didn't have to be
have a nice day <3

oh, and I fixed the clock. you're welcome.

I opened a post starting with a "NO TOFU" logo and I was wondering what relationship existed between the SSH protocol and anti-vegan people.

After some paragraphs it explained that TOFU stands for Trust On First Use (a security anti-pattern).

CR: "Add x here (to y) so it fits our code standards"
> No other Y has an X. None.

CR: "Don't ever use .html_safe"
> ... Can't render html without it. Also, it's already been sanitized, literally by sanitize(), written by the security team.

CR: "Haven't seen the code yet; does X change when resetting the password?"
> The feature doesn't have or reference passwords. It doesn't touch anything even tangentially related to passwords.
> Also: GO READ THE CODE! THAT'S YOUR BLOODY JOB!

CR: "Add an 'expired?' method that returns '!active'?"
> Inactive doesn't mean expired. Yellow doesn't mean sour. There's already an 'is_expired?' method.

CR: "For logging, always use json so we can parse it. Doesn't matter if we can't read it; tools can."
CR: "For logging, never link log entries to user-readable code references; it's a security concern."
CR: "Make sure logging is human-readable and text-searchable and points back to the code."
> Confused asian guy, his hands raised.

CR: "Move this data formatting from the view into the model."
> No. Views are for formatting.

CR: "Use .html() here since you're working with html"
> .html() does not support html. It converts arrays into html.

NONE OF THIS IS USEFUL! WHY ARE YOU WASTING MY TIME IF YOU HAVEN'T EVEN READ MY CODE!?

dfjasklfagjklewrjakfljasdf

GIT LOG VERSION 101
----------------
75fed18 pay no attention to the man behind the curtain
56772ff added security.
6374fdd needs more cow bell
6b27de9 Committing fixes in the dark, seriously, who killed my power!?
bffce8a giggle.
7e93977 Refactored configuration.
e66c495 pgsql is more strict, increase the hackiness up to 11
5690dd9 Revert "just testing, remember to revert"
daa84ba Still can't get this right...
097f164 this should fix it
367f271 GIT :/
f46d735 bump to 0.0.3-dev:wq
b893721 ¯\_(ツ)_/¯
24be0d9 ...
f014a0c ALL SORTS OF THINGS
e648b80 added super-widget 2.0.
3a71628 perfect...
e2a8cb1 Fucking templates.
b08e489 pgsql is more strict, increase the hackiness up to 11

My girlfriend configuring her e-mail account in the app because her phone had to be reset to factory :
-I can't figure out how to do these setting, annoying...
-Oh yeah the imap and smtp servers can be tricky, let me put that
(I Google the settings for her mail provider and put them in)
-It still doesn't work.
-Uuuh, maybe with another security setting, try it.
-This shit still doesn't work, seriously my phone is broken.
-Have you verified the e-mail address and carefully typed the password?
-Yes of course, I've tried it several time
(I take the phone and check all the parameters... During a looooong time... Until it hits me.)
-Hmm... Can you read the e-mail you've entered?
-Yeah, it's my mail, blabla@hotmail.com.
-No can you read it again please?
-It's blabla, why?
-No, can you *spell* your e-mail?
-Yeah it's B-L-A-B-L-A-@-H-O-M-A... Ow shit...
- ¯\_(ツ)_/¯

So at work with the Macs we use, we have some guy come in after hours to service the Macs, and that means the security risk of leaving our passwords on our desks.

Not being a fan of this I tell my boss, he knows it's a risk and despite that he doesn't want this guy coming in while we're here.

Though my main problem is the Mac guy Steve is arrogant and thinks he's a know it all, and with the software I have on the Mac may end up deleting something important, I have git repo and all but I feel off just letting someone touch my computer without me being there.

I tell my boss about the software and stuff he just says contact Steve and tell him about it, to ignore the software and such, I say alright, I write up an email telling him not to touch the software listed and the folders of software documents (again it's all backed up).

No reply, I tell my boss and he says call him, I call him and he hangs up on me on the second ring!

Not sure if he's busy, but I left him a message, asking if he got my email, no reply and it's coming close to the end of the day (going to service Macs in the weekend)

I'm just not going to leave my info because if this guy can't check emails or even get back to someone why should I bother with this bullshit of risking my work.

From all the info I hear about him and my previous rants he's an arrogant prick who loves Macs.

Can't wait to leave this company, pretty sure leaving my password on my desk is a breach of our own security policy, and since 8-9 people are doing it, it's a major risk.

But he's friends with the CEO so apparently it's fuck our own security policy.

Sooo I've been working on an ancient php 5.6 project that did not have any documentation and was a homemade "framework" created 7 years ago. The original creator is long gone and no one else knows a lot about this project.

When I first looked into it I almost immediately noticed the security flaws...

Old outdated libraries
a "development" feature to easily turn dev mode on/off
BY A GET PARAMETER!

it spits out full sql queries and php warnings -.-

Oh and did I mention that the site is a webshop.... and has a backdoor password?
AND THAT THE CUSTOMER REQUESTED THAT?

Watch out for these fucking bug bounty idiots.

Some time back I got an email from one shortly after making a website live. Didn't find anything major and just ran a simple tool that can suggest security improvements simply loading the landing page for the site.

Might be useful for some people but not so much for me.

It's the same kind of security tool you can search for, run it and it mostly just checks things like HTTP headers. A harmless surface test. Was nice, polite and didn't demand anything but linked to their profile where you can give them some rep on a system that gamifies security bug hunting.

It's rendering services without being asked like when someone washes your windscreen while stopped at traffic but no demands and no real harm done. Spammed.

I had another one recently though that was a total disgrace.

"I'm a web security Analyst. My Job is to do penetration testing in websites to make them secure."
"While testing your site I found some critical vulnerabilities (bugs) in your site which need to be mitigated."
"If you have a bug bounty program, kindly let me know where I should report those issues."
"Waiting for response."

It immediately stands out that this person is asking for pay before disclosing vulnerabilities but this ends up being stupid on so many other levels.

The second thing that stands out is that he says he's doing a penetration test. This is illegal in most major countries. Even attempting to penetrate a system without consent is illegal.

In many cases if it's trivial or safe no harm no foul but in this case I take a look at what he's sending and he's really trying to hack the site. Sending all kinds of junk data and sending things to try to inject that if they did get through could cause damage or provide sensitive data such as trying SQL injects to get user data.

It doesn't matter the intent it's breaking criminal law and when there's the potential for damages that's serious.

It cannot be understated how unprofessional this is. Irrespective of intent, being a self proclaimed "whitehat" or "ethical hacker" if they test this on a site and some of the commands they sent my way had worked then that would have been a data breach.

These weren't commands to see if something was possible, they were commands to extract data. If some random person from Pakistan extracts sensitive data then that's a breach that has to be reported and disclosed to users with the potential for fines and other consequences.

The sad thing is looking at the logs he's doing it all manually. Copying and pasting extremely specific snippets into all the input boxes of hacked with nothing to do with the stack in use. He can't get that many hits that way.

DEAR CTOs, PLEASE ASK THE DEVELOPER OF THE SOFTWARE WHICH YOU ARE PLANNING TO BUY IN WHAT LANGUAGE AND WHAT VERSION THEY ARE WRITTEN IN.

Background: I worked a LONG time for a software company which developed a BIG crm software suite for a very niche sector. The softwary company was quite successfull and got many customers, even big companies bought our software. The thing is: The software is written in Ruby 1.8.7 and Rails 2. Even some customer servers are running debian squeeze... Yes, this setup is still in production use in 2022. (Rails 7 is the current version). I really don't get it why no one asked for the specific setup, they just bought it. We always told our boss, that we need time to upgrade. But he told every time, no one pays for an tech upgrade... So there it is, many TBs of customer data are in systems which are totally old, not updated and with possibly security issues.

Cyber security. Deep knowledge of cyber security and networks is what I wish I had. The math stuff that no one bothers with, specifically.

Found that out that one of our company's internal API (I hope it's only internal) is exposing some personal data. After finally getting the right people involved they said they'd fix it 'immediately'.

5 days later I check and now there is more personal data exposed...which includes personal security questions and the hashed answers to said questions.

And of course they are using a secure hashing mechanism...right? Wrong. md5, no salt

Sigh...

WTF!!!!! I officially have someone trying to extort me just had this in my email box this morning!

--------

Hello,

My name is [name removed], I'm an IT security expert and I found a security issue on your website.
This email is personal and in no way related to any of my employers.

I was able to access to a lot of files which contains sensitive data.
I attached a screenshot of the files I found to this email.

I would be happy to give you the method I used to access these files in order to let you fix it.
Would be a monetary compensation possible?

Please forward this email to the right person, if your are not responsible for the security of the website.

Best Regards,
[name removed]

---

He can basically see the contents of my wp-config.php. How has he managed this?

I am amazed how specific everyone is being about security vulnerabilities at their employers. Hopefully no one social engineers what company you work at.

This is a server in my school and I was wondering... Is it okay to have a server everyone can access? There's no key or other security need to the room needed.

I should just quit. I am not paid enough to deal with this pissing contest.
Reviewer:
Need to add instructions (on readme) for installing pnmp, or if possible, have the top-level npm i install it (lol).
Also, it looks like we are no longer using lerna? If that's right, let's remove the dependency; its dependencies give some security audit messages at install.
Me:
it's good enough for now. Added a new ticket to resolve package manager confusions. (Migrate to pnpm workspaces)
Reviewer:
I will probably be responsible for automating deployment of this (I deployed the webapp on cloudflare pages and there is no work that needs to be done. "automating deployment" literally means replacing npm with pnpm). I disagree that it's good enough for now.

Imagine all readmes on github document how to install yarn/pnpm.

Lesson learned:
If you think an OOP static site developer can't handle modern JS framework, you are probably right.

Someone ask to me as a security engineer.

Bro : what do you think about most secure way to authenticate, i read news using fingerprint no longer safe?
Me : yes they can clone your fingerprint if you take a photo with your fingerprint to camera.
Bro : so what is the other way to authenticate more secure and other people can't see in picture ?
Me : D*ck authentication is more secure now, other people can't see your d*ck pattern right?

auto.self.whatever.rant()

A few years ago, we had a lesson on git and stuff, and we had to create our first repository and push something on it to get familiar with the thing.

Our teacher jokingly said at the end "And always remember, no password in a repository!", and I thought to myself "who can be dumb enough to do actually do something like that?"

Now, guess which piece of shit had to reinstall two of his fucking servers because of security issues coming from not one but github repositories?

Why I love Salesforce 👀

- Run a test method
- failure: no field found

- checks test, queries field
- checks field security (access permissions) visible to user

- runs test again
- failure: no field found
- adds debug log of queried field

- runs test again
- succes

Thanks, thanks for fucking with me today 🥲

Microsoft seriously hates security, first they do enforce an numer, upper and lowercase combined with a special character.
But then they allow no passwords longer than 16 characters....
After that they complain that "FuckMicrosoft!1" is a password they've seen to often, gee thanks for the brute force tips.

To add insult to injury the first displayed "tip" take a look at the attached image.

Users and Bosses.

I honestly don't know who is worse, the end user or the boss.

The boss thinks all you do is click a button and everything just works, so everything should take 30 minutes to complete, why on earth would it take a week to do something?

The user seems to think every tiny idea is the most important thing ever to add, so they tell said boss it must be added, and boss normally agrees.

I get it, Marge (Fake name), adding in a copy button because you're too dumb to press ctrl + c is way more important than updating the security after a Ransomware attack.

No boss, I can't add in 30 new things and make sure the security protocols are updated all before the meeting in 15 minutes.

If you think it's all so easy and just pressing buttons, why did you hire me? Anyone who can read and press a button should be able to do it....

And I thought dealing with recruiters couldn't get worse..

Applied for a job, get a call back a short while later. Recruiter guy has zero details about the job, but needs some background info. Then says he needs a few more things, it'll come in an email. Calls me 5 minutes later asking why I haven't replied yet, told him im not home.

Get home, check my mail.. please send full address, social security number and a copy of both sides of my photo ID.

Nooooooooooooope. Email back, say no can do.. no replies, job listing deleted a few hours later.

Send over the entire directory for a WordPress site we completely overhauled with new plugins, custom theme, redid content with visual composer, etc. I tell him to backup his site and then put everything I give you as fresh. He tells me he can't just wipe out his entire site that's unacceptable. I ask him what's the problem? he rambles on and says a lot of words that don't really mean anything then says security. so I call him out on it, what security issues do you have? well we have users and permissions setup he says. I explain That I copied his users table over when we did the redesign, so it's the exact same stuff. so I say again, why can't we just replace everything? well that's just not acceptable he says. I ask him again, what EXACTLY is your problem with replacing the site since I already addressed your security concern. he couldn't answer me so now we have another conference call tomorrow morning with more people from their team. I'll let you know how it goes.

tldr; clients are idiots, call them out for the dumb shit they say and have no response.

My job feels (and acts) like a soulless void.

Wow, that sounds like lyrics to an emo song for adults. screw that.

But it's still pretty accurate: While I have quite a few coworkers, and they're at least somewhat chatty, they never seem to respond to me, or even notice me. I see them talking, but anything I do or say gets ignored. It goes into the void and disappears.

I talk in the off-topic channels. People talk around me.
I make comments on releases. No responses.
I talk about music I've been addicted to. No responses.
I talk about food and cooking -- a popular topic at work. No responses.
I respond to an invitation to join the security team. No responses. (well, an empty deferral)
I release various features, some both my boss and a coworker described as "soul-crushing." No thanks, priase, appreciation; honestly, no one even seemed to notice.
I build useful utilities and functions for other devs to use. Nothing.
I optimize the scripts everyone uses on a daily basis, and mention it to others. Still nothing.

The void eats my efforts, and occasionally spits out parcels of work for me to do. The only responses I recieve from the void are when I ask about its parcels of work. When I send them back completed, nothing happens -- unless they need more work. If they do not... nothing.

My previous job was friendly and nice and rewarding.
The job before that was Hell.
This one feels like Purgatory, but ... somehow emptier.

Does anyone else get that surreal feeling where you actually realise you're paid to sit and write a language which most of the world doesnt understand, no one can speak it, and the those who may have the capability to write it don't really want to understand?

I mean, I'm pretty sure that a book written in Latin wouldn't sell well enough to pay the author year-on-year.

Pretty much job security through obscurity.

Surreal.

Recruiter: I have an open position for lead DevSecOps role.

Me: Tell me more

Recruiter: It’s an AI company , where the AI is making clinical medical decisions. It’s really cool. They need somebody to help them pass government audits and you’d be solely responsible for the systems security, AWS accounts, and also all of DevOps, which they’ve never heard of before but I told them they needed and they though it was cool.

Also, they use AWS but not sure what services inside AWS, they think it’s AWS storage and AWS servers or something like that .

Me: That’s a big hell no. 👎 Got any other positions though ?

!rant but help?

I currently have Kali (for labs I'm working on to teach myself the things I didn't learn in school), Ubuntu (downloaded for school), and Fedora (downloaded for my database class)... other than Kali already having Metasploit in it, I don't see a difference between these and I know there are more versions of Linux.

What would be a good starting place for every day use, that'll support Citrix receiver (required for work no idea what its requirements are but I can find out, if i can't use it in Linux, I'll dual boot) and virtual box (or other virtual software, don't mind learning new systems), and that i can also have room to grow for security learning?

So our teacher just has us sign up for a learning site called Gizmos with a ton of students information. A lot of students forgot their password as always and some didn't register with an email so I expected the teacher to reset them..

Then the teacher had students come up to the front of the f****** class and SHOWED THEM THEIR PASSWORD IN PLAIN TEXT. WHAT THE HELL

So today I found a way to break into any Apple Mac (provided the exploit hasn't been fixed by the owner) and access all private files, as long as I have physical access to it, in less than 5 minutes.

After finding this, a quick Google on the method reveals this has been a workaround for years.

And to think I once praised Apple for their security standards.

Edit: this was done to an in-house Mac that my company own, and had been password locked by a member of staff who had been fired, but held important company documents on the computer. It was in no way a breach of privacy.

Boss: We need to disable CSRF and any other form of security, because that shitty, insignificant client has a website that is abomination anyone's eyes, can't pay because of the iframe thingy.

Me: I'd advice against it. This is a significant security issue that just screams to be exploited and there has to be a solution, but idk much about this situation.

Boss: Idk we need to kiss every clients ass till they come. Remove all the security

Me: *Just wants to get home, last one in the office besides the boss* fine
*removes it, deploys and gets the fuck home*

...2 weeks later

Payment gateway: Yeah, we blocked your account, because someone was trying to purchase 30k product in a span of 1h

I'm not even mad about that, but rather about the fact I fucking called it.

* Achievement unlocked: Targeted by scammers

P.s. no major damages, cause the guys from the payment gate understand shit about security.

Got a job as a database manager, they wanted me to update their sql server and some of their .net apps. Turns out their sql server had no databases and all their data was stored in an ms access 2003 applications that was using windows for workgroups security!!! It also had no interface, hundreds of tables and queries and there were multiple access db it was connected to. To make things worse the person who built all this stuff used acronyms for everything he did, table names, variables, queries and even bloody window folders!!! It was hard as hell to figure out what anything ment. Oh and the .net apps were asp sites that heavily used dll for storing his code and no one knows where the original source code for them are. Did I also mention there were no comments for any of the code, no database dictionary, no notes or anything.

So apparently I'll be rebuilding everything from scratch and transferring over the data to sql server. AND NO MORE F**KING ACRONYMS!!!!!!!

The security on my school computers is a joke.
The standard student accounts have no user rights, but the "guest" account has admin rights???
The teachers private data is not secured, it's just hidden from explorer, so if you manually type in the folder location into the explorer bar, you can access the teacher's data. Not to mention everything is running on Windows 7 machines from 10 years ago.

Installs Ubuntu 16.04
Try to put my favorite software installed.
Reboot failed, drops to BusyBox shell.
Me thinking : I fucked up.
Friend walks by, couldn't read shit.
Friend: Look at his kid, he's trying to hack into someone's computer.
Me: (Agrees just for reputation) Yeah, damn teachers been giving me bad grades.
Friend: Could you help me too?
Me: (Don't have hacking experience, making shit up) NO, because your not my best friend. And school security is hard to crack.

Got away safely

I wanna make you feel what you have brought into my house!!

I was working with security cameras once in a home automation project. One of those camera particularly stand out by offering a cgi without password request to view and change the current passwort and username.

Seriously wtf is wrong with you? I mean this thing automatically connects to an internet service offering everyone to connect to it with that passwort and username. And I know some of you might say "hey chill the cgi is only available on the wifi" - dammit no. Security is a lifestyle do it complete or get the fuck out. God knows what other mistakes there might be hidden in that thing screaming out to everyone to watch me taking a shit.

But that's not the end of it. My company arranged a call to the technical support of that camera so that I can explain the problem and a patch gets released. Those guys didn't give a shit about it and were even laughing at me. Fuck you!

So whoever is responsible - I will find you - and you will never see me coming.

Php code without any class. Every page is a separate php file in project root folder.

Everything is all over the place, code repetition is everywhere.

The worst part? No security. The sql calls are with mysql_ functions and string concatenation. Files are just uploaded without checking.

And I had to repair it.

Can you really trust the security features on your device?

Can you really verify that no one is looking at what you're doing all day, in your house or out and about?

What if I am the one looking at your naked ass right now?

I am tired of my idiot ‘friends’ asking me if I can hack Facebook Instagram etc. because some other idiot made them mad. Like fuck no. 1 it’s unethical as hell 2 it’s illegal I don’t want to go to jail. 3 I’m learning cyber security NOT hack stuff because someone hurt your useless feelings.

Ohhh and they always get pissed off when I explain everything wrong with their idiotic request

Security lifehacks 101

Why pay for password managers? Just use one secure password for every service you use! Password managers are really designed for fools who don’t know that you can just use one password for every service and who are ready to pay for that shit.

The best practice is to use your name starting with a capital letter + your main credit card number + CVC code from the back of that card as your go-to password. It’s long and hard to bruteforce and you can remember everything that way! You just need to remember that one password and you’ll always remember your payment info! No need for apple’s bad Apple Pay which is not so secure after all like everything else that Apple offers.

So this just happened. Some background before I begin: We're understaffed, my desk is in the back of the building, and there's no one really at the front to greet people. No security either...

Guy walks in wearing a flannel jacket (no shirt under it), pajama pants, and sandals. He looks like hell. Explains he was just released from a hospital and his apartment is locked. I let him use my phone to call his sister.

When I talk to his sister, she barely wants to speak with him. Tells me his apartment is locked for a reason and he's not allowed back. I'm just like: "So... what would you have us do for him?" At this point if his sister won't help, I was going to ask him to leave. Oh, and that hospital was a drug rehab.

So it ends with him waiting for a ride, but he ends up napping on the couch in the front of our office. CEO/Owner and his business partner walk right past and say nothing. They go into a meeting. I'm trying to figure out if I ask him to leave, wait outside for his ride... I'm a developer, this isn't my job.

A good 45-60 minutes later, after the guy walked outside and then came back in and laid back down on the couch, he leaves with his ride. Shortly after the owner walks out of his meeting, so I ask him what to do in this situation - more hoping he'd realize the need for more security.

If this story isn't crazy enough, the business partner pipes up - absolutely serious - and says he didn't say anything because he thought the guy was a developer.

So I've learned that we've got extremely low hygiene standards for developers here, with a relaxed dress code and are allowed nap times on the front couch.

Thankfully our CYBER security is better than our PHYSICAL security. :|

In other news, I have been forbidden by my boss to implement any security or performance improvements into the company infrastructure as this holds no business value. Furthermore, passwords are not to be a random alphanumeric+special-chars string but something legible.

My urgent, drop-everything, “bad actors have access to merchants and we can’t block them!” ticket that I rushed to finish didn’t make it into the release. It passed QA; everything works. There’s no complaints on code quality, either.

The blocker? My code uses the word “whitelist” (which is already present in the greater codebase in a related feature), and that made the woke VP (who happened to review the ticket) go REEEEEEE!! and demand I fix it to use approved language, therefore delaying the security fix until the next release cycle.

Yes, seriously.
It would be comical if I wasn’t so disgusted.

Oh well. Enjoy your bad company PR, dude. I hope it all burns.

My boss wants to be asynchronous with php. Then to render the backend async he wants to use beanstalk using python to be scalable.

I said : we can use node.js it's already asynchronous. And we don't care about the langage php python...

Boss : node.js isn't scalable, there is no security it's not good enough, it's not enough safe. I code with php since 15 years and it's better than node. To much problem in the node.js version 0.12.

OK BUT NOW WE HAVE NODEJS VERSION 6 LTS. WAKE UP. OMG I GIVE IT UP LET'S GO.

Stupid piece of legacy shit needing to silent print without the dialogs in IE on windows 10.

this is proving to be a thing of nightmares.

this has worked for years but no windows need to block this “for security”

windows and security - i would laugh but this is going to keep me awake at night.

Security fail here. I've just started a PPI claim and have been provided a link to a so called "very secure" client area.

There are no username or passwords and the screenshot is not a first time sign up screen.

All I need to login is a surname, postcode and DOB - all information easy enough to find online.

Pretty bad IMO, esp, so considering the effort required to add a proper login using a username/password combination.

I mean I'm logged in now and have no option to set an account password :|