Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
-
!Story
The day I became the 400 pound Chinese hacker 4chan.
I built this front-end solution for a client (but behind a back end login), and we get on the line with some fancy European team who will handle penetration testing for the client as we are nearing dev completion.
They seem... pretty confident in themselves, and pretty disrespectful to the LAMP environment, and make the client worry even though it's behind a login the project is still vulnerable. No idea why the client hired an uppity .NET house to test a LAMP app. I don't even bother asking these questions anymore...
And worse, they insist we allow them to scrape for vulnerabilities BEHIND the server side login. As though a user was already compromised.
So, I know I want to fuck with them. and I sit around and smoke some weed and just let this issue marinate around in my crazy ass brain for a bit. Trying to think of a way I can obfuscate all this localStorage and what it's doing... And then, inspiration strikes.
I know this library for compressing JSON. I only use it when localStorage space gets tight, and this project was only storing a few k to localStorage... so compression was unnecessary, but what the hell. Problem: it would be obvious from exposed source that it was being called.
After a little more thought, I decide to override the addslashes and stripslashes functions and to do the compression/decompression from within those overrides.
I then minify the whole thing and stash it in the minified jquery file.
So, what LOOKS from exposed client side code to be a simple addslashes ends up compressing the JSON before putting it in localStorage. And what LOOKS like a stripslashes decompresses.
Now, the compression does some bit math that frankly is over my head, but the practical result is if you output the data compressed, it looks like mandarin and random characters. As a result, everything that can be seen in dev tools looks like the image.
So we GIVE the penetration team login credentials... they log in and start trying to crack it.
I sit and wait. Grinning as fuck.
Not even an hour goes by and they call an emergency meeting. I can barely contain laughter.
We get my PM and me and then several guys from their team on the line. They share screen and show the dev tools.
"We think you may have been compromised by a Chinese hacker!"
I mute and then die my ass off. Holy shit this is maybe the best thing I've ever done.
My PM, who has seen me use the JSON compression technique before and knows exactly whats up starts telling them about it so they don't freak out. And finally I unmute and manage a, "Guys... I'm standing right here." between gasped laughter.
If only it was more common to use video in these calls because I WISH I could have seen their faces.
Anyway, they calmed their attitude down, we told them how to decompress the localStorage, and then they still didn't find jack shit because i'm a fucking badass and even after we gave them keys to the login and gave them keys to my secret localStorage it only led to AWS Cognito protected async calls.
Anyway, that's the story of how I became a "Chinese hacker" and made a room full of penetration testers look like morons with a (reasonably) simple JS trick.
9 -
Let the student use their own laptops. Even buy them one instead of having computers on site that no one uses for coding but only for some multiple choice tests and to browse Facebook.
Teach them 10 finger typing. (Don't be too strict and allow for personal preferences.)
Teach them text navigation and editing shortcuts. They should be able to scroll per page, jump to the beginning or end of the line or jump word by word. (I am not talking vi bindings or emacs magic.) And no, key repeat is an antifeature.
Teach them VCS before their first group assignment. Let's be honest, VCS means git nowadays. Yet teach them git != GitHub.
Teach git through the command line. They are allowed to use a gui once they aren't afraid to resolve a merge conflict or to rebase their feature branch against master. Just committing and pushing is not enough.
Teach them test-driven development ASAP. You can even give them assignments with a codebase of failing tests and their job is to make them pass in the beginning. Later require them to write tests themselves.
Don't teach the language, teach concepts. (No, if else and for loops aren't concepts you god-damn amateur! That's just syntax!)
When teaching object oriented programming, I'd smack you if do inane examples with vehicles, cars, bikes and a Mercedes Benz. Or animal, cat and dog for that matter. (I came from a self-taught imperative background. Those examples obfuscate more than they help.) Also, inheritance is overrated in oop teachings.
Functional programming concepts should be taught earlier as its concepts of avoiding side effects and pure functions can benefit even oop code bases. (Also great way to introduce testing, as pure functions take certain inputs and produce one output.)
Focus on one language in the beginning, it need not be Java, but don't confuse students with Java, Python and Ruby in their first year. (Bonus point if the language supports both oop and functional programming.)
And for the love of gawd: let them have a strictly typed language. Why would you teach with JavaScript!?
Use industry standards. Notepad, atom and eclipse might be open source and free; yet JetBrains community editions still best them.
For grades, don't your dare demand for them to write code on paper. (Pseudocode is fine.)
Don't let your students play compiler in their heads. It's not their job to know exactly what exception will be thrown by your contrived example. That's the compilers job to complain about. Rather teach them how to find solutions to these errors.
Teach them advanced google searches.
Teach them how to write a issue for a library on GitHub and similar sites.
Teach them how to ask a good stackoverflow question :>6 -
No, listen to me. I cannot approve this PR because your code does not comply with our code style. All the imports and annotations must be sorted in ascending order by length. They must all make fir-like blocks of code. Because it looks nice.
Now go and fix your code
I just smiled and walked away to obfuscate my code with firs . I had no idea what to even say to that... I still don't14 -
Fuck brand builders, or, how I learned to start giving a shit and love devrant.
Brand builders are people who generally have very little experience and are attempting to obfuscate their dearth of ability behind a wall of non-academic content generation. Subscribe, like, build a following and everyone will happily overlook the fact that your primary contribution to society is spreading facile content that further obfuscates the need for fundamentals. Their carefully crafted presence is designed promote themselves and their success while chipping away at the apparent value of professional ability. At one point, I thought medium would be the bottom of the barrel; a glorified blog that provides people with scant knowledge, little experience and routinely low integrity a platform to build an echo chamber of replayed or copied content, techno-mysticism and best-practice-superstition they mistake for a brand in an environment where there's little chance of peer review. I thought it couldn't get any worse.
Then I found dev.to
Dev.to is what happens when all the absence of ability and skills insecurity on the internet gets together to form a censorship mob to ensure that no criticism, reality or peer review will ever filter into the ramblings of people intent on forever remaining at the peak of the dunning-kreuger curve. It's the long tail of YMCA trophy culture.
Take for example this article:
https://dev.to/davidepacilio/...
It's a shit post listicle by someone claiming to be "senior," who confidently states that "you are only as good as the tools you use." Meanwhile all the great minds of history are giving him the side-eye because they understand tools are just a magnifier of ability. If you're an amazing carpenter, power tools will help you produce at an exponential rate. If you're a shitty carpenter, your work will still be shit, there will just be more of it. The actual phrase that's being butchered here is "you're only as good as the tools you create." There's no moral superiority to be had in being dependent on a tool, that's just a crutch. A true expert or professional is someone who can create tools to aid in their craft. Being a professional is having a thorough enough understanding of the thing you are doing so as to be able to craft force multipliers that make your work easier, not just someone who uses them.
Ok, so what?
I'm sure he's a plenty fine human to grab drinks with, no ill will to him as a human. That said, were you to comment something to that effect on dev.to, you'd be reported by all the hangers-on pretty much immediately, regardless of how much complimentary padding and passive, welcoming language you wrap your message in. The problem with a bunch of weak people ganging up on the voice of reason and deciding they don't want things like constructive criticism, peer review, academic process or the scientific method is, after you remove all of that, you're just left with a formless sea of ideas and thoughts with no categorization, no order. You find a lot of opinions and nothing to challenge them and thereby are left with no mechanism for strong ideas to rise to the top. In that system, the "correct" ideas are by default those posited by the strongest personality.
We all need some degree of positive reinforcement. We also need to be smacked upside the head when we're totally off in the weeds. It's all about balance. The forums of ancient Greece weren't filled with people fervently agreeing with one another and shouting down new ideas en masse. We need discourse, not demagoguery.
Dev.to, medium, etc are all the fast fashion of the tech industry. Personally, I'd prefer something designed to last a little longer.30 -
For all those that saw my previous post about Facebook embedding tracking metadata into photos: I just released a website for my project that allows you to obfuscate the tracking data in your browser.
https://fbmdob.watzon.tech
Hopefully this is helpful to some people :)2 -
Holy mother of god, Signal is working on a feature which makes that the sender part of the metadata is not readable for them (of course you still have accounts but not sure how they obfuscate that part) anymore.
This is taking metadata protection to the next motherfucking level.3 -
We were running an obfuscator as part of our build pipeline, but also were not. I discovered we had disabled every rule, and after asking around it turns out that the obfuscator broke the app (because of reflection and things I won't go into).
So I turned it off.
An hour later the CTO came to me and said to put it back. "We have to obfuscate, put it back."
"But... it wasn't doing anything, other than slowing the build down."
"I don't care, we HAVE to run obfuscation. It's in our contract with the client."
...4 -
I just used booking.com and good fucking god is the whole website a shit infested hell hole. They use scammiest and pushiest techniques to make you book a place asap without giving you space to breathe and read details.
They try to obfuscate what's actually necessary with what they want to take from you. For example just before reserving a room there's a checkbox that's close enough to words "terms and conditions" and "privacy policy" for unsuspecting user to habitually check it to proceed. However, you clicking "reserve" is considered your consent and that checkbox simply adds your email to their spamming list.
There are countless examples of absolute asshole design within every inch of that place and I don't even want to imagine what they do with my data.
Suffice to say this was the first and last time I will use their services and if I were to give any advice, is "don't be the dick responsible for website/app/service similar to booking.com"5 -
>building the same app once again because of a bug
>look in the unity editor settings for android
>find "proguard"
>google it, find it might be useful to minify, obfuscate code and other stuff
>try to minify the shit of the app
>original app was 25.1MB
>minified app is 24.6MB
>minified app using "Gradle (Experimental)" is 24.5MB
2 -
At my last place we launched a new payment page and added logging.
Who ever set the logging up didn't obfuscate the user card details and stored them in the db for anyone with access to see. :-O1 -
Just a quick rant on JavaScript,
So there’s a lot of people hating javascript, and while not a long time ago i was part of them, but I changed my opinion a little.
I think JavaScript is a great way to deal with website programming as it is quick and efficient, but I would not say to program directly on it, use a js-compilable language (CoffeScript, TypeScript, Kotlin(I think), etc.), but then you might say: “Well, no need for js then, compile it in byte code”. That would break the point of how I see web design/dev. The main intent behind webpages is to have an easy and fast way to send code to other computers to render them, that’s why it is interpreted: “Easy to send” and “*All* computers can handle it” with the proper browser. You need to be able to change the way the website is rendered and/or works sometimes, for diverse reasons like copy/pasting data, make it render properly or use plugins/add-ons to change that code to suit your needs.
I think js should be kept as a “readable byte-code”, so that means: {
Keep comments when compiling the js-compilable code,
Add standardized machine-readable comments that will indicate to smart code viewers how to show a particular thing (Like have a higher-end function compiled in js shown as a minimized code with explanations of the function)
Keep it nicely formated and don’t obfuscate (coz that’s annoying)
Etc.
}
So you bypass the quirks and all that pesky js stuff, while keeping it’s good sides.
-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-
Part 2:
Web design for non-web:
Ok so things like node.js, electron, react-native and all that stuff; I won’t say they’re bad but...
Why we have this is because web designers wanted to make desktop apps and were like “Hey! Making web pages is easy! Let’s port it to desktop”, the problem is: Web technologies were made to work on a restricted canvas, aka a browser. It’s good on web for reasons mention earlier and more. But it’s not on desktop! You’re trying to push it outside of those boundaries. It’s difficult to make it break that canvas and go outside, make something that really works! For social media clients and that kind of stuff that you want to make a little more inclusive, yes! it’s a great idea (hello devrantron ;), but not if it’s an exact same copy of the website, just use the website. But for things that are supposed to really make use of YOUR computer; no!
I see those PWA (progressive webapps aka mobile app, but it’s an offline website”), I stand for the same positions, social media and those sort of things: yes, great idea! Games? 🤢.
I have way more to say but I have difficulties to remember them while reading, so feel free to comment your thoughts
Lol, “just a quick rant”1 -
Crypto. I've seen some horrible RC4 thrown around and heard of 3DES also being used, but luckily didn't lay my eyes upon it.
Now to my current crypto adventure.
Rule no.1: Never roll your own crypto.
They said.
So let's encrypt a file for upload. OK, there doesn't seem to be a clear standard, but ya'know combine asymmetric cipher to crypt the key with a symmetric. Should be easy. Take RSA and whatnot from some libraries. But let's obfuscate it a bit so nobody can reuse it. - Until today I thought the crypto was alright, but then there was something off. On two layers there were added hashes, timestamps or length fields, which enlarges the data to encrypt. Now it doesn't add up any more: Through padding and hash verification RSA from OpenSSL throws an error, because the data is too long (about 240 bytes possible, but 264 pumped in). Probably the lib used just didn't notify, silently truncating stuff or resorting to other means. Still investigation needed. - but apart from that: why the fuck add own hash verification, with weak non-cryptographic hashes(!) if the chosen RSA variant already has that with SHA-256. Why this sick generation of key material with some md5 artistic stunts - is there no cryptographically safe random source on Windows? Why directly pump some structs (with no padding and magic numbers) into the file? Just so it's a bit more fucked up?
Thanks, that worked.3 -
Not sure if i actually managed to fix it or fuckitup/obfuscate it even more, so people will still be debugging this shit in 20+ years.. 🤔1
-
So today I had to fiddle around with obfuscation software to obfuscate software we are going to release....
4 tries in and the software is still crashing with different exceptions each time....
And at the same moment this text came in to my mind:
"If software is working after obfuscation it's not obfuscated enough"2
Top Tags
Weekly Rant
View