How it is to be a dev in my country?

At bit of an odd question this week.

For me (in the USA), it's being technical support for *every* website my family uses.

Over the weekend my wife visited her aunt and I get a call.

Wife: "How do I create an ebay account?"
Me: "I don't like where this is going. We already have an account."
Wife: "Not for me, dummy, Aunt T. She found some books she wants to buy on ebay."
Me: "You go thru the process to create an account? Email, name, password, etc."
Wife: "We tried that, but it's not working."
<few seconds of silence>
Me: "Oookaaay...why isn't it working? Is there an error?"
Wife: "I don't know, we already clicked off of it. Something about the email."
<few more seconds of silence>
Me: "Can you reproduce the error and tell me?"
Wife: "Uggh..are you serious? We've done it like 10 times, its not working. Just tell me what I need to do."
Me: "If you can't tell me the error, I can't help you. I'm not there and can't see what you see."
Wife: "Stop being an asshole."
<Aunt T takes the phone>
T: "Said something about using another email address. Does that help you?"
Me: "Are you sure you don't already have a ebay account?"
T: "No, I don't think so. I hate ebay. but I really want these books. I don't want the same problems as last time."
Me: "Last time?"
T: "Yes, I bought a coffee cup on ebay from China and it never arrived."
Me: "OK, so you do have an account?"
T: "I don't know, I mean, I never got the cup."
Me: "What email address did you use? I'll send a 'remind me' email so you can reset the password and login"
<go thru the motions, she is able to login>
T: "Ahhh...I do have an account! There are the golf balls I bought for <husband> for Christmas."
<face smack>
Wife: "Why didn't you do this from the start? I thought you knew a lot about computers. We basically figured this out ourselves. Goodbye!"
<click>

Shitty call
Me: what do you want?

Q: I Lost my iphone

Me: (already pissed) ok,do you have an icloud account?

Q: Yes, but i forgot the password.

Me: what!?!, ok, fine, we will reset it, which is your ID?

Q: I lost it too.

*stay calm* *stay calm*

Me: I can't help you go to an apple store and ask there. *I Close the call*

*Add that number to blacklist*

My dad got a new phone over the weekend and asked me to help him set it up (TL;DR his IPhone broke, he likely cussed out someone on the phone and now he's on android).

Setting up his bank app, I asked for his password (I somehow knew asking a 80+ year old man password questions wouldn't end well)

<pulls a card out of his wallet>
Dad: "Here you go."
Me: "This is your business card?"
Dad: "Yep. Password is at the bottom. That way I never forget it."
Me: "Jeez dad, you shouldn't have your bank's password on a business card. You don't give these out to people, do you?"
Dad: "Sometimes. Hell, they won't know what that is. Its just a bunch of nonsense."

Luckily the password didn't work. He had to reset it when his IPhone messed up and didn't remember what he changed the password to.

OK I can't deal with this user anymore.

This morning I get a text. "My laptop isn't getting emails anymore I'm not sure if this is why?" And attached is a screenshot of an email purporting to be from "The <company name> Team". Which isn't even close to the sort of language our small business uses in emails. This email says that his O365 password will soon be expiring and he needs to download the attached (.htm) file so he can keep his password. Never mind the fact that the grammar is awful, the "from" address is cheesy and our O365 passwords don't expire. He went ahead and, in his words, "Tried several of his passwords but none of them worked." This is the second time in less than a year that he's done this and I thought we were very clear that these emails are never real, but I'll deal with that later.

I quickly log into the O365 admin portal and reset his password to a randomly-generated one. I set this to be permanent since this isn't actually a password he should ever be needing to type. I call him up and explain to him that it was a phishing email and he essentially just gave some random people his credentials so I needed to reset them. I then help him log into Outlook on his PC with the new password. Once he's in, he says "so how do I reset this temporary password?" I tell him that no, this is his permanent password now and he doesn't need to remember it because he shouldn't ever need to be typing it anyway. He says "No no no that won't work I can't remember this." (I smile and nod to myself at this point -- THAT'S THE IDEA). But I tell him when he is in the office we will store the password in a password manager in case he ever needs to get to it. Long pause follows. "Can't I just set it back to what it was so I can remember it?"

NO FUCKING GOOD NIGHT FOR FLOYD.

THIS MULTI FACTOR AUTHENTICATION IS A FUCKING NIGHTMARE.

So my organisation uses some MFA app as an SSO to access any and everything. Fantastic. Absolutely wonderful. No VPN shit and one password to rule them all.

But, for some reason I accidentally deleted the app from my phone and as any normal human being would do, I also reinstalled the app.

Well, post reinstalling, the app does not detect the linked Org account.

I was cool, when I'll login, the system will throw a prompt to map the phone.

So I login to org URL from my machine and lo and behold, the URL says that MFA is already linked to the phone and I have to enter the Citrix type code to login.

But phone does not show the code because account is no longer linked and web does not have option to change/re-register the phone.

What the actual unholy fuck?????? Bloody retards. How am I suppose to get in now?

So after a Googling for a bit, a thread mentioned that this is most common issue faced by users with this MFA app. The only way to get this resolved is to contact your IT team.

Cool. Let's do that.

I opened the link to my IT portal and it asks me to login via SSO which is what I need help with in first place.

I can't login to Slack because fuckers ask SSO every time the app is exited. So no contact there.

Thankfully bastards allow Outlook so was able to drop a note to one of my team member, whom I connected recently and is very nice, asking her to help me sort this IT team.

If this is the most common use case then why the fuck not add a feature to help people overcome this shit?

And my IT team is absolute nuts. No other way allowed to reset the linking or connect them or any help links provided on login page.

Whoever was behind this design should be dipped in donkey shit and deep fried in pig urine.

this just happened a few seconds ago and I am just laughing at the pathetic site that is Facebook. xD
4 years ago:
So I was quite a noobie gamer/hacker(sort of) back then and i had a habit of having multiple gmail/fb accounts, just for gaming, like accounts through which i can log in all at once in the same poker room, so 4/5 players in the game are me, or just some multiple accounts for clash of clans for donations.
I had 7-8 accounts back then. one had a name that translated to "may the dead remain in peace "@yahoomail.com . it was linked to fb using same initials. after sometime only this and 2 of my main accs were all i cared about.even today when i feel like playing, i sometimes use those accs.

2 years ago.
My dad is a simple man and was quite naive to modern techs and used to hang around with physical button nokia phones.But we had a business change, my father was now in a partnership in a restaurant where his daily work included a lot of sitting job and and casual working. So he bought a smartphone for some time pass.
He now wanted to download apps and me to teach him.I tried a lot to get him his own acc, but he couldn't remember his login credentials.
so at the end i added one of my own fake ID's(maythedead...) so he could install from playstore, watch vids on youtube and whatever.

The Actual Adventure starts now
Today, 1 hour ago:
I had completely forgot about this incident, since my parents are now quite modern in terms of tech.
But today out of nowhere i recieved an email that someone has JUST CHAINGED MY FB PASSWORD FOR ONE OF MY FAKE ACCS!?!??
what the hell, i know it was just a useless acc and i never even check my fb from any acc these days, but if someone could login into that acc, its not very difficult to track my main accs, id's, etc so i immediately opened this fb security portal and that's where the stupidity starts:

1)To recover your account they FUCKIN ASKS FOR A PHYSICAL ID. yeah, no email, no security question you have to scan your driving license or passport to get back to your account.And where would I get a license for some person named "may the dead remain in peace"? i simply went back.
2) tried another hack that i thought that will work.Closed fb help page, opened fb again , tried to login with my old credentials, it says" old password has been changed,please enter new password", i click forget password and they send an otp. i thought yes i won, because the number and recover mail id was mine only so i received it.
when i added the otp, i was first sent to a password change page (woohoo, i really won! :)) but then it sends me again to the same fuckin physical id verification page.FFFFFFFFFuck

3)I was sad and terrified that i got hacked.But 10 mins later a mail comes ,"Your Facebook password was reset using the email address on Tuesday, April 10, 2018 at 8:24pm (UTC+05:30)."
I tried clicking the links attached, hoping that the password i changed(point<2>) has actually done something to account.NADA, the account still needs a physical license to open:/

4) lost, i just login to my main account and lookup for my lost fake account. the fun part:my account has the display pic of my father?!!?!
So apparently, my father wanted to try facebook, he used the fake account i gave him to create one, fb showed him that this id already has an fb account attached to it and he accidently changed my password.MY FATHER WAS THE HACKER THE WHOLE TIME xD.
but response from fb?" well sir, if you want your virtually shitty account back , you first will have to provide us with all details of your bank transactions or your voter id card, maybe trump will like it"

The hand of IT guy in family

My family sees me as guy who works on IT stuff. The best part is that I will have to help them whenever they encounter problem regarding electronics in daily activities.

Son! The internet is not working
Son! The printer is not working
Son! The TV is not working
Son! My phone didnt get any signals
Son! The microwave is not working
Son! The TV remote is not working
Son! Why is this whatsapp popup always appear whenever I opened it
Son! The dvd player is not working
Son! My phone wont charged
Son! I want to buy online stuff
Son! The email that ur uncle sent me cannot be opened
Son! The email that ur aunt sent me is not there
Son! Can u help me download this travelling app
Son! I opened a website and it told me that I have 163718362 virus!
Son! I forget my password of my facebook account!
Son! Some guy idk on facebook added me as his/her friends, what should i do?
....
Son! The internet is not working (again)

The fact is that, most if these problem, I helped them by just.. restarting the router, reboot the router for 1 min interval, find specific toggler in disfunctional hardware that they accidentally hit during sweeping the floor, take out the power and put it back again, show them how to's in many account/payment mechanism in apps, etc

The very best part that whenever they satisfied, whenever things back to work again, whenever they can reset the password:

"I've tried what you told me, but it just didnt work, but idk when u did it, it works! you are really an IT guy"

And i was like
🙃

I forgot my password to my mindfactory account, one of Germany's biggest online vendor for computer components. So I go through the resetting process, which is:

- apply for password reset
- get a mail
- confirm the mail
(So far, so good)

- get a mail with a new CLEAR TEXT PASSWORD

Is this the stone age!?

You never send an email containing the cleartext! You never even store the password as is!
You, as the provider, should never be able to know what the actual password was.

All you are supposed to do is to generate a random salt, and hash the user's password with the salt, and then you only store the salt and the hash. And whenever a user inputs their password, all you do is to check if the you can recreate the hash with the help of the salt and your hash algorithm. (There are libraries for that!)

If a user wants to reset their password? Send them to a mail with link on where they can assign a new password.

At no point should the password ever be stored or transmitted in any other medium.

Lady comes over to my cube and stands silently until I notice her in the mirror. She cheerfully asks that I help her reset her password.

Okay...one, I'm buried up to my balls in work that needs to be done, and here she is camping, expecting me to feel a disturbance in The Force to help on her whim, when our company has an issue system for shit like this. 👊

Two, I'm 👏 a 👏 developer 👏! My sign says Software Engineer on it, which might give some context as to why she forgot her password.

Look, I was nice to her. But it seems like I'm getting more and more phone calls and surprise visits lately from people that I shouldn't be.

One day I helped another teacher with setting up his backend with the currently running Nginx reverse-proxy, peace of cake right?

Then I found out the only person with ssh access was not available, OK then just reset the root password and we're ready to go.

After going through that we vim'd into authorized_keys with the web cli, added his pub key and tried to ssh, no luck. While verifying the key we found out that the web cli had not parsed the key properly and basically fucked up the file entirely.

After some back and forth and trying everything we became grumpy, different browsers didn't help either and even caps lock was inverted for some reason. Eventually I executed plan B and vim'd into the ssh daemon's settings to enable root login and activate password authentication. After all that we could finally use ssh to setup the server.

What an adventure that was 😅

My coworker cannot log in to his company email account. So I contacted the guys in charge of this by email, asking if they could help and asked whats the process now or how does this work. I assume if his email is not working, they cannot send him a password reset link.

their answer: yeah, sure, we reseted the password of the mentioned user, here is his new password

So, I’ve been given the task of sorting the security out in an application plugging the holes and whatnot as to be honest it’s shocking haha. It doesn’t help that we automate security audits but that’s a different rant for another day.

We’re using devise for authentication (rails standard, ♥️ devise), we have no password resets through the login page, it has to be manually reset by ringing support, why who knows, even though it’s built into the gem and we allow the user to login using an username instead of an email because for whatever reason someone thought it was a bright idea to not have the email field mandatory.

So I hop onto a call with the BAs, basically I go that we need to implement password resets into the login page so the user can do it themselves and also to cut down support calls a ticket is already in place for it. So I go through the standardised workflow for resetting a password. My manager goes.

“I don’t think this will be very secure”

Wait.. what. Have you never reset a password before? It’s following the same protocol as every other app.

We go back and fourth and I said I’ll get it checked with security just to keep him happy.

The issue mainly is well we can’t implement password resets due to 100s of users not having an email on there account.. 🙃 so before we push this change we need to try and notice all users to set a unique email.

Updated the tickets. All dandy.

Looking at the PRs to see what security things have been done if any and turns out one of the devs in India has just written a migration to add the same default email to every user that doesn’t have an email present and yep it got merged. So I go revert the change but talk about taking a “we don’t care about security approach”.

Eventually we want to have the user reset their passwords and login using their email and someone goes a head and does that. Not to mention the security risk.

Jesus Christ I wonder why I bother sometimes.

Hey @dfox

I am unable to login or reset password on my original account @dr-ant

I tried resetting password but I never get the password reset email.

Can you please help?

Our government's "information and technology institution" ran a ctf yesterday. Their website was a whole template. And like 1 hour before ctf website approximately got 400-500k request and they've hit by a ddos. During the competition individual competitors couldn't log in their accounts due to "wrong password" and also password reset mails not sent.

One of the rules of the competition was that the questions were not leaked out during the contest. But some groups and individuals wanted help for questions on some hack forums. CTF is over and seems like script kiddies gonna win.

Shitstorm.

hey, so i have recently started learning about node js and express based backend development.

can you suggest some good github repositories that showcase real life backend systems which i can use as inspiration to learn about the tech?

like for eg, i want to create a general case solution for authentication and profile management : a piece of db+api end points + models to :

- authenticate user : login/signup , session expire, o auth 2 based login/signup, multi account login, role based access, forgot password , reset password, otp login , etc

- authorise user : jwt token authentication, ip whitelisting, ssl pinning , cors, certificate based authentication , etc (

- manage user : update user profile, delete user, map services , subscriptions and transactions to user , dynamic meta properties ( which can be added/removed for a single user and not exactly part of main user profile) , etc

followed by deployment and the assoc concepts involved : deployment, clusters, load balancers, sharding ,... etc

----

these are all the buzzwords that i have heard that goes into consideration when designing a secure authentication system for a particular large scale website like linkedin or youtube. am not even sure how many of these concepts would require actual codelines and how many would require something else.

so wanted inspiration from open source content to learn about it in depth, replicate and create new better stuff if possible .

apart from that, other backend architectures like video/images storage system, or just some server for movie, social media, blog website etc would also help.