Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
-
So today (or a day ago or whatever), Pavel Durov attacked Signal by saying that he wouldn't be surprised if a backdoor would be discovered in Signal because it's partially funded by the US government (or, some part of the us govt).
Let's break down why this is utter bullshit.
First, he wouldn't be surprised if a backdoor would be discovered 'within 5 years from now'.
- Teeny tiny little detail: THE FUCKING APP IS OPEN SOURCE. So yeah sure, go look through the code! Good idea! You might actually learn something from it as your own crypto seems to be broken! (for the record, I never said anything about telegram not being open source as it is)
sources:
http://cryptofails.com/post/...
http://theregister.co.uk/2015/11/...
https://security.stackexchange.com/...
- The server side code is closed (of signal and telegram both). Well, if your app is open source, enrolled with one of the strongest cryptographic protocols in the world and has been audited, then even if the server gets compromised, the hackers are still nowhere.
- Metadata. Signal saves the following and ONLY the following: timestamp of registration, timestamp of the last connection with the server (both rounded to the day so not on the second), your phone number and your contact details (if you authorize it) (only phone numbers) in HASHED (BCrypt I thought?) format.
There have been multiple telegram metadata leaks and it's pretty known that it saves way more than neccesary.
So, before you start judging an app which is open, uses one of the best crypto protocols in the world while you use your own homegrown horribly insecure protocol AND actually tries its best to save the least possible, maybe try to fix your own shit!
*gets ready for heavy criticism*19 -
Prologue
My dad has an acquaintance - let's call him Tom. Tom is an gynecologist, one of the best in Poznań, where I live. He's a great guy but absolutely can not into tech of any kind besides his iPhone and basic PC usage. For about a year now I've been doing small jobs for him - build a new PC for his office, fix printer, fix wifi, etc. He has made a big mistake few years ago by trusting a guy, let's call him Shitface, with crating him software for work. It's supposed to be pretty simple piece of code in which you can create and modify patient file, create prescription from drugs database and such things. This program is probably one of the worst pierces of code I've ever seen and Shitface should burn for that. Worse, this guy is pretentious asshole lacking even basic IT knowledge. His code is garbage and it's taking him few months to make small changes like text wrapping. But wait, there's more. Everything is hardcoded so every PC using this software must have installed user controls for which he doesn't have license and static IP address on network card.
Part 1
Tom asked me to build him a new PC that will be acting like a server for Shitface's program. He needs it in Kalisz (around 150 km from my place). I Agred (pun intended) and after Tom brought me his old computer I've bought parts and built a new one. I have also copied everything of value and everything took me around three hours.
Part 2
Everything was ready but Shitface's program. I didn't know much about it's configuration so when I've noticed that it's not working even on the old PC I got a bit worried. Nevertheless I started breaking everything I know about it and after next three hours I've got it somewhat working. Seeing that there's still some problems with database connection (from Windows' Event Viewer) I wrote quick SMS to Shitface asking what can be wrong. He replied that he won't be able to help me any way until Monday (day after deadline). I got pissed and very courteously asked him for source code because some of libraries used in this project has license that requires either purchase of commercial license or making code open source. He replied within few minutes that he'll be able to connect remotely within next 10 minutes. He was trying to make it work for the next hour but he succeeded. It was night before deadline so I wrapped everything up and went to bed thinking that it won't take me more than an hour to get this new PC up and running in the office. Boy was I wrong.
Also, curious about his code, I've checked source and he is using beautiful ponglish (mixed Polish and English) with mistakes he couldn't even bother to fix. For people from Poland, here's an example:
TerminarzeController.DeleteTerminarzShematyDlaLekarza
Part 3
So I drove to Kalisz and started working on making everything work. Almost everything was ready so after half an hour I was done. But I wanted to check twice if it's all good because driving so far second time would be a pain. So I started up Shitface's program, logged in, tried to open ANYTHING and... KABUM. UNHANDLED EXCEPTION. WTF. I checked trace and for fuck sake something was missing. Keep in mind that then I didn't know he's using some third party control for Windows Forms that needs to be installed on client PC. After next fifteen minutes of googling I've found a solution. I just had to install this third party software and everything will work. But... It had to be exactly this version and it was old. Very old. So old that producent already removed all traces of its existence from their web page and I couldn't find it anywhere. I tried installing never version and copying files from old PC but it didn't work. After few hours of searching for a solution I called Mr Shitface asking him for this control installation file. He told me that he has it but will be able to send it my way in the evening. Resigned I asked for this new PC to be left turned on and drove home. When he sent me necessary files I remotely installed them and everything started working correctly.
So, to sum it up. Searching for parts and building new PC, installing OS and all necessary software, updating everything and configuring it for Tom taste took me around what, 1/3 of time I spent on installing Mr Shitface's stupid program which Tom is not even happy with. Gotta say it was one of worst experiences I had in recent months. Hope I won't have to see this shit again.
Epilogue
Fortunately everything seems to work correctly. Tom hasn't called me yet with any problems. Mission accomplished. I wanna kill very specific someone. With. A. Spoon.1 -
A few weeks ago I stepped onto the grounds of lovely Canada. Back then - coming from Europe - I was surprised. Free WiFi everywhere without all the bells and whistles of creating an account and such.
Well ... at least I thought so ...
Today I went to a location where they actually charge you for their wireless services - fair enough the coverage area is pretty huge - and provide you with an access coupon. All good my optimistic me told me but once the login page loaded...
There are a lot of things about UX I could rant about but let's put that aside. The coupon came from the office where they KNEW all your contact details but it required you to create an account with all of them again to redeem the coupon.
Not only that but it asked for things like the phone number - obviously asking for a Canadian landline number since hell who uses mobiles anyway with numbers longer than ten characters?! - and even though it had a nice country selection it kept the states field there even when selecting a country that doesn't have states ...
Oh, and on a regular phone screen (which would be the target user for WiFi on a campground I suppose) the input fields for state and zip were occluded by the margins of the input rendering the content invisible.
And if that weren't enough after creating your account they made you watch an ad as if the personal data and the 4$ you paid them wasn't enough for the lousy 400 KB/s you get for 24h ...
Gets better though! After creating the account they display your password to make sure you remembered it ... over a non-secured WiFi network ... and send you an email afterward ... password via unencrypted mail via an unencrypted WIRELESS connection ... not that it protects anything that would matter anyways you can just snoop the MAC of your neighbor and get in that way or for that sake get their password but oh well ...
Gosh, sometimes I just feel the urgent need to find the ones responsible and tell them to GTFO of the IT world ...
Is it just me feeling like this about crappy UI/UX design? Always wondering...2 -
Long rant ahead.. 5k characters pretty much completely used. So feel free to have another cup of coffee and have a seat 🙂
So.. a while back this flash drive was stolen from me, right. Well it turns out that other than me, the other guy in that incident also got to the police 😃
Now, let me explain the smiley face. At the time of the incident I was completely at fault. I had no real reason to throw a punch at this guy and my only "excuse" would be that I was drunk as fuck - I've never drank so much as I did that day. Needless to say, not a very good excuse and I don't treat it as such.
But that guy and whoever else it was that he was with, that was the guy (or at least part of the group that did) that stole that flash drive from me.
Context: https://devrant.com/rants/2049733 and https://devrant.com/rants/2088970
So that's great! I thought that I'd lost this flash drive and most importantly the data on it forever. But just this Friday evening as I was meeting with my friend to buy some illicit electronics (high voltage, low frequency arc generators if you catch my drift), a policeman came along and told me about that other guy filing a report as well, with apparently much of the blame now lying on his side due to him having punched me right into the hospital.
So I told the cop, well most of the blame is on me really, I shouldn't have started that fight to begin with, and for that matter not have drunk that much, yada yada yada.. anyway he walked away (good grief, as I was having that friend on visit to purchase those electronics at that exact time!) and he said that this case could just be classified then. Maybe just come along next week to the police office to file a proper explanation but maybe even that won't be needed.
So yeah, great. But for me there's more in it of course - that other guy knows more about that flash drive and the data on it that I care about. So I figured, let's go to the police office and arrange an appointment with this guy. And I got thinking about the technicalities for if I see that drive back and want to recover its data.
So I've got 2 phones, 1 rooted but reliant on the other one that's unrooted for a data connection to my home (because Android Q, and no bootable TWRP available for it yet). And theoretically a laptop that I can put Arch on it no problem but its display backlight is cooked. So if I want to bring that one I'd have to rely on a display from them. Good luck getting that done. No option. And then there's a flash drive that I can bake up with a portable Arch install that I can sideload from one of their machines but on that.. even more so - good luck getting that done. So my phones are my only option.
Just to be clear, the technical challenge is to read that flash drive and get as much data off of it as possible. The drive is 32GB large and has about 16GB used. So I'll need at least that much on whatever I decide to store a copy on, assuming unchanged contents (unlikely). My Nexus 6P with a VPN profile to connect to my home network has 32GB of storage. So theoretically I could use dd and pipe it to gzip to compress the zeroes. That'd give me a resulting file that's close to the actual usage on the flash drive in size. But just in case.. my OnePlus 6T has 256GB of storage but it's got no root access.. so I don't have block access to an attached flash drive from it. Worst case I'd have to open a WiFi hotspot to it and get an sshd going for the Nexus to connect to.
And there we have it! A large storage device, no root access, that nonetheless can make use of something else that doesn't have the storage but satisfies the other requirements.
And then we have things like parted to read out the partition table (and if unchanged, cryptsetup to read out LUKS). Now, I don't know if Termux has these and frankly I don't care. What I need for that is a chroot. But I can't just install Arch x86_64 on a flash drive and plug it into my phone. Linux Deploy to the rescue! 😁
It can make chrooted installations of common distributions on arm64, and it comes extremely close to actual Linux. With some Linux magic I could make that able to read the block device from Android and do all the required sorcery with it. Just a USB-C to 3x USB-A hub required (which I have), with the target flash drive and one to store my chroot on, connected to my Nexus. And fixed!
Let's see if I can get that flash drive back!
P.S.: if you're into electronics and worried about getting stuff like this stolen, customize it. I happen to know one particular property of that flash drive that I can use for verification, although it wasn't explicitly customized. But for instance in that flash drive there was a decorative LED. Those are current limited by a resistor. Factory default can be say 200 ohm - replace it with one with a higher value. That way you can without any doubt verify it to be yours. Along with other extra security additions, this is one of the things I'll be adding to my "keychain v2".11 -
I miss old times rants...So i guess, here it goes mine:
Tomorrow is the day of the first demo to our client of a "forward-looking project" which is totally fucked up, because our "Technical Quality Assurance" - basically a developer from the '90-s, who gained the position by "he is a good guy from my last company where we worked together on sum old legacy project...".
He fucked up our marvellous, loose coupling, publish/subscribe microservice architecture, which was meant to replace an old, un-maintainable enormous monolitch app. Basically we have to replace some old-ass db stored functions.
Everyone was on our side, even the sysadmins were on our side, and he just walked in the conversation, and said: No, i don't like it, 'cause it's not clear how it would even work... Make it an RPC without loose coupling with the good-old common lib pattern, which made it now (it's the 4th 2 week/sprint, and it is a dependency hell). I could go on day and night about his "awesome ideas", and all the lovely e-mails and pull request comments... But back to business
So tomorrow is the demo. The client side project manager accidentally invited EVERYONE to this, even fucking CIO, legal department, all the designers... so yeah... pretty nice couple of swallowed company...
Today was a day, when my lead colleague just simply stayed home, to be more productive, our companys project manager had to work on other prjects, and can't help, and all the 3 other prject members were thinking it is important to interrupt me frequently...
I have to install our projects which is not even had a heart beat... not even on developer machines. Ok it is not a reeeeaaally big thing, but it is 6 MS from which 2 not even building because of tight coupling fucktard bitch..., But ok, i mean, i do my best, and make it work for the first time ever... I worked like 10 ours, just on the first fucking app to build, and deploy, run on the server, connect to db and rabbit mq... 10 FUCKING HOURS!!! (sorry, i mean) and it all was about 1, i mean ONE FUCKING LINE!
Let me explain: spring boot amqp with SSL was never tested before this time. I searched everything i could tought about, what could cause "Connection reset"... Yeah... not so helpful error message... I even have to "hack" into the demo server to test the keystore-truststore at localhost... and all the fucking configs, user names, urls, everything was correct... But one fucking line was missing...
EXCEPT ONE FUCKING LINE:
spring.rabbitmq.ssl.enabled=false # Whether to enable SSL support.
This little bitch took me 6 hours to figure out...so please guys, learn from my fault and check the spring boot appendix for default application properties, if everything is correct, but it is not working...
And of course, if you want SSL then ENABLE it...
spring.rabbitmq.ssl.enabled=true
BTW i really miss those old rants from angry devs, and i hope someone will smile on my fucking torture5 -
!rant
TODAY WAS A SUCCESS!
-learned how to forward ports
-hosting a minecraft server
-made that stupid HP stream USEFUL
-i actually feel good about myself
note: modded server. You'll need Mantle (1.7.10), Tinker's Construct (1.7.10) and Ultra Block Compression (1.7.10).
pretty sure whitelist is disabled. the max is 50 players, not sure how good the connection will be. be nice to the ops, YoungWolves and Mehrsun
ip: 66.243.225.51
(default port)
again please be polite, the two OPs are not techy at all, but very nice gals6 -
My failed interaction with a girl:
So I go to a convention at the university.
It's nice I'm having fun, I see a girl dressed as Hermione, she is cute so I go talk to her for a little we joke around I'm really starting to like her. Then I say bye and hang out with friends for the rest of the evening. I see her leaving so I run to her and after catching up to her I ask if I could have her phone number. She says yes and enters her number on my phone. I'm super happy. I excitedly wait for the next day's evening to message her. We message for a while the next day she messages good morning, so I think things are going well, she must like me too right ? I mean we glanced at each other at the convention, she gave me her phone number and messaged good morning so I'm pretty sure she does...
Turns out she doesn't, she says she thought I wanted to be friends...
WHAT ?! FRIENDS ?? Are you 12 ? What friend would run to you to get your phone number and after getting it there would be a stupid grin on his face ??? She looks at 9gag and doesn't know the most overly used meme of "friendzone" ? Unbelievable either she was screwing with me or she is just that socially dense. So after that I'm pretty mad but I don't say any mean things I just accept the fact like a gentleman and carry on with my life. But also feeling depressed after believing we actually had a connection. Ugh I guess back to the coal mines for me huh, stupid conventions 😒9 -
A connection was looking for a developer in the city my brother-in-law recently moved to (for my sister's career), so I connected them. They exchanged a couple of emails, and he has an on-site interview tomorrow!
He and I are both .Net developers, and I'm older/more experienced, so I offered to rearrange my schedule to help him with some interview prep tonight.
He said no, that he's pretty confident about things, that he'll do some studying and research on his own.
Good for him and his confidence, but I'm kinda salty that he didn't take me up on my offer. I'm pretty damn clever. How dare someone reject my offer for assistance?? I hope the interview goes well of course but if it doesn't I'm very much going to feel some silent "I told you so!"7 -
ZNC shenanigans yesterday...
So, yesterday in the midst a massive heat wave I went ahead, booze in hand, to install myself an IRC bouncer called ZNC. All goes well, it gets its own little container, VPN connection, own user, yada yada yada.. a nice configuration system-wise.
But then comes ZNC. Installed it a few times actually, and failed a fair few times too. Apparently Chrome and Firefox block port 6697 for ZNC's web interface outright. Firefox allows you to override it manually, Chrome flat out refuses to do anything with it. Thank you for this amazing level of protection Google. I didn't notice a thing. Thank you so much for treating me like a goddamn user. You know Google, it felt a lot like those plastic nightmares in electronics, ultrasonic welding, gluing shit in (oh that reminds me of the Nexus 6P, but let's not go there).. Google, you are amazing. Best billion dollar company I've ever seen. Anyway.
So I installed ZNC, moved the client to bouncer connection to port 8080 eventually, and it somewhat worked. Though apparently ZNC in its infinite wisdom does both web interface and IRC itself on the same port. How they do it, no idea. But somehow they do.
And now comes the good part.. configuration of this complete and utter piece of shit, ZNC. So I added my Freenode username, password, yada yada yada.. turns out that ZNC in its infinite wisdom puts the password on the stdout. Reminded me a lot about my ISP sending me my password via postal mail. You know, it's one thing that your application knows the plaintext password, but it's something else entirely to openly share that you do. If anything it tells them that something is seriously wrong but fuck! You don't put passwords on the goddamn stdout!
But it doesn't end there. The default configuration it did for Freenode was a server password. Now, you can usually use 3 ways to authenticate, each with their advantages and disadvantages. These are server password, SASL and NickServ. SASL is widely regarded to be the best option and if it's supported by the IRC server, that's what everyone should use. Server password and NickServ are pretty much fallback.
So, plaintext password, default server password instead of SASL, what else.. oh, yeah. ZNC would be a server, right. Something that runs pretty much forever, 24/7. So you'd probably expect there to be a systemd unit for it... Except, nope, there isn't. The ZNC project recommends that you launch it from the crontab. Let that sink in for a moment.. the fucking crontab. For initializing services. My whole life as a sysadmin was a lie. Cron is now an init system.
Fortunately that's about all I recall to be wrong with this thing. But there's a few things that I really want to tell any greenhorn developers out there... Always look at best practices. Never take shortcuts. The right way is going to be the best way 99% of the time. That way you don't have to go back and fix it. Do your app modularly so that a fix can be done quickly and easily. Store passwords securely and if you can't, let the user know and offer alternatives. Don't put it on the stdout. Always assume that your users will go with default options when in doubt. I love tweaking but defaults should always be sane ones.
One more thing that's mostly a jab. The ZNC software is hosted on a .in domain, which would.. quite honestly.. explain a lot. Is India becoming the next Chinese manufacturers for software? Except that in India the internet access is not restricted despite their civilization perhaps not being fully ready for it yet. India, develop and develop properly. It will take a while but you'll get there. But please don't put atrocities like this into the world. Lastly, I know it's hard and I've been there with my own distribution project too. Accept feedback. It's rough, but it is valuable. Listen to the people that criticize your project.9 -
This is high speed fiber optics internet everyone, the woman I called told me that the connection was pretty good, wtf kill me
8 -
After reading mostly sad (and astonishing!) stories, I didn't really want to share my story.. but still, here I am, trying to contribute a wholesome story.
For me, this whole story started very early. I can't tell how old I was but I'm going to guess I was about 5 or 6, when my mom did websites for a small company, which basically consisted of her and.. that's it. She did pretty impressive stuff (for back then) and I was allowed to watch her do stuff sometimes.
Being also allowed to watch her play Sims and other games, my interest in computer science grew more and more and the wish to create "something that draws some windows on the screen and did stuff" became more real every day.
I started to read books about HTML, CSS and JS when I was around 10 or something. And I remember as it was yesterday: After finishing the HTML book I thought "Well that's easy. Why is this something people pay for?" - Then I started reading about CSS. I did not understand a single thing. Nothing made sense for me. I read the pages over and over again and I couldn't really make any sense of it (Mind you, I didn't have a computer back then, I just had a few hours a week on MOM-PC ^^)
But I really wanted to know how all this pretty-looking stuff worked and I tried to read it again around 1 year later. And I kid you not, it was a whole different book. It all made sense now. And I wrote my first markups with stylings and my dream became more and more reality. But there was one thing lacking. Back in the days, when there was no fancy CSS3. It was JavaScript. Long story short: It - again - made no fucken sense to me what the books told me.
Fast forward a few years, I was about 14. JavaScript was my fucken passion, I loved it. When I had no clue about CSS, I'd always ask my mom for tips. (Side story: These days it's the other way around, she asks me for tips. And it makes me unbelievably proud!)
But there was something missing. All this newschool canvas-stuff wasn't done back then and I wanted more. More possibilities, more performance, more everything.
Stuff begun to become wild. My stepdad (we didn't have the best connection) studied engineering back then, so he had to learn C. With him having this immensely thick book for C, I began to read it and got to know the language. I fell in love again. C was/is fucken awesome.
I made myself some calculators for physics and some other basic stuff and I had much fun using and learning it. I even did some game development, when I heard about people making C-coded games for PSP. Oh boy, the nights I spent in IRCs chatting with people about C, PSP-programming and all that good stuff, I'll never forget it - greatest time of my life!
But I got back to JS more and more and today I do it for money and I love it. I'll never forget my roots and my excurse into the C/C++ world and I'm proud to say, that I was able to more or less grow up with coding and the mindset that comes with it.1 -
I remember playing games like wolfenstein3D, supaplex, sokoban etc. on our family computer 486 which had as I remember around 100mhz processor. (120mhz in TURBO mode)
Yeah and I did created a few levels in wolfenstein, there was a simple editor.
From programming view I did code my first website only using html and inline css in early 2000s. However internet was a thing of a rich people back then (in my country), so my brother downloaded the whole website with docs and basics of html/css/js for me in collage. My first website was coded on 300mhz pentium2 (or 3?) with no internet connection, took me about a two months to complete and was total mess. But was graphically satisfying with nice gifs which took tens od seconds to download. Main container had 600px width and looked pretty good on my 800x600 resolution.
I still remember messing with BOM signature because of notepad could not save a file without BOM. Leaving all utf8 chars as mess after saving.
Good old times. -
I hate the elasticsearch backup api.
From beginning to end it's an painful experience.
I try to explain it, but I don't think I will be able to cover it all.
The core concept is:
- repository (storage for snapshots)
- snapshots (actual backup)
The first design flaw is that every backup in an repository is incremental. ES creates an incremental filesystem tree.
Some reasons why this is a bad idea:
- deletion of (older) backups is slow, as newer backups need to be checked for integrity
- you simply have to trust ES that it does the right thing (given the bugs it has... It seems like a very bad idea TM)
- you have no possibility of verification of snapshots
Workaround... Create many repositories as each new repository forces an full backup.........
The second thing: ES scales. Many nodes / es instances form a cluster.
Usually backup APIs incorporate these in their design. ES does not.
If an index spans 12 nodes and u use an network storage, yes: a maximum of 12 nodes will open an eg NFS connection and start backuping.
It might sound not so bad with 12 nodes and one index...
But it get's pretty bad with 100s of indexes and several dozen nodes...
And there is no real limiting in ES. You can plug a few holes, but all in all, when you don't plan carefully your backups, you'll get a pretty f*cked up network congestion.
So traffic shaping must be manually added. Yay...
The last thing is the API itself.
It's a... very fragile thing.
Especially in older ES releases, the documentation is like handing you a flex instead of toilet paper for a wipe.
Documentation != API != Reality.
Especially the fault handling left me more than once speechless...
Eg:
/_snapshot/storage/backup
gives you a state PARTIAL
/_snapshot/storage/backup/_status
gives you a state SUCCESS
Why? The first one is blocking and refers to the backup status itself. The second one shouldn't be blocking and refers to the backup operation.
And yes. The backup operation state is SUCCESS, while the backup state might be PARTIAL (hence no full backup was made, there were errors).
So we have now an additional API that we query that then wraps the API of elasticsearch. With all these shiny scary workarounds like polling, since some APIs are blocking which might lead to a gateway timeout...
Gateway timeout? Yes. Since some operations can run a LONG (multiple hours) time and you don't want to have a ton of open connections hogging resources... You let the loadbalancer kill it. Most operations simply run in ES in the background, while the connection was killed.
So much joy and fun, isn't it?
Now add the latest SMR scandal and a few faulty (as in SMR instead of CMD) hdds in a hundred terabyte ZFS pool and you'll get my frustration level.
PS: The cluster has several dozen terabyte and a lot od nodes. If you have good advice, you're welcome - but please think carefully about this fact.
I might have accidentially vaporized people sending me links with solutions that don't work on large scale TM.2 -
To work from home, I recently bought an internet connection at home. It has pretty good speed and is affordable for the base plan. The speed is around ~ 35 Mbps. Never had that fast internet in my life.
Now I have this sudden urge to buy a console and start gaming. That would require me to also buy a TV screen. So I'm now dealing with a temptation that would cost me atleast $500 in total.
This corona better stop soon...3
Top Tags
Weekly Rant
View