Meanwhile at NSA:

Alice: Uhm... Bob? I lost my SSH key...
Bob: *facepalms*
Alice: ... but i still have the public key! Could you please recalculate the private one for me?
Bob: Sure, give me a second. I'll fax it to you when it's ready.

Me: *wakes up from nightmare*

"Coding is solving puzzles".

I think everyone has heard that platitude. But it's not exactly right.

So I grew up in a very poor environment, a moldy building full of jobless addicts.

And in my town there was this shop where super poor parents could take their kids to borrow free toys and stuff.

So as a kid I remember being frustrated by these second hand jigsaw puzzles, because there were always a few pieces which had been teared up or chewed on, or were even completely missing.

That is what development is.

You pull in this seemingly awesome composer package, and that one super useful method is declared private, so you need to fork the whole thing.

Your coworker has built this great microservice in python, but instead of returning 404 not found, it returns 200 with json key/value saying "error": "not found".

There's a shitload of nicely designed templates for the company website, but half of them have container divs inside the components, the other half expect to be wrapped in container divs when included.

You're solving puzzles, but your peers are all brainless jigsaw-piece-chewers. They tried to mend a problem, but half way through got distracted, hungry and angry, started drooling over the task and used a hammer to fit in the remaining stuff.

Me and co-worker, working with firebase.

Co-worker: Hey man, I need the private key for the server.

Me: Why?

Co-worker: I need to put it in the client so that I can authenticate.

Me: No.

Co-worker: But this guide tells me ...

Me: No

Co-worker: ... that I need it to create tokens so I can log in.

Me: ... No.

Co-worker: But the guide..

Me: If the guide would ask you to kill yourself, would you?

Co-worker: No but..

*I walk over*

Me: This isn't even related to what we are doing. You can see it in the title.

Me: Did you read the title of this post?

Co-worker: No.

This facts are killing me

"During his own Google interview, Jeff Dean was asked the implications if P=NP were true. He said, "P = 0 or N = 1." Then, before the interviewer had even finished laughing, Jeff examined Google’s public certificate and wrote the private key on the whiteboard."

"Compilers don't warn Jeff Dean. Jeff Dean warns compilers."

"gcc -O4 emails your code to Jeff Dean for a rewrite."

"When Jeff Dean sends an ethernet frame there are no collisions because the competing frames retreat back up into the buffer memory on their source nic."

"When Jeff Dean has an ergonomic evaluation, it is for the protection of his keyboard."

"When Jeff Dean designs software, he first codes the binary and then writes the source as documentation."

"When Jeff has trouble sleeping, he Mapreduces sheep."

"When Jeff Dean listens to mp3s, he just cats them to /dev/dsp and does the decoding in his head."

"Google search went down for a few hours in 2002, and Jeff Dean started handling queries by hand. Search Quality doubled."

"One day Jeff Dean grabbed his Etch-a-Sketch instead of his laptop on his way out the door. On his way back home to get his real laptop, he programmed the Etch-a-Sketch to play Tetris."

"Jeff Dean once shifted a bit so hard, it ended up on another computer. "

-------BEGIN PRIVATE KEY-------

A US senator or judge or whatever his title is said today that he wants companies/governments to build a 'responsible encryption' system.

Preferably that would exist out of a big ass database which stores the private keys of citizens so in case a person loses their private key or the government needs access to encrypted content, that is possible.

NOO, WHAT COULD FUCKING POSSIBLY GO WRONG!?!?!

Seriously those kind of people should not be allowed to have the kind of positions they have.

This shit makes me so angry.

Found a private api key on a github project. Created a pull request with key changed to “TH1S5HOULDB3SECR3T!iMBECIL5“ comment was “security fix“ i wonder if they accept

Forgot the password of the private key used to login to all my vpn servers.

Now I’ve got to generate a new one and deploy it everywhere again through this shitty control panel for every server fucking manually.

🤬

Why thank you, I'd love you private key random person on stack overflow

Dear outsourced developers. Don't send me your private SSH key by email. I don't need it, it allows me to access anything else you can access pretending I'm you, and it shows a misunderstanding of how SSH keys work. 🤦🏻‍♂️

AES256. The private key was in a config file... in Github.

Holy crap.. The intern just pushed the private key to his own VPS to the firmwide git server...

Actual rant time. And oh boy, is it pissy.

If you've read my posts, you've caught glimpses of this struggle. And it's come to quite a head.

First off, let it be known that WINDOWS Boot Manager ate GRUB, not the other way around. Windows was the instigator here. And when I reinstalled GRUB, Windows threw a tantrum and won't boot anymore. I went through every obvious fix, everything tech support would ever think of, before I called them. I just got this laptop this week, so it must be in warranty, right? Wrong. The reseller only accepts it unopened, and the manufacturer only covers hardware issues. I found this after screaming past a pretty idiotic 'customer representative' ("Thank you for answering basic questions. Thank you for your patience. Thank you for repeating obvious information I didn't catch the first three times you said it. Thank you for letting me follow my script." For real. Are you tech support, or emotional support? You sound like a middle school counselor.) to an xkcd-shibboleth type 'advanced support'. All of this only to be told, "No, you can't fix it yourself, because we won't give you the license key YOU already bought with the computer." And we already know there's no way Microsoft is going to swoop in and save the day. It's their product that's so faulty in the first place. (Debian is perfectly fine.)

So I found a hidden partition with a single file called 'Image' and I'm currently researching how to reverse-engineer WIM and SWM files to basically replicate Dell's manufacturing process because they won't take it back even to do a simple factory reset and send it right back.

What the fuck, Dell.

As for you, Microsoft, you're going to make it so difficult to use your shit product that I have to choose between an arduous, dangerous, and likely illegal process to reclaim what I ALREADY BOUGHT, or just _not use_ a license key? (Which, there's no penalty for that.) Why am I going so far out of my way to legitimize myself to you, when you're probably selling backdoors and private data of mine anyway? Why do I owe you anything?

Oh, right. Because I couldn't get Fallout 3 to run in Wine. Because the game industry follows money, not common sense. Because you marketed upon idiocy and cheapness and won a global share.

Fuck you. Fuck everything. Gah.

VS Code is pretty good, though.

I really, honestly, am getting annoyed when someone tells me that "Linux is user-friendly". Some people seem to think that because they themselves can install Linux, that anyone can, and because I still use Windows I'm some sort of a noob.

So let me tell you why I don't use Linux: because it never actually "just works". I have tried, at the very least two dozen times, to install one distro or another on a machine that I owned. Never, not even once, not even *close*, has it installed and worked without failing on some part of my hardware.

My last experience was with Ubuntu 17.04, supposed to have great hardware and software support. I have a popular Dell Alienware machine with extremely common hardware (please don't hate me, I had a great deal through work with an interest-free loan to buy it!), and I thought for just one moment that maybe Ubuntu had reached the point where it just, y'know, fucking worked when installing it... but no. Not a chance.

It started with my monitors. My secondary monitor that worked fine on Windows and never once failed to display anything, simply didn't work. It wasn't detected, it didn't turn on, it just failed. After hours of toiling with bash commands and fucking around in x conf files, I finally figured out that for some reason, it didn't like my two IDENTICAL monitors on IDENTICAL cables on the SAME video card. I fixed it by using a DVI to HDMI adapter....

Then was my sound card. It appeared to be detected and working, but it was playing at like 0.01% volume. The system volume was fine, the speaker volume was fine, everything appeared great except I literally had no fucking sound. I tried everything from using the front output to checking if it was going to my display through HDMI to "switching the audio sublayer from alsa to whatever the hell other thing exists" but nothing worked. I gave up.

My mouse? Hell. It's a Corsair Gaming mouse, nothing fancy, it only has a couple extra buttons - none of those worked, not even the goddamn scrollwheel. I didn't expect the *lights* to work, but the "back" and "Forward" buttons? COME ON. After an hour, I just gave up.

My media keyboard that's like 15 years old and is of IBM brand obviously wasn't recognized. Didn't even bother with that one.

Of my 3 different network adapters (2 connectors, one wifi), only one physical card was detected. Bluetooth didn't work. At this point I was so tired of finding things that didn't work that I tried something else.

My work VPN... holy shit have you ever tried configuring a corporate VPN on Linux? Goddamn. On windows it's "next next next finish then enter your username/password" and on Linux it's "get this specific format TLS certificate from your IT with a private key and put it in this network conf and then run this whatever command to...." yeah no.

And don't get me started on even attempting to play GAMES on this fucking OS. I mean, even installing the graphic drivers? Never in my life have I had to *exit the GUI layer of an OS* to install a graphic driver. That would be like dropping down to MS-DOS on Windows to install Nvidia drivers. Holy shit what the fuck guys. And don't get me started on WINE, I ain't touching this "not an emulator emulator" with a 10-foot pole.

And then, you start reading online for all these problems and it's a mix of "here are 9038245 steps to fix your problem in the terminal" and "fucking noob go back to Windows if you can't deal with it" posts.

It's SO FUCKING FRUSTRATING, I spent a whole day trying to get a BASIC system up and running, where it takes a half-hour AT MOST with any version of Windows. I'm just... done.

I will give Ubuntu one redeeming quality, however. On the Live USB, you can use the `dd` command to mirror a whole drive in a few minutes. And when you're doing fucking around with this piece of shit OS that refuses to do simple things like "playing audio", `dd` will restore Windows right back to where it was as if Ubuntu never existed in the first place.

Thanks, `dd`. I wish you were on Windows. Your OS is the LEAST user friendly thing I've ever had to deal with.

Wow... this is the perfect week for this topic.

Thursday, is the most fucked off I’ve ever been at work.

I’ll preface this story by saying that I won’t name names in the public domain to avoid anyone having something to use against me in court. But, I’m all for the freedom of information so please DM if you want to know who I’m talking about.

Yesterday I handed in my resignation, to the company that looked after me for my first 5 years out of university.

Thursday was my breaking point but to understand why I resigned you need a little back story.

I’m a developer for a corporate in a team of 10 or so.

The company that I work for is systemically incompetent and have shown me this without fail over the last 6 months.

For the last year we’ve had a brilliant contracted, AWS Certified developer who writes clean as hell hybrid mobile apps in Ion3, node, couch and a tonne of other up to the minute technologies. Shout out to Morpheus you legend, I know you’re here.

At its core my job as a developer is to develop and get a product into the end users hands.

Morpheus was taking some shit, and coming back to his desk angry as fuck over the last few months... as one of the more experienced devs and someone who gives a fuck I asked him what was up.

He told me, company want their mobile app that he’s developed on internal infrastructure... and that that wasn’t going to work.

Que a week of me validating his opinion, looking through his work and bringing myself up to speed.

I came to the conclusion that he’d done exactly what he was asked to, brilliant Work, clean code, great consideration to performance and UX in his design. He did really well. Crucially, the infrastructure proposed was self-contradicting, it wouldn’t work and if they tried to fudge it in it would barely fucking run.

So I told everyone I had the same opinion as him.

4 months of fucking arguing with internal PMs, managers and the project team go by... me and morpheus are told we’re not on the project.

The breaking point for me came last Wednesday, given no knowledge of the tech, some project fannies said Morpheus should be removed and his contract terminated.

I was up in fucking arms. He’d done everything really well, to see a fellow developer take shit for doing his job better than anyone else in [company] could was soul destroying.

That was the straw on the camels back. We don’t come to work to take shit for doing a good job. We don’t allow our superiors to give people shit in our team when they’re doing nothing but a good job. And you know what: the opinion of the person that knows what they’re talking about is worth 10 times that of the fools who don’t.

My manager told me to hold off, the person supposed to be supporting us told me to stand down. I told him I was going to get the app to the business lead because he fucking loves it and can tell us if there’s anything to change whilst architecture sorts out their outdated fucking ideas.

Stand down James. Do nothing. Don’t do your job. Don’t back Morpheus with his skills and abilities well beyond any of ours. Do nothing.

That was the deciding point for me, I said if Morpheus goes... I go... but then they continued their nonsense, so I’m going anyway.

I made the decision Thursday, and Friday had recruiters chomping at the bit to put the proper “senior” back in my title, and pay me what I’m worth.

The other issues that caused me to see this company in it’s true form:
- I raised a key security issue, documented it, and passed it over to the security team.
- they understood, and told the business users “we cannot use ArcGIS’ mobile apps, they don’t even pretend to be secure”
- the business users are still using the apps going into the GDPR because they don’t understand the ramifications of the decisions they’re making.

I noticed recently that [company] is completely unable to finish a project to time or budget... and that it’s always the developers put to blame.

I also noticed that middle management is in a constant state of flux with reorganisations because in truth the upper managers know they need to sack them.

For me though, it was that developers in [company], the people that know what they’re talking about; are never listened to.

Fuck being resigned to doing a shit job.

Fuck this company. On to one that can do it right.

Morpheus you beautiful bastard I know you’ll be off soon too but I also feel I’ve made a friend for life. “Private cloud” my arse.

Since making the decision Thursday I feel a lot more free, I have open job offers at places that do this well. I have a position of power in the company to demand what I need and get it. And I have the CEO and CTO’s ears perking up because their department is absolutely shocking.

Freedom is a wonderful feeling.

I just can't understand what will lead an so called Software Company, that provides for my local government by the way, to use an cloud sever (AWS ec2 instance) like it were an bare metal machine.

They have it working, non-stop, for over 4 years or so. Just one instance. Running MySQL, PostgreSQL, Apache, PHP and an f* Tomcat server with no less than 10 HUGE apps deployed. I just can't believe this instance is still up.

By the way, they don't do backups, most of the data is on the ephemeral storage, they use just one private key for every dev, no CI, no testing. Deployment are nightmares using scp to upload the .war...

But still, they are running several several apps for things like registering citizen complaints that comes in by hot lines. The system is incredibly slow as they use just hibernate without query optimizations to lookup and search things (n+1 query problems).

They didn't even bother to get a proper domain. They use an IP address and expose the port for tomcat directly. No reverse proxy here! (No ssl too)

I've been out of this company for two years now, it was my first work as a developer, but they needed help for an app that I worked on during my time there. I was really surprised to see that everything still the same. Even the old private key that they emailed me (?!?!?!?!) back then still worked. All the passwords still the same too.

I have some good rants from the time I was there, and about the general level of the developers in my region. But I'll leave them for later!

Is it just me or this whole shit is crazy af?

I was working as a contractor for a client who just got enough funding to hire a full-time dev. I lovingly referred to him as "Mr. Koolaid" because he was obsessed with whatever the newest hotness was and cried constantly about how the 3-year-old code-base didn't use The Next Big Thing(tm). This was my first interaction with him:

Mr. Koolaid: I'd like access to the github repository. My username is xxxx.

Me: We currently aren't hosting the code on github. If you send me your public ssh key, I'll get you access to the private server.

Mr. Koolaid: I'd like to access the github repository.

Me: It's not on github; send me your public key and I'll get you access.

Mr. Koolaid: Can we skype real quick? You don't need my public key to grant me access to the github repo.

*Mr. Koolaid proceeds to forward me github's documentation on adding users to an organization and the documentation for adding users to a private repo. The email is written in a very passive-aggressive tone.*

ಠ_ಠ

Worst WTF dev experience? The login process from hell to a well-fortified dev environment at a client's site.
I assume a noob admin found a list of security tips and just went like "all of the above!".

You boot a Linux VM, necessary to connect to their VPN. Why necessary? Because 1) their VPN is so restrictive it has no internet access 2) the VPN connection prevents *your local PC* from accessing the internet as well. Coworkers have been seen bringing in their private laptops just to be able to google stuff.
So you connect via Cisco AnyConnect proprietary bullshit. A standard VPN client won't work. Their system sends you a one-time key via SMS as your password.

Once on their VPN, you start a remote desktop session to their internal "hopping server", which is a Windows server. After logging in with your Windows user credentials, you start a Windows Remote Desktop session *on that hopping server* to *another* Windows server, where you login with yet another set of Windows user credentials. For all these logins you have 30 seconds, otherwise back to step 1.
On that server you open a browser to access their JIRA, GitLab, etc or SSH into the actual dev machines - which AGAIN need yet another set of credentials.

So in total: VM -> VPN + RDP inside VM -> RDP #2 -> Browser/SSH/... -> Final system to work on
Input lag of one to multiple seconds. It was fucking unusable.

Now, the servers were very disconnect-happy to prevent anything "fishy" going on. Sitting at my desk at my company, connected to my company's wifi, was apparently fishy enough to kick me out every 5 to 20 minutes. And that meant starting from step 1 inside the VM again. So, never forget to plugin your network cable.

There's a special place in hell for this admin. And if there isn't, I'll PERSONALLY make the devil create one. Even now that I'm not even working on this any more.

So that happened. Don't want to be the responsible for leaking my company's private key.

Deleted the only copy of a private key file tonight.

Working on a database priorly designed and maintained by some private agency.

The fuck I'm dealing with!

Boolean values stored as 'TRUE'/'FALSE'. It's varchar, my dudes.

There are no FK relations. Just the values of IDs in a column.

There are no indexes, all on just the PKs, nothing else. Nothing.

Null, what's that? I'm dealing with 'N/A', my dudes.

Unique key, what's that? The table which stores users has all the fields nullable. Email is not unique ( even though that's the required behaviour).

ALL the numeric values are stored as varchar. Varchar, my dudes. Varchar. '1', '1.1'

And finally, the good ole, 1 table to rule them all. Normalisation, fuck that.

And what's the root cause of all this? My PM used to hand them Excel sheets she maintains on her local system. FTW. I don't have a enough explanations.

Why nobody uses public/private key authentication for ssh and disable password auth?

Am I the only one around here doing this?

The solution for this one isn't nearly as amusing as the journey.

I was working for one of the largest retailers in NA as an architect. Said retailer had over a thousand big box stores, IT maintenance budget of $200M/year. The kind of place that just reeks of waste and mismanagement at every level.

They had installed a system to distribute training and instructional videos to every store, as well as recorded daily broadcasts to all store employees as a way of reducing management time spend with employees in the morning. This system had cost a cool 400M USD, not including labor and upgrades for round 1. Round 2 was another 100M to add a storage buffer to each store because they'd failed to account for the fact that their internet connections at the store and the outbound pipe from the DC wasn't capable of running the public facing e-commerce and streaming all the video data to every store in realtime. Typical massive enterprise clusterfuck.

Then security gets involved. Each device at stores had a different address on a private megawan. The stores didn't generally phone home, home phoned them as an access control measure; stores calling the DC was verboten. This presented an obvious problem for the video system because it needed to pull updates.

The brilliant Infosys resources had a bright idea to solve this problem:

- Treat each device IP as an access key for that device (avg 15 per store per store).
- Verify the request ip, then issue a redirect with ANOTHER ip unique to that device that the firewall would ingress only to the video subnet
- Do it all with the F5

A few months later, the networking team comes back and announces that after months of work and 10s of people years they can't implement the solution because iRules have a size limit and they would need more than 60,000 lines or 15,000 rules to implement it. Sad trombones all around.

Then, a wild DBA appears, steps up to the plate and says he can solve the problem with the power of ORACLE! Few months later he comes back with some absolutely batshit solution that stored the individual octets of an IPV4, multiple nested queries to the same table to emulate subnet masking through some temp table spanning voodoo. Time to complete: 2-4 minutes per request. He too eventually gives up the fight, sort of, in that backhanded way DBAs tend to do everything. I wish I would have paid more attention to that abortion because the rationale and its mechanics were just staggeringly rube goldberg and should have been documented for posterity.

So I catch wind of this sitting in a CAB meeting. I hear them talking about how there's "no way to solve this problem, it's too complex, we're going to need a lot more databases to handle this." I tune in and gather all it really needs to do, since the ingress firewall is handling the origin IP checks, is convert the request IP to video ingress IP, 302 and call it a day.

While they're all grandstanding and pontificating, I fire up visual studio and:

- write a method that encodes the incoming request IP into a single uint32
- write an http module that keeps an in-memory dictionary of uint32,string for the request, response, converts the request ip and 302s the call with blackhole support
- convert all the mappings in the spreadsheet attached to the meetings into a csv, dump to disk
- write a wpf application to allow for easily managing the IP database in the short term
- deploy the solution one of our stage boxes
- add a TODO to eventually move this to a database

All this took about 5 minutes. I interrupt their conversation to ask them to retarget their test to the port I exposed on the stage box. Then watch them stare in stunned silence as the crow grows cold.

According to a friend who still works there, that code is still running in production on a single node to this day. And still running on the same static file database.

#TheValueOfEngineers

I love how the Keybase Linux client installs itself straight into /keybase. Unix directory structure guidelines? Oh no, those don't apply to us. And after uninstalling the application they don't even remove the directory. Leaving dirt and not even having the courtesy to clean it up. Their engineers sure are one of a kind.

Also, remember that EFAIL case? I received an email from them at the time, stating some stuff that was about as consistent as their respect for Unix directory structure guidelines. Overtyping straight from said email here:

[…] and our filesystem all do not use PGP.
> whatever that means.

The only time you'll ever use PGP encryption in Keybase is when you're sitting there thinking "Oh, I really want to use legacy PGP encryption."
> Legacy encryption.. yeah right. Just as legacy as Vim is, isn't it?

You have PGP as part of your cryptographic identity.
> OH REALLY?! NO SHIT!!! I ACTIVELY USED 3 OS'S AND FAILED ON 2 BECAUSE OF YOUR SHITTY CLIENT, JUST TO UPLOAD MY FUCKING PUBLIC KEY!!!

You'll want to remove your PGP key from your Keybase identity.
> Hmm, yeah you might want to do so. Not because EFAIL or anything, just because Keybase clearly is a total failure on all levels.

Written quickly,
the Keybase team
> Well that's fucking clear. Could've taken some time to think before hitting "Send" though.

Don't get me wrong, I love the initiatives like this with all my heart, and greatly encourage secure messaging that leverages PGP. But when the implementation sucks this much, I start to ask myself questions about whether I should really trust this thing with my private conversations. Luckily I refrained from uploading my private key to their servers, otherwise I would've been really fucked.

Just need to get this off my chest. Started a new job 3 weeks ago at a company that has been around ~18 years, it is only recently that they have started to grow more rapidly. I was brought in under the guise that they wanted to embrace change and better practices and so said I was up for the challenge.

In my 2nd week I was asked to produce a document on tackling the technical debt and an approach to software development in the future for 3 consultants who were coming in to review the development practices of the company on behalf of the private equity firm who has taken a major stake in the company. I wrote the document trying to be factual about the current state and where I wanted to go, key points being:

Currently a tightly coupled monolith with little separation of concerns (73 projects in one solution but you have to build two other solutions to get it to build because there are direct references.).

Little to no adherence to SOLID principles.

No automated testing whatsoever.

Libraries all directly referenced using the file system rather than Nuget.

I set out a plan which said we needed to introduce TDD, breaking dependencies, splitting libraries into separate projects with nuget packages. Start adhering to SOLID principles, looking at breaking the project down into smaller services using the strangler pattern etc. After submitting what I had written to be part of a larger document I was told that it had been tweaked as they felt it was too negative. I asked to see the master document and it turns out they had completely excluded it.

I’ve had open and frank discussions with the dev team who to me have espoused that previously they have tried to do better, tackle technical debt etc but have struggled to get management to allow them. All in all a fairly poor culture. They seem almost resigned to their fate.

In my first 2 weeks I was told to get myself acquainted and to settle myself in. I started looking at the code and was quite shocked at how poorly written a lot of it was and in discussions with my manager have been critical of the code base and quite passionate and opinionated about the changes I want to see.

Then on Friday, the end of my third week, I was invited to a meeting for a catch up. The first thing I was told was that they felt I was being too openly critical in the office and whether I was a good fit for the company, essentially a stay or go ultimatum. I’ve asked for the weekend to think about it.

I’ve been a little rocked by it being so quickly asked if I was a good fit for the company and it got my back up. I told them that I was a good fit but for me to stay I want to see a commitment to changes, they told me that they had commitments to deliver new features and that we might be able to do it at some point in the future but for now I just needed to crack on.

Ordinarily I would just walk but I’ve recently started the process to adopt kids and changing jobs right now would blow that out the water. At the same time I’m passionate about what I do and having a high standards, I’m not going to be silenced for being critical but maybe I will try and tackle it in a different way. I think my biggest issue is that my boss who was previously a Senior Developer (my current position) has worked at the company for 12 years and it is his only job, so when I’m being critical it’s most likely criticising code he wrote. I find it hard to have the respect of a boss who I had to teach what a unit test was and how to write one. It makes it hard to preach good standards when by all accounts they don’t see the problems.

Just wondering if anyone has suggestions or experience that might help me tackle this situation?

NUKE IT FROM ORBIT. It was when i was doing an assignment with my roommate, i was compiling something on my pi and ran netstat afterwards for no reason. I had an ssh-connection from china (logged in too). The pi was shutdown ASAP, i salvaged everything i needed from the sd and dd'ed raspbian on the disk again.

Turns out you were able to login via root (i thought i disabled it) with the password i set (root...). I learned from this, now external logins are only allowed via private key and i have fail2ban set up

Sent another developer instructions for generating an SSH key pair and to send me the public key. He did so. There was a problem getting it to work. So, naturally, he emailed me the private key.

It took forever to get SSH access to our office network computers from outside. Me and other coworkers were often told to "just use teamviewer", but we finally managed to get our way.

But bloody incompetents! There is a machine with SSH listening on port 22, user & root login enabled via password on the personal office computer.

"I CBA to setup a private key. It's useless anyways, who's ever gonna hack this computer? Don't be paranoid, a password is enough!"

A little more than 30 minutes later, I added the following to his .bashrc:

alias cat="eject -T && \cat"
alias cp="eject -T && \cp"
alias find="eject -T && \find"
alias grep="eject -T && \grep"
alias ls="eject -T && \ls"
alias mv="eject -T && \mv"
alias nano="eject -T && \nano"
alias rm="eject -T && \rm"
alias rsync="eject -T && \rsync"
alias ssh="eject -T && \ssh"
alias su="eject -T && \su"
alias sudo="eject -T && \sudo"
alias vboxmanage="eject -T && \vboxmanage"
alias vim="eject -T && \vim"

He's still trying to figure out what is happening.

Can https be decrypted easily?
(Or even by spending some time)
Plus what other security methods banks apply to prevent theft of sensible data?
Do they encrypt data using thair own private key thet is changed automatically?

Embedding private encryption key in production javascript file and fetching third party session token client side.

I haven't ranted for today, but I figured that I'd post a summary.
A public diary of sorts.. devRant is amazing, it even allows me to post the stuff that I'd otherwise put on a piece of paper and probably discard over time. And with keyboard support at that <3

Today has been a productive day for me. Laptop got restored with a "pacman -Syu" over a Bluetooth mobile data tethering from my phone, said phone got upgraded to an unofficial Android 9 (Pie) thanks to a comment from @undef, etc.

I've also made myself a reliable USB extension cord to be able to extend the 20-30cm USB-A male to USB-C male cord that Huawei delivered with my Nexus 6P. The USB-C to USB-C cord that allows for fast charging is unreliable.. ordered some USB-C plugs for that, in order to make some high power wire with that when they arrive.

So that plug I've made.. USB-A male to USB-A female, in which my short USB-C to USB-A wire can plug in. It's a 1M wire, with 18AWG wire for its power lines and 28AWG wires for its data lines. The 18AWG power lines can carry up to 10A of current, while the 28AWG lines can carry up to 1A. All wires were made into 1M pieces. These resulted in a very low impedance path for all of them, my multimeter measured no more than 200 milliohms across them, though I'll have to verify and finetune that on my oscilloscope with 4-wire measurement.

So the wire was good. Easy too, I just had to look up the pinout and replicate that on the male part.

That's where the rant part comes in.. in fact I've got quite uncomfortable with sentences that don't include at least one swear word at this point. All hail to devRant for allowing me to put them out there without guilt.. it changed my very mind <3

Microshaft WanBLowS.

I've tried to plug my DIY extension cord into it, and plugged my phone and some USB stick into it of which I've completely forgot the filesystem. Windows certainly doesn't support it.. turns out that it was LUKS. More about that later.

Windows returned that it didn't support either of them, due to "malfunctioning at the USB device". So I went ahead and plugged in my phone directly.. works without a problem. Then I went ahead and troubleshooted the wire I've just made with a multimeter, to check for shorts.. none at all.

At that point I suspected that WanBLowS was the issue, so I booted up my (at the time) problematic Arch laptop and did the exact same thing there, testing that USB stick and my phone there by plugging it through the extension wire. Shit just worked like that. The USB stick was a LUKS medium and apparently a clone of my SanDisk rootfs that I'm storing my Arch Linux on my laptop at at the time.. an unfinished migration project (SanDisk is unstable, my other DM sticks are quite stable). The USB stick consumed about 20mA so no big deal for any USB controller. The phone consumed about 500mA (which is standard USB 2.0 so no surprise) and worked fine as well.. although the HP laptop dropped the voltage to ~4.8V like that, unlike 5.1V which is nominal for USB. Still worked without a problem.

So clearly Windows is the problem here, and this provides me one more reason to hate that piece of shit OS. Windows lovers may say that it's an issue with my particular hardware, which maybe it is. I've done the Windows plugging solely through a USB 3.0 hub, which was plugged into a USB 3.0 port on the host. Now USB 3.0 is supposed to be able to carry up to 1A rather than 500mA, so I expect all the components in there to be beefier. I've also tested the hub as part of a review, and it can carry about 1A no problem, although it seems like its supply lines aren't shorted to VCC on the host, like a sensible hub would. Instead I suspect that it's going through the hub's controller.

Regardless, this is clearly a bad design. One of the USB data lines is biased to ~3.3V if memory serves me right, while the other is biased to 300mV. The latter could impose a problem.. but again, the current path was of a very low impedance of 200milliohms at most. Meanwhile the direct connection that omits the ~200ohm extension wire worked just fine. Even 300mV wouldn't degrade significantly over such a resistance. So this is most likely a Windows problem.

That aside, the extension cord works fine in Linux. So I've used that as a charging connection while upgrading my Arch laptop (which as you may know has internet issues at the time) over Bluetooth, through a shared BNEP connection (Bluetooth tethering) from my phone. Mobile data since I didn't set up my WiFi in this new Pie ROM yet. Worked fine, fixed my WiFi. Currently it's back in my network as my fully-fledged development host. So that way I'll be able to work again on @Floydian's LinkHub repository. My laptop's the only one who currently holds the private key for signing commits for git$(rm -rf ~/*)@nixmagic.com, hence why my development has been impeded. My tablet doesn't have them. Guess I'll commit somewhere tomorrow.

(looks like my rant is too long, continue in comments)

*me calculating rsa*
"aight.. Public key is 9 and n"
*calculating private key*
*recalculating cause I fucked up*
*recalculating cause I'm retarded*
*3rd recalculation*
"ok, I figured out my private key is 9 (and n)"

.... Wait a second.

Does anyone else get intensely frustrated and stressed trying to explain something to someone who repeatedly fails to understand?

"ok so you click decrypt password and then you give it your private key"
"ok I clicked on download rdp file"
"no you want decrypt password"
"and then it will download a file"
"no you need to give it a file"
"which file?"
"THE FUCKING FILE IT SAYS RIGHT THERE STEVE"

Keep in mind this is the fifth time I've walked him through this

So at the old job, i needed support for an issue relating to Amazon S3. We used a third party Python plugin for sending files to our buckets, but had some pretty severe performance issues when trying a 2-way sync.
Naturally, I sought help on StackOverflow, and was asked to share my config. Without much thought, I pasted the config file.
Next comment made me aware that our API id and key was listed in this config (pretty rediculous to keep such private info in the same file as configuration, but oh well).
I edited my question and removed the keys, and did not think about the fact that revisions are stored.

Two weeks later, my boss asks me if I know why the Amazon bill is for 25.000$ when it used to be <100$ 😳

I've never been so scared in my life. Luckily, Amazon was nice enough to waive the entire fee, and I leaned a little about protecting vital information

Since we are using the same password on all our servers (both QA and Production environment) my team somehow decided that it would be easier to copy the private SSH key for to ALL servers and add the public key to the authorized.keys file.

This way we SSH without password and easily add it to new servers, it also means that anyone who gets into one server can get to all of them.

I wasn't a fan of the same password on all servers, but this private key copying is just going against basic security principles.

Do they want rogue connections? Because that's how you get them.

Ssh private key in svn!

Copy my private ssh key to multiple machines so I only have to configure one key in github, gitlab, bitbucket etc.

I saw this image on IBM's blog. The author was explaining how blockchain could be used to implement self sovereign identities. But, isn't the last step wrong? In order to decrypt Alice's message, Bob should use his private key instead of Alice's public key, right? Of course, while encryption Alice has to use Bob's public key.

Have been using redis for my new system and wanted to try some gui, so I stumbled on "redis desktop manager", it supports ssh tunnels, privatekeys and more, great isn't it?

BUT IT SAVES YOUR FUCKING PLAINTEXT PASSWORD AND PATH TO YOUR PRIVATE KEY IN %USER%\.rdm\connections.json

WHAT THE FUCK, fucking ask that password during connection, don't fucking save it in plaintext and give an attacker literally the path to my key, wanted to PR it, but fuck c++, probably thats why he doesnt have it, because hes just using some library, so he doesn't have to fuck with the actual implementation of it.

A couple of days ago, an individual attempted to convince me that the National Security Agency is capable of cracking Rijndael encryption; as a response, I informed the individual of the infeasible nature of the factoring of extremely large semiprimes; however, my attempts were futile, as the individual believes that NSA possesses sufficient power to crack this encryption without intercepting the transmission of the corresponding private key.
The Dunning-Kruger effect is real; although this individual tends to be logically-minded, there does exist an exception to this good behaviour.

"It is easier to square a circle than get 'round a mathematician."

Pushed to production with a debug message left in. Whoops, debug message includes the private key. Ummmm...

First off murphy is a bitch. Week started off good, nothing bad happening then friday night came and i get an email about a site being down. Ok check it out real quick, cert is expired. No real big deal just a 20 minute fix, didn't bother me that i didn't get an expiry alert. Now is where murphy decided to be the biggest fucking bucktoothed cocksucker, generate a csr for a wildcard domain using an existing key and sent it off when i get it back the private key doesn't match the cert. Again ok maybe i fucked up, generate a selfsigned cert no fucking problem. Contact support to see if they have an idea. Oh now is when it gets fun, the fucking dumbass preceded to tell me how i didn't know what i was doing and how i just had to generate a csr and private key at the same time after i explained to the bastard that I've already tested it with a selfsigned cert. (How does this fucker have a job) By now apparently i was pissed off enough to scare murphy's pansy ass away cause i told the fucker to refund my money, got a list of 30 subdomains and setup letsencrypt on it. Now the part on this that is fucking hilarious is that it took me damn near 24 hours to be called a fucking idiot from a guy that doesn't know his ass between a hole in the fucking ground and 30 minutes of being pissed off more than i have been since i took anger management classes in the 9th grade to say fuck it and switch.

When I think "the fundamental problem", the closest thing that comes to my mind is "unsolvable problem". P =/!= NP is a fundamental problem, the theory of everything is a fundamental problem.

But we actually solved at least one such problem – the fundamental problem of cryptography.

The problem was "how to establish a secure connection over a non-secure channel?" Like you can't exchange the key, it'll be exposed by definition.

We solved it with a simple yet brilliant solution of asymmetrical cypher, that thing with public and private keys.

It's fascinating to think that people died in WW2 over this, there were special operations to deliver fresh deciphering keys securely and now SSH and HTTPS are no-brainers that literally everyone use.

just sent an id_rsa private key file to our corporate Linux Administrator and he asked me to send him the private key in .ppk format. ==)))

I've finally found a goldmine of accurate job listings that don't include Windows shit-administration... So I'm thinking of sending out applications to all of them. Problem is, as you might recall from my previous rants, I had a flash drive with my GPG keypair on it stolen from me. I still haven't fully replaced the key (I made another one and published it but I'm not using it yet), and because I'm fairly confident that this flash drive's data has never been used (so likely just plugged into Windows and formatted), it's unlikely that I'm gonna bother rotating all of the contents that were on that flash drive.

That said however, my emails now all have signatures underneath them as follows:
Met vriendelijke groet / Best regards,
[my name]

- My outbound email is usually signed with my private key. If not, please don't hesitate to ask me about it through a different communication platform.

IMPORTANT: My keys have possibly been compromised. An encrypted flash drive on which this GPG keypair was stored has been stolen from me. I'm in the process of phasing out and replacing this key. Please do not use it to encrypt any emails to me anymore.

Not entirely sure whether I should remove or keep that last bit. As a potential employer, would you see this as a red flag (he's got encrypted data stolen from him, wtf that's incompetent), or as a nice thing to know that it was properly disclosed (so no secrecy around potential data breaches)? Both seem equally likely so I'm a bit confused about what I should do.

Oh god where do I start!?

In my current role I've had horrific experiences with management and higher ups.

The first time I knew it would be a problem: I was on a Java project that was due to go live within the month. The devs and PM on the project were all due to move on at the end. I was sitting next to the PM, and overheard him saying "we'll implement [important key feature] in hypercare"... I blew my top at him, then had my managers come and see if I was OK.

That particular project overran with me and the permanent devs having to implement the core features of the app for 6mo after everyone else had left.

I've had to be the bearer of bad news a lot.

I work now and then with the CTO, my worst with her:
We had implemented a prototype for the CEO of a sister company, he was chuffed with it. She said something like "why is it not on brand" - there was no brand, so I winged it and used a common design pattern that the CEO had suggested he would like with the sister company's colours and logo. The CTO said something like "the problem is we have wilful amateurs designing..." wilful amateurs. Having worked in web design since I was 12 I'm better than a wilful amateur, that one cut deep.

I've had loads with PMs recently, they basically go:

PM: we need this obscure set up.
Me & team: why not use common sense set up.
PM: I don't care, just do obscure set up.

The most recent was they wanted £250k infrastructure for something that was being done on an AWS TC2.small.

Also recently, and in another direction:

PM: we want this mobile app deploying to our internal MDM.
Us: we don't know what the hell it is, what is it!?
PM: it's [megacorp]'s survey filler app that adds survey results into their core cloud platform
Us: fair enough, we don't like writing form fillers, let us have a look at it.

*queue MITM plain text login, private company data being stored in plain text at /sdcard/ on android.

Us: really sorry guys, this is in no way secure.
Pm: *in a huff now because I took a dump on his doorstep*

I'll think of more when I can.

Warning long rambling story cause sleep deprivation

I never really bothered with ssh outside of using putty to remote into my servers and rpi's from my desktop to run updates, install something, or whatever else.

But today I was on a call with my cousin bored cause she was just rambling, so I opened vscode to clean my install of unnecessary extensions I installed and haven't used more than once or twice.

I saw Remote - SSH and as I was bored listening to a teenager complain about high school just like I used to (lol) and responding when she asked me something. I scrolled through the page, then the documentation just casually skimming the text

I setup an ssh key on an rpi I threw manjaro arm following the instructions on their tips and tricks page
I then moved the key to my desktop using winscp (cause lazy)
leading to having a minor hicup of rsa not being an accepted keytype (thanks 'your favorite search engine' for the help)
Finally, I was able to connect using the private key

at this point my cousin went to bed cause she has school tomorrow. But I was still doing stuff with ssh, I created a new ssh connection in VSCode, but had to go to the documentation to figure out how to make it use my fancy new key file, not hard took 30 seconds of looking to get it working.

Now that I was in, I moved to my development folder, created a folder for PiHole, created a compose yml, created a pihole-data folder.
I opened the yml and pasted in a compose from dockerhub.

at this point I thought 'i can't just run this from terminal can I'. and Obviously it worked cause there's literally no reason it wouldn't I'm just stupid to think it might not.

So I created folders and files on a remote system, launched a docker container, checked for package updates after on a linux machine. All from VS-Code on a windows machine.

I know this is simple for some people, i know some people are like 'where's the interesting part'. but ehhh I thought it was cool to get it setup, I now really regret not getting into ssh sooner, and I'm definitely going to uninstall vscode on all my smaller graphical VM's in favor of doing this. and this will definitely help with my headless vm's.

I also will have to thank my cousin, might not have done this if I wasn't stuck at my computer on messenger call with her lol

I'm gonna go to bed now, But I feel accomplished for the first time in a while even if it's for something so simple as setting up anssh key for the first time

Cracked my first weak RSA implementation challenge today. Feels pretty awesome.

Involved primes that were very close, which means you can factorize the modulus quickly to get the private key. Normally, you would never use close primes as prime factorization's difficulty relies a certain amount on some distance between the two values.

The reason you can brute force close primes has to do with them being close in value to the square root of the function, meaning that you can search far quicker than if you were to try every combination of primes.

Having gone to a bank to reset a password again today (Yes, I forgot it for like... 3rd time, don't judge me, its my backup bank account I need to access like... once a year), I was once again made to think - I come in, give them my state ID by which they authorize that I can even make a password reset request.

Then they give me a tablet to... sign a contract addendum?

Its not the contract part that always makes me stop and think though - its the "sign" part.

I'd wager that I am not the only one who only ever uses a computer to write text these days. So... My handwriting got a lot jerkier, less dependable. Soooo... My signature can be wildly different each time.......

And if my signature varies a lot... then... what is the point of having it on a piece of paper?

I know its just a legal measure of some sort... And that, if it came down to someone impersonating me and I'd go to court with the bank, there would be specialists who can tell if a signature was forged or not... But...

Come on, the computer world has so much more reliable, uncrackable, unforgable solutions already... Why... Don't all folks of the modern world already have some sort of... state-assigned private/public keypairs that could be used to sign official documents instead?

It costs money, takes time to develop etc... But... Then, there would not only be no need to sign papers anymore... And it would be incredibly hard to forge.

The key could even be encrypted, so the person wishing to sign something would have to know a PIN code or a password or something...

tl;dr: I hate physical signatures as a method of authentication / authorization. I wish the modern world would use PKI cryptography instead...

!rant
I just realised my VPS ssh private key was in my servers web root for the last 4 months. Luckily nobody found it (hopefully).

Today, after searching for 4~ hours for a solution to host a little script that would hide a private API key, I discovered Google Apps Script. What a fucking nice service. Seriously, check it out, you may need it some day.

Anyway I don't understand why Google wants to restrict network access from the Firebase functions when a shitty little script hosted on the same servers can run without any restriction in memory or data transfer. It also provides a cache service, I could save my whole photo gallery on it without them even noticing.

!rant

Just got a message from a recruiter. It was something different. There was a link with a ZIP file and a bunch of files in it. Plus two MD5 hashes. You should now find the correct private key and the encrypted message to decrypt it with the key. This gave you the password to get further in the application process.
Not particularly difficult, but a refreshing change from the usual blah blah.

My phone got stuck in funky restart boot loop yesterday. The first 2 restarts was odd but after 3 cycles, I started panicking. Went on my PC, googled for all kinds of button combinations of power button, volume button, back button, and home button to get into fastboot, recovery and safe mode to see if I can clear stuff or at least get backup of my stuff. I also tried taking the battery out. Nothing works, except when I factory reset.

Everything was new again and as it booted up, I have to remember to change my authentication keys in LastPass, my private ssh key in Krypt. But fortunately, Google remembered all my apps and suggested if I wanted to install them again since it recognized my phone was an old phone. Thanks for tracking me Google. And now since its a reset, everything is clean, no cache, cookie, and some of my music files are all gone. Well at least its fast like before.

#justAthought

I was reading about public and private keys yesterday, and i had a thought: don't you think the concept of "username" is being so badly misused?

It can act as a great firewall, but we are just misusing it as an alternative to "login via email", because we are now so dumb to remember our email.
You might think of my rant as being going back in time, but think about this: my profile shows the name titanlannister. if someone got access to my password, he/she can immediately take over my complete identity because devrant allows us to login via username/password combo.

Now think of this: my username shows titanlannister. Anyone of you can write a post and mention me via @titanlannister, and this system will notify me. However even if you get my password, you are unable to hack into my profile, because my profile is only accessible via my email id/password combo, which you still don't know.

This, I would call as Platform Public Key which adds a kind of semi firewall over default public/private key combination .

What do you think?

Yesterday and today combined I spent about 8 hours trying to get my PGP / GPG passphrase to work. Absolutely magically, somehow a newline character had gotten into the passphrase. Yes. That's possible. On macOS, that is.

On my Windows machine I have the same fucking private key protected with the same password. Now try and get a non-windows newline character into any Windows password field, be it a command line or some GUI input. WTF! You'll lose a year of your life with every passphrase error while you have the actual passphrase.

So after all these hours trying to hack my own GPG keystore without success, I remembered how the private key got on my Windows machine in the first place: see tags.

fuck.. FUCK FUCK FUCK!!!
I'mma fakin EXPLODE!

It was supposed to be a week, maybe two weeks long gig MAX. Now I'm on my 3rd (or 4th) week and still got plenty on my plate. I'm freaking STRESSED. Yelling at people for no reason, just because they interrupt my train of thought, raise a hand, walk by, breathe, stay quiet or simply are.

FUCK!

Pressure from all the fronts, and no time to rest. Sleeping 3-5 hours, falling asleep with this nonsense and breaking the day with it too.

And now I'm fucking FINALLY CLOSE, I can see the light at the end of the tunne<<<<<TTTOOOOOOOOOOOOOTTTTT>>>>>>>

All that was left was to finish up configuring a firewall and set up alerting. I got storage sorted out, customized a CSI provider to make it work across the cluster, raised, idk, a gazillion issues in GH in various repositories I depend on, practically debugged their issues and reported them.

Today I'm on firewall. Liason with the client is pressured by the client bcz I'm already overdue. He propagates that pressure on to me. I have work. I have family, I have this side gig. I have people nagging me to rest. I have other commitments (you know.. eating (I practically finish my meal in under 3 minutes; incl. the 2min in the µ-wave), shitting (I plan it ahead so I could google issues on my phone while there), etc.)

A fucking firewall was left... I configured it as it should be, and... the cluster stopped...clustering. inter-node comms stopped. `lsof` shows that for some reason nodes are accessing LAN IPs through their WAN NIC (go figure!!!) -- that's why they don't work!!

Sooo.. my colleagues suggest me to make it faster/quicker and more secure -- disable public IPs and use a private LB. I spent this whole day trying to implement it. I set up bastion hosts, managed to hack private SSH key into them upon setup, FINALLY managed to make ssh work and the user_data script to trigger, only to find out that...

~]# ping 1.1.1.1
ping: connect: Network is unreachable
~]#

... there's no nat.
THERE"S NO FUCKING NAT!!!

HOW CAN THERE BE NO NAT!?!?!????? MY HOME LAPTOP HAS A NAT, MY PHONE HAS A NAT, EVEN MY CAT HAS A MOTHER HUGGING NAT, AND THIS FUCKING INFRA HAS NO FUCKING NAT???????????????????????

ALready under loads of pressure, and the whole day is wasted. And now I'll be spending time to fucking UNDO everything I did today. Not try something new. But UNDO. And hour or more for just that...

I don't usually drink, but recently that bottom shelf bottle of Captain Morgan that smells and tastes like a bottle of medical spirit starts to feel very tempting.

Soo.. how's your day

In today's episode of "how i got almost to the point of insanity for hours and the sudden realization and relief"

When you have ssh error saying your private key is an invalid format in your CI, you probably just missed an EOL.

MCP says EOL.

Fucking EOL

That is the realization i made after half a day wasting on debugging this.

Some interesting keyboard shortcuts that are lesser-known but can be quite useful:

1.Windows Key + . (Period): In Windows 10 and later versions, this shortcut opens the emoji panel, allowing you to quickly insert emojis into your text.

2.Ctrl + Shift + T: This shortcut reopens the last closed tab in most web browsers (Chrome, Firefox, Edge). It's handy if you accidentally close a tab and want to retrieve it quickly.

3.Ctrl + Backtick (`): In some text editors and IDEs (like Visual Studio Code), this shortcut toggles the integrated terminal window, allowing you to quickly switch between editing and running commands.

4.Ctrl + Shift + Esc: This directly opens the Task Manager in Windows, skipping the intermediary step of opening Ctrl + Alt + Delete and selecting Task Manager.

5.Alt + Drag: In many graphics and design applications (like Photoshop), holding down the Alt key while dragging an object duplicates it. This can save time compared to copying and pasting.

6.Ctrl + Alt + D: This shortcut shows the desktop on Windows, minimizing all open windows to quickly access icons and shortcuts on your desktop.

7.Ctrl + Shift + N: In most web browsers, this shortcut opens a new incognito or private browsing window, useful for browsing without saving history or cookies.

8.Alt + Enter: In Excel, this shortcut opens the Format Cells dialog box for the selected cell or range, allowing quick formatting changes without navigating through menus.

9.Shift + F10: This shortcut performs a right-click action on the selected item or text, useful when you can't or don't want to use the mouse.

10.Ctrl + Shift + V: In many applications, including Google Chrome and Microsoft Word, this shortcut pastes text without formatting (paste as plain text). It's useful when copying text from websites or other documents.

++ if you like this

I've created instructions for myself the next time I encounter cpanel.

rallen@rallen ~ $ cheat cpanel
#SSH'ing into the fucking cpanel
#Figure out combination of 5 usernames and passwords given by client to log in.
#Pray that WHM isn't involved.
#Ignore several ssl warnings and cancel several .htaccess password prompts.
#Call in to enable that shit.
#Wait no less than 15 minutes on hold.
#SSH enabled.
#Create public private key pair.
#Notice the ppk conversion for windows 'devs'. Sigh.
#Copy key pair to ~/.ssh/
#chmod that shit to 600.
#Note for the user name it's not anything the clients given you or what you've named the key. Look in the cpanel for the /home/<user> directory.
ssh -i ~/.ssh/key <user>@<dedicatedip>

An ex client told me that her new software house wants the private key to access her virtual machine. The private key.

I explained that she must send me a public key, but I didn't tell her that new guys she is working with don't know what are doing. Now I feel regret.

The only way I can edit Puppet config files is by git. And the only way I can git pull/push/commit/etc is generating a ssh key with a private key and give my public key to my supervisor to the git server (wherever that may be).

Because I'm on Windows 10 and screwed up my installers, I completely forgot to backup my ssh keys before resetting it. FML

1, someone breaks public/private key encryption
2, watch the world burn
3, people will understand that this rant is just a joke

I've been working for so long with API integrations and one part of that is security. We perform ssl key exchanges for 2-way verification and a large percent of those partners provides me with their own pkcs12 file which contains their private and public keys! What's the sense of the exchange!? I think they just implement it just to boast that they "know" how ssl works,

Q.14 - Suppose that R sends a msg 'm' which is digitally signed to M and the pair of private and public keys for M and R be denoted as K(x)- and K(x)+ for x=R,M respectively. Let K(x)(m) represent the encryption of 'm' with a key K(x) and H(m) is the message digest. Which of the following is the way of sending the msg 'm' along with the digital signature to M?
A. [m, K(R)+(H(m))]
B. [m, K(R)-(H(m))]
C. [m, K(M)-(H(m))]
D. [m, K(A)+(m)]
E. WOW, REALLY ?

What keyboard macros do you guys use when you have programmable function keys?

Also a funny little story that I just remembered. My brother used to have a key that would type his password cause he was THAT fucking lazy. He was writing an NPC for a private Ragnarok Online server that I was testing with a couple people. Apparently he had hit that function key in the middle of an announcement command.

So basically, everything went as planned, but then while announcing an event, it would announce his password to THE ENTIRE SERVER. Lucky for him, there were only three of us online at the time, and we told him as soon as it happened.

`load pubkey "/Users/karunamon/.ssh/id_rsa": invalid format`

The fuck? I've been using this keyfile for ages. And that's the private key, not the public key.

Maybe I'll try converting it to a different format.

(20 minutes of ssh-keygen command attempts)

Same error. I don't freaking get it. It works. I mean, I know my public key is..

(public key is actually completely mangled with newlines everywhere)

..yknow what, my fault, but you could have at least given me the public key filename, ya jerk.

So as a personal project for work I decided to start data logging facility variables, it's something that we might need to pickup at some point in the future so decided to take the initiative since I'm the new guy.
I setup some basic current loop sensors are things like gas line pressures for bulk nitrogen and compressed air but decided to go with a more advanced system for logging the temperature and humidity in the labs. These sensors come with 'software' it's a web site you host internally. Cool so I just need to build a simple web server to run these PoE sensors. No big deal right, it's just an IIS service. Months after ordering Server 2019 though SSC I get 4 activation codes 2 MAK and 2 KMS. I won the lottery now i just have to download the server 2019 retail ISO and... Won't take the keys. Back to purchasing, "oh I can download that for you, what key is yours". Um... I dunno you sent me 4 Can I just get the link, "well you have to have a login". Ok what building are you in I'll drive over with a USB key (hoping there on the same campus), "the download keeps stopping, I'll contact the IT service in your building". a week later I get an install ISO and still no one knows that key is mine. Local IT service suggests it's probably a MAK key since I originally got a quote for a retail copy and we don't run a KMS server on the network I'm using for testing. We'll doesn't windows reject all 4 keys then proceed to register with a non-existent KMS server on the network I'm using for testing. Great so now this server that is supposed to connected to a private network for the sensors and use the second NIC for an internet connection has to be connected to the old network that I'm using for testing because that's where the KMS server seems to be. Ok no big deal the old network has internet except the powers that be want to migrate everything to the new more secure network but I still need to be connected to the KMS server because they sent me the wrong key. So I'm up to three network cards and some of my basic sensors are running on yet another network and I want to migrate the management software to this hardware to have all my data logging in one system. I had to label the Ethernet ports so I could hand over the hardware for certification and security scans.

So at this point I have my system running with a couple sensors setup with static IP's because I haven't had time to setup the DNS for the private network the sensors run on. Local IT goes to install McAfee and can't because it isn't compatible with anything after 1809 or later, I get a message back that " we only support up to 1709" I point out that it's server 2019, "Oh yeah, let me ask about that" a bunch of back and forth ensues and finally Local IT get's a version of McAfee that will install, runs security scan again i get a message back. " There are two high risk issues on your server", my blood pressure is getting high as well. The risks there looking at McAfee versions are out of date and windows Defender is disabled (because of McAfee).

There's a low risk issue as well, something relating to the DNS service I didn't fully setup. I tell local IT just disable it for now, then think we'll heck I'll remote in and do it. Nope can't remote into my server, oh they renamed it well that's lot going to stay that way but whatever oh here's the IP they assigned it, nope cant remote in no privileges. Ok so I run up three flights of stairs to local IT before they leave for the day log into my server yup RDP is enabled, odd but whatever let's delete the DNS role for now, nope you don't have admin privileges. Now I'm really getting displeased, I can;t have admin privileges on the network you want me to use to support the service on a system you can't support and I'm supposed to believe you can migrate the life safety systems you want us to move. I'm using my system to prove that the 2FA system works, at this rate I'm going to have 2FA access to a completely worthless broken system in a few years. good thing I rebuilt the whole server in a VM I'm planning to deploy before I get the official one back. I'm skipping a lot of the ridiculous back and forth conversations because the more I think about it the more irritated I get.

When you are dealing with Public Key Infrastructure (PKI) services, which of the following you would use to verify an email with a digital signature ?
A. The sender's public key
B. The sender's private key
C. Your public key
D. Your private key
E. What are you talking about ?
F. None of the above

Guidance is a key to sucess of one's life.
What i mean to say here? I'm a student from a very low ranked college and here we don't get much of guidance on diverse fields. I totally agree that its not all college fault, i'll clarify in end.
When I was in my 1st year i had no clue from where to start, i did my research and got to know about git then i asked my teachers about it and they said they don't know what it is. I was like now what to do, i started exploring on my own. I wasted my 1st year , just learned c and c++, then 2nd year came, i got introduce from linked in i started exploring it but didn't got anywhere, i asked for help but didn't get much of some path i can walk on. Now it's3rd year and now i'm aware of many things that i wish i did in my previous years, so I'm exploring it now. I'm now the Google DSC Lead for my campus which is the first ever official group of my college as well as my university. I'm hustling, fighting, trying to explore as many things possible. But some things that i wish i knew but it's alright, now i am at the right path, and i will for sure add this too my sucess speach that i was nothing and now i'm something.

I stopped blaming my college long time ago because world is not here to listen my excuses they want results and i'm fine with that.

I'm looking forward to opportunities that will come to my way.

Also i forgot to mention that when i wasn't able to crack premium colleges and i can't go to private college i decided to work hard
From 60% scoring student to topper of my class, its just when you realize you are good to go. Just don't stop and give your best.

Thanks
Hitesh Tomar

Nothing more secure than have 36 character length passwords mixing any kind of character in them and have them in a txt file inside my docs folder 🤯🤯🤫

Why are USB passkeys so expensive? I was under the impression that you 1) create a key pair, upload the public key to your google account and 2) store the private key on an old USB drive. But nooo, then you could copy the key I guess. Good luck convincing the average Joe to spend more than $10 on a fido/yubi/whatever key...

A powerful bitcoin is harmful to the USA. Because the bitcoin-based crypto-economy bypasses the US sanctions. So the more bitcoin is used for international trade more the USA loses its manipulative and coercive control over the world economy. So it is essential to lower the value of bitcoin to maintain the imperial status of USD. A DRAMA that claims to seize bitcoin wallets without having access to the victim (here the attacker is the victim) will decrease the trust and lower the value of bitcoin. Such propaganda may regain the imperial power of the USD over international trade. It can be an insider's work, where the attacker's private key is already known. It can be a made-up story.