devRant - A fun community for developers to connect over code, tech & life as a programmer

Search - "protect the code"

127

catgirl

1154

5y

Today we were all called into a meeting and the CEO was livid. He went on a rage about how the CTO was wasting money on useless shit (GitHub Enterprise). He said I bought laptops for a reason if there’s a fire someone better protect our assets and code. He wouldn’t reason with us and went into github and deleted everything. The CTO was fired and no one is leading our team. Wondering if I should quit 😶

rant git workplace work ceo github

29
74

Root

82599

5y

I'm getting ridiculously pissed off at Intel's Management Engine (etc.), yet again. I'm learning new terrifying things it does, and about more exploits. Anything this nefarious and overreaching and untouchable is evil by its very nature.

(tl;dr at the bottom.)

I also learned that -- as I suspected -- AMD has their own version of the bloody thing. Apparently theirs is a bit less scary than Intel's since you can ostensibly disable it, but i don't believe that because spy agencies exist and people are power-hungry and corrupt as hell when they get it.

For those who don't know what the IME is, it's hardware godmode. It's a black box running obfuscated code on a coprocessor that's built into Intel cpus (all Intell cpus from 2008 on). It runs code continuously, even when the system is in S3 mode or powered off. As long as the psu is supplying current, it's running. It has its own mac and IP address, transmits out-of-band (so the OS can't see its traffic), some chips can even communicate via 3g, and it can accept remote commands, too. It has complete and unfettered access to everything, completely invisible to the OS. It can turn your computer on or off, use all hardware, access and change all data in ram and storage, etc. And all of this is completely transparent: when the IME interrupts, the cpu stores its state, pauses, runs the SMM (system management mode) code, restores the state, and resumes normal operation. Its memory always returns 0xff when read by the os, and all writes fail. So everything about it is completely hidden from the OS, though the OS can trigger the IME/SMM to run various functions through interrupts, too. But this system is also required for the CPU to even function, so killing it bricks your CPU. Which, ofc, you can do via exploits. Or install ring-2 keyloggers. or do fucking anything else you want to.

tl;dr IME is a hardware godmode, and if someone compromises this (and there have been many exploits), their code runs at ring-2 permissions (above kernel (0), above hypervisor (-1)). They can do anything and everything on/to your system, completely invisibly, and can even install persistent malware that lives inside your bloody cpu. And guess who has keys for this? Go on, guess. you're probably right. Are they completely trustworthy? No? You're probably right again.

There is absolutely no reason for this sort of thing to exist, and its existence can only makes things worse. It enables spying of literally all kinds, it enables cpu-resident malware, bricking your physical cpu, reading/modifying anything anywhere, taking control of your hardware, etc. Literal godmode. and some of it cannot be patched, meaning more than a few exploits require replacing your cpu to protect against.

And why does this exist?
Ostensibly to allow sysadmins to remote-manage fleets of computers, which it does. But it allows fucking everything else, too. and keys to it exist. and people are absolutely not trustworthy. especially those in power -- who are most likely to have access to said keys.

The only reason this exists is because fucking power-hungry doucherockets exist.

rant trust zone ime nsa smm intel amd corruption

26
68

legionfrontier

3543

7y

A group of Security researchers has officially fucked hardware-level Intel botnet officially branded as "Intel Management Engine" they did so by gathering it all the autism they were able to get from StackOverflow mods... though they officially call it a Buffer Overflow.
On Wednesday, in a presentation at Black Hat Europe, Positive Technologies security researchers Mark Ermolov and Maxim Goryachy plan to explain the firmware flaws they found in Intel Management Engine 11, along with a warning that vendor patches for the vulnerability may not be enough.

Two weeks ago, the pair received thanks from Intel for working with the company to disclose the bugs responsibility. At the time, Chipzilla published 10 vulnerability notices affecting its Management Engine (ME), Server Platform Services (SPS), and Trusted Execution Engine (TXE).

The Intel Management Engine, which resides in the Platform Controller Hub, is a coprocessor that powers the company's vPro administrative features across a variety of chip families. It has its own OS, MINIX 3, a Unix-like operating system that runs at a level below the kernel of the device's main operating system.

It's a computer designed to monitor your computer. In that position, it has access to most of the processes and data on the main CPU. For admins, it can be useful for managing fleets of PCs; it's equally appealing to hackers for what Positive Technologies has dubbed "God mode."

The flaws cited by Intel could let an attacker run arbitrary code on affected hardware that wouldn't be visible to the user or the main operating system. Fears of such an attack led Chipzilla to implement an off switch, to comply with the NSA-developed IT security program called HAP.

But having identified this switch earlier this year, Ermolov and Goryachy contend it fails to protect against the bugs identified in three of the ten disclosures: CVE-2017-5705, CVE-2017-5706, and CVE-2017-5707.

The duo say they found a locally exploitable stack buffer overflow that allows the execution of unsigned code on any device with Intel ME 11, even if the device is turned off or protected by security software.

For more of the complete story go here:
https://blackhat.com/eu-17/...
https://theregister.co.uk/2017/12/...

I post mostly daily news, commentaries and such on my site for anyone that wish to drop by there

undefined orwell smiles from the great beyond

19
32

devmo

32

7y

About 2 years ago, our management decided to "try outsourcing". I was in charge for coordinating dev tasks and ensuring code quality. So management came up with 3 potential candidates in India and I had to assess them based on Skype calls and little test tasks. Their CVs looked great and have been full of "I'm a fancy experienced senior developer." ....After first 2 calls I already dismissed two candidates because they had obviously zero experience and the CV must have been fake. ..After talking to the third candidate, I again got sceptical. The management, however, started to think that I'm just an ass trying to protect my own position against outside devs. They forced me to give him a chance by testing him with a small dev task. The task included the following statement

"Search on the filesystem recursively, for folders named 'container'. For example '/some_root_folder/path_segments/container' " The term 'container' was additionally highlighted in red!

We also gave him access to a git repo to do at least daily push. My intention was to look at his progressions, not only the result.
I tried the task on my own and it took me two days, just to have a baseline for comparison. I, however, told him to take as much time as he needs. (We wanted to be fair and also payed him.)

..... 3 weeks went by. 3 weeks full of excuses why he isn't able to use git. All my attempts to help him, just made clear that he has never seen or heard of git before. ...... He sent me his code once a week as zip per email -.- ..... I ignored those mails because I made already my decision not wanting to waste my time. I mean come on?! Is this a joke? But since management wanted me to give him a chance .... I kept waiting for his "final" code version.

In week 5, he finally told me that it's finished and all requirements have been met. So I tried to run his code without looking at it ..... and suprise ... It immediately crashed.

Then I started to look through the code .... and I was ..... mind-blown. But not in a good way. .....

The following is what I remember most:

Do you remember the requirement from above? .... His code implementing it looked something like this:

Go through all folders in root path and return folders where folderName == "/some_root_folder/path_segments/container".

(╯°□°）╯︵ ┻━┻

Alone this little peace of code was on sooooooo many levels wrong!!!!! Let me name a few.

- It's just sooooo wrong :(
- He literally compared the folderName with the string "/some_root_folder/path_segments/container"...... Wtf?!?
- He did not understand the requirement at all.
- He implemented something without thinking a microsecond about it.
- No recursive traversal
- It was Java. And he used == instead of equals().
- He compares a folderName with a whole path?!? Wtf.
- How the hell did he made this code return actual results on his computer?!?

Ok ...now it was time to confront management with my findings and give feedback to the developer. ..... They believed me but asked me to keep it civilized and give him constructive feedback. ...... So I skyped him and told him that this code doesn't meet the requirements. ......... He instantly defended himself . He told me that I he did 'exactly what was written in the requirements document" and that there is nothing wrong. .......He had no understanding at all that the code also needs to have an actual business purpose.

(╯°□°）╯︵ ┻━┻

After that he tried to sell us a few more weeks of development work to implement our "new changed requirements" ......

(╯°□°）╯︵ ┻━┻

Footnote: I know a lot of great Indian Devs. ..... But this is definitely not one of them. -.-

tl;dr
Management wants to outsource to India and gets scammed.

undefined scam outsourcing

9
30

Fast-Nop

39368

1y

The Vivaldi team: open source is cool. It gave us Chromium to fork from, that's more than 90% of "our" code base!

Question to the Vivaldi team: then why don't you open source your Vivaldi code?

The Vivaldi team: uhm, when it comes to our browser, open source isn't cool because we fear someone might fork it. We need to protect ourselves from that possibility.

random vivaldi open source

21
27

jamescodesthing

3076

7y

I’m back for a fucking rant.

My previous post I was happy, I’ve had an interview today and I felt the interviewer acted with integrity and made the role seem worthwhile. Fuck it, here’s the link:
https://www.devrant.io/rants/889363

So, since then; the recruiter got in touch: “smashed it son, sending the tech demo your way, if you can get it done this evening that would be amazing”

Obviously I said based on the exact brief I think that’s possible, I’ll take a look and let them know if it isn’t.

Having done loads of these, I know I can usually knock them out and impress in an evening with no trouble.

Here’s where shit gets fucked up; i opened the brief.

I was met with a brief for an MVP using best practice patterns and flexing every muscle with the tech available...

Then I see the requirements, these fucking dicks are after 10 functional requirements averaging an hour a piece.

+TDD so * 1.25,
+DI and dependency inversion principle * 1.1
+CI setup (1h on this platform)
+One ill requirement to use a stored proc in SQL server to return a view (1h)
+UX/UI design consideration using an old tech (1-2h)
+unobtrusive jquery form post validation (2h)
+AES-256 encryption in the db... add 2h for proper testing.

These cunts want me to knock 15-20h of Work into their interview tech demo.

I’ve done a lot of these recently, all of them topped out at 3h max.

The job is middling: average package, old tech, not the most exciting or decent work.

The interviewer alluded to his lead being a bit of a dick; one of those “the code comes first” devs.

Here’s where shit gets realer:
They’ve included mock ups in the tech demo brief’s zip... I looked at them to confirm I wasn’t over estimating the job... I wasn’t.

Then I looked at the other files in the fucking zip.

I found 3 of the images they wanted to use were copyright withheld... there’s no way these guys have the right to distribute these.

Then I look in the font folder, it’s a single ttf, downloaded from fucking DA Font... it was published less than 2mo ago, the license file had been removed: free for Personal, anything else; contact me.

There’s no way these guys have any rights to this font, and I’ve never seen a font redistributed legally without it’s accompanying licence files.

This fucking company is constantly talking about its ethical behaviours.

Given that I know what I’m doing; I know it would have taken less time to find free-for-commercial images and use a google font... this sloppy bullshit is beyond me.

Anyway, I said I’d get back to the recruiter, he wasn’t to know and he’s a good guy. I let him know I’d complete the tech demo over the weekend, he’s looked after me and I don’t want him having trouble with his client...

I’ll substitute the copyright fuckery with images I have a license for because there’s no way I’m pushing copyright stolen material to a public github repo.

I’ll also be substituting the topic and leaving a few js bombs in there to ensure they don’t just steal my shit.

Here’s my hypotheses, anyone with any more would be greatly welcomed...
1: the lead dev is just a stuck up arsehole, with no real care for his work and a relaxed view on stealing other people’s.
2: they are looking for 15-20h free work on an MVP they can modify and take to market
3: they are looking for people to turn down this job so they can support someone’s fucking visa.

In any case, it’s a shit show and I’ll just be seeing this as box checking and interview practice...

Arguments for 1: the head told me about his lead’s problems within 20mn of the interview.
2: he said his biggest problem was getting products out quickly enough.
3: the recruiter told me they’d been “picky”, and they’re making themselves people who can’t be worked for.

I’m going to knock out the demo, keep it private and protect my work well. It’s going to smash their tits off because I’m a fucking great developer... I’ll make sure I get the offer to keep the recruiter looked after.

Then fuck those guys, I’m fucking livid.

After a wonderful interview experience and a nice introduction to the company I’ve been completely put off...

So here’s the update: if you’re interviewing for a shitty middle level dev position, amongst difficult people, on an out of date stack... you need people to want you, don’t fuck them off.

If they want my time to rush out MVPs, they can pay my day rate.

Fuuuuuuuuck... I typed this out whilst listening to the podcast, I’m glad I’m not the only one dealing with shit.

Oh also; I had a lovely discriminatory as fuck application, personality test and disability request email sent to me from a company that seems like it’s still in the 90s. Fuck those guys too, I reported them to the relevant authorities and hope they’re made to look at how morally reprehensible their recruitment process is. The law is you don’t ask if the job can be done by anyone.

rant recruitment tech demo disability the absolute fuck listening to the podcast interview

6
27

Tayza

287

6y

Today’s achievement: my phone didn’t autocorrect ‘fucking’ to ‘ducking’.

Clearly it’s as pissed off as I am about receiving shitty emails from the other team manager in my dept giving me and my team work to do and throwing us under the bus when he does jack shit all day except read BBC news and go on Facebook. On the odd occasion he does actually do work, it’s not good work, it’s riddled with bugs because he’s ‘too senior to need a code peer review’. Such a fucktard...

Oh, and the work he’s asked us to do technically sits in his team so I’ll be firing that straight back at him 😁

I’m all for being a team player and helping each other but I’m going to protect my team over helping someone. The gloves are about to come off....

rant so much for teamwork asshole coworker fucktard

3
26

VenomDev

716

7y

Worst one I’ve seen so far is when I was working for my previous community another developer joined to help me, without the permission of me or the other lead developer he pushed a client-side update. We didn’t think it was a big deal, but once we began reviewing the code it became a big deal... he had placed our SQL credentials into that file that every client downloads. All the person had to do was open the file and could connect to our SQL which contained 50k+ players info, primarily all in-game stuff except IPs which we want to protect at all costs.

Issue becomes, what he was trying to do required the games local database on the client-side, but instead he tried connecting to it as an external database so he decided to copy server-side code and used on the client.

Anyways, the database had a firewall that blocked all connections except the server and the other lead dev and myself. We managed to change the credentials and pull the file away before any harm was done to it, about 300 people had downloaded the file within an hours period, but nothing happened luckily. IP to the DB, username, password, etc, were all changed just to keep it protected.

So far this is the worst, hopefully it doesn’t get worse than this :/

rant wk99

1
25

AleCx04

28239

4y

See, static typing? that shit is for putos. You think you're so cool with your advanced intellisense being able to tell you "yo....dat shit ain't the type you think it is" or your compiler telling you "yo dumbass, you fucked this parameter up in here, you are doing <x> when in reality you should be doing #@$@#$@!<X at line !@#@#$#>"

pfffft static typing. Such a pansy ass thing to worry about.

Picture us, working outside of the safety net of static typing, as jungle explorers, walking slowly, with a machete in hand and our other hand clutched tightly at our hip pistol, not knowing what to shoot at, but eagerly prepared for when shit fucks up because whatever the fuck you did was not properly safeguarded by a compiler to tell you that you fucked up, even if the compiler message is unintelligible (looking at you C and C++)

We is men here, we is brave retarded adventurers.

As our sanity blips into oblivion and we look at our code that has no sort of type checking expecting our shitty intellisense extensions to protect us....

Edit: if you can't understand the sarcasm in here and the plea for sanity then you are obviously a retard and have no place in the world of development

rant plz send help i hate other devs i still love php

21
23

scorpgoku

660

7y

Not actually a rant, but need some place to vent it out.

The company where I work develops embedded devices enabling the automobiles to connect to the internet and provide various end user infotainment services. My job mostly relates to how and when we update the devices.

There are about 100 different
variants of the same device, each one different from the other in a way that the process required to update for each of these device variants is significantly Different. Doing this manually would be and actually was a nightmare for almost everyone, so I set out on writing a tool that addresses this issue.

I designed my solution mostly in Python, allowing me for quick prototyping. First of all, I'd never written a single line of python code in my life. So I learn python, in matter of 2 nights. I took days off from work so I could work on this problem I had in my head. And in about 4 days, I was up with a solution that worked, reliably. I prepared a complete framework, completely extendable, in order to have room for 101th variant that might come in at any time. And then to make it easier and a no Brainer for everyone, the software is able to automatically download nightly builds and update the test devices with nothing more than a double click.

But apparently this wasn't enough. Today I found out that someone worked on a different solution in the background just a week ago, while reusing most part of my code. And now they start advertising their solution over mine, telling everyone how crappy my code is. Seriously, for fucks sake, my code has been running without issues since more than a year now. To make it worse, my manager seems to take sides with the other guy. I mean I don't even have someone to explain the situation to.

I really feel betrayed and backstabbed today. I worked my days, my nights, my vacations on this code. I put blood, sweat and tears into this. I push my self over my limits, and when that was not enough, I pushed my self even harder. But it all seems in vain today. All the hours that I spent, just to make it easier for everyone... All a complete waste. When you write code with such passion, your code is like your family... You want to protect it... But with all this office politics and shit, I seem to be losing my grip.

I've been contemplating the entire night, where I might have gone wrong, what could I've done to deserve this...but to no avail. I'm having troubles sleeping, and I'm not sure what I should do next.

Despair, sheer bloody Despair!

rant fuck office politics sadface fuckthisshit

8
22

RogelioHit

25

8y

Damn, my boss added me to a "almost" complete protect with a bunch of spaghetti code in a language that I don't know more than the syntax of for loops and declaration of variables (swift) ..... I'm really fucked

undefined swift sad

6
19

ghishadow

183

8y

game of codes
https://youtu.be/3vI_7os2V_o
this video is for those developers who watch game of thrones

undefined protect the code game of codes game of thrones

4
17

PaperTrail

10743

8y

Still dealing with the web department and their finger pointing after several thousand errors logged.

SeniorWebDev: “Looks like there were 250 database timeout errors at 11:02AM. DBAs might want to take a look.”

I look at the actual exceptions being logged (bulk of the over 1,600 logged errors)..

“Object reference not set to an instance of an object.”

Then I looked the email timestamp…11:00AM. We received the email notification *before* the database timeout errors occurred.

I gather some facts…when the exceptions started, when they ended, and used the stack trace to find the code not checking for null (maybe 10 minutes of junior dev detective work). Send the data to the ‘powers that be’ and carried on with my daily tasks.
I attached what I found (not the actual code, it was changed to protect the innocent)
Couple of hours later another WebDev replied…

WebDev: “These errors look like a database connectivity issue between the web site and the saleitem data service. Appears the logging framework doesn’t allow us to log any information about the database connection.”

FRACK!!...that Fracking lying piece of frack! Our team is responsible for the logging framework. I was typing up my response (having to calm down) then about a minute later the head DBA replies …

DBA: “Do you have any evidence of this? Our logs show no connectivity issues. The logging framework does have the ability to log an extensive amount of data regarding the database transaction. Database name, server, login, command text, and parameter values. Everything we need to troubleshoot. This is the link to the documentation …. If you implement the one line of code to gather the data, it will go a long way in helping us debug performance and connectivity issue. Thank you.”

DBA sends me a skype message “You’re welcome :)”

Ahh..nice to see someone else fed up with their lying bull...stuff.

undefined
17

olback

10981

7y

tldr; Windows security sucks. You as a org-admin cant do anything about it. Encrypt your device. Disable USB Live boot in the bios and protect it with a STRONG password.

First of i just want to say that i DO NOT want to start the good ol' Linux VS Windows debate. I'm just ranting about Windows Security here...
Second, here's why i did all of this. I did all of this mainly becuase i wanted to install some programs on my laptop but also to prove that you can't lock down a Windows pc. I don't recomend doing this since this is against the contract i signed.

So when i got my Laptop from my school i wanted to install some programs on it, sush as VS Code and Spotify. They were not avalible in the 'Software Center' so i had to find another way. Since this was when we still used Windows 7 it was quite easy to turn sticky keys in to a command prompt. I did it this way (https://github.com/olback/...). I decided to write a tutorial while i was at it becuase i didn't find any online using this exact method. I couldn't boot from a USB cause it's disabled in the bios wich is protected by a password. Okey, Sticky keys are now CMD. So let's spam SHIFT 5 times before i log in? Yeah, thanks for the command promt. Running 'whoami' returned 'NT SYSTEM'. Apparantly NT System has domain administator rights wich allowed me to make me an Administrator on the machine. So i installed Everything i wanted, Everything was fine untill it was time to migrate to a new domain. It failed of course. So i handed my Laptop to the IT retards (No offense to people working in IT and managing orgs) and got it back the day after, With Windows 10. Windows 10 is not really a problem, i don't mind it. The thing is, i can't use any of the usual Sticky keys to CMD methods since they're all fixed in W10. So what did i do? Moved the Laptop disk to my main PC and copied cmd.exe to sethc.exe. And there we go again. CMD running as NT System on Windows 10. Made myself admin again, installed Everything i needed. Then i wanted to change my wallpaper and lockscreen, had to turn to PowerShell for this since ALL settings are managed by my School. After some messing arround everything is as i want it now.

'Oh this isnt a problem bla bla bla'. Yes, this is a problem. If someone gets physical access your PC/Laptop they can gain access to Everything on it. They can change your password on it since the command promt is running as NT SYSTEM. So please, protect your data and other private information you have on your pc. Encypt your machine and disable USB Live boot.

Have a good wekend!

*With exceptions for spelling errors and horrible grammar.

undefined enjoy your weekend security windows windows security sucks

4
13

adracea

892

8y

Hmm...recently I've seen an increase in the idea of raising security awareness at a user level...but really now , it gets me thinking , why not raise security awareness at a coding level ? Just having one guy do encryption and encoding most certainly isn't enough for an app to be considered secure . In this day an age where most apps are web based and even open source some of them , I think that first of all it should be our duty to protect the customer/consumer rather than make him protect himself . Most of everyone knows how to get user input from the UI but how many out here actually think that the normal dummy user might actually type unintentional malicious code which would break the app or give him access to something he shouldn't be allowed into ? I've seen very few developers/software architects/engineers actually take the blame for insecure code . I've seen people build apps starting on an unacceptable idea security wise and then in the end thinking of patching in filters , encryptions , encodings , tokens and days before release realise that their app is half broken because they didn't start the whole project in a more secure way for the user .

Just my two cents...we as devs should be more aware of coding in a way that makes apps more secure from and for the user rather than saying that we had some epic mythical hackers pull all the user tables that also contained unhashed unencrypted passwords by using magix . It certainly isn't magic , it's just our bad coding that lets outside code interact with our own code .

undefined secure coding security coding raising awareness hacking
12

ultrono

2358

7y

I'm raging all over the place at the moment. I've just inherited possibly the worst PHP project (Codeigniter) in 10 years.

Apart from the fact that the previous developer has created 87 different header and footer files (same content, but each screen has different footer file for some reason, i.e. footer-login.php, header-login.php, footer-profile.php, header-profile.php etc.), he seems to like adding the following comment all over the place: "Released under MIT license: http://opensource.org/licenses/..." to some how protect is shitty code. I mean take a look at the below of some high quality,propriety Jquery he's written, under MIT.

undefined fml codeigniter rage php jquery

4
11

iloveerp

11

5y

Have you ever had the moment when you were left speechless because a software system was so fucked up and you just sat there and didn't know how to grasp it? I've seen some pretty bad code, products and services but yesterday I got to the next level.

A little background: I live in Europe and we have GDPR so we are required by law to protect our customer data. We need quite a bit to fulfill our services and it is stored in our ERP system which is developed by another company.

My job is to develop services that interact with that system and they provided me with a REST service to achieve that. Since I know how sensitive that data is, I took extra good care of how I processed the data, stored secrets and so on.

Yesterday, when I was developing a new feature, my first WTF moment happened: I was able to see the passwords of every user - in CLEAR TEXT!!

I sat there and was just shocked: We trust you with our most valuable data and you can't even hash our fuckn passwords?

But that was not the end: After I grabbed a coffee and digested what I just saw, I continued to think: OK, I'm logged in with my user and I have pretty massive rights to the system. Since I now knew all the passwords of my colleagues, I could just try it with a different account and see if that works out too.

I found a nice user "test" (guess the password), logged on to the service and tried the same query again. With the same result. You can guess how mad I was - I immediately changed my password to a pretty hard.

And it didn't even end there because obviously user "test" also had full write access to the system and was probably very happy when I made him admin before deleting him on his own credentials.

It never happened to me - I just sat there and didn't know if I should laugh or cry, I even had a small existential crisis because why the fuck do I put any effort in it when the people who are supposed to put a lot of effort in it don't give a shit?

It took them half a day to fix the security issues but now I have 0 trust in the company and the people working for it.
So why - if it only takes you half a day to do the job you are supposed (and requires by law) to do - would you just not do it? Because I was already mildly annoyed of your 2+ months delay at the initial setup (and had to break my own promises to my boss)?

By sharing this story, I want to encourage everyone to have a little thought on the consequences that bad software can have on your company, your customers and your fellow devs who have to use your services.
I'm not a security guy but I guess every developer should have a basic understanding of security, especially in a GDPR area.

rant erp crisis security data protection fml

2
10

donnico

1269

7y

Rant rant rant!

Le me subscribe to website to buy something.

Le register, email arrives immediately.
*please not my password as clear text, please not my password as clear text *

Dear customer your password is: ***

You dense motherfucker, you special bread of idiotic asshole its frigging 2017 and you send your customer password in an email!???

They frigging even have a nice banner in their website stating that they protect their customer with 128bit cryptography (sigh)

Protect me from your brain the size of a dried pea.

Le me calm down, search for a way to delete his profile. Nope no way.
Search for another shop that sells the good, nope.
Try to change my info: nope you can only change your gender...

Get mad, modify the html and send a tampered form: it submits... And fail because of a calculation on my fiscal code.

I wanna die, raise as a zombie find the developers of that website kill them and then discard their heads because not even an hungry zombie would use that brains for something.

rant sigh password security

1
10

blacckpigy

341

8y

!Rant
The new bill passed the house for ISP to be able to sell data. This get me ticked off. I already ausme that ISP did it under the table. Doesn't make it right. Now it legal for them to breach our privacy. At what leave do i need to run my own internet just to feel safe. VPN can sell the data, ISP can sell data about you. I spend my life teaching how to protect people online and now I can't even say they are safe at home from someone with wrong intention. A quote comes to mind.
"Dear lord I need to see some change, because the man in the mirror is wearing a mask"
I shouldn't have to feel every time. I boot my PC, that I need to remind my self that what I'm doing now is being sold so someone can lable me. When will the common man learn to protect their privacy online; And where is the line in the sand?

It not all bad, this event has given me the itch to code. Just to spin some heads I'm going to make a script to make random Google query across the widest array of topics, so my profile is full of contradiction.

The few who read this have a nice day!

undefined security privacy rant

6
10

platypus

5522

5y

I need to encrypt some large files at rest and then decrypt them immediately prior to processing.

App and files are on a Linux system (CentOS). App is in C. Machine is controlled by a third party.

What encryption libraries would you recommend? And, is there any clever way of managing the decryption key beyond compiling it in the code and doing some basic obfuscation?

Are they fancy obfuscation libraries out there, for example?

And, the reason I'm not going to SO (well, one reason) is that I don't want to have 50 answers that tell me that's it's impossible to 100% protect data on a machine you don't control. This I understand---just looking for "best effort" solution.

question option encryption at rest best of a bad situation

8
9

Skintigth

16

6y

I had a school project with a friend, we concord to code some parts of the program, share it and explain the code so the teacher see the code was ours, when the final date come, after some doubts from my find we could delive the project with a not good note, the time passed and the teacher repeated the temps for a final protect, my friend was totally lost, the he arrives with all of his part, I questioned him about the code but he don't not so much abut, we almost fail the final protect because he buy the code to someone else and couldn't explain it to the teacher.
This was my face when I knew he cheated.

rant frustrating friend project wk112 school

1
9

deviloper

2203

6y

I'm a developer, member of the A-Team. Actually I'm the leader of the A-Team.

We are incredibly skilled. Our problem solving capabilities is amazing, almost 100 times more effective than the rest of people. We produce code 10 times faster and better than anybody else. We have THE knowledge.

We can save the company in case of emergency.

For that reason, it's of paramount importance to nurture and protect the A-Team.

- When there is a bug, A-Team will not correct it. Because, if A-Team is busy, and bad shit happens, the company could be destroyed and we couldn't help

- When there is some important features to develop with a deadline, A-Team will not participate: A-Team must stay alert and ready in case of emergency

- If huge catastrophe happens and long hours, night and weekend are needed to fix it, A-Team will not risk burning the A-Team because it's the only high skilled team we have. The company cannot afford to have an A-Team member exhausted, underpaid, unhappy leaving or sleepy. Therefore, the company will sacrifice other less important people.

A-Team is company biggest asset and must be protected in any kind of situations.
The company should also pay training for them in order to increase their skills and make them unreplaceable.

These are my conditions. I'm the leader of the A-Team. You can't afford to loose me.

rant a-team

7
7

Demolishun

34913

2y

Made custom app for company for certain kinds of inspections. Was requested to make a license key for the app that is used internally. This was in case they wanted to franchise the business.

I made zero effort for the code to even protect against a weak attack vector. Like some shitty ass base64 or some shit like that. Any casual could crack it.

Years went by and was not talked about ever again. I took the shitty code I wrote for this out of the app. I can put it back, but guaranteed they will never ask again.

rant wk322 nfg
7

Kotamigo

72

6y

Hi there, First “rant” here, although it’s more of a question.

I have been working on a side project for some time and it has come to the point where I feel it might be prudent to protect my work with a patent or something similar.

The project in question is a multiplayer browser based game. The code is currently open source, but that can always change.

Given this is software people use rather than a service that developers might build off of, is copyright more appropriate than creative commons?

Based in the US if you can't tell and I'm above the age of majority luckily.

Thanks for any advice!

question cc copyright patent trademark

2
7

Unradelic

24

4y

The dangers of PHP eval()

Yup. "Scary, you better make use of include instead" — I read all the time everywhere. I want to hear good case scenarios and feel safe with it.

I use the eval() method as a good resource to build custom website modules written in PHP which are stored and retrieved back from a database. I ENSURED IS SAFE AND CAN ONLY BE ALTERED THROUGH PRIVILEGED USERS. THERE. I SAID IT. You could as well develop a malicious module and share it to be used on the same application, but this application is just for my use at the moment so I don't wanna worry more or I'll become bald.

I had to take out my fear and confront it in front of you guys. If i had to count every single time somebody mentions on Stack Overflow or the comments over PHP documentation about the dangers of using eval I'd quit already.

Tell me if I'm wrong: in a safe environment and trustworthy piece of code is it OK to execute eval('?>'.$pieceOfCode); ... Right?

The reason I store code on the database is because I create/edit modules on the web editor itself.

I use my own coded layers to authenticate a privileged user: A single way to grant access to admin functions through a unique authentication tunnel granting so privileged user to access the editor or send API requests, custom htaccess rules to protect all filesystem behind the domain root path, a custom URI controller + SSL. All this should do the trick to safely use the damn eval(), is that right?!

Unless malicious code is found on the code stored prior to its evaluation.

But FFS, in such scenario, why not better fuck up the framework filesystem instead? Is one password closer than the database.

I will need therapy after this. I swear.

If 'eval is evil' (as it appears in the suggested tags for this post) how can we ensure that third party code is ever trustworthy without even looking at it? This happens already with chrome extensions, or even phone apps a long time after reaching to millions of devices.

question eval is evil htaccess eval() php eval security

11
7

Enocra

618

8y

I had to make a commit today to protect my code from my cat. And it wasn't even the weirdest commitlog I've ever made.

undefined cat commit
6

Pepsi1x1

236

6y

While attempting to quit smoking and after spending a full day trying to understand why the previous devs took this approach to encrypting a string and my lack of nicotine addled brain not allowing me to see that this was a “Secure”String and so uses a machine specific key (that’s why the code that worked locally wouldn’t run on production 😑) this is my rant on comments added to the helper I had to write

/// <summary>
/// If you are using this class and it's not for backward compatibility - then you probably shouldn't be using it
/// Nothing good comes from "Secure" strings
/// Further to this Secure strings are only "useful" for single user crypto as the encryption uses the login creds, transferring
/// this data to another client will result in them never being able to decrypt it
///
/// Windows uses the user's login password to generate a master key.
/// This master key is protected using the user's password and then stored along with the user's profile.
/// This master key then gets used to derive a number of other keys and it's these other keys that are used to protect the data.
///
/// This is also a broken crypto method via injection (see Hawkeye http://hawkeye.codeplex.com/) plus the string is stored in plain
/// text in memory, along with numerous other reasons not to use it.
/// </summary>
public class SecureStringHelper
{

rant

3
6

Teknas

2751

7y

Any idea of how to protect your nodejs source code on a client's onsite server ?

If they can SSH, they can get the entire source.

This is built into the angular framework very well but I don't know how to do this on a server.

Any neat packages for obfuscation, uglification etc ?

rant nodejs

8
5

nanhb

1512

5y

I had this dream, We had to destroy this super mainframe who wanted some revenge because we as a programmers made a lot of mistakes in the code.

So we had to create this amazing machine with super powers and machine learning and then to go back to the past to save the world and to find me and protect me from the same machines that we created..

At the end, I died.. because the fucking machine betrayed me.

random dreamweaver joke dream in code machine learning to make it sound complicated wk175 dream

1
5

Demolishun

34913

252d

So I am considering side games to add my main games. Mini games I guess they are called. I thought it might be fun to have random chessboards in game you can actually play. I wanted to actually have a decent chess engine behind the game. Off the bat I found a GPL one. I think it is designed to be communicated externally. So what does that mean for using it in my game? If I communicate to an external process is this violating GPL? I have no intention of making my game open source. Well it seems this use case is very nuanced:
https://opensource.stackexchange.com/...

The consensus on a lot of these discussions is the scope of the use of the program. Are you bundling for convenience or bundling for intrinsic utility? This is fascinating because using a compiler on a Windows platform could be a possibly violation. That is a proprietary program calling a GPL one. This is actually handled in the GPL as far as I know. So, if I use a GPL engine as a mini game is that the same as a full blown chess game? What if I support 10 different engines in a full blown chess game?

Now to play devil's advocate even further. Are proprietary phone apps that communicate to GPL software that serve data intrinsically linked? The app will not function without the server or computer os the server runs on. A lot of the web tech is largely GPL or has large amount of GPL programs. Should the web code be under GPL? Should the phone app be under GPL? This sounds ridiculous to some degree. But is that the same as bundling a GPL app and communicating to it from the program via network or command line? The phone app depends upon this software.

Now to protect myself I will find a decent chess engine that is either LGPL or something more permissive. I just don't want the hassle. I might make the chess engine use a parameter in case someone else might want a better engine they want to add though. At that point it is the user adding it. Maybe the fact that it would not be the only game in town is a factor as well.

I am also considering bundling python as a whole to get access to better AI tools (python is pretty small compared to game assets). It seems everything is python when it comes to AI. The licensing there is much better though. I would love to play with NLP for commanding npcs.

I am not discussing linking at all, btw.

question external gpl game app

3
4

Xirate

322

5y

!rant, but funny
tl;dr I made something that was to protect me in case the customer doesn't pay, wanted to check if it's still there, messed up a little :D
>do an Android app project for almost 6 months
>issues with payment for it
> =.=
>firebase
>"Add new application"
>Remote Config
>add single integer variable
>back to app code
>if (integerFromFirebase != 0) navigateTo(new Fragment())
>mwahahahaha
>but they ended up paying me in the end
>huh...
>see another post on how to secure yourself if customer doesn't want to pay
>well, consider yours as more sophisticated
>hmm... wonder if they removed it
>firebaseconsole.exe
>change "enableJavaScript" (needed a legit name, so it can't be easily backtracked) to 1
>publish changes
>app still works fine
>mhhh... they removed it? really?
>can't fking believe it
>apkpure.com
>search for the app
>download apk
>unzip
>decompile dex file
>find the fragment
>can't find the code that navigates to blank fragment, but the config fetch is still there
>wtf
>look at the app
>restart it
>SHIT ITS NOT WORKING NOW XDDDDD
>changed the variable back to 0
>found out that the lambda in which I navigate to the blank fragment is in other .java file. New thing learned :v
>idk if I'm in trouble but I highly doubt it (console shows max 10 active users atm)

Was fun tho :v

rant android

3
3

TeaTea

182

3y

I'm a senior dev and on my new project, I am really working my a** off and enabling the other developers to concentrate on the work, while I'm handling all of the processes in the background for the client.

I couldn't really write code for a month now, but I'm okay with it because I can protect the team from dealing with all of these bs.

We have feedback discussions right now and I received something like: You are doing your job very well, but you are nagging too much about the client and the processes. Tbh I'm only complaining about this stuff behind the scenes and never in front of the client and compared to the past I reduced it by a lot.

Situations like that are so frustrating for me. I really had a good feeling that I'm on the right track and still people complain about characteristic aspects that are not happening on purpose.

I don't really invest much time into thinking if the voice/tone could have been improved.

Just needed to get this stuff out. Also, I am thinking about starting a rant book, so that I don't share any bad thoughts anymore with my colleagues /superiors

rant dev

3
3

iamrp

2521

5y

Microsoft announced a new security feature for the Windows operating system.

According to a report of ZDNet: Named "Hardware-Enforced Stack Protection", which allows applications to use the local CPU hardware to protect their code while running inside the CPU's memory. As the name says, it's primary role is to protect the memory-stack (where an app's code is stored during execution).

"Hardware-Enforced Stack Protection" works by enforcing strict management of the memory stack through the use of a combination between modern CPU hardware and Shadow Stacks (refers to a copies of a program's intended execution).

The new "Hardware-Enforced Stack Protection" feature plans to use the hardware-based security features in modern CPUs to keep a copy of the app's shadow stack (intended code execution flow) in a hardware-secured environment.

Microsoft says that this will prevent malware from hijacking an app's code by exploiting common memory bugs such as stack buffer overflows, dangling pointers, or uninitialized variables which could allow attackers to hijack an app's normal code execution flow. Any modifications that don't match the shadow stacks are ignored, effectively shutting down any exploit attempts.

random exploit security microsoft

5
0

David-Balaban

0

5y

9 Ways to Improve Your Website in 2020

Online customers are very picky these days. Plenty of quality sites and services tend to spoil them. Without leaving their homes, they can carefully probe your company and only then decide whether to deal with you or not. The first thing customers will look at is your website, so everything should be ideal there.

Not everyone succeeds in doing things perfectly well from the first try. For websites, this fact is particularly true. Besides, it is never too late to improve something and make it even better.
In this article, you will find the best recommendations on how to get a great website and win the hearts of online visitors.

Take care of security

It is unacceptable if customers who are looking for information or a product on your site find themselves infected with malware. Take measures to protect your site and visitors from new viruses, data breaches, and spam.

Take care of the SSL certificate. It should be monitored and updated if necessary.

Be sure to install all security updates for your CMS. A lot of sites get hacked through vulnerable plugins. Try to reduce their number and update regularly too.

Ride it quick

Webpage loading speed is what the visitor will notice right from the start. The war for milliseconds just begins. Speeding up a site is not so difficult. The first thing you can do is apply the old proven image compression. If that is not enough, work on caching or simplify your JavaScript and CSS code. Using CDN is another good advice.

Choose a quality hosting provider

In many respects, both the security and the speed of the website depend on your hosting provider. Do not get lost selecting the hosting provider. Other users share their experience with different providers on numerous discussion boards.

Content is king

Content is everything for the site. Content is blood, heart, brain, and soul of the website and it should be useful, interesting and concise. Selling texts are good, but do not chase only the number of clicks. An interesting article or useful instruction will increase customer loyalty, even if such content does not call to action.

Communication

Broadcasting should not be one-way. Make a convenient feedback form where your visitors do not have to fill out a million fields before sending a message. Do not forget about the phone, and what is even better, add online chat with a chatbot and\or live support reps.

Refrain from unpleasant surprises

Please mind, self-starting videos, especially with sound may irritate a lot of visitors and increase the bounce rate. The same is true about popups and sliders.

Next, do not be afraid of white space. Often site owners are literally obsessed with the desire to fill all the free space on the page with menus, banners and other stuff. Experiments with colors and fonts are rarely justified. Successful designs are usually brilliantly simple: white background + black text.

Mobile first

With such a dynamic pace of life, it is important to always keep up with trends, and the future belongs to mobile devices. We have already passed that line and mobile devices generate more traffic than desktop computers. This tendency will only increase, so adapt the layout and mind the mobile first and progressive advancement concepts.

Site navigation

Your visitors should be your priority. Use human-oriented terms and concepts to build navigation instead of search engine oriented phrases.

Do not let your visitors get stuck on your site. Always provide access to other pages, but be sure to mention which particular page will be opened so that the visitor understands exactly where and why he goes.

Technical audit

The site can be compared to a house - you always need to monitor the performance of all systems, and there is always a need to fix or improve something. Therefore, a technical audit of any project should be carried out regularly. It is always better if you are the first to notice the problem, and not your visitors or search engines.

As part of the audit, an analysis is carried out on such items as:

● Checking robots.txt / sitemap.xml files
● Checking duplicates and technical pages
● Checking the use of canonical URLs
● Monitoring 404 error page and redirects

There are many tools that help you monitor your website performance and run regular audits.

Conclusion

I hope these tips will help your site become even better. If you have questions or want to share useful lifehacks, feel free to comment below.

Resources:

https://networkworld.com/article/...

https://webopedia.com/TERM/C/...

https://searchenginewatch.com/2019/...

https://macsecurity.net/view/...

rant website

Top Tags

rant linux code windows fuck i java c programming android dev the is javascript js life joke a python

Weekly Rant

Most unrealistic deadline you've had?

devRant © 2021 Hexical Labs LLC
Privacy Policy | Terms of Service