Search - "rip security"
-
Are you serious? Are you afraid of an SQL injection or something, and instead of properly sanitizing your queries you disallow characters? Or is your software and database so outdated that you're afraid special characters will break it? Goodbye security
-
Gahaa!!! Finally back home, after 7 fucking hours of sitting in buses and trains!
BUT I GOT MY NEXUS 6P!! Yoo-hoo!!! :D
And I've got a nice story about it.
So when I bought it, the guy selling it to me was a nontechnical type (I think?) whose wife was the previous owner. So I thought to myself, cool a nontechnical user used it.. probably no hardware mods or anything to worry about. Apparently they even factory reset it for me :)
Now, when I left to go back home, I of course immediately booted up the thing and did the whole doodad of logging into it, setting up the device etc.
Then it struck me. When I booted up the device and wanted to log in, there was a lock from Google that required me to first authenticate as either a previous account of the device, or their unlock pattern. So I figured, eh fuck it, I'll just flash some AOSP without GApps or send the owner an email asking what the previous pattern is.
But I still had to wait 30 minutes at the bus stop so I thought to myself.. previous owner was a nontechnical woman.. maybe I could crack it. No way to know if I don't try. So I started putting in random unlock patterns.
3 attempts later - I shit you not! - pattern accepted.
Do you want to add this account?
Oh boy Google, of course I do! Thanks for letting me in pal!
3 fucking attempts. That's all it took to crack the unlock pattern of an unknown person. 😎
-
!security
(Less a rant; more just annoyance)
The codebase at work has a public-facing admin login page. It isn't linked anywhere, so you must know the URL to log in. It doesn't rate-limit you, or prevent attempts after `n` failures.
The passwords aren't stored in cleartext, thankfully. But reality isn't too much better: they're salted with an arbitrary string and MD5'd. The salt is pretty easy to guess. It's literally the company name + "Admin" 🙄
Admin passwords are also stored (hashed) in the seeds.rb file; fortunately on a private repo. (Depressingly, the database creds are stored in plain text in their own config file, but that's another project for another day.)
I'm going to rip out all of the authentication cruft and replace it with a proper bcrypt approach, temporary lockouts, rate limiting, and maybe with some clientside hashing, too, for added transport security.
But it's Friday, so I must unfortunately wait. :<
-
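The rant above describes the fix it wants: per-user salted slow hashing instead of MD5 with a guessable company-wide salt, plus temporary lockouts and rate limiting on the login page. The following is an added example, not code from the ranter's codebase. It shows the weak scheme beside a hardened one. The rant plans to use bcrypt (a gem); this example uses PBKDF2-HMAC-SHA256 from Ruby's standard OpenSSL library so it runs with no extra gems, and the salt value `ExampleCoAdmin`, the iteration count and the lockout numbers are constructed stand-ins.

```ruby
require "openssl"
require "securerandom"

# --- The weak scheme the rant describes (kept only for contrast) ---
# One fixed, guessable salt shared by every account, then a single MD5.
# Two admins with the same password get the same hash, and MD5 is fast
# enough that guessing is cheap once the salt is known.
COMPANY_SALT = "ExampleCoAdmin" # constructed stand-in for "<company name>Admin"

def legacy_md5_hash(password)
  OpenSSL::Digest::MD5.hexdigest(COMPANY_SALT + password)
end

# --- A hardened replacement ---
# Random per-user salt, a slow tunable work factor, and a constant-time
# comparison. PBKDF2 from Ruby's stdlib stands in for bcrypt here (assumption).
PBKDF2_ITERATIONS = 210_000 # constructed default; tune to your hardware
KEY_LENGTH = 32

def hash_password(password, salt: SecureRandom.random_bytes(16), iterations: PBKDF2_ITERATIONS)
  digest = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations,
                                    length: KEY_LENGTH, hash: "sha256")
  # Self-describing record: algorithm, work factor, salt and digest, base64-encoded.
  ["pbkdf2-sha256", iterations, [salt].pack("m0"), [digest].pack("m0")].join("$")
end

def verify_password(password, stored)
  algo, iterations, salt_b64, digest_b64 = stored.split("$")
  return false unless algo == "pbkdf2-sha256"
  salt = salt_b64.unpack1("m0")
  expected = digest_b64.unpack1("m0")
  actual = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations.to_i,
                                    length: expected.bytesize, hash: "sha256")
  # Constant-time compare so timing does not leak how many bytes matched.
  OpenSSL.fixed_length_secure_compare(expected, actual)
end

# --- Temporary lockout after repeated failures (in-memory; use a shared
# store such as Redis across app servers) ---
class LoginThrottle
  def initialize(max_failures: 5, lockout_seconds: 900)
    @max_failures = max_failures
    @lockout_seconds = lockout_seconds
    @failures = Hash.new { |h, k| h[k] = [] } # username -> failure timestamps
  end

  # Locked while max_failures or more failures fall inside the lockout window.
  def locked?(username, now = Time.now)
    recent = @failures[username].select { |t| now - t < @lockout_seconds }
    @failures[username] = recent
    recent.size >= @max_failures
  end

  # Returns :locked, :ok or :denied. The password is not even checked while
  # the account is locked, so guessing gains nothing during the window.
  def attempt(username, password, stored_hash, now = Time.now)
    return :locked if locked?(username, now)
    if verify_password(password, stored_hash)
      @failures.delete(username)
      :ok
    else
      @failures[username] << now
      :denied
    end
  end
end
```

A lockout keyed only on username still lets an attacker lock legitimate admins out; pair it with a per-IP rate limit at the proxy and alert on repeated lockouts rather than silently absorbing them.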
Dear all wonderful ranters,
I apologize profusely in advance if over the next few days I cannot contain my anger at people and rant about non-dev things. I promise I will try my best to not do this, but there are very few places (none) other than here where I feel comfortable enough to express myself freely and not censor my words.
I will be working as a security guard (3rd job) for a car show full of pretentious assholes who have a tendency to think I'm their servant. I have wonderful bosses who have my back, and there are truly amazing people in attendance as well, but if someone tries to run me over again after a long ass day, I might need to vent.
I fully accept any and all down votes, and will likely delete the rant after it's out of my system, unless there's a conversation going in comments (I wouldn't do that to you).
Please bear with me while I try not to strangle everyone I come across. I'm hoping this year is the year everyone is nice, but history tells me that's naive and won't happen.
All my love,
Your (co)queen who may end up arrested for using her bionic arm to rip their balls off and feed them to their wives
-
Yesterday my employer banned the use of all wireless keyboards and mice due to security concerns. This applies to all employees, including our many remote employees (I wonder how they plan to enforce that). I'm trading in my nice quiet wireless keyboard for some Cherry MX blues to protest. I really liked my current keyboard and mouse too. RIP
-
I am beyond speechless. My Bank forces me to use a password that consists of EXACTLY 8 characters, and at least one small character, one big and one number. Oh, and it should not be identical to the last 5 passwords.
What's the best part about this?
THEY HAVE A FUCKING METER TO MEASURE YOUR PASSWORD STRENGTH. FUCKING HYPOCRITES!
Not even 2-factor via SMS can make me feel safe when you have such a big pile of shit behind it
-
!dev
I'm checking out at Walgreens right now and have an item with a security device on it. The cashier just took a pair of scissors to it. Didn't work obviously and now I think she's trying to rip the cords off the box
-
My Windows Defender has gone out of the window.
Now whenever I open the Windows Security app, it shows a blank page.
There is no tray process running and I can't find any service either.
I know it's a huge virus attack.
Can anyone suggest some methods to find out what is causing this problem?
This has happened once before. That time I used DISM and checked Windows file integrity. It replaced corrupted ones and then Windows worked fine.
This time I want to know the cause.
I wanna root it out and rip it apart.
-
After two years of being in (metaphorical) jail, I once again was given the privilege of unlocking and rooting my phone. Damn. Frick Huawei, never coming back to that experience.
I gotta say, rooting... Feels a tad less accessible nowadays than when I last practiced it. All this boot image backup, patch, copy, reflash is crying to be automated; the only reason I can think of why that changed and Magisk can no longer patch itself into the phone's initrd is that it's somehow locked? Was it a security concern? Or can sideloaded TWRP no longer do that?
Oh, and the war... The war never changes, only exploits do - fruck safety net... Good for Google that they now have an *almost* unfoolable solution (almost). The new hardware-based check is annoying af, but luckily, can still be forced to downgrade back to the old basic check that can be fooled... Still, am I the only one who feels Google is kinda weird? On one hand, they support unlocking of their own brand of phones, but then they continuously try to come up with frameworks to make life with a rooted or unlocked phone more annoying...
On the other hand, I do like having my data encrypted in a way that even sideloading TWRP doesn't give full access to all my stuff, including password manager cache...
Any recommendations what to install? I do love the basic tools like AdAway (rip ads), Greenify (yay battery life!), Viper4Android (more music out of my music!) and quite honestly even Lucky Patcher for apps where the dev studio's practices disgust me and don't make me want to support them...
-
Having a meeting with an old client of our company's today, guiding him through the deployment process for his front and backend, because he thought that we were withholding information, and at one point in the call he asks me if the './' at the beginning of the deployment script was a special security measure put in place by us... 😂