Do all the things like ++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatarSign Up
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple APILearn More
Search - "security"
Manager: We need to setup the security in the Mexico server
Dev: You mean that 3rd party firewall add on?
Dev: And set up the billing on the Mexico account?
Dev: lol, sure thing I’ll create the ticket
Manager: What’s so funny?
Ticket: Build wall and get Mexico to pay for it.14
Manager: Hey fullstackchris, the maps widget on our app stopped working recently...
Dev: (Skeptical, little did he know) Sigh... probably didn't raise quota or something stupid... Logs on to google cloud console to check it out...
Google Dashboard: Your bill.... $5,197 (!!!!!!) Payment method declined (you think?!)
Dev: 😱 WTF!?!?!! (Calls managers) Uh, we have HUGE problem, charges for $5000+ in our google account, did you guys remove the quota limits or not see any limit reached warnings!?
Managers: Uh, we didn't even know that an API could cost money, besides, we never check that email account!
Dev: 🤦♂️ yeah obviously you get charged, especially when there have literally been millions of requests. Anyway, the bigger question is where or how our key got leaked. Somewhat started hammering one of the google APIs with one of our keys (Proceeds to hunt for usages of said API key in the codebase)
Dev: (sweating 😰) did I expose an API key somewhere? Man, I hope it's not my fault...
Terminal: grep results in, CMS codebase!
Dev: ah, what do we have here, app.config, seems fine.... wait, why did they expose it to a PUBLIC endpoint?!
Long story short:
The previous consulting goons put our Angular CMS JSON config on a publicly accessible endpoint.
WITH A GOOGLE MAPS API KEY.
JUST CHILLING IN PLAINTEXT.
Though I'm relieved it wasn't my fault, my faith in humanity is still somewhat diminished. 🤷♂️
Oh, and it's only Monday. 😎
Fuck the memes.
Fuck the framework battles.
Fuck the language battles.
Fuck the titles.
Anybody who has been in this field long enough knows that it doesn't matter if your linus fucking torvalds, there is no human who has lived or ever will live that simultaneously understands, knows, and remembers how to implement, in multiple languages, the following:
- jest mocks for complex React components (partial mocks, full mocks, no mocks at all!)
- token cancellation for asynchronous Tasks in C#
- fullstack CRUD, REST, and websocket communication (throw in gRPC for bonus points)
- database query optimization, seeding, and design
- nginx routing, https redirection
- build automation with full test coverage and environment consideration
- docker container versioning, restoration, and cleanup
- internationalization on both the front AND backends
- secret storage, security audits
- package management, maintenence, and deprecation reviews
- integrating with dozens of APIs
- fucking how to center a div
and that's a _comically_ incomplete list; barely scratches the surface of the full range of what a dev can encounter in a given day of writing software
have many of us probably done one or even all of these at different times? surely.
but does that mean we are supposed to draw that up at a moment's notice some cookie-cutter solution like a fucking robot and spit out an answer on a fax sheet?
recruiters, if you read this site (perhaps only the good ones do anyway so its wasted oxygen), just know that whoever you hire its literally the luck of the draw of how well they perform during the interview. sure, perhaps some perform better, but you can never know how good someone is until they literally start working at your org, so... have fun with that.
Oh and I almost forgot, again for you recruiters, on top of that list which you probably won't ever understand for the entirety of your lives, you can also add writing documentation, backup scripts, and orchestrating / administrating fucking JIRA or actually any somewhat technical dashboard like a CMS or website, because once again, the devs are the only truly competent ones - and i don't even mean in a technical sense, i mean in a HUMAN sense of GETTING SHIT DONE IN GENERAL.
There's literally 2 types of people in the world: those who sit around drawing flow charts and talking on the phone all day, and those WHO LITERALLY FUCKING BUILD THE WORLD
why don't i just run the whole fucking company at this point? you guys are "celebrating" that you made literally $5 dollars from a single customer and i'm just sitting here coding 12 hours a day like all is fine and well
i'm so ANGRY its always the same no matter where i go, non-technical people have just no clue, even when you implore them how long things take, they just nod and smile and say "we'll do it the MVP way". sure, fine, you can do that like 2 or 3 times, but not for 6 fucking months until you have a stack of "MVPs" that come toppling down like the garbage they are.
How do expect to keep the "momentum" of your customers and sales (I hope you can hear the hatred of each of these market words as I type them) if the entire system is glued together with ducktape because YOU wanted to expedite the feature by doing it the EASY way instead of the RIGHT way. god, just forget it, nobody is going to listen anyway, its like the 5th time a row in my life
we NEED tests!
we NEED to know our code coverage!
we NEED to design our system to handle large amounts of traffic!
we NEED detailed logging!
we NEED to start building an exception database!
BILBO BAGGINS! I'm not trying to hurt you! I'm trying to help you!
Don't really know what this rant was, I'm just raging and all over the place at the universe. I'm going to bed.20
Oh you're a frontend guy? Good, we need one of those.
Oh you're a backend guy too? Good, we need one of those.
Oh you're a security guy too? Good, we need one of those.
Oh you're a devops guy too? Good, we need one of those.
Oh you're a QA guy too? Good, we need one of those.
Oh you're an SEO guy too? Good, we need one of those.
"Well, sorry to say fullStackCraft, but we found your cloud architecture skills just a little too lacking for this position. We really need someone who can do frontend, backend, security audits, QA assessments, SEO, AND build scaling cloud architecture. Oh and while you're at it, can you turn fucking water into gold? We need that at our company too. You didn't get the position, but it'd be great if you could refer us to someone who is very advanced in fucking alchemy. Thanks!"
Absolutely toxic the way software people are treated I swear. The money may be the only good thing that is left.17
The client has a giant database with all credit and debit cards
ALL INFOS IN FUCKING PLAINTEXT
THE CARD NUMBER
THE EXPIRY DATE
I'M SHAKING AF38
micromanager: "Quick and easy win! Please have this done in 2-3 days to start repairing your reputation"
ticket: "Scrap this gem, and implement your own external service wrapper using the new and vastly different Slack API!"
slack: "New API? Give me bearer tokens! Don't use that legacy url crap, wth"
prev dev: "Yeah idk what a bearer token is. Have the same url instead, and try writing it down so you don't forget it?"
Slack admin: "I can't give you access to the slack integration test app, even though it's for exactly this and three others have access already, including your (micro)manager."
Slack: "You can also <a>create a new slack app</a>!" -- link logs me into slack chat instead. After searching and finding a link elsewhere: doesn't let me.
Slack admin: "You want a new test slack app instead? Sure, build it the same as before so it isn't abuseable. No? Okay, plan a presentation for it and bring security along for a meeting on Friday and I'll think about it. I'm in some planning meetings until then."
This job is endless delays, plus getting yelled at over the endless delays.
At least I can start on the code while I wait. Can't test anything for at least a week, though. =/18
I was a bit drunk.
But I wanted to improve security of the company. So, I went in Azure and activated “Security defaults” which forces MFA for all users in the company. (Because RH always forget to enable MFA for new employees, and I actually care about security)
Then I went in office 365 management and instead of resetting MFA for all users (Forcing everyone to redo MFA setup), I (by mistake) clicked on reset all passwords.
I tested my own account it was fine and went to sleep.
Got a call from CEO at 7am, all 30 employees cannot login in, cannot work.
What a shit show I made…
I have a call with CEO in about 2 hours, I don’t even know how to justify myself…
So children: don’t activate company wide options while drunk. Ever.23
Some 'wk306' highlights from different people:
Walk around the office in his underwear, because he forgot he left his trousers in the bathroom
Run a red light outside the office due to not wearing his required glasses. When questioned by co-workers, replied "I don't follow those facist rules"
Asking if we work less will we get paid more, because the project will take longer to do (while in a startup with no funding trying to secure some)
Tell a senior dev to stop testing in his spare time, as we won't be able to release on time if he keeps finding critical security bugs
Telling me "your timezone is not my concern", when asking for help with new tooling so we don't have to be online at the same time
Blaming my team for requesting too much help, leading to his team missing deadlines, in a meeting with very senior managers. When the reason we were requesting help was the handover doc we were given was filled with lies about features being finished and "ready to ship" and lacking any unit tests
Being accused of bullying and harassment to the CEO, because someone asked "did you follow up with X about the partnership they emailed us about". The person who was responsible, forgot 4 times, and saw it as an "attack" to mention it in team meetings
Telling an entire office/building mid November they've secured funding for at least the next year, then announcing in January after the Christmas break that its cheaper to move to India, so they are closing the office in 30 days2
Doing some Christmas shopping.
Creating some throwaway accounts in various e-shops
Some e-shops send me my password via email upon registration.
I've spent the better half of a day emailing those e-shops to revise their IT security policies.
Haven't bought a single gift yet.
Time well spent!6
Conversation with the bank today
Bank: For security purposes what was your childhood nickname?
Bank: What, I mean, Can you repeat that?
Me: I had a rough childhood!5
While writing up this quarter's performance review, I re-read last quarter's goals, and found one my boss edited and added a minimum to: "Release more features that customers want and enjoy using, prioritized by product; minimum 4 product feature/bug tickets this quarter."
... they then proceeded to give me, not four+ product tickets, but: three security tickets (two of which are big projects), a frontend ticket that should have been assigned to the designer, and a slow query performance ticket -- on top of my existing security tickets from Q3.
How the fuck was I supposed to meet this requirement if I wasn't given any product tickets? What, finish the monster tickets in a week instead of a month or more each and beg for new product tickets from the product manager who refuses to even talk to me?
Fuck these people, seriously.8
So, you want to tell me the security method used by the f*cking state of Missouri is CSS's "display: none"???
I watched the news recently and they talked about cyber security.
To demonstrate "how serious the topic is" they showed a screen with a terminal and literally pinged google.com.
I thought that was funny9
I just had to print out some bills for a colleague.
Nothing too bad you say?
Well.. She doesn't seem to care about security or privacy at all.
I opened the website of her email provider at my computer and moved away from the keyboard, so she could log in.
But instead she told me her email and password... In an office with some other colleagues... Multiple times and wrote it onto a piece of paper that the later left on my table.
After that I should look through her inbox to find the bills.
(Yup, I know a lot more about her now)
After finding and printing out her bills, she just thanked me and walked out of the office, because hey, why should I log out of her account?
It's nice that she trusts me... But that was a bit too much...4
My CTO prefers to hire very expensive consultants than to trust on staff. It's funny, because he also decided that all technical teams should run on the absolute minimal amount of resources.
You can't imagine how shitty it felt this morning when he sent an email talking about a security consultant that we should hire, just because he thinks the guy could "take our expertise to the next level".
They will charge us 450/hour to run assessments, to find the exact same things my team discovered a year ago.4
Google cripples ad and tracking blockers: In January, Chromium will switch to Manifest V3 which removes an essential API in favour of an inferior one. As usually, Google is being deceitful and touts security concerns as pretext.
That hits all Chromium based browser, such as my beloved Vivaldi. The team argues with their own browser internal blocker, but that's far worse than uBlock Origin. One of Vivaldi's core promises was privacy, and that will go out of the window. The team simply doesn't react to people pointing that out. They're fucked, and they know it.
So what now? Well, going back to Firefox because that will include the crippled new API for extension compatibility, but also keep the powerful old one specifically so that ad and tracking blockers will keep working. Google has just handed Mozilla a major unique selling point, and miraculously, Mozilla didn't fuck it up.26
Devs: Hey, what should we do?
provide our SDKs for download as easily as possible so that any potential customer can try it out and see how much better we are compared to our competitors?
Should we lock our SDKs behind a login where the customer needs to create an account and enter the most amount of private information possible, just in case, then also require to create some security access tokens that he needs to configure in his app to have access to our service via the sdk and also hide all of the documentation behind a login which requires some permission based roles to access and also make the sdks closed source so that it’s a pain in the ass to debug and understand?
B! Definitely B! Make sure to piss off and annoy our customers as much as humanly possible!
IE is dead ?!
NOT SO FAST.
The whole singin in Visual 2022 uses... Internet explorer renderer and... doesn't work on a Windows Server 2022 because of... "Enchanced internet explorer security policy".
I'm dying inside.7
DEAR CTOs, PLEASE ASK THE DEVELOPER OF THE SOFTWARE WHICH YOU ARE PLANNING TO BUY IN WHAT LANGUAGE AND WHAT VERSION THEY ARE WRITTEN IN.
Background: I worked a LONG time for a software company which developed a BIG crm software suite for a very niche sector. The softwary company was quite successfull and got many customers, even big companies bought our software. The thing is: The software is written in Ruby 1.8.7 and Rails 2. Even some customer servers are running debian squeeze... Yes, this setup is still in production use in 2022. (Rails 7 is the current version). I really don't get it why no one asked for the specific setup, they just bought it. We always told our boss, that we need time to upgrade. But he told every time, no one pays for an tech upgrade... So there it is, many TBs of customer data are in systems which are totally old, not updated and with possibly security issues.9
When I need cash, sometimes I go to my clients and sell them "security updates"...
I am a one (wo)man Mafia!4
That log4j RCE is some fucking nasty business!!! Its exploits have already been observed multiple times in our company scope.
Time for some unplanned Saturday evening hot-patches :/
P.S. Why the fuck leave such a feature enabled as default??? I mean really, whose brilliant idea was "let's leave the message parser enabled as well as the LDAP query hooks... BY FUCKING DEFAULT!!!"
I mean really, is anyone using that? ANYONE?
And then they laugh at me when I say "stay away from frameworks", "use as little libraries as possible", "avoid foreign code in your codebase",...
you know what.... JOKE'S ON YOU!10
Cyber security. Deep knowledge of cyber security and networks is what I wish I had. The math stuff that no one bothers with, specifically.7
Years ago I used to work a guvmant site. They had really strict security rules for internet and how you spent your time. Makes sense considering what that site did. I was a support engineer for some of their process control equipment.
I was approached by an operator supervisor to install dvd player software on a business machine (non process related). Basically just a general purpose PC with no function other than time cards and general office use. I was fine with the request, but the reason was for watching movies during a holiday period by the operators. Not for anything official. So I made some noise about my dislike of this request feigning moral superiority. But the supervisor swore up and down it was for "training" dvds.
So I wrote a simple windows script. The script basically popped up a window that said:
"Security has detected unauthorized media inserted into this machine. Please state the reason for this infraction." It provided a dialog to enter a justification. After you entered the justification it said: "Security has been contacted and your user logged. You will be contacted shortly."
This script was then attached to the supervisors Start folder so it ran when he, and only he logged in. We made sure the "training" video (some movie) was already inserted at this point.
He logged in. He just about shit his pants when reading this. He promptly logged and left the building to walk somewhere else in the site. We called him and let him know it was a gag. His response: That son of a bitch Demolishun!2
Stop calling people by their old occupation titles. .
Please address them by using their new titles accordingly
and they will like it their job more.
OLD: *Garden Boy*
NEW: *Landscape Executive and Animal Nutritionist*
OLD: *Petrol attendant*
NEW: *Fuel transmission engineer*
NEW: *Front Desk Controller*
NEW: *Printed Document Handler*
NEW: *Business Communication Conveyer*
OLD: *Window Cleaner*
NEW: *Transparent Wall Technician*
OLD: *Temporary Teacher*
NEW: *Associate Teacher*
OLD: *Tea Boy*
NEW: *Refreshment Director*
OLD: *Garbage Collector*
NEW: *Environmental Sanitation Technician*
NEW: *Security Enforcement Director*
NEW: *Practical Sexual Relations Officer*
NEW: *Wealth Relocation Officer*
NEW: *Automobile Propulsion Specialist*
NEW: *Domestics Managing Director*
NEW: *Food Chemist*
NEW: *Oral Research and Evaluation Director*
Which one got you more?15
Electric cars are not better for the environment. All petrol cars combined are only responsible for 7.9% of CO2 emissions. If your electric car is charged from a grid that is powered by a coal-burning power station, it contributes nothing to dealing with climate change. It only provides you with the false sense of security, and you can look cool telling your friends that “you know, I drive a Tesla, I’m environmentally conscious, your gas car is bad”.
Electric cars are lame. When I’m out of fuel, I can refuel fully in minutes. With electric car, I’ll have to wait at least five hours. Let’s be realistic, superchargers aren’t common, and will never be.
Gasoline is 46.4 MJ/kg, or 34.2 MJ/l. Li-Ion is 0.36–0.875. Let’s be generous and say it’s 0.9. To match 1 kg of petrol, I would need 51 kilos of batteries.
Average gas tank is 18 gallons, or 68 litres. To match that, my battery must have a weight of 2.5 metric tonnes. Bear in mind, empty battery and full battery has the same weight. Also, bear in mind, batteries perform worse in the winter.
As per energy density and practicality, things don’t get much better than petrol. Liquid hydrogen has higher energy density, but to store it, gas tank has to have very, very thick walls, to withstand the pressure. And, hydrogen is a bitch. It’s extremely dangerous. You can’t smell it until it’s too late. Hydrogen-air mixture will explode if you look at it the wrong way.
All that “electric cars good for climate” hype is merely Elon maintaining his stock bubble.29
Wrote some code that solved a program in a semi unique way for the codebase. As in not oft used functionality of language.
Some time later... This might be hard to understand. Maybe I should do a different way.
Some time later... No, I will leave a comment to describe what is going on.
Some time later... That comment is kind of cryptic. Maybe should rethink.
Some time later... No, if the next dev doesn't know how this works then they should learn how it works. (reasoning here is that the functionality requires a knowledge of internals of language)
Some time later... Also, if nobody else gets this then they have to ask me how it works. Job security?
Some time later... STOP THINKING ABOUT THIS CODE AND MOVE ON!5
I tweeted a silly story about how I accidentally hacked my principal's email account when I was in middle school. (Yes, I did say "accidentally". The school network's security was that bad.)
Within minutes I had four replies telling me to contact people on Instagram to get my hacked account back. I guess I said the magic words and triggered some bots.
Working in security for many years only granted me world-class paranoia about taking pictures of myself and my family. It even made it hard to keep in touch with my friends as we don’t live in the same country anymore.
The good side is that it pays well enough to grant me a platinum foil hat.8
I should just quit. I am not paid enough to deal with this pissing contest.
Need to add instructions (on readme) for installing pnmp, or if possible, have the top-level npm i install it (lol).
Also, it looks like we are no longer using lerna? If that's right, let's remove the dependency; its dependencies give some security audit messages at install.
it's good enough for now. Added a new ticket to resolve package manager confusions. (Migrate to pnpm workspaces)
I will probably be responsible for automating deployment of this (I deployed the webapp on cloudflare pages and there is no work that needs to be done. "automating deployment" literally means replacing npm with pnpm). I disagree that it's good enough for now.
Imagine all readmes on github document how to install yarn/pnpm.
If you think an OOP static site developer can't handle modern JS framework, you are probably right.2
Why I love Salesforce 👀
- Run a test method
- failure: no field found
- checks test, queries field
- checks field security (access permissions) visible to user
- runs test again
- failure: no field found
- adds debug log of queried field
- runs test again
Thanks, thanks for fucking with me today 🥲6
Excerpts from "Bastard devops from hell" checklist:
- Insistently pronounce git with a soft "G" and refuse to understand people not using that pronunciation, the same goes for jithub, jitlab, jit lfs, jitkraken etc.
- Reject all pull requests not in haiku format, suggest the author needs to be more culturally open minded when offending.
- increment version numbers ONLY based on percentage code changed: Less than 1% patch increment, less than 5% minor increment, more than that major version increment.
- Cycle ALL access keys, personal tokens, connection strings etc. every month "for security reasons"
- invent and only allow usage of your own CI/CD language, for maximum reuse of course. Resist any changes to it after first draft release23
I found this old printout of my username and password for my school account from ca 2008. I really like how the password are the same as the username except for some capitalization 😂😅
I think what would help is to teach them these things:
- awareness for security in code
- how to use a fucking VCS like Git and how it works
The more I look into Windows 11 the more I hate it. There's just 1 (one) more thing that's wrong with it every time I look.
It's a security and ethical nightmare. I almost wish I didn't specialize in computer recovery & cybersecurity.
So thankful that my high-end gaming-built PC is apparently "not compatible" with Windows 11. Oh, you don't want to break my computer and ruin my entire life? That's actually a complement, man.18
!rant Security training at work comes in the form of a serialized TV show where each episode concerns some security topic kind of tangentially and ends with a “REMEMBER… “ followed by the lesson you were supposed to get from the episode.
I kind of love it. A lot. I actually look forward to security training, and I’m not the only one. They stagger the release so you can’t binge watch all the seasons at once and you get three episodes at a time. 😂1
Why the fuck do people not change their router admin password!? I was at a hotel today and could access their router admin interface with the default credentials. I guess this isn't purely the fault of the hotel because not all people know a damn thing about security and only use the interface to change the SSID and password of the AP. But why allow them to leave the default password? Why isn't this a standard feature to be forced to change the password :|13
I know folks do their best, but come on Apple, this can't be that hard. Bought an IPhone at an estate sale (elderly individual died suddenly, so no one had knowledge of the apple id, passwords, etc) and I've been trying to convince apple to clear the activation lock. (AS = Apple Support)
<after explaining the situation>
AS: "Have you tried putting the phone in recovery mode? That should clear the lock"
Me: "I've already done that. It prompts for the apple id and password, which I don't have"
AS: "You need to talk to the owner and get the information"
Me: "As I explained, I purchased the phone at an estate sale of someone who died. I have the bill of sale, serial number, the box, obituary. What else do you need?"
AS: "Have you tried contacting a family member? They might have have that information."
Me: "The family members at the sale told us this is all they had. This kind of thing has to happen. I can't believe Apple can't clear the activation lock."
AS: "Yes, we can, but I'm very sorry we take security seriously."
Me: "I understand, what do I do now?"
AS: "Did you log out of the phone? Go to settings ..."
Me: "Yes, I tried all those steps before calling. It prompts for the AppleID and password."
AS: "Did you try entering the password?"
Me: "No, I don't have it. I already explained there is no way to know"
AS: "Yes..yes...sorry...I'm just reading the information in front of me. I found something, have you tried submitting a activation lock removal request?"
Me: "Yes, it was denied, didn't tell me why, which is why I'm calling. What about taking this phone to an Apple store? I have all the paperwork."
AS: "Sure, you can try. You might need the death certificate. The family or the coroner will have a copy."
Me: "What!? Apple requires a death certificate to unlock a phone!? I'm pretty sure not even the family is going to give a total stranger a death certificate"
AS: "Sorry sir, I'm just reading what is in front of me. Without that certificate, there is no way to prove the person died. You can try the Apple store, but they will likely require it."
Me: "That's a lot of drama for unlocking a phone. A *phone*"
AS: "Yes sir, I understand. If there anything else we can do let us know and thank you for being an a apple customer."
Next stop, the Apple Store.12
We had an obligatory training today about security of remote access to company resources.
We sat for an hour listening to some outdated advice regarding passwords and preparing a work environment at home. Finally the instructor said his goodbyes and left. The rest of us stayed in the call to pass some actual recommendations.
Then we received a join request from a waiting lobby. Everyone muted. I let the guy in. For the next 8 minutes we watched the unaware instructor eat his breakfast and sign some documents stamped with a logotype of our competition.
Then I cleared my throat very loudly. He will have to print some of those documents again.4
Apple: this AppleID has been locked for security reasons.
User: Sign Out
Apple: Enter the Apple ID password to turn off Find My iPhone.
User: Turn Off
Apple: You must enter both your Apple ID and password.
Apple, please stop bugging me, all I need is to test my websites on Safari occasionally because some customers prefer to use iPhone. Just don't bother me with your Apple ID crap9
Offensive and defensive at both code and infrastructure levels.
So many times I see devs not give a flying pancake about security. Whether it be rolling integers for sql injection or permission guarding to prevent someone executing something they shouldn't.
Why is security in this industry always the last thing to be concerned about when it's the first thing that's going to kill your business.
Registering a new account for microsoft teams:
`Your password cannot contain a space, &# characters combination, or the following characters: < >`
Are they storing the passwords in plain text? Are they not sanitizing the input? Why the fuck would they care if I put motherfucking emojis in my password? What the fuck are you doing to the passwords, Microsoft? TELL ME.4
Love how DoD work requires sec+ certification but as you are learning the material you realize they don’t follow any procedures or practices.6
So it turns out that one of our systems is so fucking old that its Log4j is off the hook. What they say of blessings being disguised as curses is real.2
Good thing it's only for my personal website so I couldn't care less.5
Our school had for an open source way of dealing with home schooling and managing the school network and so on.
Now the government forced a "proprietary" system on our school and everyone hates it. The teachers didn't want it the pupils didn't want it but who cares "what we do is the best".
Btw the proprietary system costs a fuck load of money even though they just mixed many open source projects and made it their own proprietary thing.
And this company now get's loads of money for their shitty system that never really worked once since we got it.
They blocked so many ip's that we can't even access google and it's services on the school wifi and the bandwith dropped severely with the new system.
Oh and many random ip's e.g. one of my vps is accessible but the other one not.
Discord is blocked.
And so on...
I need to learn for tests next week and need to access that stuff on the portal but...
Now they decided to switch the LDAP server to the new system and since a few hours i can't access this fucking thing.
It seems like the platform now contacts the new server which isn't even up and running....
Never change a fucking running system....
Oh and we got smart boards and it runs on android and they didn't block adb. Now i installed clash of clans on one of those things. Haha whoops.
These boards cost 7000€ and have security patches from 2 years ago....and Android 87
The most annoying hack I've had to deal with was back when I did IT support, actually. Level 1 call center tech at the time. Apparently someone fell for a phishing email and gave out his outlook credentials. The phisher used that email account to send out another phishing email to roughly 1800 employees.
Security Operations noticed, because this guy's job didn't generally involve sending out mass-communication emails. They investigated, figured out what had happened, and opted for the nuclear option: they reset the password for EVERY SINGLE ACCOUNT that received the email. All 1800 of them. Over the weekend.
I walked into the call center Monday morning and checked the call stats, then did a double-take. There were over 300 people waiting in the queue. I almost left and called in sick. Turns out it wasn't that bad though. Annoying to reset so many passwords and having no downtime due to the full queue, but on the other hand my stats were better that day than any other, since every call was a 5-minute password reset.1
Other team lead: Hi DevOps Team, We need you to deploy this app to production. It's maintainers gave up on it in 2019, but we looked at it and it feels right.
Me: Uhm. That's not going to work. It'll fail the security scan before you can even finish the build in CI.
Other team lead: Yeah, this app is the right thing to do, and we needed it last week, but since that won't work, we'll just use this other very very infant technology that was just born yesterday. It's not stable in production, or on MySQL, or in AWS at all, but it's the other direction we can to go.
Me: What problem are you trying to solve in the first place?
Other team lead: Oh, we need access to the read from the production database.2
Waiting for the floors I just mopped to dry, and I'm still thinking about migrating and if, for example, the swiss give me a good job offer, I would most likely stick around. I don't hate to stick around Europe, but it defo doesn't have any of the elements I like. (megacity, snows, English speaking, multicultural, non-torturous migration laws)
Like, I'm at that point where I'm not making enough money and want to leave (also, gaining the freedom to leave from degree soon enough) but I absolutely hate my home place (personal reasons) but they pay a crapton better, plus I can get social security benefits.
... And I want to do a phd. 😐
Someone beat some sense into me please.13
I hate Wednesdays. Networking has the Antimalware service run a full/deep scan every Wednesday and my machine is basically unusable until it finishes.
Devs: "Can we have the scheduled task not run during the day, maybe even on the weekend?"
Gary: "Security is our #1 priority and without proper security methods in place, we'll be open to outside threats. Security begins with you, and ..blah blah blah"
Bite me Gary. I got something for ya.
Get-ScheduledTask | ? TaskName -eq 'Windows Defender Scheduled Scan' | Stop-ScheduledTask9
Apparently Patreon has fired (and then outsourced) the entire cyber security team. What's the worst that could happen?
Sometimes I think about packing up my bags and just going into security consulting just to get away from the world of being an infrastructure anarchist for software companies that are overvalued "Export to Excel" generators.2
I f&#king hate it here. I am just eyeing to exit as soon as 1 year of my contractual obligation is over. My employer is a good employer. Provides good benefits but I just can't take the bureaucrazy in here. Just yesterday, had to ask another team to deploy objects on our behalf as they are the schema owner. They did it and asked us to review it today. But how? We don't even have manual access to the schema, because we are not the content owner and security! But that's fine, I can always query the catalog views and check the metadata and should be able to conclude the deployment. Right? NOOOO. Because security! Of what? Column names?
Prev rant: https://devrant.com/rants/5145722/...2
New job. Almost all sites are blocked due to "security"... even spotify. I can' listen to the music. Fortunately i have access to dev rant xd4
google's so worried about security they make breaking changes without notice
but keep some session logged in from TWENTY-NINE-TEEN!!?!?!?4
At the beginning of the last year of university a new flatmate arrived. His father dropped him at the apartment and then called me asking for the Wi-Fi password.
I told him I could not remember it on the spot and I would tell it to his son later.
I actually remembered it very well and I could say I didn’t tell him because of security reasons …
Actually I was embarrassed to say on phone: “PubesRule!”
The password was actually decided by a previous flatmate…😅3
f it ain't broke, don't fix it!
I feared my Android phone's touchscreen suffered severe damage from using it in the rain, until I discovered that the 3-button navigation stopped working after an Android 12 security update (both in Nova launcher as well as in official Google Pixel launcher). Wasted time drying the unplugged phone and googling for repair options before finally wasting more time changing system settings back and forth, rebooting, changing system settings, rebooting, etc.
Remember those happy times before mobile phones have been invented, which of course I don't really want back either. I just want developers to stop breaking features that used to work. Regression testing outside the happy path, anyone? I mean, it's not a hacked maker project, it's a commercial phone that I bought and intend to use with the latest official software. Don't want to think about the next breaking changes that Android 13 might bring.10
Does someone know a site where i can get professional level help/guides/tutorials with system architecture questions? Like best practices for implementing common features? (Something like stackoverflow but where u actually get an answer instead of insults)
Googling for tutorials gives very basic/demo level results that might not be great for scale/security in prod env7
Salesforce lightning web components have such bullshit limitations that they claim is because of security but it's just because it's overengineered garbage.
Want to use web components? Nope.
Want to pass in a value to a function in a click listener expression? Nope.
Want to use scss? Nope, compile it to css yourself.
Want to use the fucking document object? Guess what it's overridden except for very specific third party frameworks.
Who in the fuck thought it was a good idea to override the document object? Your app isn't more secure, literally the entire internet uses the document object and it still becomes available in runtime anyway so what the fuck??
LWC is the biggest garbage I've ever seen, you know a framework's a big red flag when there are developers solely for the framework.
There is a new security release coming out that apparently removes some of these nuances (understatement) so there might be some light at the end of the tunnel.4
My org (of which i'm basically CTO) has this administrative tool that a team uses to combat spam and scams, which is quite the problem for us.. the tool was written like 9 years ago, by my predecessor, very quick & dirty and unaesthetic and without input from those who would use it as far as interface or UX... it got modded a little a few years later by a kind of amateur coder who was at the time on the spam control team, and now there's this new maybe slightly less amateur coder guy on the team who has written this amateur tool that scrapes data off our site and massages it and stores it on his own server and then provides a better interface, or so they say.... this is all because for a couple of years people didnt want to "bother me" with a request to improve our internal tool, they thought I was "too busy" doing other things... so instead this outsider has built this stupid thing that lives on his own personal server and so now we have these problems to do with performance, security, privacy for user info, etc etc... someone please shoot me....1
Back in https://devrant.com/rants/5492690 @Nihil75 referred to SlickVPN with a link, where you can buy a lifetime licence for $20. I thought - what the hell.. I don't need a public VPN rn, but for $20 for a lifetime lic - I'll take it, in case I'll ever need one.
I had some trouble signing up - the confirmation email never reached my inbox. So I got in touch with support. And they.... generated and send me a password in plain-text.
And there even isn't any nagging requirement to change the pass after I sign in for the first time!
IDK... As for a service claiming to be security-oriented, the first interaction already screams "INSECURE".
Well.. should still be OK for IP switching, to unlock Netflix content I guess. Don't need anything secure for that 🤷16
Dependency hell is the largest problem in Linux.
On Windows, I just download an executeable (.exe) file, and it just works like a charm! But Linux sometimes needs me to install dependencies.
At one point, I nearly broke my operating system while trying to solve dependencies. I noticed that some existing applications refused to start due to some GLIBC error gore. I thought to myself "that thing ain't gonna boot the next time", so I had to restore the /usr/lib/x86_64-linux-gnu/ folder from a backup.
And then there is a new level of lunacy called "conflicting dependencies". I never had such an error on Windows. But when I wanted to try out both vsftpd and proFTPd on Linux, I get this error, whereas on Windows, I simply download an .exe file and it WORKS! Even on Android OS, I simply install an APK file of Amaze File Manager or Primitive FTPd or both and it WORKS! Both in under a minute. But on Linux, I get this crap. Sure, Linux has many benefits, but if one can't simply install a program without encountering cryptic errors that take half a day to troubleshoot and could cause new whack-a-mole-style errors, Linux's poor market share is no surprise.
Someone asked "Why not create portable applications" on Unix/Linux StackExchange. Portable applications can not just be copied on flash drives and to other computers, but allow easily installing multiple versions on a system. A web developer might do so to test compatibility with older browsers. Here is an answer to that question:
> The major argument [for shared libraries] is security, that if there is a vulnerability in a commonly-used library, then only that library has to be updated […] you don't have to have 4 different versions of a library installed
I just want my software to work! Period. I don't mind having multiple versions of libraries, I simply want it to WORK! To hell with "good reasons" for why it doesn't, and then being surprised why Linux has a poor market share. Want to boost Linux market share? SOLVE THIS DAMN ISSUE!.
Understand that the average computer user wants stuff to work out of the box, like it does in Windows.58
I dont understand the Log4j vulnerability.
Isnt the ability to execute code a feature they added so that you can add dynamic data to the logs?
If it is a feature then isnt it written in the documentation?
Is the problem that a lot of companies forgot to sanitize the input before logging it?23
Laziest habit? Anything done between 1pm-4:30pm and 4:59pm-8pm. During that time, habits include unnecessary refactoring, poking the CI/CD containers, editing already made prototypes in gimp inkscape, pasting stackoverflow topics to youtube, bouncing from macOS, windows and kde distros in search of zen/rice, adding a calendar emoji on my slack :), making useless automation scripts, building on every variable's value change, tinkering pixels, shades, gradients (and their angles), dimens, anim values, anim curves, opacity, blurs and just nuking the ui just to copy paste an old one, 60% just chatting in code alongs, changing key bindings (from ide to OS), and ultimately zoning out on a podcast about cyber security. And of course: waiting for ++ and comments
I had to explain that it’s a security measure that’s been up for almost a month. PM knows this but left it to me to explain because ownership of the site is on me. The donations page and api gets hit by a lot of bots because it’s a public api and there are no security measures like captchas to deter the bots. I’m inheriting this website and I didn’t build it.
Staff member says other staff want to know if the Cloudflare page can be customized so it looks more legit. Um, Cloudflare is a widely known legit service. Google it.
A few thoughts pop into my head:
1. Engineering communicated to stakeholders about the Cloudflare messaging a month ago.
2. Wow, stakeholders don’t share relevant info with their staff who aren’t on these emails.
3. Woooow, stakeholders and staff don’t look at the website that often.2
CORS is shit
Stupid useless shit that protects from nothing. It is harmful mechanism that does nothing but randomly blocks browser from accessing resources - nothing more.
Main idea of CORS is that if server does not send proper header to OPTIONS request, browser will block other requests to that server.
What does stupid cocksuckers that invented CORS, think their retarded shit can protect from?
- If server is malicious, it will send any header required to let you access it.
- If client has malicious intents - he will never use your shit browser to make requests, he will use curl or any ther tool available. Also if server security bases on something as unreliable as http headers it sends to the client - its a shit server, and CORS will not save it.
Can anyone give REAL examples when CORS can really protect from anything?32
Play Store's $25 registration fee - for getting PWA listed in their shitty catalogue? Who in the right mind would even jump in this clusterfuck of store to find a *web* app? For all you know, Google, there is such thing as QR codes - and customers can just scan the code (or type in that sweet address). Voila! Boom!!! Ching-ching!
Hello-hello, monopolistic cashgrabage! I came to inform you that your TWA bullshit is unneeded in ETHICAL space. The only ones who would benefit from this thing are permission-hungry publishers. And I'm already sick of this culture where people are put into store bubbles. You can't hide the fact that this data and features you provide, with "native" layer, may be misused in a jiffy - and by big players, no less. Of course, as a vile dumpster that you are, you don't mind it.
Don't even bring up a battery consumption that comes with PWA and browser. This doesn't matter if you use an app for some 2 minutes to tick your mental checkboxes! I'm just sick of app stores and native apps that collect the data without normal warning, and dare to take more than 1 second to fucking load the cached data. Take a lesson or two from PWAs that collect (probably useful) cache, instead of my specs, and load almost instantly.11
A new update was just released to AltRant!
This update features:
- Massive UI responsiveness fixes and enhancements, including many fixes for UI bugs, fixes and things that needed tweaking
- A COMPLETE overhaul of all devRant API methods (a switch to my new library, SwiftRant)
- Progress with Android compatibility (replaced incompatible libraries for compliance with Mutata)
- Enhanced security with the Keychain
Here’s the link to join again:
I've been in touch by phone with a recruiter from collabera.com and they seem to be in a huge rush to get started with me in a cloud support engineer for Microsoft Azure. They have a screening call setup on Wednesday for me with an Account Manager at Microsoft Azure. With rising recruitment scams among other things, I'd looking to verify they are legitimate before I give them any information beyond the info I already gave. They've told me they need me to start the job ASAP.
They've asked for:
- Legal name
- State and County Name
- Partial date of birth (They were very clear to not include the year of birth)
- Choice of pay option
They've already sent me a pay offer and information on the health insurance plan I would receive.
There is a known phishing scam from collabera.net impersonating collabera.com according to the BBB that they're warning about.
I want to make sure that beyond low balling me for a pay offer (they said it's an 18-month contract) there's not anything else fishy going on.
I have other interviews this week and will likely have an offer from another company directly (not through a staffing agency) in a few weeks. While I want to accept offers that are good, I want to make sure I'm not giving my personal information to scammers.
Based on some research there seem to be a lot of scams using the company's name. I found the article https://theregister.com/2020/07/... at least indicates the company is real. In my call with them they did not insist on me giving them my social security number or other personal information (which they'd need for identity theft) and they also gave me information on the health insurance plan. On the other hand they seemed unprofessional. It's hard to know who to believe. They also sent me information on IIS I'm supposed to read before the screening call. It all seems very weird. I'm skeptical to say the least. It's all very detailed if it's a fake job offer scam.
I don’t want to skip a real interview but feel anxious after reading a lot of bad things about the agency.15
I'm trying to reach Alice but none of my messages get through. Maybe Eve has something to do with it 🤔5
A customer specialising in identification and security solutions called today, claiming "they" found malware on their website. Then they provided a weird link to some shady malware scanner, and the "malware" turned to be a <noscript> tag which adds ?noscript to the page url, so we can serve no-JS optimised content. As a bonus, the scanner only detected it on two URLs, even though every single page on the site contains that same line of code.
Joke's on them, have fun paying for priority support outside of the business hours for nothing.2
I've been in IT for a while now, maybe 15ish years. Was always into security, networking, programming. Worked my way up, so to speak, to field I wanted. A while back I got what I considered a "dream job" and now I am not so sure. Many parts of it are not what I expected: people, workflow, work quality. The thing is, I don't think I want to be in my specific field anymore, maybe not even tech. I have considered a career change but I'm unsure of what I'd want to do and feel like I'll be fumbling around and going backward.
Has anyone gotten out of a situation like this, changed careers or sub-career even?3
Jesus christ I need my VP and CIO to get their hands out of Azure and GCP and just let me work.
Yes, governance and security and IAM are big deals. That's why you have infraops people like me to deal with that.
I'm literally working with one hand tied behind my back because just about every button press or CLI command I need to do my damn job as a professional cloud fluffer requires me to go bother an executive and ask permission to pretty please can I deploy a new container, can you go press the shiny button? No not that one, move your mouse up...up..now UP..ok over lef-no..can I have mouse control? Sigh fine, do you see where it says "Approvers", no that says "Release Pipeline"
Look I actually kinda like this job, I do, in as much as when I have something to do I get left the fuck alone to do it. Meetings are minimal, aside from the odd days when one of our app services decides to yeet itself into the river Styx, there's little distractions.
Yeah, developers do dumb shit but that's probably best left to the notion of job security and never talked about again less they go to HR and complain that the ops guy was very stern and direct and made the developer take some accountability for their work product.
It's so intergalactically stupid that I have to go ask permission just to do ops tasks by the same people barging down my goddamn door asking why the ops task isn't done yet.
"Because you won't give me permissions in GCP to actually DO anything".
Okay. Rant over. Time for lunch. Good meeting, see you all at the holiday party.2
Any of us had annoyances with people with “a million dollar app idea” but what about these which gives unsolicited career advice?
I’m dealing with a boomer which keeps trying me to change my career and work into cyber security (because TV told him it’s a well paid field) despite me kindly telling him for multiple times which it’s not going to happen because I won’t throw away a career I love to work in a field which seems deadly boring to me (I love anything about coding from design to typing for hours on Vim meanwhile the only thought of reading for hours obscure documentation to find potential vulnerabilities on a system kills my spirit).9
I was on Instagram and I saw a boy advertising to sell 5k followers and I was wondering, how do they do that? Can they programmically create and control those accounts? I know they can use the Instagram API to some degree but I feel like Instagram probably has security set up to detect that type of stuff (5k accounts following someone at the same time, etc). Does anybody know? I’m actually really curious7
Real conversation with my shit bank
Me: Hey, I want to change the phone number associated with my card because I no longer have access to it. (aka stolen). I can't find the option to do so on your website anymore.
Them: Yeah, for security reasons you now have to come down to the bank (which involves standing in line for anywhere between 40 minutes and 2 hours) to do that simple change.
The actual fuck.12
Client be like:
Pls, could you give the new Postgres user the same perms as this one other user?
Then I find out that, for whatever reason, all of their user accounts have disabled inheritance... So, wtf.
Postgres doesn't really allow you to *copy* perms of a role A to role B. You can only grant role A to role B, but for the perms of A to carry over, B has to have inheritance allowed... Which... It doesn't.
So... After a bit of manual GRANT bla ON DATABASE foo TO user, I ping back that it is done and breath a sigh of relief.
Oooooonly... They ping back like -- Could you also copy the perms of A on all the existing objects in the schema to B???
Ugh. More work. Lets see... List all permissions in a schema and... Holy shit! That's thousands of tables and sequences, how tf am I ever gonna copy over all that???
Maybe I could... Disable the pager of psql, and pipe the list into a file, parse it by the magic of regex... And somehow generate a fuckload of GRANT statements? Uuuugh, but that'd kill so much time. Not to mention I'd need to find out what the individual permission letters in the output mean... And... Ugh, ye, no, too much work. Lets see if SO knows a solution!
And, surprise surprise, it did! The easiest, simplest to understand way, was to make a schema-only dump of the database, grep it for user A, substitute their name with B, and then input it back.
What I didn't expect is for the resulting filtered and altered grant list to be over 6800 LINES LONG. WHAT THE FUCK.
...And, shortly after I apply the insane number of grants... I get another ping. Turns out the customer's already figured out a way to grant all the necessary perms themselves, and I... No longer have to do anything :|
Joy. Utter, indescribable joy.
Is there any actual security reason for disabling inheritance in Postgres? (14.x) I'd think that if an account got compromised, it doesn't matter if it has the perms inherited or not, cuz you can just SET ROLE yourself to the granted role with the actual perms and go ham...3
On the topic of having to make decisions as a dev that shouldn’t be made (solely, at least) by devs…
There’s a lot to like in my current work environment: I enjoy being around my colleagues, I get to do a variety of tasks, and many of them interesting to me and/or great learning opportunities, the pay doesn’t suck and so on… there’s also not much pressure put on the dev team from other parts of the organisation. The flipside of the coin is that nobody who should express some kind of vision as to how we should develop the product further does so.
Me and my fellow devs in the team are so frustrated about it. It feels like we’re just floating around, doing absolutely nothing meaningful. It’s as if the business people just don’t care. And we are the ones ending up deciding what features to develop and what the specs are for those etc. and I really don’t think we should be the ones doing that.
One would think that’s a great opportunity to work on refactoring, infrastructure, security and process improvements and so on - but somehow we get bothered just enough by mundane issues we can’t get to work on those effectively. Also, many of the things we’d want to do would need sign-off from the management, but they are not responsive really. Just not there. Except for our TM, but they don’t have the power neccessary… at least they are trying tho…
Currently having very funny project lead, who gives on the spot estimates for 9 years old very pathetic quality code having Android app in security domain. Memory leaks, bad practices, typos, CVEs etc. you name it we have it in our source of the app.
Since 5-6 sprints of our project, almost 50% of user stories were incomplete due to under estimations.
Basically everyone in management were almost sleeping since last 7-8 years about code quality & now suddenly when new Dev & QA team is here they wanted us to fix everything ASAP.
Most humourous thing is product owner is aware about importance of unit test cases, but don't want to allocate user stories for that at the time of sprint planning as code is almost freezed according to him for current release.
Actually, since last release he had done the same thing for each sprint, around 18 months were passed still he hadn't spared single day for unit testing.
Recently app crash issue was found in version upgrade scenario as QAs were much tired by testing hundreds of basic trivial test cases manually & server side testing too, so they can't do actual needful testing & which is tougher to automate for Dev.
Recently when team's old Macbook Pros got expired higher management has allocated Intel Mac minis by saying that few people of organization are misusing Macbooks. So for just few people everyone has to suffer now as there is no flexibility in frequent changing between WFH & WFO. 1 out of those Mac minis faced overheating & in repair since 6 months.
Out of 4 Devs & 3 QAs, all 3 QAs & 2 Devs had left gradually.
I think it's time to say goodbye 😔4
Was working on a high priority security feature. We had an unreasonable timeline to get all of the work done. If we didn’t get the changes onto production before our deadline we faced the possibility of our entire suit being taken offline. Other parts of the company had already been shut down until the remediations could be made -so we knew the company execs weren’t bluffing.
I was the sole developer on the project. I designed it, implemented it, and organized the efforts to get it through the rest of the dev cycle. After about 3 month of work it was all up and bug free (after a few bugs had been found and squashed). I was exhausted, and ended up taking about a week and a half off to recharge.
The project consisted of restructuring our customized frontend control binding (asp.net -custom content controls), integrations with several services to replace portions of our data consumption and storage logic, and an enormous lift and shift that touched over 6k files.
When you touch this much code in such a short period of time it’s difficult to code review, to not introduce bugs, and _to not stop thinking about what potential problems your changes may be causing in the background_.3
After brute forced access to her hardware I spotted huge memory leak spreading on my key logger I just installed. She couldn’t resist right after my data reached her database so I inserted it once more to duplicate her primary key, she instantly locked my transaction and screamed so loud that all neighborhood was broadcasted with a message that exception is being raised. Right after she grabbed back of my stick just to push my exploit harder to it’s limits and make sure all stack trace is being logged into her security kernel log.
Fortunately my spyware was obfuscated and my metadata was hidden so despite she wanted to copy my code into her newly established kernel and clone it into new deadly weapon all my data went into temporary file I could flush right after my stick was unloaded.
Right after deeply scanning her localhost I removed my stick from her desktop and left the building, she was left alone again, loudly complaining about her security hole being exploited.
My work was done and I was preparing to break into another corporate security system.
- penetration tester diaries2
eSIM is great from a cyber security standpoint. Unlike a traditional SIM card enabled phone, if your device is stolen, an attacker cannot remove the SIM card, place it into another phone, and access your SMS messages or make and receive phone calls as you (e.g. password reset codes, etc).3
Please share your thoughts on Dependabot security alerts on Github, more specifically for NPM packages in package-lock.json.
In 99% of cases I've found them useless as:
- package-lock.json is in the repo, but not in the NPM package (=no value to users)
- most of the updates relate to devDependencies (=no value to users)
- it clutters the git history (and changelog if it is auto-generated) with a batch of patch updates (updated depx to .1, .2, .3) while the only important thing in the next release notes is the delta (updated depx from .1 to .3) (=no value to users)10
I always hated in school computing lessons when the teachers pet students would snitch on you for getting around the school network stuff.
Many people in the lesson would always play games instead of doing what they were meant to. So the teacher turned off the internet in the room using the admin control stuff. Then when I found a way around it all so I could watch some educational YouTube videos, the stupid teachers pet would snitch on me. Luckily the teacher knew I wasn’t using it to mess around, always felt good when he said that I could access it because I’m the biggest security threat to the school.
Did you ever have issues with snitches in computing lessons?6
Origin, the game thingy that launches other games..
Not a huge fan, but I've built up a small game collection from special offers/freebies/etc.
But every now and then, this happens:
Why can't they fix their shit !
Meanwhile, trying to log in with Ubisoft connect..
Their, 2 stage security wants to send me an email, great !
Only, before I can read the email, it says:
"Session has expired due to inactivity, please log in again."
I wasn't inactive, I was checking my bloody email you bastard !7
Who led this flattening user input object into the Next.js codebase, also thinking that `runContext` is going to make better companion than `eval`?
Yet another reason to switch over Sapper and other Svelte minimalistic solutions, in my opinion.1
Thoughts after a security conference.
The private sector, no matter the size, often plays a role (e.g. entry vector, DDoS load generating botnet, etc.) in massive, sometimes country-wide attacks. Shouldn't that make private businesses' CyberSec a matter of national security? Shouldn't the government create and enforce a security framework for private businesses to implement in their IT systems? IMO that'd also enforce standardised data security and force all the companies treat ITSec with at least minimal care (where "minimal" is set by the gov)
What are your thoughts?10
How do you like to develop through a VM through a VPN to another continent? Because it seems one of our clients is about to enforce such a model.... due to security reasons...9
Mark Russinovich, the chief technology officer of Microsoft Azure, says developers should avoid using C or C++ programming languages in new projects and instead use Rust because of security and reliability concerns.35
We should find a way to replace passwords: any password manager which I tried is inaccurate in identifying login forms and is too hard to use for non technical people older than 40 and convince people to not use some stupid name + birth year combination as their passwords is a frustrating uphill battle.13
*Frustrated user noises* Whyyyy, Grafana, why don't you implement any actual query forgery checks?!
So long as a user has access to the Grafana frontend, they can happily forge the requests going off to the backend, and modify them to return *whatever* data they want from the datasource.
No matter that they're a read-only user. That only stops them from modifying the dashboard definitions on the frontend, but doesn't enforce any sort of immutability on the BE...
If anyone had any tips on how to further secure it, I'm curious...5
So i have been thinking..
SQL is a lang that runs on a specific software on the server, and helps creating data stores(databases and tables) that can be queried & manipulated.
is there a way to run sql like queries on the client side with no interaction from backend at all?
Say i have 5 inter related data models. in a backend world, they will form nice little tables of a db with all their joins and composite keys. from the server, i shall be querying them like "SELECT name from x where y=z & ..."
but what if i could store them like tables in browser memory and run the same query filters via a query language... is this possible?
or am i talking something far fetched here?8
Welp, Guess I'm back after almost 3 years. I graduated and can now officially call myself a network & security engineer.1
Thats top notch design.
All actions happening on the page go to one endpoint. Removing old trusted computers, changing the password, changing 2FA, you name it.
Now if you want to remove all old trusted devices, you cannot remove all at once, there is no button for it. So you click one after the other. And then it stops working. Ok, then do the normal password rotation. Hmm, button has a loading spinner and then nothing happens.
Looking into the browser console:
- All requests go to /myaccount/security/graphql
- All requests get a 429 Too many requests
- Even if you just click a panel, it tracks the action to the graphql endpoint. Or at least tries to because even that gets shot down with a 429
Pretty dumb, eh? Must be some small shitty website. It's not. It's fucking paypal.1
I love my Mac but damn, most MacOS releases are so damn useless, I won't do a major OS overhaul (updating from Big Sur to Montrey) just to get Share Play and the opportunity to watch movies together with my few Mac using friends, I don't need those fucking marketing driven bells and whistles, just give me a stable UNIX base an efficient and good looking UI and regular security patches and I'm good.
I would be happy to keep using Mavericks but without yearly MacOS release how Apple would be able to convince normies to replace their 10 years old MacBooks?4
The it manager said that the site on my private vps where we are using a small tool as reference, is a security issue and what if it may be hacked... Well, from this point of perspective all the websites shall be switched off. The tool lovered the problem resolution from 30 to 2 minutes.. I have asked for on premise server before but noone gave a shit so I hosted on my private vps. I wont give it back for free, its a sure thing. Soon they will start to get the complains that its offline because the customer is using it for debugging too. I feel like IT and dev is really moving appart. They act as bunch of pathetic jelous guys who couldn't learn programming and ended up in installing windows on machines...7
Client's IT department is fine about giving me a laptop for exclusive access to their VPN, security reasons, etc. Ok, fine I get it.
But they do not want to give me a Linux machine - only Windows!
How am I supposed to get shit done.11
A question to all software security specialists of devRant. Please, take it serious.
Is it fundamentally possible to restrict a SQL database like Postgres in a way that unintended SQL queries are impossible to execute? Perhaps in some kind of whitelist fashion. Is it possible to achieve the kind of security that will be just fine exposed to the outside world akin to "SQL queries in onClick handlers" scenario?
Or is this an uphill battle of never being able to moderate an infinite set of possible fraudulent queries?5
The platform team who provides all other teams with common framework emails everybody we need to upgrade the framework to new version. Let’s say version 1.a.0. They say it brings crucial security features and all pipelines using old versions would be blocked. My colleague created a story to upgrade all of our 10 microservices. When I got to it in a couple of days for some fucking reason they already rolled out 1.a.1 and didn’t inform anybody, the pipelines just logged warning u need to use 1.a.1. Alright, I did the upgrade to 1.a.1 and merged ducking everything in 10 fucking microservices. In a couple of days at morning they roll our 1.a.2 and require everybody to upgrade ducking degenerates as they found a high severity bug. I wanted to start again but was lazy and did nothing all day to learn that at 6pm the fuckers roll out 1.a.3!!! And again require everyone to upgrade!1!1!1eleven
Ten fuxkibg microservices. Goddamit write some unit tests, do friends&family, do fucking tests on small group of your inner clients before rolling out this shit that everybody must to use.
Spat at the display
What did I do while down for the count with Covid?
* Setup a static React site
* Hosted the site at Cloudflare Pages
* Protected the page through CF access
* Extracted the JWT
* Setup a Rails API to validate the token
Now I have static React UIs with a nice rich API backend.2
I wonder if crypto exchanges are so damn vulnerable or just so transparent.
I mean, it is impossible to scroll tech articles for more than a few seconds before stumbling on a report of yet another crypto exchange being nicked a couple hundred mil USD.
- It could be that their security severely sucks (wouldn't blame them for it, most businesses do suck at securing shit).
- It could be that the entire black hat community is putting it's might on stealing money that is so fucking easy to launder.
- It could be that is damn nigh impossible to cover up a crypto hack since the evidence of coins drifting away is forever on display in the public ledger, and in that case crypto companies are not hacked more often than regular companies, they are just much more often publically shamed for it.
- It could be a mix of all the above, but my intuition is that one factor is more relevant.
Which would be the most relevant factor? One of the above or yet another attack vector to the stupidest value conduit ever?4
I’m side-eyeing my apartment building’s management for emailing me a non-password-protected document that includes my Social Security number. 🤨4
One of our senior colleagues in my last project at TCS had brought a pen drive with him, not sure why! He worked on a client system, which he believed was not monitored by TCS. So what he did was, he plugged in the pen drive in his computer and tried to copy some files from his pen drive to the computer. However, he wasn’t able to copy the files.
We weren’t aware of this until our project manager, who sits at the farthest end of the ODC shouted at the top of his voice, calling out his name. In front of the entire ODC, he was scolded since the HR team had called the manager informing that the machine assigned under this employee’s name has detected a security breach.
He had to explain the reason; where he said he wanted to copy some codes that he had to office machine in order to reduce his manual effort, which was probably very silly of him! For the next few days I hardly saw him inside the ODC, probably had to visit people to show cause or other things and was harrassed by our manager, insulted every time he passed by him.
He was not suspended although, maybe the manager or someone else saved him, although normally such violations would have seen him terminated.3
I’m in a tough spot - I’m completely overloaded with sysadmin type work (server upgrades, firewall and vendor coordination, security, password maintenance) that I don’t have time to complete any programming work assigned to me. My bosses are aware and have done their best to help, but I just can’t keep up (have two young kids too and just can’t work nights anymore without trouble at home). My bosses have been great, so I feel terrible about this, but I think I’m going to have to look for another employer, I can’t do this anymore. Am I a horrible person to leave them with so much work even though they tried to help me?8
i once changed all of the passwords of my main online accounts(google, apple, facebook, telegram, outlook) as they weren't changed for years.
i decided unique and long passwords for each of them.😎
immediately after changing the passwords, i forgot all of them. 😵fortunately, i was able to reset.
Has this ever happened to anyone?3
A philosophical question about maintenance/updating.
There is no need to repeat the reasons we need to update our dependencies and our code. We know them/ especially regarding the security issues.
The real question is , "is that indicates a failure of automation"?
When i started thinking about code, and when also was a kid and saw all these sci fi universes with robots etc, the obvious thing was that you build an automation to do the job without having to work with it anymore. There is no meaning on automate something that need constant work above it.
When you have a car, you usually do not upgrade it all the time, you do some things of maintance (oil, tires) but it keeps your work on it in a logical amount.
A better example is the abacus, a calculating device which you know it works as it works.
A promise of functional programming is that because you are based on algebraic principles you do not have to worry so much about your code, you know it will doing the logical thing it supposed to do.
Unix philosophy made software that has been "updated" so little compared to all these modern apps.
Coding, because of its changeable nature is the first victim of the humans nature unsatisfying.
Modern software industry has so much of techniques and principles (solid, liquid, patterns, testing that that the air is air) and still needs so many developers to work on a project.
I know that you will blame the market needs (you cannot understand the need from the start, you have to do it agile) but i think that this is also a part of a problem .
Old devices evolved at much more slow pace. Radio was radio, and still a radio do its basic functionality the same war (the upgrades were only some memory functionalities like save your beloved frequencies and screen messages).
Although all answers are valid, i still feel, that we have failed. We have failed so much. The dream of being a programmer is to build something, bring you money or satisfaction, and you are bored so you build something completely new.14
Is it really good OpSec to log me out of outlook every hour when the password manager lets me automatically log back in?2
So, I've been with my current employer four years now, three and a half of which have been spent working as a time material developer for a huge fashion company. I've been trying to get out of It for the past six months only for my exit to be postponed everytime. There's also no clear idea as to what I would be moved to, going forward. Nobody Is telling me a thing and I think other developers will be moved to different projects before I do.
That's why I took matters into my own hands and started getting back into the recruitement process. I'm about to receive an offer. A fairly better one.
The thing is, I wanna use such offer to see if my current employer can reedem himself and propose to me a good counter offer. I'm not in the mood of starting over, but I want security and management to have a fucking idea of what my future Is gonna be like at this fucking company.
What do you guys think? Am I playing with Fire?1
For a project I'm working on:
Does your work allow you to sign in to your personal accounts for i.e. Gmail or Facebook on your work device?
Do you think this should be allowed?
Do you do it yourself?
I imagine it's a gray area. I'm even thinking it could be a security risk? But maybe healthier too to keep business and private life separate? Thoughts?4
Mongodb CEO and the developer who build this shit for brains interface should be tarred and feathered. Almost 90minutes in and I cannot connect to anything other than error codes. What in the actual fuck is your job other than to make it difficult for a "free tier" user to connect?
"connect ECONNREFUSED 127.0.0.1:27017"
Oh ok another 20 minutes of work and you give me a bland beige error code like "```TLS/SSL is disabled. If possible, enable TLS/SSL to avoid security vulnerabilities.```"... um ok how do I enable it for your site, your database or on my computer... oh wait you don't say shit do you?
So now I'm fully 81 minutes into this shit show and all I get for error codes are these really descriptive gems 'getaddrinfo ENOTFOUND cluster0.hudbd.mongodb 'dot' net` comes up if I choose `mongo` with "connection string scheme" above it or `bad auth : Authentication failed'7
I had a little question about recruitment:
What would make you consider a position with a relocation package? What kind of arrangement/security would you like?3
Classiflying hack tools as virus on windows defender or whatever puts in risk users that want to hack some device but have to disable user defender to use them (and could potentially download malicious software bundled together or inside the hack tool)3
Every single time that I realised how much of my expertise sounds like vaporware to people, mostly management and C-level.
Have been working on security for quite some time now but seeing that I can't really get through make me feel useless and not worth my weight in shit.1
the red haired girl and the blue haired girl.
there was this story about a programmer who spent years studying computer science before finally getting a job.
the dev studied only computer science and was put on blue team after a few days.
a few hours into one of the constant coding sessions, the boss told the devs that red team members and blue team members would be working in pairs.
the person from red team transferred the devs work to their data base without the dev knowing, then locked down the devs computer. the dev could not do anything. later, the dev got fired for not doing any work. after that, the company got millions of dollars, and the dev did not see any of it.
both the dev and the managers made a note not to hire any programmer who cannot secure their work.
it is not ethical to teach people programming without also teaching them cyber security.
computer networking, programming and security should all be the same major.
it is a bad idea to teach people how to build anything without telling them how to secure it.
the story above was just a scenario, but it probably happens way more often than people think.
Schools should teach both things in the same major.5
A few years ago we had a fail-over which was successful until we started failing everything back to primary servers. The applications could not start at all.
4 hours into troubleshooting, only to find out some java security files were misbehaving. Update from another server and it worked.
Up to date i haven't understood how it failed
all their petty torturous crap does is get them beaten and killed jn the long run. meanwhile their 'security' system keeps them trapped. hurray.
Last year I did a statistics course, and my classes were completely remote. When it came down to exam season, instead of studying I learned python's data analysis libraries, I passed with flying colors. I have an idea, if exams continue to be online I will be spending a lot of my time trying to get the answers from whatever API they are using, hopefully, they have poor security. If it's hopeless, I'll just study1
I love how shitty looking VPN software is used in my company. How can I trust in you providing me security if you can't fucking provide correctly rendered icons?1