Search - "security+"
-
They call it $5/gb hotel wifi, I call it free uncapped 100meg fibre because your security sucks
Oh and they host their entire POS (and database with backups) on the same network accessible to every TV in the hotel
-
"You should use Windows server!"
It was a high security project which needed to run very stable. Even the windows sysadmin looked at that guy like 'dude what the actual fuck'.
-
Me wanting to board Plane,
Goes through security Check...
"Sorry sir Laptops are not allowed."
Me
"Why?"
Security
"It could be a modified bomb"
Me
"But this is a Tablet!"
Security
"No sir, it has a Keyboard and Trackpad attached to it, its also running Windows..."
Me
"Excuse me, but this is clearly a Tablet"
*Detaches Keyboard from Surface Book*
"See? Tablet."
Security,
"Sorry sir, but no. You can't board the plane with this, only Tablets and Smartphones"
Me
"WTF? You don't allow Laptops because they could be bombs but A FUCKING SMARTPHONE IS ALLOWED? AND TABLETS TOO?!"
Security
"Yes, because the Battery is not removable..."
Me
"But my Laptop Battery is also not Removable..."
Security
"I don't have any more time for an argument"
Me
"So I can board the Plane?"
Security
"No, the Ticket will be refunded"
WHO THE FUCK CAME UP WITH THIS BULLSHIT? LIKE RLY? WHO!!
I MEAN WHAT THE FUCK IS ALLOWED?!
-
At the airport.
Security: Please put all your electronics in the bin, including your watch.
Me: No problem
<goes through scanner>
Me: there was an Apple Watch in here and now it is gone.
Security: Oh, you lost your Apple Watch?
Me: No! I put my Apple Watch in the bin like you instructed and YOU lost my Apple Watch.
Security: It must be in the spinners.
Me: So my $500 Watch is in the spinners being run over by bins?
Security: you have to put the small things on the bottom.
Me: It was on the bottom and I did as you asked, this is entirely on you. Do not try to shift the blame to me again please.
Security: As I said...
Me: As I said, Do not try to shift the blame to me again. This is entirely your responsibility once you separate me from my electronics so you can perform security theatre. Have a nice day.
—————
Fuck this god damn security theatre. Fuck the dumbasses they hire. Fuck your country. Fuck your god damn feeling of insecurity. Fuck Your ineffective security theatre.
Sick my fucking dick until you choke and gag you worthless pieces of shit. Homeless people the street provide more security than you incompetent, under-educated assholes. Fuck you
And yes, I have 2 fucking laptops. I have a real fucking job where I provide actual value and for that I need a work laptop. I don’t come to work in a stupid looking outfit with a chip on my shoulder looking to inconvenience people. I come to work to provide real value to someone.
Fuck you and your worthless bullshit
-
A dude with a THICK Russian accent just called me offering server security services.
After I politely declined, he insisted on a free audit of my servers. I declined that as well.
Now I’m backing up our DB’s and going through my nginx logs.
Am I being racist?
-
Are you serious? Are you afraid of an SQL injection or something, and instead of properly sanitizing your queries you disallow characters? Or is your software and database so outdated that you're afraid special characters will break it? Goodbye security
-
"I really love the new $3k Fortigate firewall switch you bought for the office after our chat about security but it doesn't change the fact that you can access any computer in the company using Password123" - me
-
Presenting my paper on PHP Security in IEEE conference today... Wish me luck. I hope it gets published 😃🤞
-
What the actual fuck? Person (or people!) who devised this password policy, you are an idiot (or idiots - all of you). You are stupid and insane and have no idea about security or user experience.
-
A conversation with our network/system admin.
Me : Can I install linux on my computer, windows is slow and terrible.
Him : No, if you use anything but Windows in this company, you will be fired for bypassing our security protocols. It's written in your contract.
Me : *boots up my Macbook*
-
Found a security hole....
A fast food delivery service had an ID for every order it said
"example.com/order/9237" - I go 9236... find another person's order, address, and phone number
So what should I do?
I thought of making a crawler and then make statistics on everyone's orders and send them a link 😂
-
Found a private api key on a github project. Created a pull request with key changed to “TH1S5HOULDB3SECR3T!iMBECIL5“ comment was “security fix“ I wonder if they accept
-
PM: We need security on signup, the password entry should contain "A capital letter, 2 numbers, a symbol, an inspiring message, a spell, a gang sign, a hieroglyph and the blood of a virgin."
ME:
-
The amount of thinking and programming that goes into writing a secure backend is fucking high but I love it!
It helps to think like someone who'd want to hack a user or the application so you know most security measures you have to take :)
-
I'm a programmer and an aspiring cyber security specialist. Yesterday, after I gave a presentation about smart bulb hacking, I heard through a coworker that a cyber security company is interested in talking to me. Yay!
-
I recently found a company that used employee social security numbers as their login username and their MMDDYYYY as their password (which could not be changed) also their entire network was using a router with no wifi password set. :/
-
Dear Prof,
One does not simply encrypt the exam tips and give it to the students in a computer security introductory module.
Sincerely,
Disgruntled Undergraduate
-
Fuck me, big fucking security flaw with a UK internet service provider, my head has gone through my desk and hit the floor it’s that bad.
-
(The PM is pretty technical)
One day:
Me: Could you create this subdomain?
PM: Sure, just a sec.
Me: Ohh and could you add a letsencrypt cert? (one click thingy)
PM: Why would you need that on this kinda site...
Me: Well in general for security...
PM: Nahh.
*walks away*
Next day:
(referring to my internship manager/guider as Bob)
Bob: Hey... we have a new subdomain!
Me: Yup!
Bob: Wait why is there no letsencrypt certificate installed...?!?
Me: Well, the PM didn't find that necessary...
Bob: (Oo) of course it is... are we going for security by default or what?
Me: Yup agreed.
Bob: *creates cert and sets everything up in under a minute*
It wasn't a high profile site (tiny side project) but why not add SSL when you can for free?
-
- I'm forced to do dev on Windows with no admin because security
- We receive patches to critical systems from outside company on FTP secured with password "asd123" and install them without reading because fuck security
-
Just looked at the anonymous analytics I collect on the security/privacy blog.
No SQL Injection attacks yet (would be useless anyways as I don't use MySQL/MariaDB for the databasing).
Directory Traversal attacks. Really? 🤣
Nice try, guys.
-
Some of you might have seen it already, those who didn't just have to.
One of the best rants I've read lately.
"Our security auditor is an idiot. How do I give him the information he wants?"
https://serverfault.com/questions/...
-
Someone asked for an RSS feed for the security/privacy blog, I thought?
Well, hereby! There are three feeds:
https://much-security.nl/main.xml - a feed which is updated with both blog posts and external links relating to privacy/security I find interesting/useful.
https://much-security.nl/own.xml - a feed only containing the blogs posts themselves. For people who are only interested in that part.
https://much-security.nl/external.x... - a feed only containing external links. For people who'd like to stay updated on recent cyber security/privacy thingies.
Tracking: every time a feed is visited, a redis value for that feed gets incremented. No time, ip addresses, user agent or whatsoever is saved. Just one variable getting increased once.
New domain name will also be revealed soon (probs tomorrow, going to bed soon as I've just been sick) :D.
Oh and just a warning, the main/external feed are the only ones populated with exactly one item right now :P
-
Fucking crunchyroll hardcodes their access tokens in a Constants Class in their APK, technically that is a security issue.
What the actual fuck Crunchyroll!? No fucking wonder you got DNS Hijacked so quick, security is literally your second priority you dumbed down twats, get some real devs and some real QAs for fucking god sakes, you're tearing down your own system by inviting exploits.
-
Pure evil and geniusness, this is a must read for JavaScript developers and security enthusiasts !
https://hackernoon.com/im-harvestin...
-
Had a discussion with a developer about security. His software transfers all user data (password and files) unencrypted, so anyone can grab them with wireshark. I told him that this is a severe issue. He said no, it's no problem because if you get hacked it's your own fault, because you probably used an insecure network. NO ! YOU FUCKING MALADJUSTED SHEEP-MOLESTING OBJECT OF EXECRATION, YOU SHOULD ALWAYS ENCRYPT SENSITIVE USERDATA NO MATTER WHAT NETWORK YOU USE. FUCKING KILL ME ALREADY.
Not implementing encryption is one thing but then acting like it's no problem is a fucking nother one. Why do people not understand that security of userdata is important???
-
As a firm supporter of information security, it really "irks" me to see people get up and walk away from their desks without locking their machines... Anyone else with me on this?!
-
Typical TSA (Airport Security)
Security: Please put all of your handheld objects and your outer clothes in this basket.
Me: (puts my bag, in flight luggage, and takes out laptop, bluetooth speaker, bluetooth mouse, bluetooth keyboard, tablet, android phone, dongle bag, and windows phone)
S: (stares at me as if I am a rich kid)
M: May I go through?
S: (nods)
M: (smirks, and goes through metal detector)
BeepBeepBeep!
M: (oh shit.)
Scanning Officer: Raise your hand!
M: Mmmhmm
S: (Hovers the detection stick around my body, but it doesn't ring, tells me to pass through the detector again. Still rings. Super confused. Asks me to do this 2-3 times more. Still same.)
M: Aha! I have my bluetooth earphones here! Sorry!
S: (stares at me, as if he is saying what a f****** weirdo)
My stuff comes out. I put my devices in the bag. The scanning officer stares at me.
M: (smirks)
To be continued....
-
Security rant ahead - you have been warned.
It never fails to amuse and irritate me that, despite being in the 2019 supposed information age, people still don't understand or care about their security.
I've travelled to a lot of ports and a lot of countries, but, at EVERY port, without fail, there will be at least one wifi that:
- Has default name/password that has been cracked already (Thomson/SpeedTouch/Netfaster etc)
- Has a phone number as password (reduces crack time to 15-30 mins)
- Someone, to this day, has plain old WEP
I am not talking about cafeteria/store wifi but home networks. WTF people?! I can check my email (through VPN, of course) but it still bugs me. I have relented to try and snoop around the network - I can get carried away, which is bad. Still...
The speed is great though :P
-
Customer: «We want all the users belonging to this organization share the same username and password»
[Editor's note: we are talking about 500 users, more or less half of the total in the system]
Customer, after some minutes: «It's very important for us having the web interface using HTTPS, because we care security a lot».
So, please, go fuck yourself. And die.
-
Security tips guys :
use iptables -A INPUT -j DROP to secure your servers.
NO ONE can access your servers now... NO ONE...
-
Security for 2017: Because SSL has nothing to do with security, and is just Google's way of increasing its monopoly...
-
I really have this fucking love/hate relationship with application security.
For a lot of stuff that I write, user input has to be validated, authentication is required and so on and I do love looking into that, pentesting my own applications to death and thinking about the security architecture of the application itself.
But, sometimes, I just want to focus on the fucking features and then it annoys the living hell out of me that securing an application can take so much time and brain power.
Yay and grrrr, I guess.
-
Adventures in security land, part II:
I’m getting pulled off the security review team and instead relegated to part-time security tickets alongside my usual dev work. (So, someone else finds them, I fix them.)
Guess I found and debated too many problems with the lead dev’s code. 🙄
-
OK... OK... OK...
Today we reached another level of security for one of our MiniMac in the office...
sudo chmod -R 400 /
Oh... he was supposed to write ./ but he forgot the dot...
Now, even the OS can’t work...
-
My IT team installed Antivirus on my 5 year old Mac Mini due to company security policy after the recent Ransomware attacks.
Now my Mac is slow as fuck. They are not even providing me new Mac, due to budget constraints. Totally fucked.
Fuck Ransomware. Fuck security policies. Fuck my company. Fuck everyone. Fuck everything. 😤
-
That is peak security:
- Require timebased OTP for login
- Also require recaptcha for login
- Select the frickin bus, palm tree and cross walk 93 times
- Finally manage to please the algorithm
- The 30 second validity window of TOTP expired
*GAAH!*
-
Got called up today by my org's cyber security team.
Reason: Installed a font called "Hack" (https://github.com/source-foundry/...)
🤦♂️🤦♂️🤦♂️🤦♂️🤦♂️
-
We recently took over development of an app. Upon inspection the API had no security, and passwords were stored in plain text. While the manager was slightly concerned, it wasn't a big deal....
That was until, using only a browser, I found the bosses account and personal email address.
Minutes later I was in his gmail, Facebook and credit cards account.
Improving security is now concern #1, and my boss is "suffering" 2 factor authy on everything.
-
My argument: Password change policies (every 3, 6 months, etc.) are a detriment to security because users will either come up with simple, throw-away passwords (knowing they will need to change them soon anyways) or use the same password anyways with a few variations.
Discuss.
-
I work at a place where security is really high when it comes to server access. Today I was in urgent need to get admin access to a server, this is a real pain. Luckily I found an xml in version control containing the credentials for the web application which happens to be an admin account! Lucky me, saved me at least two weeks of waiting to get admin access!
-
I think I ranted about this before but fuck it.
The love/hate relation I have with security in programming is funny. I am working as a cyber security engineer currently but I do loads of programming as well. Security is the most important factor for me while programming and I'd rather ship an application with less features than with more possibly vulnerable features.
But, sometimes I find it rather annoying when I want to write a new application (a web application where 90 percent of the application is the REST API), writing security checks takes up most of the time.
I'm working on a new (quick/fun) application right now and I've been at this for.... 3 hours I think and the first very simple functionality has finally been built, which took like 10 minutes. The rest of the 3 hours has been securing the application! And yes, I'm using a framework (my own) which has already loads of security features built-in but I need more and more specific security with this API.
Well, let's continue with securing this fucker!
-
Pro security tip:
Use a very simple password because h4x0rs expect a difficult one so they can't cr4ck yours
-
For security purposes, it should be good practice to lock your pc when you walk away. At my office, we practice harmless pranks when someone forgets, to "teach them a lesson". Usually just involves reversing/inverting displays, reversing mouse buttons, or changing the desktop background like this (because everyone is a closet brony apparently)
-
At my previous job we had to complete an online security training exercise. It shows you how to behave securely in the work place, to not open unknown links etc. The scary part was that the entire training thing was BUILT IN FUCKING FLASH. So I'm supposed to listen to some god damn virus shitting flash application on how to do online security?! Get your shit together before teaching others.
-
This is just priceless. I submitted my thesis to an academic congress, which sent me this confirmation email. They are so 'concerned about security' that they assured me the email is legitimate by including MY PASSWORD.
-
My team manager showed me a web application of a new client and asked me if I can find vulnerabilities in it to push for a better product contract. She showed me the system architecture and asked me if I could try finding something from their login page. I politely refused since we don't have written permission to conduct a security audit (it's also a ministry website). She was pretty disappointed and idk if I'm doing the right thing not helping the company (I'm an intern but still). I'm sure I can scan in stealth but I don't think it's ethical on a corporate level. Thoughts?
-
This is the most hilarious stackoverflow rant ever, quote:
"Strong cryptography only means the passwords must be encrypted while the user is inputting them but then they should be moved to a recoverable format for later use."
Full rant:
http://serverfault.com/questions/...
-
Every time I got a mandatory security question, I type in "go fuck yourself with a cactus". There's only one answer for all of them.
-
My security knowledge is so bad. But I don't know where should I start.😖
My coworkers know about this, so I don't get involved on related topics.🤤
Last time I asked the same question, someone gave me a link, and it was all about DIY welding metal tubes into a security door.🤦♂️
Any better suggestion?
-
so yeah let's have a conference about security but it's perfectly fine to have registrations over a non-secure connection!
-
It's a new semester and the introductory class for a General Ed is going on.
Prof: What do you want to be when you are done with engineering?
Me: I'd like to be in the security domain but I'm still not sure.
Prof: Then why are you doing Computer Science? You can just get a job as a security personnel.
FML.
-
Microsoft seriously hates security, first they do enforce a number, upper and lowercase combined with a special character.
But then they allow no passwords longer than 16 characters....
After that they complain that "FuckMicrosoft!1" is a password they've seen too often, gee thanks for the brute force tips.
To add insult to injury, for the first displayed "tip" take a look at the attached image.
Clicking "forgot my password" and getting a mail with my password in clear text. Sending a mail and asking why they don't care about security. The answer I'm getting is "it's a feature, makes things easier". Yeah...
-
WTF!!!!! I officially have someone trying to extort me, just had this in my email box this morning!
--------
Hello,
My name is [name removed], I'm an IT security expert and I found a security issue on your website.
This email is personal and in no way related to any of my employers.
I was able to access to a lot of files which contains sensitive data.
I attached a screenshot of the files I found to this email.
I would be happy to give you the method I used to access these files in order to let you fix it.
Would a monetary compensation be possible?
Please forward this email to the right person, if you are not responsible for the security of the website.
Best Regards,
[name removed]
---
He can basically see the contents of my wp-config.php. How has he managed this?
-
I think what would help is to teach them these things:
- awareness for security in code
- how to use a fucking VCS like Git and how it works -
Today, the security department stopped our new project and told us to work on the last project instead because of a top-secret security flaw.
Problem is, they are not allowed to tell us what the problem is. FML
-
"Ultron brings to you the best in security and encryption, directly taken from IE 5.5."
*screams internally*
-
My boss just came to me and demanded that we drop the first layer of security from our new servers so that the snake oil salesmen he used can open test it. I did try to explain that you don't remove security to test security.
-
I'm the best.
I started a project and 12 hours of work and 16 commits later I decide to reorganize the entire project focusing on security and user experience.
I'm a genius.
-
Thanks to mandatory password change, today:
- My windows account got locked because my phone kept logging into wifi using old password.
- Google Hangouts were silently running in background with old session until I re-opened it. Work of others delayed by 4 hours due to missing message notifications.
- Docker for Windows lost credentials needed to use SMB mounts - 1h of debugging why my containers mount empty folders ( now I will know)
- Google G-Sync for Outlook asked for new password on outlook restart - few mails delayed.
All of that for sake of security that could be easily solved with 2FA instead, not faking that "I do not change number at the end of my password" -
Someone asked me, as a security engineer:
Bro : what do you think about the most secure way to authenticate, I read news that using fingerprint is no longer safe?
Me : yes they can clone your fingerprint if you take a photo with your fingerprint towards the camera.
Bro : so what is the other way to authenticate more securely so other people can't see it in a picture?
Me : D*ck authentication is more secure now, other people can't see your d*ck pattern right?
-
Because nothing says "security" like some good ol' Base64 encoding. Bet whoever wrote that code was wearing mirror shades.
-
I know lots of you love stickers. But be careful according to this article.
Putting Stickers On Your Laptop is Probably a Bad Security Idea
https://it.slashdot.org/story/18/...
-
Working in security for many years only granted me world-class paranoia about taking pictures of myself and my family. It even made it hard to keep in touch with my friends as we don’t live in the same country anymore.
The good side is that it pays well enough to grant me a platinum foil hat.
-
Security Horror Story:
A password authenticator which is case-insensitive and all special characters are treated as the same value. As a bonus, all passwords are truncated to 4 characters.
-
The security on my school computers is a joke.
The standard student accounts have no user rights, but the "guest" account has admin rights???
The teachers' private data is not secured, it's just hidden from explorer, so if you manually type in the folder location into the explorer bar, you can access the teacher's data. Not to mention everything is running on Windows 7 machines from 10 years ago.
-
IT security calls to tell me my new password, because it is poor practice to send it over encrypted message.
New password = password
I'm glad we are taking security so seriously!
-
This is not fucking security, it's obscurity! What the fuck is a memorable word without any context! It drives me up the fucking wall. This doesn't help anyone, it just promotes people to put silly shit like password or something so they won't forget but it just makes their account weaker.
-
I swear, the next time I hear a web developer say to me: "Yeah let's pretend as if the security hole in the website isn't there, because truth be told, i cannot be bothered to fix it."
-
Have you heard that Facebook is developing a cryptocurrency?
Huge waste of money. Everyone knows Facebook's security flaws and will probably not invest in their cryptocurrency because of that.
-
many from the outside world believe incognito is the purest form of anonymity and security.....because its logo has a suspicious man with a hat and an overcoat
-
We literally have Ph.D's here who don't know how to use a Linux CLI... I'm baffled as to how you get into the security industry without understanding actual security. The only thing your Ph.D. counts for is understanding the rules that allow you to ball-bust people into paying your salary.
-
So after 6 months of asking for production API token we've finally received it. It got physically delivered by a courier, passed as a text file on a CD. We didn't have a CD drive. Now we do. Because security. Only it turned out to be encrypted with our old public key so they had to redo the whole process. With our current public key. That they couldn't just download, because security, and demanded it to be passed in the fucking same way first. Luckily our hardware guy anticipated this and the CD drives he got can burn as well. So another two weeks passed and finally we got a visit from the courier again. But wait! The file was signed by two people and the signatures weren't trusted, both fingerprints I had to verify by phone, because security, and one of them was on vacation... until today when they finally called back and I could overwrite that fucking token and push to staging environment before the final push to prod.
Only for some reason I couldn't commit. Because the production token was exactly the same as the fucking test token so there was *nothing to commit!*
BECAUSE FUCKING SECURITY!
-
Hey, DBA guy! Security blocked this one port for the database. Can you change the database to a different port?
Me: No, I actually like working here.
-
Anyone who's interested in cyber security, go follow Binni Shah (@binitamshah) on Twitter. The amount of tutorials and guides she retweets is crazy and very informative.
Also if you're not on Twitter you're missing out on a lot of content to learn from ✌️
-
Half a day gone trying to find or remember the password of some SSL/key/encrypt/crt/shit/whatever.
Blaming myself for hours, how could I not save the password somewhere?
#Enter Password:
(I pressed enter, no password).
it works.
I love IT security -
Why the fuck do people not change their router admin password!? I was at a hotel today and could access their router admin interface with the default credentials. I guess this isn't purely the fault of the hotel because not all people know a damn thing about security and only use the interface to change the SSID and password of the AP. But why allow them to leave the default password? Why isn't this a standard feature to be forced to change the password :|
-
Dear Identity Providers, Never ask for "favorite teacher" or "mother’s maiden name." Security questions are among the worst ideas in security to date. If you insist, at least let me provide my own questions!
-
We developed this website plus custom CMS for a university. I told them that we could host the entire system and take care of it for an annual fee but they decided to host it in house because security. The IT guy didn't ask for my public key, he sent me a password. By email. Less than 8 characters long. Only recognizable abbreviated words. And a dot.
-
Security fail here. I've just started a PPI claim and have been provided a link to a so called "very secure" client area.
There are no username or passwords and the screenshot is not a first time sign up screen.
All I need to login is a surname, postcode and DOB - all information easy enough to find online.
Pretty bad IMO, esp. so considering the effort required to add a proper login using a username/password combination.
I mean I'm logged in now and have no option to set an account password :|
-
I'm at a Dutch Meet-up about security and privacy. Quite interesting. Any Dutch ranters here as well?
-
When an application has tons of security holes and fixes never make it into sprint prioritization because "they're not new features"
-
Just a rant... It really sucks to work with maven on a security-paranoid financial institution enforcing NTLM proxy auth...
Also usb ports disabled... :(
-
A Swedish insurance company has two different solutions for logging in to their system.
1. An advanced high security single sign on solution involving active directory, verification of the network the request came from etc etc.
2. Using a link and passing your credentials in the query string!!! Like: insurancecompany.com?username=admin&password=password.
Solution 2 works with admin accounts from anywhere.
-
Every week in my intro to information security class we are asked about what security stuff has gone down in the past week. Equifax is making it incredibly easy to not have to do much research.
-
What the actual f. I just changed my password on uplay to a 30 character password which works fine on the web account manager. Apparently some moron decided to limit the password field in the uplay client where your actual games are stored to 17 or 18 characters.
And that while they want to "improve" security. Please ubisoft, fix your shit
-
!dev
I'm checking out at Walgreens right now and have an item with a security device on it. The cashier just took a pair of scissors to it. Didn't work obviously and now I think she's trying to rip the cords off the box
-
So apparently some major vpn connection providers got compromised some time ago.
https://twitter.com/hexdefined/...
https://twitter.com/cryptostorm_is/...
adding the fact that major enterprise vpn network providers had security flaws earlier this year
https://sdxcentral.com/articles/...
Sums up what was the major topic in security this year.
At the end I see something like cloud act that allows wiretapping anyone.
https://justice.gov/opa/pr/...
And when we multiply this by number of companies that have services in cloud that sums up privacy these days.
Non existent.
-
Security Issues with Chrome:
My dad was just saying that his work wouldn't let him use Google Chrome because of its supposed 'security issues'. Just wondered if anyone knew of any real 'security issues' with chrome that are legitimate? Or is it all just rumours...
-
Seems like my connection to much-security isn't so... secure 😂
Didn't you forget something, @linuxxx?
-
The one thing more annoying than my girlfriend is the chain of mail I get from Github saying,
"One of your dependencies has a security vulnerability."
-
Conversation topic: a security feature the PM doesn't like
PM: but WordPress doesn't do this.
Me: yes but WP is hacked every couple weeks and isn't exactly a security standard!
Debate continues for 5 minutes... And I'm forced to remove the feature 😑 -
Cryptography and Network Security
<William Stallings>
Got the book ^ ^
Feel free to comment any cool book about security :)
-
I don't know why it is that every time you guys find a security bug or a data leak or that someone is saving plain passwords on their database, you try to cover and censor the company name. Listen people, fuck the company and their name and their brand if someone's data might be in danger. Everybody should be aware of what is happening with their personal information.
Also, maybe it would be great if devRant would let users post anonymous rants for this kind of issues or a special thread with latest news about our online security.
-
PM asked me to develop an application to fetch data from the customer's DB, which would require an access security token provided by the customer. To get the token, I would have to travel to Germany (I live in Portugal) to get it personally (it's not possible to have someone else pick it up for me).
It turns out the security token is a completely closed environment, with its own OS, without the possibility of installing any application or communicating with the exterior. The laptop itself would boot from the token's OS.
It was concluded I would have to hack the security token, which is completely non-compliant. So the PM decided not to go forward with it.
But now, I have to go to Germany anyway to pick up the security tokens because they forgot to order them for these other guys who would be using them to access the customer's DB manually and they don't want to delay the project anymore.
Oh, and the security tokens cost the project 500€/month each...3 -
Question for Web Server Gurus and Security Ninjas.
How to prevent bots, crawlers, spammers sending various numerous requests to your web servers?
There have been numerous requests to routes like /admin /ssh /phpmyadmin etc etc and all kinds of stuff to the web server.
Is there a way to automatically block those stupid IPs :/9 -
When you've been looking forward to a lecture on security only to find out you have to hack their website in order to register and you're completely lost 😫5
-
Is it me or is password security a giant mess right now?
Everyone has a gazillion ways to sign in.
Everything needs an account so eventually you get a password manager to keep track.
After reauthenticating the password manager, then you get to the next screen that requires you to enter a code from 2FA. The internet isn't fun to use anymore.12 -
Question
What server monitoring do you use, both for statistics and security?
--------------------
tl;dr ends here
Ideally I would like to have one clean dashboard that shows me all the nodes I have, proxmox already offers a great range of stats - but it is a page per container etc. so not ideal, I thought of having datadoghq, but their per host pricing is huge, since I have more than 5 hosts to track.12 -
Sometimes human stupidity still surprises me.
Today I was able to stop the release of a ticket at the last moment that intended to put URLs WITH A SECURITY TOKEN TO ACCESS USER DATA through a link shortener.
Some PM assumed that it would be a reasonable course of action to map a URL secured via JWT to a 4-character, countable, base64 string so that we don't have to send multiple SMS if they contain this URL. I can accept that the implications might slip through one person, but the fact that this was put into a ticket by a PM, prioritized by a PO, estimated by an entire team, implemented by a professional developer, reviewed by a senior and then scheduled for release without anyone asking themselves if there might be a reason for a security token to be long, that one shocks me.8 -
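The point of the rant above, as an added example that is not the ranter's own code: a shortener that refuses to shorten URLs which carry a credential (a JWT or a token-like query parameter), issues random keys instead of countable ones, and exposes the keyspace arithmetic that makes a 4-character base64 key enumerable. The parameter names, the JWT-shaped URL and the class are constructed for illustration.

```python
import math
import re
import secrets
from urllib.parse import parse_qsl, urlsplit

# A JWT is three base64url segments; the header segment encodes '{"' as "eyJ".
_JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")

# Query-parameter names that usually carry a bearer secret (constructed list).
_SECRET_PARAMS = {
    "token", "access_token", "jwt", "auth", "sig", "signature",
    "key", "apikey", "api_key",
}


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random key of `length` symbols.

    Four base64 characters give 64**4 = 2**24 keys: a countable space that
    any client can walk through, no matter how long the JWT behind it is.
    """
    return length * math.log2(alphabet_size)


def contains_bearer_secret(url: str) -> bool:
    """True when the URL itself acts as a credential.

    Either a JWT appears anywhere in the URL (path, query or fragment), or a
    query parameter with a secret-looking name is present.
    """
    if _JWT_RE.search(url):
        return True
    for name, _value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if name.lower() in _SECRET_PARAMS:
            return True
    return False


class Shortener:
    """Minimal in-memory shortener used to show the two defensive rules:
    never shorten a credential, and never hand out sequential keys."""

    def __init__(self, key_bytes: int = 16):
        self._store: dict[str, str] = {}
        self._key_bytes = key_bytes  # 16 random bytes -> 22 base64url chars, 128 bits

    def shorten(self, url: str) -> str:
        if contains_bearer_secret(url):
            raise ValueError("refusing to shorten a URL that carries a credential")
        key = secrets.token_urlsafe(self._key_bytes)
        self._store[key] = url
        return key

    def resolve(self, key: str):
        return self._store.get(key)
```

If the business requirement really is "one short SMS", the secret has to stay out of the shortener entirely: hand out a random 128-bit key and resolve it server-side to the protected resource after the usual authentication.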
Stackoverflow has introduced the latest evolution in computer security - Dance Dance Authentication
https://m.youtube.com/watch/... -
What's a good password manager for Linux?
A few (optional) conditions (in order of preference):
1. It's free
2. It supports ssh, gpg, etc.
3. It has a GUI (a nice one with gtk/qt support)
4. It's (properly) secure
5. It has FIDO U2FA support (i.e. supports physical security keys like Yubikey or Solo)
6. It has a browser extension
7. It's compatible/non-conflicting with gnome-keyring16 -
security fiasco due to a malicious npm package:
Because of a bitcoin miner present in the event-stream npm module (https://bleepingcomputer.com/news/...), my entire team and I had to scan all our Node.js apps, repos and, the most excruciating one, all node_modules folders across all our dev machines and servers, to see if event-stream and flatmap-stream were present, then not just delete them but update a bu**load of upstream dependencies which internally used event-stream. All due to one malicious package which was hidden several layers beneath.
And, this happened almost 8 months after the aforesaid vulnerability was first found.10 -
I reached out to a developer whose site was being contracted out to Amazon devs, because when their site launched it had a couple of security issues. This was his response:
"An additional thought/opinion... Just because a college freshman from Arizona wasn't too hungover to make the effort to notify us and take the liberty of classifying this as a security issue for us doesn't mean we need to take their word for it."5 -
Imagine implementing PHP scripts which execute shell commands defined in URL GET query params on your customer's dedicated server without any basic authentication or similar. The only security is by barely obfuscating its URL.
I think I've seen it all now...3 -
When customers pretend to really care about security but then share server folders to "everyone" 🤨2
-
People who are shitting on the Chrome browser for desktop because of security reasons, but using it on their phones - you are mental.2
-
Privacy peeps, what's your opinion on the usage of surveillance for national defence, domestic security, etc.?
I'm just curious, most privacy-minded people I know generally trip up when confronted with stuff like "yeah, but if surveillance was a thing then that blast which killed 20 people yesterday could have been averted."
I've heard quite a few opinions on both sides, what's yours?18 -
Why is it that security (hacking) distros got so popular?
I see more and more posts and pictures, even on devRant, featuring them. I even see people at my uni that are on Kali. I can't believe all of them are that into security. I even know two Linux noob friends that won't listen to advice and went to Kali as their first distro.
I'd never use Kali/Parrot/whatever vs my current Manjaro setup... I'd rather go back to Arch.7 -
Ugh, been debating with a client for an hour about basic backups and security practices and want to tear my hair out. How do you guys deal with stubborn clients?5
-
A mandatory update (for security) for MS Outlook has just broken the badge indicator for new emails 🤡1
-
People, even on devrant, are complaining about having to change their Twitter passwords. A major security event is not the only occasion to change your password (for anything).
You should change your passwords for everything regularly. Like, once every month or two.
This is why password managers are brilliant.3 -
So I was like "imma be smart with my internet security and put 2 factor on my GitHub" only to find out I'm getting authentication errors when trying to push. Disabling 2FA makes it work again.
GitHub y u do dis D:5 -
Anybody else feel like their Internet traffic is constantly being monitored after downloading pen testing tools?
Have our identities been added to lists of potential cyber criminals :/
Thoughts?
(For ethical purposes - involving your own site's security!!)2 -
@linuxxx
Can you do a security / privacy check for ProtonVPN? All I know is that it is Switzerland based and pretty much secure.9 -
A very suspicious thing happened at work last Friday, security team told me to uninstall adblockplus and disconnect.me plugin 😟5
-
Wowza..... Security certifications get expensive! Gonna have to spend half the week writing one hell of a business case for the certs my team needs!2
-
!rant
Recently I started to be interested in how code actually works. I do a for-loop or an if-statement, but how do they actually work at the lowest level?
Another thing I've been interested in is security. I thought about learning how to hack my own systems in order to learn how to write more secure code and keep people out. But I'm a little afraid that as soon as I start looking at how to hack, the police will storm through the window and take my computer 😂😂8 -
!rant
I'm a computer engineering student.
I'm very much interested in Systems and networking.
That's why I was thinking of pursuing cyber-security as a career option.
But I'm not quite sure if that is a good choice.
Also I don't know how to proceed in order to achieve excellence in cyber-security.
It would be a great help if you guys could help me.
Thanks :)20 -
I've implemented my own version of IoT all over my room and home.
Hope the protocol I've designed has proper security...1 -
They tell me to only review security in the security reviews I'm doing (and if I bring to their attention that they're implementing a weak encryption, so even though they're not using it at the moment it might cause issues, so be careful with that, they say to only review security 😵), and then I see this MSSQL in a WHERE:
AND ISNULL(field, 0) IS NULL
And I think wtf, should I report that? I did and it's a bug and they're thanking me now....
God dammit it's hard to "review security" here...3 -
Tomorrow I must present a summary of what the prof said in the first session of Security+ within 20 min.
All he said was about the most important security certs and some definitions including the CIA triangle.
Any idea how I can make my summary cooler, or anything related I can say in addition to those?6 -
A fellow uni student shared this deal with everyone in our security course. The first place I thought of re-sharing it was here.
https://humblebundle.com/books/...
Hopefully my fellow devranters will find this a good deal.5 -
I came across this blog (I guess) that's mostly critique about the security of major open source projects. The author claims to be a security researcher.
At least some of the claims seem to have merit, but how much? Opinions?
https://madaidans-insecurities.github.io/...3 -
How did you learn cyber security, especially pentesting?
I know that making a VM lab and/or doing CTFs and reading writeups can help a lot, but is there any more "formal" way to get into things like pentesting etc.?
(Without having to pay for OSCP, SANS and all this)5 -
Mfw at an Azure/IoT conference, one presenter shows his certificate validation, to connect to all devices in his house:
return true;
He said:
"let's not be paranoid about security" -
Doing a talk on 'Security in PHP' and live demo on web attacks and safeguard tips this Saturday. Any tips fellow Ranters...?13
-
Has anyone used python within cyber security?
I really want to get into cyber security. I'm curious what programming languages are used within that industry.4 -
My country has the best security experts. They convince people that they are not thieves. Then when people believe them and give them their data, they change the password.1
-
why is every auth provider utter and complete shit?
why are docs and tutorials that try to teach auth so complete shit?
No wonder there are so many security holes everywhere, nobody bothers to make it simple for the next person.
Next time people that cry about security/bad auth, and work in that field, this one is for you:5 -
So much talk about wannacry and security, but everyone will forget in a few weeks and go back to using old unpatched OS with vulnerabilities.. Why don't people understand that security is a necessity, not a luxury!6
-
So just now I had to focus on a VM running in virt-manager.. common stuff, yeah. It uses a click of le mouse button to focus in, and Ctrl-Alt-L to release focus. Once focused, the VM is all there is. So focus, unfocus, important!
Except Mate also uses Ctrl-L to lock the screen. Now I actually don't know the password to my laptop. Autologin in lightdm and my management host can access both my account and the root account (while my other laptop uses fingerprint authentication to log in, but this one doesn't have it). Conveniently my laptop can also access the management host, provided a key from my password manager.. it makes more sense when you have a lot of laptops, servers and other such nuggets around. The workstations enter a centralized environment and have access to everything else on the network from there.
Point is, I don't know my password and currently this laptop is the only nugget that can actually get this password out of the password store.. but it was locked. You motherfucker for a lock screen! I ain't gonna restart lightdm, make it autologin again and lose all my work! No no no, we can do better. So I took my phone which can also access the management host, logged in as root on my laptop and just killed mate-screensaver instead. I knew that it was just an overlay after all, providing little "real" security. And I got back in!
Now this shows an important security problem. Lock screens obviously have it.. crash the lock screen somehow, you're in. Because behind that (quite literally) is your account, still logged in. Display managers have it too to some extent, since they run as root and can do autologin because root can switch user to anyone else on the system without authentication. You're not elevating privileges by logging in, you're actually dropping them. Just something to think about.. where are we just adding cosmetic layers and where are we actually solving security problems? But hey, at least it helped this time. Just kill the overlay and bingo bango, we're in!2 -
!Rant
I stumbled upon this github repo , thought anyone working on a web app could get some tips from it :
https://github.com/FallibleInc/...
Hope this helps.3 -
Does your company allow you to bring your own devices?
If so, do you have a choice on which programs/operating system gets installed?
If not, for which security reasons?4 -
The most frustrating part of the "your password must be min. 8 characters long and include a number and a special character" thing is that it does not improve security.
On the contrary.
I wonder how many people in the company have the name of the city they are located in, and the current year in their password...
#newyork18 #beijing20173 -
So a ticketmaster security breach.
If you bought tickets using ticketmaster between September-2017 and June-2018 beware. Globally.
https://zdnet.com/article/... -
I'm not sure if I'm a good or bad person by allowing my users to set a weak password.
They get to use almost whatever they want, but it may be brute-forced easily.
I let users decide their own security on that point.4 -
This rant is tribute to the guy who doesn't allow you to login to site before authorization..
the level of security one can never imagine 😂 -
Ok.
I am not a security expert, but when I was working on downloading YouTube videos directly from the googlevideos.com server, I found out there was some security issue that allows login requests to be manipulated.
Reported to google.
Let's see how it goes.2 -
So after waiting 3 days for an ID to get into a computer, I'm now told it's going to take 12-14 hours before I can do online security training just so I can actually start working. I'm only at this job for a month and I'm not going to even touch any real work at this rate...
Oh well, at least I'm paid by the hour, not by the amount of work -
Just reported a minor tracking bug I found on WebKit to the WebKit bugzilla, and I have a few thoughts:
1. Apple product security can be kind of vague sometimes - they generally don't comment on bugs as they're fixing them, from the looks of it, and I'm not sure why that is policy.
2. Tracking bugs *are* security bugs in WebKit, which is quite neat in a way. What amazes me is how Firefox has had a way to detect private browsing for years that they are still working on addressing (indexedDB doesn't work in private browsing), and Chrome occasionally has a thing or two that works; with Safari, Apple consistently plays whack-a-mole with these bugs - news sites that attempt to detect private browsing generally have a more difficult time with Safari/WebKit than with other browsers.
I guess a part of that could be bragging rights - since tracking bugs (and private browsing detection bugs, I think) count as security bugs, people like yours truly are more incentivised to report them to Apple because then you get to say "I found a security bug", and internal prioritisation is also higher for them. -
Why is 99% of my development job responding to audits, security questions, and idiocy spewing from something called an “Office of Innovation”? So this Innovation team sends down a project request which is silently intended to push my resource allocation over 100%. Security shoots down the idea. Innovation team tells me to tell security no, we need this. Ummm, here’s a thought, why don’t you idiots all get together and tell me when there’s some coding to be done?1
-
Signed up for an account on an online store, which then proceeded to send me my full password in plaintext, and in an unencrypted email.
Sent them an email 3 weeks ago detailing the security issue (I was extremely nice about it), but no response.
What else can I do?4 -
Learning information security yet again after doing multiple information security things for company and manager is pushing to do it saying "due immediately" and they're after sending "a number of emails" (it's due in a month and they sent 1 email).
Annoying that these things must be done again and again just because someone in sales let something slip or left their journal behind like a dumb dumb. It's not like I'm never off-site with my stuff or I interact with customer(s) yet1 -
"In Python 3, exec is a function; its use has no effect on the compiled bytecode of the function where it is used."
Found in a stackoverflow post.
So wait, you mean to say, you could hide code in a pyc file or am I mistaken?
How is this not a security concern?12 -
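What the quoted Stack Overflow sentence means in practice, as an added example (not from the post or its source): in Python 3 `exec()` is a plain function call, so it cannot rebind the locals of the function it runs in, and the compiled bytecode still records the call site and its literal argument. The second function is a small reviewer's aid that walks a compiled module and reports those call sites; the sample source it is run on is constructed.

```python
import types


def exec_cannot_rebind_locals() -> int:
    """The compiler decided at compile time that x is a fast local.

    exec() runs against a copy of locals(), so its assignment never reaches
    the real x: the function returns 1, not 2. (In Python 2 the `exec`
    statement changed how the whole function was compiled; Python 3 does not.)
    """
    x = 1
    exec("x = 2")
    return x


def find_dynamic_exec(code: types.CodeType, path: str = "<module>") -> list:
    """Recursively report code objects that reference exec/eval/compile/__import__.

    The executed string is not turned into bytecode at compile time, but the
    name of the function being called and the string literal handed to it are
    both still in the code object (co_names / co_consts). A .pyc therefore does
    not hide a dynamic-execution site from anyone who looks at the code object.
    """
    hits = []
    dynamic = set(code.co_names) & {"exec", "eval", "compile", "__import__"}
    if dynamic:
        literals = [c for c in code.co_consts if isinstance(c, str)]
        hits.append({"where": path, "calls": sorted(dynamic), "strings": literals})
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            hits.extend(find_dynamic_exec(const, f"{path}.{const.co_name}"))
    return hits


def audit_source(src: str, filename: str = "<constructed>") -> list:
    """Compile `src` the way the interpreter would and audit the result."""
    return find_dynamic_exec(compile(src, filename, "exec"), filename)


# Constructed sample: a module whose helper function runs a string at runtime.
SAMPLE_SOURCE = '''
def loader():
    exec("print('hello from a string')")
'''
```

A string that is decoded or fetched at runtime (base64, a network call) will not show up in `co_consts`, but the `exec`/`eval` reference in `co_names` still does, which is what a bytecode-level audit keys on.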
!rant
Anyone there who uses a Mac and is somewhat conscious about security, I recommend reading through this page:
https://github.com/drduh/...
Any ranting about choice of OS and hardware, I'll show you why my nick is ChainsawBaby1 -
What's the best natural language processing software that won't f you up?
I'm a big fan of Alexa's capabilities, but we all know that Alexa is to security what North Korea is to democracy.
Is there any software that can compete with the powerhouses that are Alexa, Google Home, Siri or Cortana?4 -
Anyone have much success with Kali/WiFi penetration testing?
I've been tasked with trying to break WPA security within a couple of hours without a dictionary attack - is that even possible?
I have an Alfa AWUS036NHA capable of monitoring mode if that makes any difference. It's my first time trying anything like this.10 -
Mozilla has announced plans to remove support for the FTP protocol from Firefox. Users won't be able to download files via the FTP protocol and view the content of FTP folders inside the Firefox browser.
According to the report of ZDNet: Michal Novotny, a software engineer at the Mozilla Corporation said "We're doing this for security reasons, FTP is an insecure protocol and there are no reasons to prefer it over HTTPS for downloading resources. Also, a part of the FTP code is very old, unsafe and hard to maintain and we found a lot of security bugs in it in the past." Novotny says Mozilla plans to disable support for the FTP protocol with the release of Firefox 77, scheduled for release in June this year.
Users will still be able to view and download files via FTP, but they'll have to re-enable FTP support via a preference inside the about:config page.13 -
Security starts as soon as the project starts. Every decision you make needs to be one that considers whether you will compromise on security - but human beings fail to do this for one reason - bureaucracy.5
-
If only NPM's security team (so pretty much NSP's) would inform the package owners as soon as they discover vulnerabilities and give them the standard 30-90 days to fix them and release a new version before going public, instead of straight out publishing the security audits, which generates noise on the terminal (obviously when using npm) and on GitHub
-
Uh oh, watch out for the latest security issue in Atlassian products ...
https://confluence.atlassian.com/ji...3 -
Getting all the shitty half-broken stuff because you're 'just a contractor'...
...and not being allowed to use your own top-of-the-range stuff due to 'data security policies' 😧1 -
[Talk by a security expert. The main point was, complexity kills security.]
7 minutes later a friend via IM: Hey, let's use OpenStack! Just 33 micro services to install! -
How should you approach someone and tell them they have been a victim of social engineering without being mean?
I was at a security conference today and watched a lot of talks, and I must say that the atmosphere and the people around made it even better.
Here is one takeaway:
Does the security of IT have to be this depressing most of the time? Like, there are so many IoT devices, services, websites and critical infrastructure that have security flaws and all we can do is watch for now and say we are all fucked. Then try to lead the industry to better practices, like OWASP (duck it). Stop accepting and using shitty answers from SO that have security flaws (why learn something in a way that is wrong in the first place?).
We need more awareness about IT security overall. How can one developer know that certain technologies can have certain vulnerabilities such as XSS, XSRF and even SQL injection if there is no information about it among all the shitton of tutorials, guides and SO answers in the first place?
Lighten up! Being sad and depressing about these issues is not the best way to approach this! We need to embrace all steps taken towards better security, even the smallest ones.
Check out OWASP if you are not familiar :
https://owasp.org/index.php/...
Thanks for reading. -
I took a systems security class when I was in college and the exams were the most difficult ones that I had. We had to do two exams and I felt pretty stupid on both.
Passed the exams but they gave me some doubts about my skills. -
When you hear that the "advanced holistic security" product the client bought is a basic firewall...1
-
Another 'fun' rant
Wrote a new server application and got the request from customer services to make it compatible with a slightly older DB version.
Today, CS asked me to install everything on the customer's test environment so I made a build and installed it there.
Wanted to run the service, no .Net framework 4.7.1 installed. Fine, download the installer ...
Start installing .Net framework 'unsupported OS'. Started looking into it. Customer is still running an old unsupported Windows Server 2008 ...
Asked some colleagues whether this was normal. Apparently, yes.
Seems CS isn't capable of telling customers to at least have a supported Windows version when they want our software. As if security issues due to people here not understanding TCP/IP weren't enough, we now have security issues due to old, unsupported Windows versions.
Note to self: never trust anyone who says that 'security is the most important thing in our software environment'. -
!rant
Many out there say you should use 2 factor authentication with everything, but personally I feel like that would just turn your phone into a single point of failure.
Physical security is my primary worry, because losing your phone or having it stolen would pretty much lock you out of all your accounts.
Another thing is I don't know as much about Android security, and I wouldn't be comfortable managing it.
I have 2FA active for some key services, but imho a strong password is usually enough. I think it's far more important for your overall security to avoid password re-use.
What do you think? Do you have 2FA on all the time?9 -
Had a client who was using the staging system on my server as a CDN, remote computing, etc... because his prod server was a cheap vhost while the VM was a beast compared to it. I shut it down without telling him. I just got a call that his site is now slow af and full of errors.
I kindly told him that there was a recent security breach called Dirty COW. Then I told him that I shut the VM down because it would mean a security risk for him since there are no patches available yet, and I'd only power it on again when there was work for me to do.
If you want resources pay for them -
After brute-forcing access to her hardware I spotted a huge memory leak spreading on the key logger I had just installed. She couldn't resist right after my data reached her database, so I inserted it once more to duplicate her primary key; she instantly locked my transaction and screamed so loud that the whole neighborhood was broadcast a message that an exception was being raised. Right after, she grabbed the back of my stick just to push my exploit harder to its limits and make sure the whole stack trace was being logged into her security kernel log.
Fortunately my spyware was obfuscated and my metadata was hidden, so even though she wanted to copy my code into her newly established kernel and clone it into a new deadly weapon, all my data went into a temporary file I could flush right after my stick was unloaded.
Right after deeply scanning her localhost I removed my stick from her desktop and left the building; she was left alone again, loudly complaining about her security hole being exploited.
My work was done and I was preparing to break into another corporate security system.
- penetration tester diaries2 -
What makes WhatsApp not privacy friendly? They don't state that they share contact information and only statistical stuff (App last opened, etc.) Which is marketing, but not really bad. And they use end to end encryption.
By the way, this here is their whitepaper on end to end encryption. But I haven't read through it yet. https://whatsapp.com/security/...15 -
I've always considered myself a stalwart proponent of strong, effective security. But I'll be damned if my company's security policy isn't choking its developers out.
It's like whenever a developer requirement and potential security vulnerability meet, the company doubles down on the security side, ignores their dev's needs entirely, and then takes a privilege away just to punish us for having the audacity to try and do our God damn jobs.6 -
When a junior develops an API call which returns the user information and there is a session_key and the encrypted password in it too.
Dude! do you even know some basic security ! Please don't just Select * From table join table only !3 -
Team are getting into using Machine learning for anomalous behaviour detection for authentication and traffic behaviour... It's so interesting and another useful tool in our security arsenal
-
Attempted to install MetaTrader 5 with wine on linux, loving the irony of "... please install using Window 7 ... trading requires maximum security" bahaha4
-
My bank just switched from RSA SecurID to SMS-based 2-factor authentication, claiming it offers "equal security".
Is it not common knowledge that SMS 2FA is a security joke?? What the fuck guys?!? -
Want to use Http-VPN. Now I have to use Internet Explorer and Java and have to disable all security on my system. Fml
-
What would you do if you discover a major security flaw in an enterprise product that claims to be secure and has GDPR compliance? Like a really major flaw in a core feature of the product!9
-
So, I’ve been given the task of sorting the security out in an application plugging the holes and whatnot as to be honest it’s shocking haha. It doesn’t help that we automate security audits but that’s a different rant for another day.
We’re using devise for authentication (Rails standard, ♥️ devise). We have no password resets through the login page; it has to be manually reset by ringing support, why, who knows, even though it’s built into the gem, and we allow the user to log in using a username instead of an email because for whatever reason someone thought it was a bright idea to not have the email field mandatory.
So I hop onto a call with the BAs, basically I go that we need to implement password resets into the login page so the user can do it themselves and also to cut down support calls a ticket is already in place for it. So I go through the standardised workflow for resetting a password. My manager goes.
“I don’t think this will be very secure”
Wait.. what. Have you never reset a password before? It’s following the same protocol as every other app.
We go back and forth and I said I’ll get it checked with security just to keep him happy.
The issue mainly is, well, we can’t implement password resets due to 100s of users not having an email on their account.. 🙃 so before we push this change we need to try and notify all users to set a unique email.
Updated the tickets. All dandy.
Looking at the PRs to see what security things have been done if any and turns out one of the devs in India has just written a migration to add the same default email to every user that doesn’t have an email present and yep it got merged. So I go revert the change but talk about taking a “we don’t care about security approach”.
Eventually we want to have the user reset their passwords and log in using their email, and someone goes ahead and does that. Not to mention the security risk.
Jesus Christ I wonder why I bother sometimes.2 -
Guys, I'm changing my email provider and am looking for a (paid) one that focuses on security and data privacy. Any suggestions/experiences?3
-
I just used a contact form of a local webshop. I couldn't enter my email address because it contains a +.
I contacted them to tell them about this issue and the response was it is because of security reasons. Since when is following specs a security breach? Unless their system is one leak I don't see how it's possible.
Am I wrong or did they either lie or have a leak in their system?2 -
Trying to get my head round LDAP for, what will eventually be, a government project.
Security up the wazoo is difficult1 -
What. Setproctitle actually changes /proc/PID/cmdline? Who thought that was a good idea? Now a bunch of people at my "security" company think that makes the command line a safe way to pass secrets.1
-
Have you ever wondered why the developer part of the tech world is so rich and full of community? Devrant is one example.
Coming from a background of IT and cybersecurity I've never felt this way before. Why the IT and security world isn't as rich?1 -
In high school right now and I'm seriously interested in network and information security. I recently managed to work out possible internships at some top security firms based out of Sweden. I am super stoked and am excited to see the pros work. Might be interesting.
-
@dfox Was watching your live stream today and you talked about security... You should really add an HSTS preload directive to devrant.io to prevent spoofing.1
-
So I did this convenient download script that worked like a charm at home, only to find out internet is blocked for these kinds of things at work. Adding a port results in a single connection success that will be blocked on the next attempt. I get it with all the security concerns, but am curious which way the IT department tells me to download 3k+ files with likely dynamic filenames otherwise...2
-
For someone not deep-into-security, can someone tell me why "encrypted"/"non-compromised" communication is hard?
Wouldn't a private server that holds conversation in-memory (imagine Dictionary holding U2U GUID-GUID list of 'msg' objs) suffice?
Incoming IP info is disregarded and nothing gets written on-disk ever
Need to erase everything? just reboot the server, it's all in memory anyway
To avoid man-in-the-middle, pre-handshake check cert integrity by exposing the certificate-fingerprint by another endpoint, if the fingerprints match, proceed to switch to websocket
Wouldn't this be wayyyy more secure for actual anti-establishment talks than all the fancy probably-backdoored software that exists today? .-.
Hell it's easy enough that someone could make it go live in a few days, keep it up accessible if you know the IP and port to communicate and close-and-delete when done16 -
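The certificate-fingerprint check proposed in the question above, and the "return true" certificate validation from the Azure/IoT rant earlier on this page, side by side as an added example (not code from either poster). It uses only the standard library; the pinned fingerprint is assumed to have been obtained out of band (published by a second endpoint, as the question suggests), and the DER bytes in the test are constructed, not a real certificate.

```python
import hashlib
import hmac
import socket
import ssl
from typing import Optional


def insecure_context() -> ssl.SSLContext:
    """The TLS-context equivalent of a validation callback that returns true:
    no chain check, no hostname check, so any certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Chain validation against the trust store plus hostname matching,
    TLS 1.2 or newer. cafile is optional; None means the system store."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def fingerprint_sha256(der_cert: bytes) -> str:
    """SHA-256 of the DER-encoded leaf certificate, lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, expected_fingerprint: str) -> bool:
    """Constant-time comparison against a pin written as hex, with or
    without the colon separators browsers and openssl print."""
    expected = expected_fingerprint.replace(":", "").lower()
    return hmac.compare_digest(fingerprint_sha256(der_cert), expected)


def connect_pinned(host: str, port: int, pinned_fingerprint: str,
                   timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS connection that must pass BOTH normal validation and the pin.

    Pinning is a second check on top of chain validation, not a replacement
    for it: the pin only says "this is the leaf I expected", the chain check
    says "and it was issued by someone the client trusts".
    """
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = hardened_context().wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    try:
        leaf = tls.getpeercert(binary_form=True)
        if leaf is None or not pin_matches(leaf, pinned_fingerprint):
            raise ssl.SSLError("leaf certificate does not match the pinned fingerprint")
    except Exception:
        tls.close()
        raise
    return tls
```

Whether the pin is trustworthy depends entirely on how the "other endpoint" that publishes it is itself authenticated; a fingerprint fetched over the same unverified channel adds nothing.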
Anyone have any recommendations on an open source security/malware scanner to run at server level for the OS and web server files on Linux?2
-
I love doing multiple tech things. Development, Ops and security. Why can't people see this as tech experience and not individual subdomain experience. Why can't people switch jobs easily over Dev, Sec and Ops?
Smh.1 -
Hey security peeps how do you think group chats are security protected? Are they really end to end encrypted?5
-
What about security! When you put your file URL to update / insert / download data in a database, you give easy access to every hacker in the world! How can I secure it? 😑😑3
-
I've implemented a chat function for my app. Since I'm a security noob, what is the preferred way of encrypting the messages? End-to-end maybe?
I'm definitely not leaving them as plain text :)
-
Working with external teams on this new project involving pretty sensitive stuff like bank transactions.
Talking about user flow and how to handle authentication, like 2-factor and stuff.
Newish guy on external team (though experienced) says they have a proposal.
Security Questions.
... like "What was your first car" security questions...
Awkward silence in the room...
-
Good Arch-based security/privacy distros? I only know about BlackArch. Are there any good alternatives that are also pretty user-friendly for everyday work/development tasks?
-
Best thing about having two screens and Rectangle is that you can collect all the security pop-ups on the smaller one and just continue working till it's actually convenient to restart everything. (Like after the meeting.)
Seriously, corporate security measures are completely fucked. Not only did they manage to slow down even Go compiles to a crawl with Defender and other crap. Just tried to write 6 words to our PO. Focus got stolen by 4 of the 6 words typed.
One of them demanded a restart of Firefox, and that one can't be closed or moved out of the way unless you have some fancy window manager tool. This isn't security, this is harassment.
-
When you discover a rather big security flaw in a mate's code and your boss tells you that he might fix it for "version 2", for now we are good. Wtf, we are just hurting ourselves if this shit gets discovered by some other guy.
We are developing an Android app for management and selling for another company, and we are a little short on time for finishing the first version, but fuck, it's a big security flaw.
-
My uncle is interested in security, but personal security; he wants to be more private. So he told me he had installed Kali Linux and got a course on it, so I tried to explain to him that this is more of a professional thing... that he needs something else.. and so he asked me: "What do I need, which book can I buy?"
I didn't really know. For me it's common sense to get a NAS, maybe have a laptop that is never connected to the internet, or maybe encrypt traffic, encrypt hard disks.
But is there a book for that? You have 30 seconds to shine, how would you respond?
-
Is anyone in the house working on Cloud Access Security Broker (CASB)? If yes, how is the domain and what's the market value of it?
-
There should be a fuck off button in every piece of software that disables all security features and restrictions so I can run it in a private LAN and decide myself.
Fuckers force you to expose everything to the public and connect everything everywhere.
Software made for morons.
Fuck this shit.
-
I'd love to get into a career within the cyber security industry.
Anyone got advice?
I've played around with Kali/Parrot and set up a Proxmox box to perform pen testing, and have a fair number of PDF ebooks and audiobooks on networks, security and pen testing.
-
Yeah, so when you create an account just about anywhere nowadays, you need to choose a strong password. Fair enough. But then, some sites/services/systems require a second password, sort of a password hint as an extra security for retrieving your first password in case you forget it. Well OK... That hint question just becomes very *in*secure when you must choose from some extremely stupid presets like "In which town were you born?" or "What was your mother's maiden name?", all of which are trivia that for most people can be easily googled, or looked up on Facebook ffs. And these "in which town did this or that happen?" questions? As there is only one town in my country it's not a long shot that I was born in Mariehamn, met my partner in Mariehamn and had my first job in Mariehamn. Security questions for imbeciles.
-
How many people on devRant are skilled with pentesting / Offensive Security? How long did it take you to understand it? How do you keep yourself from crossing over white hat territory into grey hat territory?
-
Let's play a game.
Theme: Security awareness - grey-hat style.
How to play:
Post the name of the site followed by actual bad-password restrictions of well-known companies in the comments.
If no-one beats me to it, I plan to share some of the more alarming ones (or all) on Twitter and tag the relevant companies as well as various security enthusiasts.
-
So I changed my FB account password and it gave me an email notification with an IP address. And then when I logged in it gave me another notification email with a different IP address this time. Should I be concerned about my network security? This is just SO ANNOYING!!!
-
So first day on the job, I'm in the application security team. Any tips? Anything much appreciated!
-
Two security researchers have published details about a vulnerability in the Windows Printing Service which impacts all Windows versions.
According to a report from ZDNet, the vulnerability, codenamed 'PrintDemon', is located in the Windows Print Spooler (the Windows component responsible for managing print operations). The service sends data to be printed to a USB port for physically connected printers. In a report published, security researchers Alex Ionescu & Yarden Shafir said they found a bug in this old component that can be abused to hijack the Print Spooler's internal mechanism. The bug cannot be used to break into a Windows client remotely over the internet, so it's not something that could be exploited to hack Windows systems over the internet.
Anyone have any info about unconventional ways to inject JavaScript into an external website? I'm trying to become more knowledgeable about security vulnerabilities in the web apps I build and I've been having a lot of fun trying this stuff out in other live sites haha. I've tried adding JS code to text boxes, input fields, and the URI but nothing has been successful. I read something about modifying cookies I think...
-
Hey there, I've never really done anything like this but I'm in the second year of college.
I really want to go into the security area, not completely sure but pretty inclined to pentesting.
The question is, what, in your opinion, do you think is a good starting point so I'm pretty much ready to start working when I finish my 5-year course? My college doesn't have any or many security classes, so I'll have to do it all by myself.
Right now I know Java, C and HTML, CSS and JavaScript, which I'm learning by myself.
-
Security experts' advice on security is like a priest preaching about the way of life. Both of them tend to the same thing, that it would protect from `evil`.
-
Anyone tried this Krypt.co thing? I just tried setting it up and I hooked up my GitHub and Google account with it. The odd thing was that during the connection, it kept asking me to add it as a Security Key. I didn't realize the Chrome extension tricked the browser into thinking that it had a security key connected to it.
-
For persistence, either credentials or data, is there any best practice that prefers DATABASES over FILES? Files such as JSON or txt or whatever...
Do DBs offer better performance or security?💾
-
When Spring Security protects exactly the opposite of what you think you asked ... But you don't know why...
-
I'd like to one day work on security consulting/advising (incident response, opsec, SOC, etc). For those of you here that are currently in or have worked with people in that field: what advice do you have for handling cyber risk situations?
-
According to a report from ZDNet: IBM's new toolkit gives developers easier access to Fully Homomorphic Encryption (FHE), which is a technology with promise for a number of security use cases. In case you do not know about FHE, you can take a look at my Quora answer (https://qr.ae/pNKR2p).
"While the technology holds great potential, it does require a significant shift in the security paradigm," the report adds. "Typically, inside the business logic of an application, data remains decrypted, [Flavio Bergamaschi, FHE pioneer and IBM Researcher] explained. But with the implementation of FHE, that's no longer the case -- meaning some functions and operations will change."
The toolkit is available on GitHub for macOS and iOS and it will soon be available for Linux and Android.
-
We can't use Google Sheets, because of security risks.
(Okay...)
Not even for our showcase content.
Which is public.
The showcase content, whose goal for the company is to be seen by as many people as possible.
Because of security issues which may lead to the possibility of people seeing it.
Seeing the content we want them to see.
Roses are red
My dog ate my led
I may be going crazy
It would be so easy
If they used their head
Or at least fucking read
Edit: if any security expert can give me a valid explanation better than "it's the protocol", I am willing to accept I am wrong, but then the point is that they (colleagues) are dicks for not explaining.
Hey. I'm still very new to CloudFlare and I have a question.
Let's say that I have 4 sub domains: a.test.com, b.test.com, c.test.com, d.test.com. They're all under the same domain (test.com).
I have a page rule set up specifically for a.test.com, where "Disable security" is set to On. I did this as a temporary solution so that I can figure out the problems that a.test.com has when the security is enabled (had users' complaints regarding not being able to send requests with CF security On), so that it is still accessible while I try to fix it.
By disabling security for a.test.com, do I put the others (b, c, d) at risk? I had someone telling me that it is possible for attackers to make use of a.test.com (unprotected by CF) in order to attack the other sub-domains. "a.test.com has no protection so attackers can use it to send requests to other secured subdomains, cross-site attack" or something along that line.
I don't get this. I thought a page rule is supposed to be active only for the domain where it's being set up and the rest will still be secured, and that if an attacker manages to attack the other subdomain it's due to the others not having secure applications inside of them.
Dunno if that person was telling the truth or tried to mess around with me with their joke!
Thanks!
-
I'm currently learning assembly in school and... I actually kinda like it. (To my surprise.) I was wondering if there were any good resources for learning about security at the assembly/system level?
-
How much of a security risk is it to serve static data from a json file on flask? Values are posted from a mobile device to a server to groom objects to return. My coworker is giving me a lot of shit for it as the file is accessed through a relative path, but the file names are checked and sanitised. He says the objects should be in a database.
-
Sometimes I'll block a code submission with the words "security vulnerability", then go have a 10 minute break to see if the others can spot it on their own.
-
Dear Fellow Programmers,
I want to become a Cyber Security Specialist and am currently learning Java (beginner). Please tell me, is it a good language for this type of activity and what else should I learn?
-
I'm lost here 😑! Got a new job and I'm supposed to analyze/fix/update the communication software/hardware internally. Data security is insanely important and everything should be inexpensive 😑. Any suggestion what I can use as software and communication tools?
-
From the student's point of view: my IT security module last semester, which had nothing new for me because I was thrown into an internship with no work prepared and had to teach myself IT security for the whole semester, which has shown me that said path was the right one for me :)
-
Facebook's security is so bad it's surprising Zuckerberg hasn't deleted his account
https://yahoo.com/news/...