Long but worth it...

So I was cleaning out my Google Drive last night, and deleted some old (2 years and up) files. I also deleted my old work folder, it was for an ISP I worked for over 2 years ago. After deleting the files I had a little twinge of "Man I hope they're not still using those". But seriously, it'd be a pretty big security risk if I was still the owner of those files... right? Surely they copied them and deleted all the info from the originals. IP addresses, Cisco configs, username and passwords for various devices, pretty much everything but customer info.

Guess who I get a call from this morning... "Hi this is Debbie from 'ISP'. I was trying to access the IP Master List and I can't anymore. I was just told to call you and see if there's any way to get access to it again" (Not her real name...)

I had to put her on hold so I could almost die of laughter...

Me: "Sorry about that Debbie, I haven't worked for that company for over 2 years. Your telling me in all that time no one thought to save them locally? No one made a copy? I still had the original documents?!"

Long pause

D: "Uh... Apparently not..."

Another long pause

D: "So is there any way you can give me access to them again?"

Me: "They're gone Debbie. I deleted them all last night."

D: Very worried voice "Can... Can you check?"

This kids is why you never assume you'll always have access to a cloud stored file, make local copies!!

A little bit of background on this company, the owner's wife fired me on trumped up "time card discrepancy" issues so she could hire her freshly graduated business major son. The environment over there was pretty toxic anyway...

I feel bad for "Debbie" and the other staff there, it's going to be a very bad week for them. I also hope it doesn't impact any customers. But... It is funny as hell, especially since I warned the owner as I was clearing out my desk to save copies, and plan on them being gone soon. Apparently he never listened.

This is why you should have a plan in place... And not just wing it...

PS. First Post!

Me wanting to board Plane,
Goes through security Check...
"Sorry sir Laptops are not allowed."
Me
"Why?"
Security
"It could be a modified bomb"
Me
"But this is a Tablet!"
Security
"No sir, it has a Keyboard and Trackpad attached to it, its also running Windows..."
Me
"Excuse me, but this is clearly a Tablet"
*Detatches Keyboard from Surface Book*
"See? Tablet."
Security,
"Sorry sir, but no. You cant board the plane with this, only Tablets and Smartphones"
Me
"WTF? you dont allow Laptops because they could be bombs but A FUCKING SMARTPHONE IS ALLOWED? AND TABLETS TOO?!"
Security
"Yes, because the Battery is not removable..."
Me
"But my Laptop Battery is also not Removable..."
Security
"I dont have anymore Time for an Argument"
Me
"So I can board the Plane?"
Security
"No, the Ticket will be refunded"

WHO THE FUCK CAME UP WITH THIS BULLSHIT? LIKE RLY? WHO!!
I MEAN WHAT THE FUCK IS ALLOWED?!

A former colleague made an online shopping app. Boss wanted to promote him to Senior Developer when he still working with us.

14 days ago another colleague checked the code and told the boss that it's ready for production. No one asked me because everyone in the company thinks am the stupid developer of them all.

So what happened?
Well the total value of the cart was being over to payment gateway using a hidden field. Well you know the rest of the story.

The client has sued our company for this issue and boss came running to me and asked me to check if it was our fault or something else.

I checked and found the hidden value where the total value of cart was being stored and send over to payment gateway. The following is the conversation between me and the colleague who checked the code:

Me: So you checked the code and everything was okay?
Him: Yes, all good.
Me: Did you see this hidden field where the total value of cart is being passed to the payment gateway?
Him: Yes
Me: Why didn't you fix this?
Him: What's there to fix?
Me: Well someone can temper the value and let it pass to the payment gateway.
Him: No, they can't we are using https
Me: I' am done with you

He has Masters in software engineering and has few security certificates.

Happened a few weeks ago but still awesome.

Me and a good friend have a website together but we don't monitor it too much.
He studied with me in the same class but went towards frontend/apps where I chose backend/servers/security. He knows how to do basic Linux stuff but that's about it.

We were at a party when he noticed that our site was offline. Walked over to me (because I manage the server) to notify me so I could look into it said I'd look into it (phone):
*visits site: nothing*
*online dig tool: got the server ip*
*remembered this one didn't have pubkey authentication - after three passwords attempts I'm in*

"service apache2 status"
*service doesn't exist*
*right, migrated this one from Apache to nginx....*
"history"
*ah, an nginx restart probably suffices...*
"service nginx restart"

BAM, site is reachable again.

*god damnit, lets encrypt cert expired...*
"history"
*sees command with certbot and our domain both in one*
"!892"
*20 seconds later: success message*
*service nginx reload*

BAM, site works securely again.

"Yo mate, check the site again"

Mate: 😶 w-w-what? *checks site and his watch* you started less than two minutes ago...?
Me: yeah..?
Mate: 😶 now this is why YOU manage our server and I don't 😐

His face was fucking gold. It wasn't that difficult for me (I do this daily) but to him, I was a God at that moment.

Awesome moment 😊

And here comes the last part of my story so far.
After deploying the domain, configuring PCs, configuring the server, configuring the switch, installing software, checking that the correct settings have been applied, configuring MS Outlook (don't ask) and giving each and every user a d e t a i l e d tutorial on using the PC like a modern human and not as a Homo Erectus, I had to lock my door, put down my phone and disconnect the ship's announcement system's speaker in my room. The reasons?
- No one could use USB storage media, or any storage media. As per security policy I emailed and told them about.
- No one could use the ship's computers to connect to the internet. Again, as per policy.
- No one had any games on their Windows 10 Pro machines. As per policy.
- Everyone had to use a 10-character password, valid for 3 months, with certain restrictions. As per policy.
For reasons mentioned above, I had to (almost) blackmail the CO to draft an order enforcing those policies in writing (I know it's standard procedure for you, but for the military where I am it was a truly alien experience). Also, because I never trusted the users to actually backup their data locally, I had UrBackup clone their entire home folder, and a scheduled task execute a script storing them to the old online drive. Soon it became apparent why: (for every sysadmin this is routine, but this was my first experience)
- People kept deleting their files, whining to me to restore them
- People kept getting locked out because they kept entering their password WRONG for FIVE times IN a ROW because THEY had FORGOTTEN the CAPS lock KEY on. Had to enter three or four times during weekend for that.
- People kept whining about the no-USB policy, despite offering e-mail and shared folders.
The final straw was the updates. The CO insisted that I set the updates to manual because some PCs must not restart on their own. The problem is, some users barely ever checked. One particular user, when I asked him to check and do the updates, claimed he did that yesterday. Meanwhile, on the WSUS console: PC inactive for over 90 days.
I blocked the ship's phone when I got reassigned.
Phiew, finally I got all those off my chest! Thanks, guys. All of the rants so far remind me of one quote from Dave Barry:

Wow, just wow.

The Dutch national security spy agency and also their military one are complaining that the organisation that was brought to life to check if they don't spy on innocent people (and execute illegal hacks and overstep their surveillance powers etc) is investigating too much and asking too many technical questions relating to ongoing operations.

Well, this shows that this is necessary apparently! I'm glad this organisation is doing their job.

Oh, the irony.

This rant is a confession I had to make, for all of you out there having a bad time (or year), this story is for you.

Last year, I joined devRant and after a month, I was hired at a local company as an IT god (just joking but not far from what they expected from me), developer, web admin, printer configurator (of course) and all that in my country it's just called "the tech guy", as some of you may know.

I wasn't in immediate need for a full-time job, I had already started to work as a freelancer then and I was doing pretty good. But, you know how it goes, you can always aim for more and that's what I did.

The workspace was the usual, two rooms, one for us employees and one for the bosses (there were two bosses).

Let me tell you right now. I don't hate people, even if I get mad or irritated, I never feel hatred inside me or the need to think bad of someone. But, one of the two bosses made me discover that feeling of hate.

He had a snake-shaped face (I don't think that was random), and he always laughed at his jokes. He was always shouting at me because he was a nervous person, more than normal. He had a tone in his voice like he knew everything. Early on, after being yelled for no reason a dozen of times, I decided that this was not a place for me.

After just two months of doing everything, from tech support to Photoshop and to building websites with WordPress, I gave my one month's notice, or so I thought. I was confronted by the bosses, one of which was a cousin of mine and he was really ok with me leaving and said that I just had to find a person to replace me which was an easy task. Now, the other boss, the evil one, looked me on the eye and said "you're not going anywhere".

I was frozen like, "I can't stay here". He smiled like a snake he was and said "come on, you got this we are counting on you and we are really satisfied with how you are performing till now". I couldn't shake him, I was already sweating. He was rolling his eyes constantly like saying "ok, you are wasting my time now" and left to go to some basketball practice or something.

So, I was stuck there, I could have caused a scene but as I told you, one of the bosses was a cousin of mine, I couldn't do anything crazy. So, I went along with it. Until the next downfall.

I decided to focus on the job and not mind for the bad boss situation but things went really wrong. After a month, I realised that the previous "tech guy" had left me with around 20 ancient Joomla - version 1.0 websites, bursting with security holes and infested with malware like a swamp. I had never seen anything like it. Everyday the websites would become defaced or the server (VPN) would start sending tons of spam cause of the malware, and going offline at the end. I was feeling hopeless.

And then the personal destruction began. I couldn't sleep, I couldn't eat. I was having panick attacks at the office's bathroom. My girlfriend almost broke up with me because I was acting like an asshole due to my anxiety issues (but in the end she was the one to "bring me back"(man, she is a keeper)) and I hadn't put a smile on my face for months. I was on the brink of depression, if not already there. Everyday I would anxiously check if the server is running because I would be the one to blame, even though I was trying to talk to the boss (the bad one was in charge of the IT department) and tell him about the problem.

And then I snapped. I finally realised that I had hit rock bottom. I said "I can't let this happen to me" and I took a deep breath. I still remember that morning, it was a life-changing moment for me. I decided to bite the bullet and stay for one more month, dealing with the stupid old server and the low intelligence business environment. So, I woke up, kissed my girlfriend (now wife), took the bus and went straight to work, and I went into the boss's office. I lied that I had found another job on another city and I had one month in order to be there on time. He was like, "so you are leaving? Is it that good a job the one you found? And when are you going? And are you sure?", and with no hesitation I just said "yup". He didn't expect it and just said "ok then", just find your replacement and you're good to go. I found the guy that would replace me, informing him of every little detail of what's going on (and I recently found out, that he is currently working for some big company nowadays, I'm really glad for him!).

I was surprised that it went so smoothly, one month later I felt the taste of freedom again, away from all the bullshit. Totally one of the best feelings out there.

I don't want to be cliche, but do believe in yourself people! Things are not what the seem.

With all that said, I want to give my special thanks to devRant for making this platform. I was inactive for some time but I was reading rants and jokes. It helped me to get through all that. I'm back now! Bless you devRant!

I'm glad that I shared this story with all of you, have an awesome day!

Another incident which made a Security Researcher cry 😭😭😭
[ NOTE : Check my profile for older incident ]
-----------------------------------------------------------
I was invited by a fellow friend to a newly built Cyber Security firm , I didn't asked for any work issues as it was my friend who asked me to go there . Let's call it X for now . It was a good day , overcast weather , cloudy sky , everything was nice before I entered the company . And the conversation is as follows :

Fella - Hey! Nice to see you with us .
Me - Thanks! Where to? *Asking for my work​ area*
Fella - Right behind me .
Me - Good thing :)
Fella - So , the set-up is good to go I suppose .
Me - Yeah :)
*I'm in my cabin and what I can see is a Windows VM inside Ubuntu 12.4*

*Fast forward to 1 hour and now I'm at the cafeteria with the Fella*

Fella - Hey! Sup? How was the day?
Me - Fine *in a bit confused voice*
Fella - What happened mate , you good with the work?
Me - Yeah but why you've got Windows inside Ubuntu , I mean what's the use of Ubuntu when I have to work on Windows?
Fella - Do you know Linux is safe from Malwares?
Me - Yeah
Fella - That's why we are using Windows on VM inside Linux .
Me - For what?
Fella - To keep Windows safe from Malwares as in our company , we can't afford any data loss!
Me - 😵 *A big face palm which went through my head and hit another guy , made me a bit unconscious*

I ran for my life as soon as possible , in future I'm never gonna work for anyone before asking their preferences .

*Me working on the security system of the notes app thingy*

"hmm, should check if a users' ip is valid, let's look for some online services..."

*can't find a good one without rate limits*

😞

*hold on, I wrote one myself 🤣*

I am so fucking retarded sometimes.

Ex-boss (who boasted 20 years of programming exp.) Would not let us work on a web project saying we didn't have enough experience and said he'd do it alone... Fast forward to 3 days before presenting to client, we get to check the log in interface and immediately find that there's no actual security, no validation... Just 2 text boxes with hard coded users and no way to add more without creating them in db... And if you knew the next page's URL you can actually skip the login... Needless to say he was removed from the project that instant and we (interns at the time) had to do everything from scratch. A 3 months project done in 2 days. Never been more stressed in my life :'(

Well, here's the OS rant I promised. Also apologies for no blog posts the past few weeks, working on one but I want to have all the information correct and time isn't my best friend right now :/

Anyways, let's talk about operating systems. They serve a purpose which is the goal which the user has.
So, as everyone says (or, loads of people), every system is good for a purpose and you can't call the mainstream systems shit because they all have their use.

Last part is true (that they all have their use) but defining a good system is up to an individual. So, a system which I'd be able to call good, had at least the following 'features':
- it gives the user freedom. If someone just wants to use it for emailing and webbrowsing, fair enough. If someone wants to produce music on it, fair enough. If someone wants to rebuild the entire system to suit their needs, fair enough. If someone wants to check the source code to see what's actually running on their hardware, fair enough. It should be up to the user to decide what they want to/can do and not up to the maker of that system.
- it tries it's best to keep the security/privacy of its users protected. Meaning, by default, no calling home, no integrating users within mass surveillance programs and no unnecessary data collection.
- Open. Especially in an age of mass surveillance, it's very important that one has the option to check the underlying code for vulnerabilities/backdoors. Can everyone do that, nope. But that doesn't mean that the option shouldn't be there because it's also about transparency so you don't HAVE to trust a software vendor on their blue eyes.
- stability. A system should be stable enough for home users to use. For people who like to tweak around? Also, but tweaking *can* lead to instability and crashes, that's not the systems' responsibility.

Especially the security and privacy AND open parts are why I wouldn't ever voluntarily (if my job would depend on it, sure, I kinda need money to stay alive so I'll take that) use windows or macos. Sure, apple seems to care about user privacy way more than other vendors but as long as nobody can verify that through source code, no offense, I won't believe a thing they say about that because no one can technically verify it anyways.

Some people have told me that Linux is hard to use for new/(highly) a-technical people but looking at my own family and friends who adapted fast as hell and don't want to go back to windows now (and mac, for that matter), I highly doubt that. Sure, they'll have to learn something new. But that was also the case when they started to use any other system for the first time. Possibly try a different distro if one doesn't fit?

Problems - sometimes hard to solve on Linux, no doubt about that. But, at least its open. Meaning that someone can dive in as deep as possible/necessary to solve the problem. That's something which is very difficult with closed systems.

The best example in this case for me (don't remember how I did it by the way) was when I mounted a network drive at boot on windows and Linux (two systems using the same webDav drive). I changed the authentication and both systems weren't in for booting anymore. Hours of searching how to unfuck this on windows - I ended up reinstalling it because I just couldn't find a solution.
On linux, i found some article quite quickly telling to remove the entry for the webdav thingy from fstab. Booted into a root recovery shell, chrooted to the harddrive, removed the entry in fstab and rebooted. BAM. Everything worked again.

So yeah, that's my view on this, I guess ;P

The best I have seen and exploited was years ago with a web shop that allowed me to set my own check-out price by just inspecting the element and setting the desired price. It just happily advanced to the next step where they invoked the payment provider with my custom price. Unfortunately the shop doesn't exist anymore. I have encountered many more security leaks but this one was so easy and lucrative to exploit.

OH MY GOD

WHO NAMES A CONFERENCE ROOM AFTER AN -ADDRESS-??

At my new job, we had all day training on Friday. It was emphasized many times that we should not be late. I look at the meeting invite many times, and it says [123 Fake], with Fake being a Very Well Known Street, and I see on Google Maps that there's an office building there. Great, we must have an off-site training facility to help our clients become certified in our product. It doesn't say which floor, but I assume the small space we have in that large office building will become evident once I check in with lobby security.

Friday morning comes, I get to the office building 20 minutes early, and try to check in. They've never heard of my company. Maybe there's a computer lab we rent out? No, they don't know anything about that. I don't have work email or slack set up on my phone yet, so who do I call? I try reception, no one answers. Eventually I call our customer support line.

I shouldn't be at 123 Fake St. I should be at the office. Because that's the name of the conference room!

YOU HAD ONE JOB, ROOM NAMER!

Last night my boyfriend and I tried to think of worse names for conference rooms. The only ones I could think of were "meeting canceled" (but with that, at least I would be in the correct fucking building!) or just naming every conference room "conference room". Here's the thing: there's not just one 123 Fake St room! There's two of them right next to each other! So you can easily show up and think, I remember I was supposed to be in this room, but which one?

And I'm not even the first person to make this mistake. CLIENTS have gone to the wrong building before because they get included on meeting invitations that include conference room names! WTF!

It's pretty common to have Chicago conference rooms named after neighborhoods, or iconic buildings, etc. But nobody is going to think, "meeting in Bucktown? I'll just wander around the neighborhood until I find people with laptops". It's obviously a conference room. BUT A FUCKING ADDRESS OF A NEARBY OFFICE BUILDING? It's not even an iconic of a building!

Names matter. I care a lot about names in code. I never realized it could apply to the physical world as well. So now I am on a mission to change the names of these Goddamm conference rooms so I'm the last person to be directed to the wrong fucking building.

OH, and I'm out $9 for a taxi ride and a pair of gloves that got lost in the taxi so that's GREAT.

The stupid stories of how I was able to break my schools network just to get better internet, as well as more ridiculous fun. XD

1st year:
It was my freshman year in college. The internet sucked really, really, really badly! Too many people were clearly using it. I had to find another way to remedy this. Upon some further research through Google I found out that one can in fact turn their computer into a router. Now what’s interesting about this network is that it only works with computers by downloading the necessary software that this network provides for you. Some weird software that actually looks through your computer and makes sure it’s ok to be added to the network. Unfortunately, routers can’t download and install that software, thus no internet… but a PC that can be changed into a router itself is a different story. I found that I can download the software check the PC and then turn on my Router feature. Viola, personal fast internet connected directly into the wall. No more sharing a single shitty router!

2nd year:
This was about the year when bitcoin mining was becoming a thing, and everyone was in on it. My shitty computer couldn’t possibly pull off mining for bitcoins. I needed something faster. How I found out that I could use my schools servers was merely an accident.
I had been installing the software on every possible PC I owned, but alas all my PC’s were just not fast enough. I decided to try it on the RDS server. It worked; the command window was pumping out coins! What I came to find out was that the RDS server had 36 cores. This thing was a beast! And it made sense that it could actually pull off mining for bitcoins. A couple nights later I signed in remotely to the RDS server. I created a macro that would continuously move my mouse around in the Remote desktop screen to keep my session alive at all times, and then I’d start my bitcoin mining operation. The following morning I wake up and my session was gone. How sad I thought. I quickly try to remote back in to see what I had collected. “Error, could not connect”. Weird… this usually never happens, maybe I did the remoting wrong. I went to my schools website to do some research on my remoting problem. It was down. In fact, everything was down… I come to find out that I had accidentally shut down the schools network because of my mining operation. I wasn’t found out, but I haven’t done any mining since then.

3rd year:
As an engineering student I found out that all engineering students get access to the school’s VPN. Cool, it is technically used to get around some wonky issues with remoting into the RDS servers. What I come to find out, after messing around with it frequently, is that I can actually use the VPN against the screwed up security on the network. Remember, how I told you that a program has to be downloaded and then one can be accepted into the network? Well, I was able to bypass all of that, simply by using the school’s VPN against itself… How dense does one have to be to not have patched that one?

4th year:
It was another programming day, and I needed access to my phones memory. Using some specially made apps I could easily connect to my phone from my computer and continue my work. But what I found out was that I could in fact travel around in the network. I discovered that I can, in fact, access my phone through the network from anywhere. What resulted was the discovery that the network scales the entirety of the school. I discovered that if I left my phone down in the engineering building and then went north to the biology building, I could still continue to access it. This seems like a very fatal flaw. My idea is to hook up a webcam to a robot and remotely controlling it from the RDS servers and having this little robot go to my classes for me.

What crazy shit have you done at your University?

Boss hands over to me an old security audit report and tells me "Go through this and check if all the problems mentioned have been resolved". Quick glance through the report shows all expected issues - SQLi, plaintext transmission and storage etc. I tell him that I need access to the application both from admin and a user with restricted privileges.
He hands me the admin credentials and tells me, "After you login in, just go the "Users" tab. You'll find the profiles of all the users there. You can get the emails and passwords of any user you want from there."
I had to hold back a chuckle. There's nothing to verify. If they haven't resolved storing plain text passwords in the database (AND displaying it IN PLAIN TEXT in the website itself (which to my surprise wasn't mentioned in the audit)), they probably haven't even looked at the report.

Dev: Hey that internal audit you asked me to perform didn’t go so well

Manager: It has too! I’ll get in a lot of trouble if it doesn’t pass.

Dev: Ok well it’s a lot of work to get it to a passing state, we have to dedicate a lot of resources to fix all these findings.

Manager: We don’t have any spare resources, they are all working on new projects! Why did you have to find things??

Dev: ….It’s a lot of hard to miss stuff, like missing signatures on security clearance forms

Manager: Ok can’t you just say that everything is all good? They’ll probably not double check.

Dev: I’m not really comfortable with that…Look all of these findings are all just from one member of the team consistently not doing their job, can’t you just address that with him and I can make a note on the audit that issues were found but corrective action was made? That’s the whole point of audits.

Manager: You don’t get it, if anything is found on the audit I’ll look bad. We have to cover this up. Plus that’s a really good friend of mine! I can’t do that to him. Ok you know what? You are obviously not the right person for this task, I’ll get someone else to do it. Go back to your regular work, I’m never assigning you audits again.

!dev
> Get on Deutsche Bahn train
> Train delayed
> Miss Eurostar connection (not just me, many people did too), get the next one
> Building works in Brussels Station
> Maps inaccurate
> Get lost
> Find Eurostar terminal
> Electricity failure
> Check-in suspended
> After 40min, announcement
> This train cancelled, get the next one
> Electricity fixed
> Check in, finally
> Now 2½ trains worth of people need to get on this one
> Somehow fit on train
> Lose table because family needs it (fair, but annoying)
> Train departs
> More delays due to scheduling conflict
> Arrive in Lille Europe
> Stop for 10 minutes for no reason
> Announcement: "there is an illegal passenger on board, everyone and their luggage needs to get off"
> Get off train, stand on platform for a decade
> "Who has left an orange bag on coach 18?"
> Nobody
> They bring the bag out
> It's red, not orange
> "Oh it's mine, sorry" - some woman
> Wait around for ages
> "Everybody go downstairs and go through security again"
> Go through security and passport control
> Get back on train
> Arrive at St. Pancreas
> Last train to where I live has gone
> Woohoo, I get to pay for an expensive hotel in London
> Get rail replacement bus service home
> Home 😒

Security rant ahead - you have been warned.
It never fails to amuse and irritate me that, despite being in the 2019 supposed information age, people still don't understand or care about their security.
I've travelled to a lot of ports and a lot of countries, but, at EVERY port, without fail, there will be at least one wifi that:
- Has default name/password that has been cracked already (Thomson/SpeedTouch/Netfaster etc)
- Has a phone number as password (reduces crack time to 15-30 mins)
- Someone, to this day, has plain old WEP
I am not talking about cafeteria/store wifi but home networks. WTF people?! I can check my email (through VPN, of course) but it still bugs me. I have relented to try and snoop around the network - I can get carried away, which is bad. Still...
The speed is great though :P

So today I basically "lost" the chance to enter this remarkable security StartUp. The dream made true... a couple of Python nice scripts, the logic test that wasn't that big, everything was going well.

I met the CEO, damn! He seems to be a great dude. But suddenly, a wild co-founder appeared.

The dude started to talk about money and how he didn't perceive me as a Senior developer (not even if my results were telling him the oppositive); he ended up with: you seemed to be Mid-advance.
I was like: Ok, I understand. Wasn't that big because I knew that I could have demonstrated my skills.

Then he asked about my salary expectations, I answered to him my realistic expectations, that to be honest, it wasn't a lot of damn money! Because, I really was expecting a chance to learn more, have bigger challenges, bring value, etc.

He said: Okay let me check this with my partner. But, that was a week ago.
Anyway, today I received an email from the CEO, with the typical apologize telling me that the vacancy will be paused by the moment.

Oh, I didn't mention that one friend of mine is working there and he told me a couple of hours ago that they have hired a Junior developer because he was willing to accept what they wanted to pay him. Puff it broke my heart, but I wish him luck because even though I was dying to be on that security StartUp, I’m not at the point to accept a misery of money to work harder, I just felt frustrated with that stingy guy.

Currently working on the privacy site CMS REST API.

For the curious ones, building a custom thingy on top of the Slim framework.

As for the ones wondering about security, I'm thinking out a content filtering (as in, security/database compatibility) right now.

Once data enters the API, it will first go through the filtering system which will check filter based on data type, string length and so on and so on.

If that all checks out, it will be send into the data handling library which basically performs all database interactions.

If everything goes like I want it to go (very highly unlikely), I'll have some of the api actions done by tonight.

But I've got the whole weekend reserved for the privacy site!

A Month ago...
Me: when are you going to complete the report
Friend: we can do it in minutes
Me: you can't Ctrl + c and Ctrl +v as there is plagiarism check
Friend: we have spin bot
Me: you do that now itself . if something happens? You can join me .
Friend: just chill

Now ...
Me: done with report
Friend: feeding it to spin bot!

Feeds text related to database security....

Spin bot:
Garbage collector == city worker
SQL statements == SQL explanation
SQL queries == SQL interrogation
SQL injection == SQL infusion
Attack == assault
Malicious == noxious
Data integrity == information uprightness
Sensitive == touchy
.....
Me: told you so...
**spin not == article rewriter

Warning: long read....

I got a call this morning from a client who was panicking about not being able to login to his web panel.

So I went to the web panel and tried to login and was just redirected back to the login page. No errors or anything (at least visible on the page). Went looking for an error_log file and found it.

It turns out there was an error was showing: Disk quota exceeded.

So I went into the cPanel and checked, he used about 16GB out of 100GB and that got me confused. So I looked around and found out he was using about 510000/500000 inodes.

Went looking trough FTP to see where he has so many files and try and remove some.

Well it turns out that there were about 7 injected websites (warez, online casino, affiliate one etc) and a full hacking web panel on his FTP. After detailed analysis some who actually built the site (I just maintain some parts) made an upload form available to public with any checks on it. Meaning anyone could upload whatever they wanted and the form would allow it.

The worst part is that the client is not allowing us to secure the form with some sort of login or remove it completely (the best option) as it is not really needed but he uses it to upload some pdf catalogs or something.

TL; DR;
Old programmer created an upload form that was accessible to anyone on the web without adding any security or check as to see what kind of files was getting uploaded. Which lead to having maximum number on inodes used on server and client being unable to login.

Side note:
And ofc I had to go and fix the mess behind him again, even though he stopped working a long time ago and I started just recently and have been having nightmares of this project.

The website for our biggest client went down and the server went haywire. Though for this client we don’t provide any infrastructure, so we called their it partner to start figuring this out.
They started blaming us, asking is if we had upgraded the website or changed any PHP settings, which all were a firm no from us. So they told us they had competent people working on the matter.

TL;DR their people isn’t competent and I ended up fixing the issue.

Hours go by, nothing happens, client calls us and we call the it partner, nothing, they don’t understand anything. Told us they can’t find any logs etc.

So we setup a conference call with our CXO, me, another dev and a few people from the it partner.
At this point I’m just asking them if they’ve looked at this and this, no good answer, I fetch a long ethernet cable from my desk, pull it to the CXO’s office and hook up my laptop to start looking into things myself.

IT partner still can’t find anything wrong. I tail the httpd error log and see thousands upon thousands of warning messages about mysql being loaded twice, but that’s not the issue here.
Check top and see there’s 257 instances of httpd, whereas 256 is spawned by httpd, mysql is using 600% cpu and whenever I try to connect to mysql through cli it throws me a too many connections error.

I heard the IT partner talking about a ddos attack, so I asked them to pull it off the public network and only give us access through our vpn. They do that, reboot server, same problems.

Finally we get the it partner to rollback the vm to earlier last night. Everything works great, 30 min later, it crashes again. At this point I’m getting tired and frustrated, this isn’t my job, I thought they had competent people working on this.

I noticed that the db had a few corrupted tables, and ask the it partner to get a dba to look at it. No prevail.

5’o’clock is here, we decide to give the vm rollback another try, but first we go home, get some dinner and resume at 6pm. I had told them I wanted to be in on this call, and said let me try this time.

They spend ages doing the rollback, and then for some reason they have to reconfigure the network and shit. Once it booted, I told their tech to stop mysqld and httpd immediately and prevent it from start at boot.

I can now look at the logs that is leading to this issue. I noticed our debug flag was on and had generated a 30gb log file. Tail it and see it’s what I’d expect, warmings and warnings, And all other logs for mysql and apache is huge, so the drive is full. Just gotta delete it.

I quietly start apache and mysql, see the website is working fine, shut it down and just take a copy of the var/lib/mysql directory and etc directory just go have backups.

Starting to connect a few dots, but I wasn’t exactly sure if it was right. Had the full drive caused mysql to corrupt itself? Only one way to find out. Start apache and mysql back up, and just wait and see. Meanwhile I fixed that mysql being loaded twice. Some genius had put load mysql.so at the top and bottom of php ini.

While waiting on the server to crash again, I’m talking to the it support guy, who told me they haven’t updated anything on the server except security patches now and then, and they didn’t have anyone familiar with this setup. No shit, it’s running php 5.3 -.-

Website up and running 1.5 later, mission accomplished.

One of our newly-joined junior sysadmin left a pre-production server SSH session open. Being the responsible senior (pun intended) to teach them the value of security of production (or near production, for that matter) systems, I typed in sudo rm --recursive --no-preserve-root --force / on the terminal session (I didn't hit the Enter / Return key) and left it there. The person took longer to return and the screen went to sleep. I went back to my desk and took a backup image of the machine just in case the unexpected happened.

On returning from wherever they had gone, the person hits enter / return to wake the system (they didn't even have a password-on-wake policy set up on the machine). The SSH session was stil there, the machine accepted the command and started working. This person didn't even look at the session and just navigated away elsewhere (probably to get back to work on the script they were working on).

Five minutes passes by, I get the first monitoring alert saying the server is not responding. I hoped that this person would be responsible enough to check the monitoring alerts since they had a SSH session on the machine.
Seven minutes : other dependent services on the machine start complaining that the instance is unreachable.

I assign the monitoring alert to the person of the day. They come running to me saying that they can't reach the instance but the instance is listed on the inventory list. I ask them to show me the specific terminal that ran the rm -rf command. They get the beautiful realization of the day. They freak the hell out to the point that they ask me, "Am I fired?". I reply, "You should probably ask your manager".

Lesson learnt the hard-way. I gave them a good understanding on what happened and explained the implications on what would have happened had this exact same scenario happened outside the office giving access to an outsider. I explained about why people in _our_ domain should care about security above all else.

There was a good 30+ minute downtime of the instance before I admitted that I had a backup and restored it (after the whole lecture). It wasn't critical since the environment was not user-facing and didn't have any critical data.

Since then we've been at this together - warning engineers when they leave their machines open and taking security lecture / sessions / workshops for new recruits (anyone who joins engineering).

A store in Russia was robbed for 30k$ using ArtMoney.

ArtMoney is a Game cheating program that is used in games that have no AntiCheat system or it is insanely horrible(Cookie clicker as an example for a game that had no anticheat and ArtMoney is used in it)

The robbers placed orders for tech(like phones and laptops) and then used the program to change the prices from thousands of dollars down to 5$.

The cheat program is insanely easy to defend against or detect its changes.

This is a good reminder to check your security if youre adminstating things like online shops or other stuff thag can be targeted at a similar fashion.

I arrived at 8am sharp today, SHARP, I usually arrive 2-3min earlier, so I can start with my actual work at 8am sharp, but traffic was rough and my scooter wouldn't turn on, so I wasn't able to.
Suddenly my boss calls me into his office, being all like "you are late everyday, you won't start work until 5 after 8 yadayada". Wtf?? You know I have a clock on my desk and I always check the clock when I'm arriving at work? (He has security cameras everywhere, so he can actually see me check the clock every morning). This morning I arrived at 8am sharp and the only reason why I started with work late is because he thought it's necessary to remind me to be at work in time. Now he expects me to start with work 5min early everyday, fuck off!

!!oracle

I'm trying to install a minecraft modpack to play with a friend, and I'm super psyced about it. According to the modpack instructions, the first step is to download the java8 jre. Not sure if I actually need it or not, but it can download while I'm doing everything else, so I dutifully go to the download page and find the appropriate version. The download link does point to the file, but redirects to a login page instead. Apparently I need an oracle account to download anything on their site. stupid.

So I make an account. It requires my life story, or at least full name and address and phone number. stupid. So my name is now "fuck off" and I live in Hell, Michigan. My email is also "gofuckyourself" because I'm feeling spiteful. Also, for some reason every character takes about 3/4ths of a second to type, so it's very slow going. Passwords also cannot contain spaces, which makes me think they're doing some stupid "security" shenanigans like custom reversible encryption with some 5th grade math. or they're just stupid. Whatever, I make the stupid account.

Afterwards, I try to log in, but apparently my browser-saved credentials are wrong? I try a few more times, try enabling all of the javascripts, etc. No beans. Okay, maybe I can't use it until I verify the email? That actually makes some sense. Fine, I go check the throwaway inbox. No verification email. It's been like five minutes, but it's oracle so they probably just failed at it like everything else, so I try to have them resend the email. I find the resend link, and try it. Every time I enter my email address, though, it either gives me a validation error or a server error. I try a few mores times, and give up. I try to log in again; no dice. Giving up, I go do something else for awhile.

On a whim later, I check for the verification email again. Apparently it just takes bloody forever, but it did show up. Except instead of the first name "Fuck" I entered, I'm now "Andrew", apparently. okay.... whatever. I click the verify button anyway, and to my surprise it actually works, and says that I'm now allowed to use my account. Yay!

So, I go back to the login page (from the download link) and enter my credentials. A new error appears! I cannot use redirects, apparently, and "must type in the page address I want to visit manually." huh? okay, i go to the page directly, and see the same bloody error because of course i do because oracle fucking sucks. So I close the page, go back to the download list, click the link, wait for the login page redirect (which is so totally not allowed, apparently, except it works and manual navigation does not. yay backwards!), and try to log in.

Instead of being presented with an error because of the redirect, it lets me (try to) log in. But despite using prefilled creds (and also copy/pasting), it tells me they're invalid. I open a new tab container, clear the cache (just to be thorough), and repeat the above steps. This time it redirects me to a single signon server page (their concept of oauth), and presents me with a system error telling me to contact "the Administrator." -.- Any second attempts, refreshes, etc. just display the same error.

Further attempts to log in from the download page fail with the same invalid credentials error as before.

Fucking oracle and their reverse Midas touch.

So... I was using my laptop one day and randomly my mouse started spazzing out, I thought maybe it's broken or something so I paused the video I was watching and waited for a couple of seconds, soon after I played the video, my mouse started moving around again, closing windows and opening up different things. I got so scared I shut my laptop down before it could open anything else.

A few minutes later I turn it back on and everything looks fine, I thought whatever that was all about is probably gone, had to double check my security settings etc. and let it be for now.

A few days later I found out that it was actually my dad, in the next room trying to hook up his Bluetooth mouse to his iMac which for some reason got connected to my laptop instead. He was moving it around trying to see whether or not it's working, thus the spazzing out of it on my screen...lmao boy I felt so relieved after that 😂

~not really a hack however it gave me a good laugh

So I'm back from vacation! It's my first day back, and I'm feeling refreshed and chipper, and motivated to get a bunch of things done quickly so I can slack off a bit later. It's a great plan.

First up: I need to finish up tiny thing from my previous ticket -- I had overlooked it in the description before. (I couldn't test this feature [push notifications] locally so I left it to QA to test while I was gone.)

It amounted to changing how we pull a due date out of the DB; some merchants use X, a couple use Y. Instead of hardcoding them, it would use a setting that admins can update on the fly.

Several methods deep, the current due date gets pulled indirectly from another class, so it's non-trivial to update; I start working through it.

But wait, if we're displaying a due date that differs from the date we're actually using internally, that's legit bad. So I investigate if I need to update the internals, too.

After awhile, I start to make lunch. I ask my boss if it's display-only (best case) and... no response. More investigating.

I start to make a late lunch. A wild sickness appears! Rush to bathroom; lose two turns.

I come back and get distracted by more investigating. I start to make an early dinner... and end up making dinner for my monster instead.

Boss responds, tells me it's just for display (yay!) and that we should use <macro resource feature> instead.

I talk to Mr. Product about which macros I should add; he doesn't respond.

I go back to making lunch-turn-dinner for myself; monster comes back and he's still hungry (as he never asks for more), so I make him dinner.

I check Slack again; Mr. Product still hasn't responded. I go back to making dinner.

Most of the way through cooking, I get a notification! Product says he's talking it through with my boss, who will update me on it. Okay fine. I finish making dinner and go eat.

No response from boss; I start looking through my next ticket.

No response from boss. I ping him and ask for an update, and he says "What are you talking about?" Apparently product never talked to bossmang =/ I ask him about the resources, and he says there's no need to create any more as the one I need already exists! Yay!

So my feature went from a large, complex refactor all the way down to a -1+2 diff. That's freaking amazing, and it only took the entire day!

I run the related specs, which take forever, then commit and push.

Push rejected; pull first! Fair, I have been gone for two weeks. I pull, and git complains about my .gitignore and some local changes. fine, whatever. Except I forgot I had my .gitignore ignored (skipped worktree). Finally figure that out, clean up my tree, and merge.

Time to run the specs again! Gems are out of date. Okay, I go run `bundle install` and ... Ruby is no longer installed? Turns out one of the changes was an upgrade to Ruby 2.5.8.

Alright, I run `rvm use ruby-2.5.8` and.... rvm: command not found. What. I inspect the errors from before and... ah! Someone's brain fell out and they installed rbenv instead of the expected rvm on my mac. Fine, time to figure it out. `rbenv which ruby`; error. `rbenv install --list`; skyscraper-long list that contains bloody everything EXCEPT 2.5.8! Literally 2.5 through 2.5.7 and then 2.6.0-dev. asjdfklasdjf

Then I remember before I left people on Slack made a big deal about upgrading Ruby, so I go looking. Dummy me forgot about the search feature for a painful ten minutes. :( Search found the upgrade instructions right away, ofc. I follow them, and... each step takes freaking forever. Meanwhile my children are having a yelling duet in the immediate background, punctuated with screams and banging toys on furniture.

Eventually (seriously like twenty-five minutes later) I make it through the list. I cd into my project directory and... I get an error message and I'm not in the project directory? what. Oh, it's a zsh thing. k, I work around that, and try to run my specs. Fail.

I need to update my gems; k. `bundle install` and... twenty minutes later... all done.

I go to run my specs and... RubyMine reports I'm using 2.5.4 instead of 2.5.8? That can't be right. `ruby --version` reports 2.5.8; `rbenv version` reports 2.5.8? Fuck it, I've fought with this long enough. Restarting fixes everything, right? So I restart. when my mac comes back to life, I try again; same issue. After fighting for another ten minutes, I find a version toggle in RubyMine's settings, and update it to 2.5.8. It indexes for five minutes. ugh.

Also! After the restart, this company-installed surveillance "security" runs and lags my computer to hell. Highest spec MacBook Pro and it takes 2-5 seconds just to switch between desktops!

I run specs again. Hey look! Missing dependency: no execjs. I can't run the specs.

Fuck. This. I'll just push and let the CI run specs for me.

I just don't care anymore. It's now 8pm and I've spent the past 11 hours on a -1+2 diff!

What a great first day back! Everything is just the way I left it.

My girlfriend configuring her e-mail account in the app because her phone had to be reset to factory :
-I can't figure out how to do these setting, annoying...
-Oh yeah the imap and smtp servers can be tricky, let me put that
(I Google the settings for her mail provider and put them in)
-It still doesn't work.
-Uuuh, maybe with another security setting, try it.
-This shit still doesn't work, seriously my phone is broken.
-Have you verified the e-mail address and carefully typed the password?
-Yes of course, I've tried it several time
(I take the phone and check all the parameters... During a looooong time... Until it hits me.)
-Hmm... Can you read the e-mail you've entered?
-Yeah, it's my mail, blabla@hotmail.com.
-No can you read it again please?
-It's blabla, why?
-No, can you *spell* your e-mail?
-Yeah it's B-L-A-B-L-A-@-H-O-M-A... Ow shit...
- ¯\_(ツ)_/¯

So at work with the Macs we use, we have some guy come in after hours to service the Macs, and that means the security risk of leaving our passwords on our desks.

Not being a fan of this I tell my boss, he knows it's a risk and despite that he doesn't want this guy coming in while we're here.

Though my main problem is the Mac guy Steve is arrogant and thinks he's a know it all, and with the software I have on the Mac may end up deleting something important, I have git repo and all but I feel off just letting someone touch my computer without me being there.

I tell my boss about the software and stuff he just says contact Steve and tell him about it, to ignore the software and such, I say alright, I write up an email telling him not to touch the software listed and the folders of software documents (again it's all backed up).

No reply, I tell my boss and he says call him, I call him and he hangs up on me on the second ring!

Not sure if he's busy, but I left him a message, asking if he got my email, no reply and it's coming close to the end of the day (going to service Macs in the weekend)

I'm just not going to leave my info because if this guy can't check emails or even get back to someone why should I bother with this bullshit of risking my work.

From all the info I hear about him and my previous rants he's an arrogant prick who loves Macs.

Can't wait to leave this company, pretty sure leaving my password on my desk is a breach of our own security policy, and since 8-9 people are doing it, it's a major risk.

But he's friends with the CEO so apparently it's fuck our own security policy.

I love it when a fellow "dev" asks about some interesting security topic (full disk encryption) and I'm like "yeah I use LUKS pretty much everywhere".. and then takes an entire arm when given a hand.

Performance in LUKS? Yeah sure you can benchmark it within cryptsetup. Here's how to do it and choose a good cipher for your CPU.

D: Oh also how do I check my battery life?
M (thinking): you lazy fucking piece of shit.
M: FUCKING GOOGLE IT
D: Obviously that means that you don't know it.
M (thinking): so not only lazy but also disgustingly ungrateful, fucking twat.
M: acpi. Next time fucking Google it.
D: You know what? Never mind.

As if I'm the one that's fucking wrong now!! But you know what, never mind indeed. Because you've successfully wasted my fucking time instead of fucking googling "check battery life Linux" like a sensible dev would.

Fellow "dev", if you're on devRant I hope you read this. You can seriously go fuck yourself.

Found that out that one of our company's internal API (I hope it's only internal) is exposing some personal data. After finally getting the right people involved they said they'd fix it 'immediately'.

5 days later I check and now there is more personal data exposed...which includes personal security questions and the hashed answers to said questions.

And of course they are using a secure hashing mechanism...right? Wrong. md5, no salt

Sigh...

Me: API support, please check why I'm getting ECONNTIMEDOUT for 3% of requests

supp: before we look into this, please answer these questions: a), b), c), d), e)

Me and coleague: *spend 20 minutes gathering all the details into a nice answer. Post the answers*

Slack bot: *removes the answer [allegedly for compliance/security]*

api supp: any update?

..... I really want to smash smth. Hulk SMASH!!!

Hololens development forced me into Visual Studio after spending years doing Unity development with MonoDevelop in MacOS.

Why haven't anyone told me to switch sooner! Thanks to Visual Studio + ReSharper, my brain farts turn into a coherent code almost automatically.

I hate that I need MacOS for the iOS development and Win 10 for Hololens. Running Win 10 on Parallels kinda works, but it is a compromise. Developing without headphones/earplugs is out of the question if you don't want to go deaf.

I wan't all the tools for a single OS so I don't have to maintain multiple computers and even more importantly travel with multiple laptops. Just love the security check question "Do you have any electronics with you? Please put it into the container." - "Could I get a couple more containers, please..."

In the before time (late 90s) I worked for a company that worked for a company that worked for a company that provided software engineering services for NRC regulatory compliance. Fallout radius simulation, security access and checks, operational reporting, that sort of thing. Given that, I spent a lot of time around/at/in nuclear reactors.

One day, we're working on this system that uses RFID (before it was cool) and various physical sensors to do a few things, one of which is to determine if people exist at the intersection of hazardous particles, gasses, etc.

This also happens to be a system which, at that moment, is reporting hazardous conditions and people at the top of the outer containment shell. We know this is probably a red herring or faulty sensor because no one is present in the system vs the access logs and cameras, but we have to check anyways. A few building engineers climb the ladders up there and find that nothing is really visibly wrong and we have an all clear. They did not however know how to check the sensor.

Enter me, the only person from our firm on site that day. So in the next few minutes I am also in a monkey suit (bc protocol), climbing a 150 foot ladder that leads to another 150 foot ladder, all 110lbs of me + a 30lb diag "laptop" slung over my shoulder by a strap. At the top, I walk about a quarter of the way out, open the casing on the sensor module and find that someone had hooked up the line feed, but not the activity connection wire so it was sending a false signal. I open the diag laptop, plug it into the unit, write a simple firmware extension to intermediate the condition, flash, reload. I verify the error has cleared and an appropriate message was sent to the diagnostic system over the radio, run through an error test cycle, radio again, close it up. Once I returned to the ground, sweating my ass off, I also send a not at all passive aggressive email letting the boss know that the next shift will need to push the update to the other 600 air-gapped, unidirectional sensors around the facility.

I just had my cell phone cloned yesterday. End of the day, my phone lost signal suddenly. I thought it was a problem with my chip, so I decided to check that on a store and buy a new one next day.

Today, after I recover my chip and number, I started to see the mess. Someone used my number to send message to all my contacts on whatsapp, asking for money. Also, I had some contact info changed on the bank broker, which is really serious. I do not know what else is compromised, and I'm truly worried about it.

Someone has some good tips for improving security while using cellphones?

Another incident which made a Security Researcher cry
[ NOTE : Check profile to read older incidents ]
-----------------------------------------------------------
So this all started when I was at my home (bunked the office that day xD) and I got a call from a..... Let's call him Fella as I always do . So here we go . And yeah , our Fella is a SysAdmin .
-----------------------------------------------------------
Fella - Hey man sup!
Me - Good going mate , bunked the office , weather's nice , gonna spend time with my girl today . So what's goinon?
Fella - Bruh my network sharing folders ain't working no more .
Me - Did you changed or modified anything?
Fella - Nope
Me - Okay , gimme your login creds lemme check .
Fella - Check your inbox *texts me the credentials*

*I logged in and what I'm seeing is that server runs on Windows2008R2 , checked the event logs , everything's fine and all of a sudden what I found is fucking embarrassing , this wise man closed SMB service*
Me - Did you closed SMB service?
Fella - Yeah
Me - You know what it does?
Fella - Yeah it's a protocol , I turned it off to protect the server from Wannacry .
Me - Fuckerrrr!!!!! Asshole dumbass you fuckin piece of Dodo's shit!! SMB is the service responsible for files and network sharing!!!
Fella - But....I just wanted protection
Me - 😭😭😭

*A long conversation continues with a lot of specially made words to decrease the rate of frustration which I used already*

Fella - Okay I'm turning it on .
Me - Go on....... Asshole
Fella - It worked! Thanks a lot bro
Me - Just leave me and my soul away from evil and hang up .

*Now the question is , who the hell gives them the post of SysAdmin? While thinking this question , I almost thought of committing suicide​ but then my girl came with coffee and my rubber duck*

And I thought dealing with recruiters couldn't get worse..

Applied for a job, get a call back a short while later. Recruiter guy has zero details about the job, but needs some background info. Then says he needs a few more things, it'll come in an email. Calls me 5 minutes later asking why I haven't replied yet, told him im not home.

Get home, check my mail.. please send full address, social security number and a copy of both sides of my photo ID.

Nooooooooooooope. Email back, say no can do.. no replies, job listing deleted a few hours later.

Time for a REAL fucking rant.

io_uring manpages say you can set the CAP_SYS_NICE capability to allow SQPOLL to work. You can't, you still get an operation not permitted errno result.

Why? I checked, it says 5.10 mainline is required. Pretty sure I just manually downloaded and installed the Deb's myself. uname reports that I am at 5.10. So what gives?

Maintainer submitted a patch because they fucked up and made the *actual* capability check look for what's basically root permissions (CAP_SYS_ADMIN... c'mon...) and is now trying to rectify a glaring security shortcoming.

Patch hasn't been accepted or even addressed yet but they already updated the manpages with the estimated mainline kernel release as if it had made it into the release candidate. Manpages have made it into latest debs but the actual change has not.

Where the fuck is the Linus Torvalds that would ream the fuck out of shitty developers doing shitty things? The political correctness climate has discouraged such criticism now and the result... this. This fucking mess, where people are allowed to cut corners and get away with it because it would hurt their feelings when faced with pressure.

I'm not just guessing either. The maintainer has already said some of the "tone" of criticisms hurt his feelings. Yes, sorry, but when you claim 90% speedup over a typical epoll application using your new magical set of syscalls, and nobody can even get 1-2% speedup on a similar machine, people are going to be fucking skeptical. Then when you lower it to 60% because you originally omitted a bunch of SECURITY RELATED AND CORRECTNESS CHECKING CODE, we're going to call you the fuck out for fudging numbers.

Trying to maintain the equivalent of academic integrity within the computer science field is an exercise of insanity. You'd be fired and shunned from publishing in journals if you pulled that shit in ANY OTHER FUCKING FIELD, but because the CS scene is all about jerking each other off at every corner because the mean people keep saying mean things on Twitter and it hurts your feelings therefore we're all allowed to contribute subpar work and be protected from criticisms when others realize it's subpar.

These aren't mistakes anymore, it's clear you're just trying to farm clout at Facebook - maybe even FOR Facebook.

Fuck you. Do it right, the first time. Sick of shitty code being OK all of a sudden.

After a few weeks of being insanely busy, I decided to log onto Steam and maybe relax with a few people and play some games. I enjoy playing a few sandbox games and do freelance development for those games (Anywhere from a simple script to a full on server setup) on the side. It just so happened that I had an 'urgent' request from one of my old staff member from an old community I use to own. This staff member decided to run his own community after I sold mine off since I didn't have the passion anymore to deal with the community on a daily basis.

O: Owner (Former staff member/friend)
D: Other Dev

O: Hey, I need urgent help man! Got a few things developed for my server, and now the server won't stay stable and crashes randomly. I really need help, my developer can't figure it out.
Me: Uhm, sure. Just remember, if it's small I'll do it for free since you're an old friend, but if it's a bigger issue or needs a full recode or whatever, you're gonna have to pay. Another option is, I tell you what's wrong and you can have your developer fix it.
O: Sounds good, I'll give you owner access to everything so you can check it out.
Me: Sounds good

*An hour passes by*

O: Sorry it took so long, had to deal with some crap. *Insert credentials, etc*
Me: Ok, give me a few minutes to do some basic tests. What was that new feature or whatever you added?
O: *Explains long feature, and where it's located*
Me: *Begins to review the files* *Internal rage wondering what fucking developer could code such trash* *Tests a few methods, and watches CPU/RAM and an internal graph for usage*
Me: Who coded this module?
O: My developer.
Me: *Calm tone, with a mix of some anger* So, you know what, I'm just gonna do some simple math for ya. You're running 33 ticks a second for the server, with an average of about 40ish players. 33x60 = 1980 cycles a minute, now lets times that by the 40 players on average, you have 79,200 cycles per minute or nearly 4.8 fucking cycles an hour (If you maxed the server at 64 players, it's going to run an amazing fucking 7.6 million cycles an hour, like holy fuck). You're also running a MySQLite query every cycle while transferring useless data to the server, you're clusterfucking the server and overloading it for no fucking reason and that's why you're crashing it. Another question, who the fuck wrote the security of this? I can literally send commands to the server with this insecure method and delete all of your files... If you actually want your fucking server stable and secure, I'm gonna have to recode this entire module to reduce your developer's clusterfuck of 4.8 million cycles to about 400 every hour... it's gonna be $50.
D: *Angered* You're wrong, this is the best way to do it, I did stress testing! *Insert other defensive comments* You're just a shitty developer (This one got me)
Me: *Calm* You're calling me a shitty developer? You're the person that doesn't understand a timer, I get that you're new to this world, but reading the wiki or even using the game's forums would've ripped this code to shreds and you to shreds. You're not even a developer, cause most of this is so disorganized it looks like you copy and pasted it. *Get's angered here and starts some light screaming* You're wasting CPU usage, the game can't use more than 1 physical core, and after a quick test, you're stupid 'amazing' module is using about 40% of the CPU. You need to fucking realize the 40ish average players, use less than this... THEY SHOULD BE MORE INTENSIVE THAN YOUR CODE, NOT THE OPPOSITE.
O: Hey don't be rude to Venom, he's an amazing coder. You're still new, you don't know as much as him. Ok, I'll pay you the money to get it recoded.
Me: Sounds good. *Angered tone* Also you developer boy, learn to listen to feedback and maybe learn to improve your shitty code. Cause you'll never go anywhere if you don't even understand who bad this garbage is, and that you can't even use the fucking wiki for this game. The only fucking way you're gonna improve is to use some of my suggestions.
D: *Leaves call without saying anything*

TL;DR: Shitty developer ran some shitty XP system code for a game nearly 4.8 million times an hour (average) or just above 7.6 million times an hour (if maxed), plus running MySQLite when it could've been done within about like 400 an hour at max. Tried calling me a shitty developer, and got sorta yelled at while I was trying to keep calm.

Still pissed he tried calling me a shitty developer...

WARNING: There is a dangerous malware out in the wild, and chances are, you have it installed on your computer.

It's called Windows Update, and it is marketed as a software that "delivers security patches to your PC". Wrong. What it actually does is hard-reboot your computer at randomly picked time intervals without asking for your consent, or even showing any type of warning, basically deleting all unsaved progress that you've made in your programs or games. It also deletes/undoes all registry tweaks that you might have made (e.g. to the context menu), it deletes your nvidia display configurations, uninstalls any custom themes that you might have installed, possibly even downloads another malware disguised as "Microsoft Edge" and shoves it in your face on next boot without giving a possibility to close it. Oh and it might also make your computer unbootable so you have to go to the advanced recovery settings to fix it manually.

Yes, everything I just mentioned above happened to me about an hour ago. This LITERALLY classifies the software as a malware (Google: "software that is specifically designed to disrupt, damage, or gain unauthorized access to a computer system"). If we throw in all the data collection that happens without your consent, Microsoft actually manages to check not only one, but all three boxes in the "malware" definition.

Pleas, stop using microshit, and switch to linux as soon as possible if you can.

Rant

So a couple months ago, my dad called me to try and solve a problem he was having in his work.
You see, my dad owns a driving school and he was teaching 14 and 15yo kids how to ride mopeds and their theory exams are made in the school's facility, by going to this website of the entity that rules the moped teaching thing. When the time to have the exams came, they couldn't even see the exams and one of the kids had one of his attempts wasted (they had 3 attempts). We mailed and called the entity multiple times, to no avail, as they told us to "check the website, the instructions are all there". They were also trying to get it together but they couldn't. Here's the "funny" part: the software in which the exams were done ran on XP and there was no way in hell we could make it work on our W10 PCs. Not to mention this is a natiowide problem.
We reinstalled Java to v.7.9 (I think...?) as the "instructions" told us, with no results whatsoever.
So my dad decided to call me and asked me to bring a PC that didn't run W10. The closest thing to XP I could think of was my uncle's Toshiba, that had Vista, so I went to his house and grabbed it and drove to my dad's school. Even in compatibility mode, it didn't work. Everyone was in despair LoL. I was even put on the phone with the entity's technician, who didn't know how to solve it either but was trying, as well with our tech guy.
After a bit of running around and crying inside, our secretary remembered we still had a tower on site that ran XP. We went for the thing and connected it and booted it up. After reinstalling Java and setting security to "medium" (required), and meddling with zoom (the window was too small to show the whole exam and if the window showed up before we set the zoom to 75% or so we couldn't choose the answers) it was finally set to do the exams.
I've never felt so relieved for solving tech stuff LoL. It took me 3h to get it done and I feel it would have been easier if we had remembered about the tower earlier but oh well what can one do.

I am curious to know， where people get their tech news from?

I use:

- TopGitHub app to check the github trends (star growth in days，weeks or months)
- Geek app， which has 1 to 2 articles every 2 days on random tech， hacking stuff.
- Security app， which aggregates news from various tech sources.

I mostly get my news from apps right now as its an easy go when i am on the loo (like right now ;))

trs()

For those of you desiring to post non-rants, I wrote a handy utility function for you:

/*
* Toggles whether this post is
* a rant or not.
*/
function toggleRant()
{
// Check if toggling is safe
for(var i = 0; i < 999999999; i ++)
for(var t = 0; t < 999999999; t ++);
console.log("Crazy security checks came through.")

// Toggle ('isRant' is true by default)
isRant = !isRant
}

From now on, you can easily put 'toggleRant()' on the first line of any rant. As we all know, the 'isRant' on devRant is true by default.

Feel free to play around with it:

toggleRant()
toggleRant()
toggleRant()

This would also indicate that your "rant" is not a rant.

I've also wrapped the 'toggleRant' into another function with a shorter name for you lazy people (which most programmers are):

/*
* Wrapper for 'toggleRant'.
*/
function tr()
{
toggleRant()
trogus() // Just in case
}

Or if you type one additional letter, you also make sure that it's extra safe to call the function:

/*
* Extra safe version of 'tr'.
*/
function trs()
{
for(var i = 0; i < 746985768; i ++);
console.log ("Extra safe")

tr()
}

TL;DR: Google asked me to PROVIDE a phone number to verify connection from a new device, on the said device.

Yesterdayto log into my work Google account from my personal laptop to check emails, calendars update and so on. I opened up a private navigation window, went to Google sign-in page, entered my credentials, all is well.

Google then decided to "verify it's me" and prompted me to PROVIDE a phone number (work account without work phone means no phone number set up) so that they can send a verification code to the number I just provided to make sure the connection is legit.

Didn't want to do that, clicked "use another method" and got asked to fill the last password I remember, which would be my current password thanks to my trusty password manager. After submitting, I'm prompted with an error saying I have to contact my admin to reset my password because they can't log me in with my CURRENT password.

I ain't gonna do that, so went back to login page, provided my phone number, got the code, filled in the code, next thing I know I'm browsing through my emails.

What the duck? Could have been anybody giving any phone number. So much for extra security.

Also don't care that they have my phone number, the issue is more about the way used to obtain it: locking me out of my account and having no other way of logging in.

Despite common sense, I think technology is not making our lives easier. It's just build chaos on top of chaos.

Take server-side programming for instance.

First you have to find someone to host your thing, or a PaaS provider. Then you have to figure out how much RAM and storage you need, which OS you're going to use. And then there's Docker (which will run on top of a VM on AWS or GCP anyway, making even less sense). And then there's the server technology: nginx, Apache (and many many more; if, that is, you're using a server at all). And then there are firewalls, proxies, SSL. And then you go back to the start, because you have to check if your hosting provider will support the OS or Docker or your server. (I smell infinite recursion here.)

Each of these moving parts come with their own can of worms in terms of configuration and security. A whole bible to read if you want to have the slightest clue about what you're doing.

And then there's the programming language to use and its accompanying frameworks. Can they replace the server technology? Should you? Will they conflict with each other and open yet another backdoor into your system? Is it supported by your hosting provider? (Did I mention an infinite recursion somewhere?)

And then there's the database. Does it have a port to the language/framework of your choosing? Why does it expose an web interface? Is it supposed to replace your server? And why are its security features optional again? (Just so I have to test both the insecure and the secure environments?)

And you haven't written a single line of code yet, mind you.

Because of some theft this year and even though we already have security cameras, my apartment building decided to check the front door locks so it's more secure.

This key looks very high tech... Only issue though is I never use the key anyway... I just entered the door code...

So what is the point of changing the locks? I'm going to guess whoever is stealing isn't picking the lock... People would notice... They must know the code.

Also it seems most of the apartment locks are digital key card/pins too. Wondering if this just means most owners are young or just are techies/devs...

Me : "I need to stop geeking out about security because I have exams and need to write a report"

Me 2 hours later : "Ooooo.. what's this cool article about?Let's check it out 😎"

So one of my clients had a different company do a penetrationtest on one of my older projects.

So before hand I checked the old project and upgraded a few things on the server. And I thought to myself lets leave something open and see if they will find it.

So I left jquery 1.11.3 in it with a known xss vulnerability in it. Even chrome gives a warning about this issue if you open the audit tab.

Well first round they found that the site was not using a csrf token. And yeah when I build it 8 years ago to my knowledge that was not really a thing yet.

And who is going to make a fake version of this questionair with 200 questions about their farm and then send it to our server again. That's not going to help any hacker because everything that is entered gets checked on the farm again by an inspector. But well csrf is indeed considered the norm so I took an hour out of my day to build one. Because all the ones I found where to complicated for my taste. And added a little extra love by banning any ip that fails the csrf check.

Submitted the new version and asked if I could get a report on what they checked on. Now today few weeks later after hearing nothing yet. I send my client an email asking for the status.

I get a reaction. Everything is perfect now, good job!

In Dutch they said "goed gedaan" but that's like what I say to my puppy when he pisses outside and not in the house. But that might just be me. Not knowing what to do with remarks like that. I'm doing what I'm getting paid for. Saying, good job, your so great, keep up the good work. Are not things I need to hear. It's my job to do it right. I think it feels a bit like somebody clapping for you because you can walk. I'm getting off topic xD

But the xss vulnerability is still there unnoticed, and I still have no report on what they checked. So I have like zero trust in this penetration test.

And after the first round I already mentioned to the security guy in my clients company and my daily contact that they missed things. But they do not seem to care.

Another thing to check of their to do list and reducing their workload. Who cares if it's done well it's no longer their responsibility.

2018 disclaimer: if you can't walk not trying to offend you and I would applaud for you if you could suddenly walk again.

tldr: Fuck Apple AND Microsoft...

Tried to check my "me" email today (iCloud)... and well it's apparently "locked" for god only knows what reason, and they will only let me recover it through a Hotmail account that I haven't used in >10years.. So I tried that and after one login attempt outlook.com is telling me "you've entered too many wrong password attempts, you must reset your password"... ugh OK, so I hit the button and it's asking me "my" security question.. 'where did you and your spouse meet?'.. wtf? I'm not married now nor was I @12yrs old when I made this account....

Well thanks so I guess that's fucked for forever...

this just happened a few seconds ago and I am just laughing at the pathetic site that is Facebook. xD
4 years ago:
So I was quite a noobie gamer/hacker(sort of) back then and i had a habit of having multiple gmail/fb accounts, just for gaming, like accounts through which i can log in all at once in the same poker room, so 4/5 players in the game are me, or just some multiple accounts for clash of clans for donations.
I had 7-8 accounts back then. one had a name that translated to "may the dead remain in peace "@yahoomail.com . it was linked to fb using same initials. after sometime only this and 2 of my main accs were all i cared about.even today when i feel like playing, i sometimes use those accs.

2 years ago.
My dad is a simple man and was quite naive to modern techs and used to hang around with physical button nokia phones.But we had a business change, my father was now in a partnership in a restaurant where his daily work included a lot of sitting job and and casual working. So he bought a smartphone for some time pass.
He now wanted to download apps and me to teach him.I tried a lot to get him his own acc, but he couldn't remember his login credentials.
so at the end i added one of my own fake ID's(maythedead...) so he could install from playstore, watch vids on youtube and whatever.

The Actual Adventure starts now
Today, 1 hour ago:
I had completely forgot about this incident, since my parents are now quite modern in terms of tech.
But today out of nowhere i recieved an email that someone has JUST CHAINGED MY FB PASSWORD FOR ONE OF MY FAKE ACCS!?!??
what the hell, i know it was just a useless acc and i never even check my fb from any acc these days, but if someone could login into that acc, its not very difficult to track my main accs, id's, etc so i immediately opened this fb security portal and that's where the stupidity starts:

1)To recover your account they FUCKIN ASKS FOR A PHYSICAL ID. yeah, no email, no security question you have to scan your driving license or passport to get back to your account.And where would I get a license for some person named "may the dead remain in peace"? i simply went back.
2) tried another hack that i thought that will work.Closed fb help page, opened fb again , tried to login with my old credentials, it says" old password has been changed,please enter new password", i click forget password and they send an otp. i thought yes i won, because the number and recover mail id was mine only so i received it.
when i added the otp, i was first sent to a password change page (woohoo, i really won! :)) but then it sends me again to the same fuckin physical id verification page.FFFFFFFFFuck

3)I was sad and terrified that i got hacked.But 10 mins later a mail comes ,"Your Facebook password was reset using the email address on Tuesday, April 10, 2018 at 8:24pm (UTC+05:30)."
I tried clicking the links attached, hoping that the password i changed(point<2>) has actually done something to account.NADA, the account still needs a physical license to open:/

4) lost, i just login to my main account and lookup for my lost fake account. the fun part:my account has the display pic of my father?!!?!
So apparently, my father wanted to try facebook, he used the fake account i gave him to create one, fb showed him that this id already has an fb account attached to it and he accidently changed my password.MY FATHER WAS THE HACKER THE WHOLE TIME xD.
but response from fb?" well sir, if you want your virtually shitty account back , you first will have to provide us with all details of your bank transactions or your voter id card, maybe trump will like it"

So i am a diabetic and carry an insulin pump. Now being in India, the pump is not covered by insurance (for some god forsaken reason that I don’t know) and therefore is not a common sight here (contradictoraly India has a major diabetes problem). So I was at the metro station going through security check and the security personnel asks me what the pump was and asked me to show it to him. Now since insulin pumps are uncommon here I understood his concern and showed it to him. Now I like to carry the pump under my shirt with a clip pouch. So naturally I had to lift up my shirt to show it to him. But this isn’t the highlight of the story.
The guy behind me rised above and started peeking over my shoulder and constantly repeating like a 2 year old child what is this. And that too with my fucking abdomen exposed. I went into rage mode there and then like wtf dude, none of your business just step back a little.
Now my issue is that I do not understand that in their own curiosity, why do people forget to respect others privacy. And a very big problem with medical equipment manufacturing organisations (yeah you medtronic). Why are you only concerned with sales and why not awareness? I mean spreading awareness will only help your sales as more people will become aware about your product and it will be less awkward and concerning for people like me to wear your device out in the public

!myrant

I'm a junior developer in a small company alongside with a fellow programmer. Since I have an interest in Security and our Sys Admin left, my boss offered me to do some sys admin stuff.

I feel bad for my fellow programmer just because there is an old man in the company that doesn't come to me with his tech problems and goes to him.

Something like this goes down today:
OM: Hey, I can't watch my Fox Live News. Can you help me?
FP: The problem isn't on our side

*OM keeps pestering him*

FP: Let me check it out

*Goes and fix the issue and comes back laughing *

My coworker is to kind 😬😂😅

So today it finally happened.

Npm modules broke my system and / or endangered the security of my system.

Installed a global cli utility
That utility depends on package A
That depends on package B

That fucking install a bin called sudo

Yeah.. You heard it right a bin called sudo.

This bin goes in the global module folder that is piped in your path variable.

Now everytime you type sudo you are running somebody else code instead of your system utility.

I am shivering and at loss of swear words.

Opened an issue on the cli that started this matrioska game of horror.

Who the fuck tought that a bin called sudo would be a good fucking idea?

Oh and yes is even an harmless package that try to provide the sudo experience for windows (I went in to check the code of course..)

And I frigging need that cli for work

For now I aliased the sudo in my bashrc still i feel vulnerable and naked now.

For all the hate that Java gets, this *not rant* is to appreciate the Spring Boot/Cloud & Netty for without them I would not be half as productive as I am at my job.

Just to highlight a few of these life savers:
- Spring security: many features but I will just mention robust authorization out of the box
- Netflix Feign & Hystrix: easy circuit breaking & fallback pattern.
- Spring Data: consistent data access patterns & out of the box functionality regardless of the data source: eg relational & document dbs, redis etc with managed offerings integrations as well. The abstraction here is something to marvel at.
- Spring Boot Actuator: Out of the box health checks that check all integrations: Db, Redis, Mail,Disk, RabbitMQ etc which are crucial for Kubernetes readiness/liveness health checks.
- Spring Cloud Stream: Another abstraction for the messaging layer that decouples application logic from the binder ie could be kafka, rabbitmq etc
- SpringFox Swagger - Fantastic swagger documentation integration that allows always up to date API docs via annotations that can be converted to a swagger.yml if need be.
- Last but not least - Netty: Implementing secure non-blocking network applications is not trivial. This framework has made it easier for us to implement a protocol server on top of UDP using Java & all the support that comes with Spring.

For these & many more am grateful for Java & the big big community of devs that love & support it.

Open source is poison, hoax and source of much troubles.

Even as I love OSS, and I use it a lot, when things go south, they go south terribly.

There was "security" updates in one OSS program I have been using, that accidentally prevented use cases which specifically affected me. I raised bug report, made issue and gave small repro for it.
One of the core developers acknowledges that yes, this is problem, and could be handled with few added options, which users of similar use case could use to keep things working. He then tags issue "needs help" and disappears.
After I have waited some time, I ask help how I could fix it myself, like how to setup proper dev environment for that tool. Asked it in their forums few days later, as issue didn't get any response. Then asked help in their slack, as forums didn't get any help.

Figured out how to get dev environment up, fix done (~4 lines changed, adding simple check for option enabled or not) and figured out how to test that this works.
I create pull request to project, checking their CONTRIBUTING and following instructions there. Then I wait. I wait two weeks, and then one of the core develors goes to add label "needs response from maintainer". That is now almost two weeks ago...

So, bug that appeared in October, and issue that was created October 8th, is still not fixed, even as there is fix in PR for 28 days this far.

And what really ticks me off? People who make statements like: "it is OSS, have you thought of contributing and fixing things yourself?" when we run into problems with open source software.

Making fix yourself ain't biggest problem... but getting it actually applied seems to be biggest roadblock. This kind of experiences doesn't really encourage me to spend time fixing bugs in OSS, time is often better spend changing to different tool, or making changes in my own workflow or going around problem some kludge way.

I try to get business starting, and based on OSS tools. But my decision is staggering, as I had also made decision to contribute back to OSS... but first experiences ain't that encouraging.

Currently, OSS feels like cancer.

Pentesting for undisclosed company. Let's call them X as to not get us into trouble.
We are students and are doing our first pentest at an actual company instead of assignments at school. So we're very anxious. But today was a good day.
We found some servers with open ports so we checked a few of them out. I had a set of them with a bunch of open ports like ftp and... 8080. Time to check this out.
"please install flash player"... Security risk 1 found!

System seemed to be some monitoring system. Trying to log in using admin admin... Fucking works. Group loses it cause the company was being all high and mighty about being secure af. Other shit is pretty tight though.

Able to see logs, change password, add new superuser, do some searches for USERS_LOGGEDIN_TODAY! I shit you not, the system even had SUGGESTIONS for usernames to search for. One of which had something to do with sftp and auth keys. Unfortunatly every search gave a SQL syntax error. Used sniffing tools to maybe intercept message so we could do some queries of our own but nothing. Query is probably not issued from the local machine.

Tried to decompile the flash file but no luck. Only for some weird lines and a few function names I presume. But decompressing it and opening it in a text editor allowed me to see and search text. No GET or POST found. No SQL queries or name checks or anything we could think of.

That's all I could do for today. So we'll have to think of stuff for next week. We've already planned xss so maybe we can do that on this server as well.

We also found some older network printers with open telnet. Servers with a specific SQL variant with a potential exploit to execute terminal commands and some ftp and smb servers we need to check out next week.

Hella excited about this!

If you guys have any suggestions let us know. We are utter noobs when it comes to this.

The global joke of Information Security

So I broke my iPhone because the nuclear adhesive turned my display into a shopping bag.

This started the ride for my character arc in this boring dystopia novel:

Amazon is preventing me from accessing my account because they want my password, email AND mobile phone number in their TWO.STEP Verifivation.
Just because one too many scammers managed to woo one too many 90+y/o's into bailing their long lost WW2 comrades from a nigerian jail with Amazon gift cards and Amazon doesn't know what to do about anymore,

DHL is keeping my new phone in a "highly secure" vault 200m away from my place, waiting for a letter to register some device with a camera because you need to verify your identity with an app,

all the while my former car insurance is making regress claims of about 7k€ against me for a minor car accident (no-one hurt fortunately, but was my fault).

Every rep from each of the above had the same stupid bitchass scapegoat to create high-tech supra chargers to the account deletion request:

- Amazon: We need to verify your password, whether the email was yours and whether the phone number is yours.

They call it 2-step-verification.

Guess what Amazon requests to verify you before contacting customer support since you dont have access to your number? Your passwoooooord. While youre at it, click on that button we sent you will ya? ...

I call this design pattern the "dement Tupi-Guarani"

- DHL: We need an ID to verify your identity for the request for changing the delivery address you just made. Oh you wanted to give us ANOTHER address than the one written on your ID? Too bad bro, we can't help, GDPR

- Car Insurance: We are making regress claims against you, which might throw you back to mom's basement, oh and also we compensated the injured party for something else, it doesn't matter what it is but it's definitely something, so our claims against you just raised by 1.2k. Wait you want proof we compensated something to the injured at all? Nah mate we cant do that , GDPR. But trust me, those numbers are legit, my quant forecasted the cost of childrens' christmas wishes. You have 14 days or we'll see you in court haha

I am also their customer in a pension scheme. Something special to Germany, where you save some taxes but have to pay them back once you get the fund paid out. I have sent them a letter to terminate the contract.

Funniest thing is, the whole rant is my second take. Because when I hit the post button, devrant made me verify my e-mail. The text was gone afterwards. If someone from devRant reads this, you are free to quote this in the ticket description.

Fuck losing your virginity, or filing your first tax return, or by God get your first car, living through this sad Truman dystopia without going batshit insane is what becoming a true adult is.

I am grateful for all this though:

Amazon's safety measures prevented me from spending the money I can use to conclude the insurance odyssey, and DHLs "giving a fuck about customers" prevention policies made me support local businesses. And having ranted all this here does feel healthy too. So there's that.

Oh, cherry on top. I cant check my balance, because I can only verify my login requests to my banking account wiiiiiiith...?

So while exploring some new ideas, I decided to figure out if I could use variables in the known set to determine the bounds of variables in the unknown set.

The variables in question are algebraic identities derived from the semiprimes, so you already know where this is going.

The existing known set is 1194 identities.
And there are, if I recall, roughly two dozen unknowns.

Many knowns have the unknowns as their factors. The d4 product set for example is composed of variables d4a, d4u, d4z, d4z9, d4z4, d4alpha, d4theta, d4omega, etc.
The component variables themselves are unknown, just their products are known. Anyway.

What I've found interesting is if you know the minimum of some of these subsets, for example d4z is smallest out of the d4's for some semiprimes, then you know the upperbound of both the component variables d4 and z.

Unless of course either of them is < 1.

So the order of these variables, based on value, changes depending on the properties of the semiprime, which I won't get into. Most of the time the order change is minor, but for some variables they can vary a lot between semiprimes, rapidly shifting their rank in the known set. This makes it hard to do anything with them.

And what I found myself asking, over and over again, was if there was a way to lock them down? Think of it like a giant switch board, where flipping one switch lights up N number of others, apparently at random. But flipping some other switch completely alters how that first switch works and what lights it seemingly interacts with. And you have a board of them thats 1194^2 in total. So what do you do?

I'd had a similar notion a while back, where I would measure relative value in the known set, among a bunch of variables, assign a letter if the conditions were present, and generate a string, called a "haplotype."
It was hap hazard and I wrote a lot of code to do filtering, sorting, and set manipulation to find sets of elements in common, unique elements, etc. But the 'type' strings, a jumble of random letters, were only useful say, forty percent of the time. For example if a semiprime had a particular type starting with a certain series of letters, 40% of the time a certain known variable was guaranteed to be above a certain variable from the unknown set...40%~ of the time.
It was a lost cause it seemed.

But I returned to the idea recently and revamped the entire notion.

Instead what I would approach it from a more complete angle.
I'd take two known variables J and K, one would be called the indicator, and the other would be the 'target'.
Two other variables would be the 'component' variables (an element taken from the unknown set), and the constraint variable (could be from either the known or unknown set).

The idea was that relationships between the KNOWN variables (an indicator and a target variable) could be used to indicate the rank relationship between the unknown component variable and the constraint variable.

You'd think this wouldn't work either, but my intuition was there were so many seemingly 'random' rank changes of variables in the known set for any two semiprimes, that 1. no two semiprimes ever shared the same order for every variable, and 2. the order of the known variables had to be leaking information about the relationships of the unknown variables.

It turns out my intuition was correct.

Imagine you are picking a lock, and by knowing the order and position of the first two pins, you are able to deduce the relative position of two pins further back that you can't reach because of the locks security features. It doesn't let you unlock the lock directly, but by knowing this, if you can get past the lock's security features, you have a chance of using information about the third pin to get a better, if incomplete, understanding about the boundary position of the last pin.

I would initiate a big scoring list, one for each known element or identity. And then I would check it in tandem like so:

if component > constraint and indicator > target:
indicator[j]+= 1

This is a simplication, but the idea was to score ALL such combination of relationship, whether the indicator was greater than the target at the same time a component was greater than a constraint, or the opposite.
This worked out to four if checks and four separate score lists.

And by subtracting one scorelist from another, I could check for variables that were a bad fit: they'd have equal probability of scoring for example, where they were greater than the target one time, and then lesser than it for another semiprime.

So for any given relationship, greater or lesser between any unknown variable and constraint variable, I could find any indicator variable and target variable whose relationship strongly correlated to the unknown's.

Best toothpaste it will make your teeth extra white. As a bonus it’ll get you past border security while they check your temperature all that heat will be appropriately spread out to a cool 98.6F.

PHP code that didn't use sanitize, but manually checked if strings contained ' or ". Not even in a function, but manually implemented whenever the person writing that burning dumpsterfire thought it was a good idea to check for that.

Code also didn't report, it just exited without error code. Users would just get a white screen if that spaghetti code "security" system got tripped.

This was initially a reply to a rant about politics ruining the industry. Most of it is subjective, but this is how I see the situation.

It's not gonna ruin the industry. It's gonna corrupt it completely and fatally, and it will continue developing as a toxic sticky goo of selfishness and a mandatory lack of security until it chokes itself.

Because if something can get corrupted, it will get corrupted. The only way for us as a species to make IT into a worthy industry is to screw it up countless times over the course of a hundred years until it's as stable and reliable as it can possibly be and there are as many paradigms and individually reasonable standards as there can possibly be.

Look around, see the ridiculus amount of stupid javascript frameworks, most of which is just shitcode upon vulnerabilities upon untested dependencies. Does this look to you like an uncorrupted industry?

The entire tech is rotting from the hundreds of thousands of lines of proprietary firmware and drivers through the overgrown startup scene to fucking Node.js, and how technologies created just a few decades ago are unacceptable from a security standpoint. Check your drivers and firmware if you can, I bet you can't even see the build dates of most firmware you run. You can't even know if it was built after any vulnerability regarding that specific microcontroller or whatever.

Would something like this work in chemical engineering? Hell no! This is how fucking garage meth labs work, not factories or research labs. You don't fucking sell people things without mandatory independent testing. That's how a proper industry works. Not today's IT.

Of course it's gonna go down in flames. Greed had corrupted the industry, and there's nothing to be done about it now but working as much as we can, because the faster we move the sooner we'll get stuck and the sooner we can start over on a more reasonable foundation.

Or rely on layers of abstraction and expect our code to be compilable on anything the future holds for us.

Most unprofessional experience at work?

Check out my previous rants. With so many, it would be difficult to pick just one.

Not sure if I've told this one before. 'Caleb' was part of a team responsible for migrating financial data from a legacy (DOS-based) system to our new system.
Because of our elevated security (and the data being plain text) Caleb had access to the entire company's payroll (including VP salary, bonuses, etc).
Solidifying my belief that that salaries should be private between the employee and the employer, Caleb discovered he was making considerably less than his peers (even a few devs that he had seniority over), and the green monster 'Jealosly' took over his professionalism. Caleb decided to tell everyone making the same and less than him, the salaries of the other (higher paid) devs, managers and VPs.
Nobody understood at the time, but these folks started to behave erratically , like showing up late, making comments like "Why should I document that? Make 'money bags' over there do it", etc and so on.

Soon at review time, Caleb decided to use his newly discovered ammunition to 'barter' for a higher salary by telling the manager if he didn't make $$$, he would send an email to the entire company containing everyone's salary.

The manager fired Caleb on the spot and escorted him out the building (Caleb never had chance to follow thru with that threat)

When word got out about Caleb's firing (and everybody knew why), those other employees started showing up on time and stopped complaining about doing their job.

@linuxxx
Can you do a security / privacy check for ProtonVPN? All I know is that it is Switzerland based and pretty much secure.

Someone mentioned that client want to use wordpress instead of they current website because it is cheaper! Ok lets see how cheap it is.. each time wp release update after updating you need go through all website and check if nothing is broken.. plugins will need update as well because usually they run on specific wp version. Fixing theme and plugins requires dev time.. despite all those things.. have common sense. Maybe it is good for some type of business to host few pages without any business logic or use as blog without scare to loose everything and do not store users data.. someone mentioned that it is secure to run anything because updates are the best security to avoid security breaches. So why banks are not running on WP? Why health service is not using WP?

1. Sets up Airbnb listing for Mom
2. Domain check
3. Email check
4. Okay let’s setup a simple one-pager that we can share

*Uses html5 broilerplate and embeds Airbnb listing - simple*

Checks page, it comes up blank...

WTF!!!??? WHY!? *Checks Console: 1 million errors screaming about Content Security Policy*

Sigh, I can deal with logic errors in backend code. WebDev is just so full of esoterics and gotchas that have nothing to do with you business logic. They make really simple and trivial shit way more painful and harder than they need to be... Ugh

Have you ever thought to send a security code to the email the user put in the sign up form just to say him later "the password must contains at least 8 characters, etc." and ask him to fill the form again from scratch?

Who is so dumb to put the input check in this order? Honeywell.

- The email is correct?
- Ok, send a code and ask to confirm it
- The password meets the requirements?
- No, ask to confirm the email again just for fun.

I'll just ignore the waste of server resources to send N * Number of users emails for no reason.

This one happened to me two years ago:

Off on holiday overseas, just arrived and decide to check my Emails. Easy peasy..."Hey, we noticed you're logging in from a different country. We sent a security code to your backup account."

Welp, fine, login to my backup account: "Hey, we..." Can anybody guess the problem here? Yep, my primary account was the backup account for my backup. Lovely circular dependency.

Microsofts solution: Play the guessing game, where you name us Emails, Contacts and Folders to prove it's yours and we might unlock your account... or not (managed to get it back on the 2nd try)

Thank you Microsoft for ensuring my workfree, email-free holiday.

A thing that I am annoyed that people are getting wrong is security by obscurity.

You have heard of it and being told it is bad. It is so bad that it alone is a counter argument. Let me set you straight:

>>>Security by obscurity is the best security you will ever have<<<

There is an asterisk: It is probably not right for your business. But that is for the end.

Security by obscurity means to hide something away. Most security is based on hiding. You hide your private key or your password or whatever other secret there is. If you had a 2048 long sequence of port knocking, that would be fine, too.. Or it would be fine if it wasn't observable. You could write this down in your documentation and it wouldn't be security by obscurity. It would just be security. Weird, but fine.

The real meat of obscurity is: No one knows that there is someone. The server you port knock looks like a harmless server, but suddenly has an open port to a bad application for an IP, but only if that IP went to 25 other ports first.

In the animal kingdom, there are different survival strategies. One of them is being an apex predator or at least so big and lumbering that no predator wants a piece of you. That's our security. It is upstream security. It is the state.

But what is the rest of the animal kingdom going to do? Well, run away. That works. Not being caught. And those not fast enough? Hide! Just be invisible to the predators. They cannot triple check every leaf and expect to be done with the tree before starving. That's security by obscurity. Or hide in the group. Zebras. Easy to see, hard to track in the group. Look like everyone else.

There is a reason why drug smugglers don't have vaults in the carry-on. Arrive at the customs and just refuse to open the vault. If the vault is good enough. Nope, they lack the upstream security by the state. The state is there enemy, so they need obscurity rather than cryptographic safety.

And so, for a private person, having a port knocking solution or disguising a service as another service is a great idea.

Every cryptography course happily admits that the moment they can catch you physically, cryptography is useless. They also teach you about steganography. But they omit to tell you that obscurity is the second best solution to having a stronger army when you cannot rely on your state as upstream security.

Why did I say, not a good idea for companies?
1. It is self-defeating, since you have to tell it to all employees using it. A shared secret is no secret. And therefore it cannot be documented.
2. It makes working with different servers so much harder if there is a special procedure for all of them to access them. Even if it were documented. (See 1.)
3. You're a company, you are advertising your services. How to hide that you run them?

Do you see how those are not security relevant questions? Those are implementation relevant questions.

Here is an example:
Should you have your admins log into servers as normal users before elevating to root or is that just obscurity? Well, not for security purposes. Because that foothold is so bad, if compromised, it makes little difference. It is for logging purposes, so we have a better server log who logged in. Not only always root. But if our log could differentiate by the used private key, there is no issue with that.

If it is your private stuff, be creative. Hide it. Important skill. And it is not either, or. Encrypt it your backup, then hide it. Port knock, then required an elliptic curve private key to authenticate.

It is a lot of fun, if nothing else. Don't do it with your company. Downsides are too big. Cheaper to hire lawyers if needed.

So I figure since I straight up don't care about the Ada community anymore, and my programming focus is languages and language tooling, I'd rant a bit about some stupid things the language did. Necessary disclaimer though, I still really like the language, I just take issue with defense of things that are straight up bad. Just admit at the time it was good, but in hindsight it wasn't. That's okay.

For the many of you unfamiliar, Ada is a high security / mission critical focused language designed in the 80's. So you'd expect it to be pretty damn resilient.

Inheritance is implemented through "tagged records" rather than contained in classes, but dispatching basically works as you'd expect. Only problem is, there's no sealing of these types. So you, always, have to design everything with the assumption that someone can inherit from your type and manipulate it. There's also limited accessibility modifiers and it's not granular, so if you inherit from the type you have access to _everything_ as if they were all protected/friend.

Switch/case statements are only checked that all valid values are handled. Read that carefully. All _valid_ values are handled. You don't need a "default" (what Ada calls "when others" ). Unchecked conversions, view overlays, deserialization, and more can introduce invalid values. The default case is meant to handle this, but Ada just goes "nah you're good bro, you handled everything you said would be passed to me".

Like I alluded to earlier, there's limited accessibility modifiers. It uses sections, which is fine, but not my preference. But it also only has three options and it's bizarre. One is publicly in the specification, just like "public" normally. One is in the "private" part of the specification, but this is actually just "protected/friend". And one is in the implementation, which is the actual" private". Now Ada doesn't use classes, so the accessibility blocks are in the package (namespace). So guess what? Everything in your type has exactly the same visibility! Better hope people don't modify things you wanted to keep hidden.

That brings me to another bad decision. There is no "read-only" protection. Granted this is only a compiler check and can be bypassed, but it still helps prevent a lot of errors. There is const and it works well, better than in most languages I feel. But if you want a field within a record to not be changeable? Yeah too bad.

And if you think properties could fix this? Yeah no. Transparent functions that do validation on superficial fields? Nah.

The community loves to praise the language for being highly resilient and "for serious engineers", but oh my god. These are awful decisions.

Now again there's a lot of reasons why I still like the language, but holy shit does it scare me when I see things like an auto maker switching over to it.

The leading Ada compiler is literally the buggiest compiler I've ever used in my life. The leading Ada IDE is literally the buggiest IDE I've ever used in my life. And they are written in Ada.

Side note: good resilient systems are a byproduct of knowledge, diligence, and discipline, not the tool you used.

Yesterday, the Project Manager forwarded an email from a staff member who worked on a donations campaign. Staff member was confused about a Cloudflare challenge that appeared before the user was sent to the donation page. It’s a less than 5 second JavaScript check. He thought it looked fishy.

I had to explain that it’s a security measure that’s been up for almost a month. PM knows this but left it to me to explain because ownership of the site is on me. The donations page and api gets hit by a lot of bots because it’s a public api and there are no security measures like captchas to deter the bots. I’m inheriting this website and I didn’t build it.

Staff member says other staff want to know if the Cloudflare page can be customized so it looks more legit. Um, Cloudflare is a widely known legit service. Google it.

A few thoughts pop into my head:

1. Engineering communicated to stakeholders about the Cloudflare messaging a month ago.

2. Wow, stakeholders don’t share relevant info with their staff who aren’t on these emails.

3. Woooow, stakeholders and staff don’t look at the website that often.

I'm a brand-new employee for my college's IT service. During my training, I was given a briefing on their security system. After something broke, he tapped into an administrative database on his chromebook, then he went to go check something while leaving the chromebook alone with someone he just met for over 30 minutes.

Losing faith in Netflix and their awesome open source projects.

Had a hard time trying to install Security Monkey : poor quality quickstart Ubuntu-only, almost no documentation, same instructions for latest (aka dev) and stable (aka prod) version, no depencies list ... oh and the UI display well only on Chrome ..

Then you surrender and just want to check the dockerized version they provide : it doesn't work neither (build fail or back end process just shut down) !!

I'm done ...

Mini witch hunt going on with broken builds last couple of weeks. Change satellite assembly/project A, breaks random unit test that hasn’t been changed for months and the TFS nazi sends out emails demanding the “broken” projects be fixed. Doesn’t matter the unit/integration tests are likely out dated and team responsible for the tests needs to fix it.
Yesterday I deleted some logging code out of a security assembly, broke an integration test that hasn’t needed to be ran since January (test database didn’t exist anymore).
I would have had to re-create the database, re-import the test data (not trivial), re-deploy a service using the test database…blah. All because I removed some logging code.
I deleted the gated check-in TFS build definition. Code check in … no sirens …whew! I win!

After two years of being in (metaphorical) jail, I once again was given the a privilege of unlocking and rooting my phone. Damn. Frick Huawei, never coming back to that experience.

I gotta say, rooting... Feels a tad less accessible nowadays than when I last practiced it. All this boot image backup, patch, copy, reflash is crying to be automised, only reason I can think of why that changed and magisk can no longer patch itself into the phone's initrd is that it's somehow locked? Was it a security concern? Or can sideloaded twrp no longer do that?

Oh, and the war... The war never changes, only exploits do - fruck safety net... Good for Google that they now have an *almost* unfoolable solution (almost). The new hardware-based check is annoying af, but luckily, can still be forced to downgrade back to the old basic check that can be fooled... Still, am I the only one who feels Google is kinda weird? On one hand, they support unlocking of their own brand of phones, but then they continuously try to come up with frameworks to make life with a rooted or unlocked phone more annoying...

On the other hand, I do like having my data encrypted in a way that even sideloading twrp doesn't give full access to all my stuff, including password manager cache...

Any recommendations what to install? I do love the basic tools like adaway (rip ads), greenify (yay battery life!), viper4android (More music out of my music!) and quite honestly even lucky patcher for apps where the dev studio practices disgust me and don't make me want to support them...

I happened to purchase a multi currency card as I was preparing to travel abroad. I enquired a few non tech friends of mine about a bunch of providers/lenders and I got a consistent suggestion of how company XXX is safe and user friendly. I took a leap of faith and went with them, since I didn't have any time left to do my own research.

Met the vendor, loaded some money and all is well. At least so far.

I went to their website to create an account for checking my balance and to do a bunch of stuff online.

Nothing unusual so far.

I fill up the new user register page. At the end I get a message which says "SUCCESS" and asks me to check my email.

VOILA!

I have an email with my user id, password and security questions in CLEAR TEXT sitting in my inbox.

Good job XXX.

I thought: Okay lets update this open source software the day right before my exam. What could go wrong? All previous updates worked without a problem and this is an urgent security fix for RCX.

Of course: It failed. I spend the whole night searching for the error in my config files etc. The error was: A missing null check in start sequence. Had to fix and build it myself as I required the files stored there for the exam.

I learned a lot that day/night about updating only when you have the time to deal with errors...

Apparently you need to pay microsoft in order to have access to some security features, such as removing managing connected oauth apps.

What a fucking joke, I need to check a fucking screen of yours that our client has deemed as a bug.

Get your shit together and stop bring such a greedy whore microshit

That moment when you in Computer Security Management and the Professor shows you the different between

Alt+ Tab and Windows + Tab.

Professor: did you guys know about these shortcuts?
Me: of course how else do I code, write a post and check one on Stack Overflow, Google help on a code, check my work email for the boss response, and see how the codes runs on a browser?

Telegram or Signal? Got essentially blocked from Messenger because I was stupid enough to fold to peer pressure to get it for robotics and since I enabled it with a GV number they stopped allowing its use for specifically security checks while allowing it even to reset a password, and I somehow got a security check triggered, with no customer support and no ability to call with code, so I'm looking to switch. Even if I get Facebook back, I want to move to something at least that doesn't randomly trigger security checks and then has no customer support.

!rant
Why everyone who claim to know a lot about web security and encryptions is not able to help me check if my system is secure :/
And some try to charge me afterwards -.-"

Edit:
If they expect payment they should state that at beginning and be able to actually do something...

Facebook rant incoming!

I'm so pissed off with Facebook right now, woke up this morning to check Facebook and it asked me to submit a photo of myself (it's not like Facebook doesn't already have many photos of me), then after submitting it logs me out "for security reasons". The only thing I've done different since the last time I was on Facebook was add someone.... If Facebook doesn't approve my photo I will just say fuck it and stay off Facebook.

For someone not deep-into-security, can someone tell me why "encrypted"/"non-compromised" communication is hard?

Wouldn't a private server that holds conversation in-memory (imagine Dictionary holding U2U GUID-GUID list of 'msg' objs) suffice?
Incoming IP info is disregarded and nothing gets written on-disk ever

Need to erase everything? just reboot the server, it's all in memory anyway

To avoid man-in-the-middle, pre-handshake check cert integrity by exposing the certificate-fingerprint by another endpoint, if the fingerprints match, proceed to switch to websocket
Wouldn't this be wayyyy more secure for actual anti-establishment talks than all the fancy probably-backdoored software that exists today? .-.

Hell it's easy enough that someone could make it go live in a few days, keep it up accessible if you know the IP and port to communicate and close-and-delete when done

One of the worst practices in programming is misusing exceptions to send messages.

This from the node manual for example:

> fsPromises.access(path[, mode])

> fsPromises.access('/etc/passwd', fs.constants.R_OK | fs.constants.W_OK)
> .then(() => console.log('can access'))
> .catch(() => console.error('cannot access'));

I keep seeing people doing this and it's exceptionally bad API design, excusing the pun.

This spec makes assumptions that not being able to access something is an error condition.

This is a mistaken assumption. It should return either true or false unless a genuine IO exception occurred.

It's using an exception to return a result. This is commonly seen with booleans and things that may or may not exist (using an exception instead of null or undefined).

If it returned a boolean then it would be up to me whether or not to throw an exception. They could also add a wrapper such as requireAccess for consistent error exceptions.

If I want to check that a file isn't accessible, for example for security then I need to wrap what would be a simple if statement with try catch all over the place. If I turn on my debugger and try to track any throw exception then they are false positives everywhere.

If I want to check ten files and only fail if none of them are accessible then again this function isn't suited.

I see this everywhere although it coming from a major library is a bit sad.

This may be because the underlying libraries are C which is a bit funky with error handling, there's at least a reason to sometimes squash errors and results together (IE, optimisation). I suspect the exception is being used because under the hood error codes are also used and it's trying to use throwing an exception to give the different codes but doesn't exist and bad permissions might not be an error condition or one requiring an exception.

Yet this is still the bane of my existence. Bad error handling everywhere including the other way around (things that should always be errors being warnings), in legacy code it's horrendous.

Some of my previous rants mention a web application that I wrote for my then-employer. As it is still in use and I have the whole code, too, I figured to check on security a little with a friend. It's all fine, except for one page, were I was sloppy and didn't escape strings, thus allowing for SQL injection.
This is however only possible if already logged in, which has shown to be secure (and the tool is for employees only).
Nobody is ever going to find out, as the only one who knew what injection even is was me. I left 2 years ago.

I'm fucking tired of my computer having random
2 seconds latency on any basic action and being slow as fuck regardless of powerful processor, ssd and 32GB RAM. Music via bluetooth is basically unusable since every few seconds the music stops for a 0.2s then plays again. I installed this system (opensuse tumbleweed) in February this year and it's just sad that I have reinstall again (any ideas for distro) ?

I made a dummy mistake of buying a CPU without internal graphics and this resulted in having to buy a GPU. So I got myself Nvidia(another mistake) since i though i would be using CUDA on the university. Turnes out CUDA cannot be installed for some retarded reason.
With Nvidia GPU the screens on my two monitors are swapping every time I use a hdmi switch to use other computer. On AMD GPU this problem does not exist. AMD GPU pro drivers are impossible to install. Computers barely fucking work, change my mind. Shit is breaking all the time. Everything is so half assed.

The music player that i use sometimes swaps ui with whatever was below it like for example the desktop background and i need to kill the process and start again to use the program. WTF.

Bluetooth seems to hate me. I check the bluetooth connected devices on my computer, it says headphones connected. BULLSHIT. The headphones are fucking turned OFF. How the fuck can they be connected you dumbass motherfucker computer. So I turn on the headphones. And I cannot connect them since the system thinks that they are already connected. So I have to unpair them and pair them again. WTF. Who fucking invents this bullshit?
Let's say i have headphones connected to the computer. I want to connect them to phone. I click connect from the phone settings. Nothing happens. Bullshit non telling error "could not connect". So I have to unpair from computer to pair to phone. Which takes fucking minutes, because reasons. VERY fucking convenient technology.
The stupid bluetooth headphones have a loud EARRAPE voice when turning them on "POWER ON!!! PAIRING", "CONNECTED", "DISCONNECT". Loudness of this cannot be modified. The 3 navigation buttons are fucking unrecognizable so i always take few seconds to make sure i click the correct button.

Fucking keyboard sometimes forgets that I remapped esc key to caps lock and then both keys don't work so i need to reconnect the keyboard cable. At least it's not fucking bluetooth.

The only reason why hdmi switches exist is because monitor's navigation menus have terrible ui and/or infrared activated, non-mechanical buttons.
Imagine the world where monitors have a button for each of it's inputs. I click hdmi button it switches it's input to hdmi. I click display port button - it switches to display port. But nooo, you have to go through the OSD menu.

My ~ directory has hundred of files that I never put there. Doesn't feel like home, more like a crackhead crib.

My other laptop (also tumbleweed) I click on hibernate option and it shuts down. WTF. Or sometimes I open the lid and screen is black and when i click keyboard nothing happens so i have to hold power button and restart.

We've been having computers for 20 + years and they still are slow, unreliable and barely working.

Is there a cure? I'm starting to think the reason why everything is working so shitty and unreliable, is because the foundations are rotten. The systems that we use are built with c, ridden with cryptic abbreviated code, undefined behavior and security vulnerabilities. The more I've written c programs the more convinced I am, that we should have abandoned it for something better long ago. Why haven't we? And honestly what would be better? Everything fucking sucks. The rust seems to be light in the tunnel but I don't know if this is only hype or is it really better. I'm sure it can't be worse than c or c++. Either we do something with the foundations or we're doomed.

Checking for root is maintaining a false façade of security. By the definition of root it can always be bypassed and we should be designing workflows to discourage logging in from an untrusted device unless you have 2fa.

Gf asked me to help her with getting science articles. She had some page that her university suggested students to use, but had troubles with downloading documents.

At first I was like "Hey, it says use IE, other browsers are not supported. Thats bad but.. whatever". Then it popped that she needs Java enabled - well, I guess we have to... Even updated it cause it was needed.
Restarted IE, clicked download again and... Java security blocked web app... Eh, I don't trust it but whatever, just let's check what if I whitelist it.
Got some basic view, 1 dropdown list for "file name format" (like anybody cares), path selection where to save file, and some checkbox. Lame, but let's just leave it behind.
Downloaded, it turned out to be html file, not pdf, fishy that it was single file, but hoped for some text styled with css, so I opened it and got redirected to page where I clicked download.
Checked that file content - html with empty body and script tag containing js that redirects on load.

Srsly?😐

Using AWS S3 web ui to copy a big folder from one to another and in the middle of copying, I got a pop up that your session has expired please refresh the page and task failed because of this.
What kind of security is this ? Can you check if any task is currently running.
Second who uses browser alert these days... wasted my one hour.

So i am at an MNC as a summer internship, me along with 18 other students from my university cleared this hackathon and got selected for this internship,
Few things you should know
1. Amongst all the other candidates i had the most work experience
2. I had worked with a lot of python and JavaScript
3. I legit have more skills then almost everyone working in my team

So, I don't know how but the HR decided i should go to this team, where there are no developers and are people of age 30 who have no idea what django is,

I was fucking frustrated but i let it go, thinking i will just solve this problem and will change my team, calm down

They told me about the project. I said okay give me access i will just finish it.

5 days no signs of access anyhow, so, i sucked it up and tracked all the network request and made my own api,

Then I was happy i get rid of this project,
But then they had bigger plans they ask me to add features on this project but there is a catch you have no access to any accounts, do it on your own,

Like What the Fuck, before giving an intern any project don't you have the responsibility to check weather the fucking project is possible i am just wasting my summer internship. I thought I got a big company it will help me grow i will get job security, but noo wtf, i am hell of frustrated

Many times in life I experienced situations that are depressing to me yet I'm not partially or totally conscious about it.

I have a very good example that I'm actually experiencing right now: me reporting the progress of a task to my boss and getting no response from him.

He has gone on these "ignoring sprees" in the past already and for the current one, it's been like four consecutive ignores.

I guess it's depressing for two reasons:

1) I feel like my work has no importance or value, which drags me down.
2) Sometimes he also tries to rush which I consider pretty hypocritical of him. because I have to basically not complain about it to not endanger this job relationship my family dearly depends on, I have to shut up and feel frustrated. (keep in mind i'm a south am person working for a us company and I was very lucky to get this job).

For some reason I just don't notice as easily how awful it makes me feel, but I wished I could fucking tell this straight into his fucking face:

You wanna be a boss? Be a fucking boss and check on my fucking progress.

I'm considering getting into security and going for bug bounties online.

So i'm currently working on my PiStation..
(look at my previous post if you're interested)
I'm imaging over RetroPie over to the SD card, screw back together the housing, and it boots up fine. As soon as i configured my XBOX-controller i got to the wifi-settings. And when i try to access my wifi, guess what, it doesn't connect to my f**kin wifi. So i double check my wifi-settings in the router i just bought to get over my roommates paranoia (that's a whole another story. Just in short, he's got no idea of IT-security and tries to be an admin, which results in a HUGE amount of bulls**t), confirm that the settings are alright, double check the PSK too, anything is fine. So i go through the whole process again, download the image (from their goddamn slow servers), open up the PiStation, image it over to the SD card, close it back up, anything boots up fine and works, except this f**king wifi. And the thing is, i COULD connect it with a patchcable, but i dont want cables going anywhere through my room. Currently imaging over recalbox OS, will keep you updated. I just want to play some old retro games ._.

Evaluating an app for a customer to ensure compatibility. It's in MS Store... so I better get it then. I'm logged in, should be fast.
"Enter the code we sent to yyy.zzz@maily.sss"
......
.....
...
..
It's been an hour. I can allow for some delay but please, it's a mail, not an NSA security check... or?

I had so much faith in this company that I invested $90,000 without a second thought. My investment grew to an impressive $200,150. I decided to withdraw a portion to help out. After countless so-called verifications, they shockingly demanded I pay 20 percent of the total amount upfront before any transaction could proceed. What seemed like a great experience turned sour until a friend recommended **HACKINGPROFESSIONAL3 AT G MA IL . C OM**. Their top-notch security architecture swiftly came to my rescue, and within a few days, I recovered my entire investment. . Make sure to check out

ETH-BTC-USDT RECOVERY EXPERT VISIT -- SPARTAN TECH GROUP RETRIEVAL

Running a small business comes with its own set of challenges, but nothing prepared me for the ordeal of losing access to my Bitcoin wallet. I had set aside CAD 187,000 in Bitcoin as a safety net, trusting a friend to help manage my finances. One day, I logged in to check my balance, only to find the wallet empty. My heart sank as I realized my friend had betrayed my trust. The betrayal was devastating—not just financially, but emotionally. Losing that amount of money could have crippled my business. In my desperation, I stumbled upon Spartan Tech Group Retrieval through this Email: spartantechretrieval (@) g r o u p m a i l . c o m while browsing an online forum. Skeptical yet with nothing to lose, I decided to reach out to them also on WhatsApp:+1 (206) 719 - 7295. From our first conversation, I felt a sense of relief. The team was not only professional but also incredibly empathetic, understanding the emotional toll this situation had taken on me. They assured me they would do everything in their power to help. What stood out was their thorough approach; they focused on recovering my funds while educating me on securing my assets moving forward. After what felt like an eternity of waiting, I received the news that my funds had been recovered. The relief was overwhelming. It wasn’t just about the money; it was about regaining control over my business and my peace of mind. Spartan Tech Group Retrieval saved me not only financially but also restored my confidence. This experience taught me a valuable lesson: never entrust your financial security entirely to someone else. Thanks to Spartan Tech Group Retrieval, I was able to recover from a potentially devastating loss and emerge stronger on the other side. Their dedication and expertise provided me with a lifeline when all seemed lost. If you ever find yourself in a similar situation, don’t hesitate to contact them. They truly are the lifeline you need.
COMPANY INFORMATOIN : Telegram:+1 581 286 8092

RECOVERING LOST BITCOIN DIGITAL TECH GUARD RECOVERY STEP-BY-STEP PROCESS

When Trust Becomes Deception: My Bitcoin Investment Saga and Resurrection Dealing with Digital Tech Guard Recovery

What started as a promising investment opportunity quickly turned into a nightmare of deception and broken trust. I had heard the hype about Bitcoin and the potential for massive returns, so I decided to take the plunge and invest a significant portion of my savings. Lured in by promises of easy riches and assured of the security of my funds, I entrusted my hard-earned money to an online platform that claimed to be a reputable Bitcoin exchange. Little did I know that I was about to embark on a harrowing journey filled with betrayal, loss, and a desperate search for a way to recover my stolen assets.

As I logged in to check on my investment, I was met with the devastating realization that my account had been cleaned out, the balance reduced to zero. Panic and disbelief set in as I grappled with the harsh truth - the platform I had trusted had been nothing more than a sophisticated scam, designed to fleece unsuspecting investors like myself. With my funds vanished and no clear path forward, I felt utterly powerless and betrayed, my dreams of financial security shattered in an instant. The journey that followed was a rollercoaster of emotions, filled with uncertainty, frustration, and glimmers of hope when I was directed to Digital Tech Guard Recovery. The Digital's methods were shrouded in mystery, and progress seemed painfully slow, but I clung to the belief that they would ultimately succeed. After what felt like an eternity of waiting and uncertainty, the Digital finally announced a breakthrough – they had managed to trace the stolen Bitcoin and were in the process of recovering it, piece by painstaking piece. As the final pieces of the puzzle fell into place, I found myself on the precipice of a remarkable resurrection, my lost investment slowly but surely being restored to me. The sense of relief and gratitude I felt was palpable, a testament to the power of perseverance and the unwavering determination to right the wrongs that had been done. This harrowing ordeal had taught me a valuable lesson about the importance of trust and the consequences of placing it in the wrong hands, but it had also shown me the remarkable resilience of the human spirit in the face of adversity. You can reach out to Digital Tech Guard Recovery through email: digital tech guard . com Telegram: digital tech guard recovery . com website link :: https : // d i g i t a l t e c h g u a r d . c o m  WhatsApp +1 (443) 859 - 2886  

What's the point of having a 'Check for updates' if it doesn't tell you there is a security update? And why do I always have to download and install updates manually?