An incident which made a Security Researcher cry
--------------------------------------------------------
I was working on my laptop finishing up my code while waiting for the flight which was late . Meanwhile two guys (I'm gonna call them Fellas) in black suit and shades came to me

Fella : Sir you have to come with us .
Me : *goes along with them*
Fella : Sir please proceed *points towards the door . The room has a round table with some guys discussing something *
Fella 1 : Your passport please
Me : *Hands over the passport*
Fella 1 : Where are you traveling to sir?
Me : India
Fella 1 : Put your laptop in the desk sir.
Me : Sure thing
Fella 2 : What were you doing there? *Taps the power button*
Me : Just finishing up my work .
Fella 1 : Or hacking our systems?
Me : Seriously?
Fella 2 : The password please .
Me : Here you go
*5 minutes have passed and​ he still can't figure out how to use the machine*
Fella 2 : Which Windows is this?
Me : It's Linux
Fella 1 : So you are a hacker .
Me : Nope
Fella 1 : You are using Linux
Me : Does it matters?
Fella 1 : Where do you work?
Me : *I won't mention here but I told him*
Fella 2 : So what do you do there?
Me : I'm a Security Researcher
Fella 1 : What's your work?
Me : I find security holes in their systems .
Fella 1 : That means you are a hacker .
Me : Not at all .
Fella 2 : But they do the same and they use Linux .
Me : You can call me one .
*After 15 minutes of doo-laa-baa-dee-doo-ra-ba-doo amongst them I dunno what they were talking , they shutdown the computer and handed over it to me*
Fella 2 - So you are somewhat like a hacker .
Me - *A bit frustrated* Yes.

##And now the glorious question appeared like an angel from river ##

Can you hack Facebook?
Me - 😭😭😭

Mother of god, was listening to the US govt hearing of zuckerberg about the recent scandals. The amount of very fucking simple obvious questions he 'could not' answer normally...

Govt person: Would you be willing to change Facebook's business model if this was required for the security and privacy of Facebook users' accounts?

Zuck: I don't understand your question.

Sorry, WHAT?! You don't need particular rocket science to understand what's being asked here. A combination of common sense and knowing the English language and English grammar in combination with maybe having finished some form of education should be enough to understand this ridiculously easy question.

Do you need it written on a golden plate with fucking blue letters in Facebook's font with the S letters as dollar signs while drinking 10 gallons of 'fuck every persons privacy'?!

Or maybe shoving it up your ass in the form of heated/glowing metal letters of 10+ inches in height? We could arrange that as well.

My mentor/guider at my last internship.

He was great at guiding, only 1-2 years older than me, brought criticism in a constructive way (only had a very tiny thing once in half a year though) and although they were forced to use windows in a few production environments, when it came to handling very sensitive data and they asked me for an opinion before him and I answered that closed source software wasn't a good idea and they'd all go against me, this guy quit his nice-guy mode and went straight to dead-serious backing me up.
I remember a specific occurrence:
Programmers in room (under him technically): so linuxxx, why not just use windows servers for this data storage?
Me: because it's closed source, you know why I'd say that that's bad for handling sensitive data
Programmers: oh come on not that again...
Me: no but really look at it from my si.....
Programmers: no stop it. You're only an intern, don't act like you know a lot about thi....
Mentor: no you shut the fuck up. We. Are. Not. Using. Proprietary. Bullshit. For. Storing. Sensitive. Data.
Linuxxx seems to know a lot more about security and privacy than you guys so you fucking listen to what he has to say.
Windows is out of the fucking question here, am I clear?

Yeah that felt awesome.

Also that time when a mysql db in prod went bad and they didn't really know what to do. Didn't have much experience but knew how to run a repair.
He called me in and asked me to have a look.
Me: *fixed it in a few minutes* so how many visitors does this thing get, few hundred a day?
Him: few million.
Me: 😵 I'm only an intern! Why did you let me access this?!
Him: because you're the one with the most Linux knowledge here and I trust you to fix it or give a shout when you simply can't.

Lastly he asked me to help out with iptables rules. I wasn't of much help but it was fun to sit there debugging iptables shit with two seniors 😊

He always gave good feedback, knew my qualities and put them to good use and kept my motivation high.

Awesome guy!

Recently had an interview with a company. At some point an SELinux question came up and while I didn't provide the best answer ever (I'm hardly familiar with SELinux and mentioned that as well beforehand so they knew), it was technically correct and the reaction of the interviewers was funny.

TI (technical interviewer): say your php script isn't executed and after a while you find out that SELinux is blocking php script execution, how can you fix that?
Me: setenforce 0...? (essentially disabling SELinux at all)
TI: disabling it entirely for getting php execution to work?! That doesn't sound like a good solu...
HRI (HR (non technical) interviewer, also present): *turns to TI* - but, would it solve the problem?
TI: 😐 well, yes, but... That's a bad thing to do so I wouldn't count is corre..
HRI: *still aiming towards TI* but you simply asked him for a way to solve the php execution issue, would his answer work? Regardless of whether it's the best or worst solution, would it be a solution which works?
TI: well... yes...
HRI: then he answered correctly I'd say, next!

(yes, I'm aware that my answer wasn't good as for security at all but it would have solved that problem which is what was asked)

Lads, I will be real with you: some of you show absolute contempt to the actual academic study of the field.

In a previous rant from another ranter it was thrown up and about the question for finding a binary search implementation.

Asking a senior in the field of software engineering and computer science such question should be a simple answer, specifically depending on the type of job application in question. Specially if you are applying as a SENIOR.

I am tired of this strange self-learner mentality that those that have a degree or a deep grasp of these fundamental concepts are somewhat beneath you because you learned to push out a website using the New Boston tutorials on youtube. FOR every field THAT MATTERS a license or degree is hold in high regards.
"Oh I didn't go to school, shit is for suckers, but I learned how to chop people up and kinda fix it from some tutorials on youtube" <---- try that for a medical position.

"Nah it's cool, I can fix your breaks, learned how to do it by reading blogs on the internet" <--- maintenance shop

"Sure can write the controller processing code for that boing plane! Just got done with a low level tutorial on some websites! what can go wrong!"

(The same goes for military devices which in the past have actually killed mfkers in the U.S)

Just recently a series of people were sent to jail because of a bug in software. Industries NEED to make sure a mfker has aaaall of the bells and whistles needed for running and creating software.

During my masters degree, it fucking FASCINATED me how many mfkers were absolutely completely NEW to the concept of testing code, some of them with years in the field.

And I know what you are thinking "fuck you, I am fucking awesome" <--- I AM SURE YOU BLOODY WELL ARE but we live in a planet with billions of people and millions of them have fallen through the cracks into software related positions as well as complete degrees, the degree at LEAST has a SPECTACULAR barrier of entry during that intro to Algos and DS that a lot of bitches fail.

NOTE: NOT knowing the ABSTRACTIONS over the tools that we use WILL eventually bite you in the ASS because you do not fucking KNOW how these are implemented internally.

Why do you think compiler designers, kernel designers and embedded developers make the BANK they made? Because they don't know memory efficient ways of deploying a product with minimal overhead without proper data structures and algorithmic thinking? NOT EVERYTHING IS SHITTY WEB DEVELOPMENT

SO, if a mfker talks shit about a so called SENIOR for not knowing that the first mamase mamasa bloody simple as shit algorithm THROWN at you in the first 10 pages of an algo and ds book, then y'all should be offended at the mkfer saying that he is a SENIOR, because these SENIORS are the same mfkers that try to at one point in time teach other people.
These SENIORS are the same mfkers that left me a FUCKING HORRIBLE AND USELESS MESS OF SPAGHETTI CODE

Specially to most PHP developers (my main area) y'all would have been well motherfucking served in learning how not to forLoop the fuck out of tables consisting of over 50k interconnected records, WHAT THE FUCK

"LeaRniNG tHiS iS noT neeDed!!" yes IT fucking IS

being able to code a binary search (in that example) from scratch lets me know fucking EXACTLY how well your thought process is when facing a hard challenge, knowing the basemotherfucking case of a LinkedList will damn well make you understand WHAT is going on with your abstractions as to not fucking violate memory constraints, this-shit-is-important.

So, will your royal majesties at least for the sake of completeness look into a couple of very well made youtube or book tutorials concerning the topic?

You can code an entire website, fine as shit, you will get tested by my ass in terms of security and best practices, run these questions now, and it very motherfucking well be as efficient as I think it should be(I HIRE, NOT YOU, or your fucking blog posts concerning how much MY degree was not needed, oh and btw, MY degree is what made sure I was able to make SUCH decissions)

This will make a loooooooot of mfkers salty, don't worry, I will still accept you as an interview candidate, but if you think you are good enough without a degree, or better than me (has happened, told that to my face by a candidate) then get fucking ready to receive a question concerning: BASIC FUCKING COMPUTER SCIENCE TOPICS

* gays away into the night

Today my roomate told me about his classmate who asked a really nice question " why do we need a MAC address in a WINDOWS machine". They are in a masters course for network security.

If the below is you, please stop. I'm starting a revolution called #AnswerTheQuestion

A: Hey, just checked your code, you have a huge security issue in XYZ, you should really address that.

B: Oh god I had no idea, how do I fix it?

A: Well it depends on how you *want* to fix it, no one solution is always the right one.

B: ... Ok, well could you give me some advice?

A: Well, there are many ways to approach this kind of work, but all I can say is that this way, is definitely not the correct one.

B: ... Ok, well how would you do it?

A: That would depend on the customer requirements.

B: ... the requirements is to have a website that isn't easily hackable, what do I do?

A: Nowadays, its pretty hard to make a website completely not hackable.

B: ALL THE SERVERS ARE SHOWING RED, PLEASE HELP ME!!!

A: ........ you really shouldn't prejudge colours. The colour red doesn't always mean danger, depends purely on the use case.

Seriously fuck mandatory security questions, these are my options:

What year did you meet your spouse?
I'm single.
What is your favorite book as a child?
I didn't have a favorite book. (and still, don't)
In which city did you meet your spouse?
I'm single
What is the first name of the first person you went to prom with?
Didn't go to prom.
Which state did you first visit (outside of your birth state)?
I've been to about 43 states and can't remember when I started traveling, how the fuck am I supposed to know?
In which city was your spouse born?
Again I'm single.
In which city did your oldest sibling get married?
I don't have any siblings.

C'mon, at least let me create my own question because right now I have no choice but to make up random shit and write it down in LastPass as a note.

Following a conversation with a fellow devRanter this came to my mind ago, happened a year or two ago I think.

Was searching for an online note taking app which also provided open source end to end encryption.

After searching for a while I found something that looked alright (do not remember the URL/site too badly). They used pretty good open source JS crypto libraries so it seemed very good!

Then I noticed that the site itself did NOT ran SSL (putting the https:// in front of the site name resulted in site not found or something similar).

Went to the Q/A section because that's really weird.

Saw the answer to that question:

"Since the notes are end to end encrypted client side anyways, we don't see the point in adding SSL. It's secure enough this way".

😵

I emailed them right away explaing that any party inbetween their server(s) and the browser could do anything with the request (includingt the cryptographic JS code) so they should start going onto SSL very very fast.

Too badly I never received a reply.

People, if you ever work with client side crypto, ALWAYS use SSL. Also with valid certs!

The NSA for example has this thing known as the 'Quantum Insert' attack which they can deploy worldwide which basically is an attack where they detect requests being made to servers and reply quickly with their own version of that code which is very probably backdoored.

This attack cannot be performed if you use SSL! (of course only if they don't have your private keys but lets assume that for now)
Luckily Fox-IT (formerly Dutch cyber security company) wrote a Snort (Intrustion Detection System) module for detecting this attack.

Anyways, Always use SSL if you do anything at all with crypto/sensitive data! Actually, always use it but at the very LEAST really do it when you process the mentioned above!

Security question setup:

Question: Your father's second name
Input: Carl
Error: Please provide at least 5 characters

You failed me, father.

Chase Bank Burning by Alex Schaefer

"This is a "plein air" painting which means I set up my easel right across the street of this Chase bank in my city and painted it like it had caught fire. The police questioned me on the spot. Three weeks later Homeland Security was knocking on the door to my home. The question they kept asking me was "Do you hate these banks?" I can honestly say yes."

M - Me
F - Family member

F: So you study computer science... Could you recover my Gmail login data? I don't remember my email address, password or security question. (7th request to me like that from the same person, they don't bother to write down the recovered pw)
M: I can't do it if I don't know any of the above
F: Wow, I thought you're a good student... Could you at least create a new account for me?
M: But you won't even remember the new... [gets interrupted]
F: So, are you going to talk trash or get to work? You would have already been 50% done

PLEASE I'M SO TIRED OF IT. HOW DO I DEAL WITH THESE OTHER THAN TELLING THEM WHAT I THINK ABOUT THEM. I SEEK HELP

I'm fixing a security exploit, and it's a goddamn mountain of fuckups.

First, some idiot (read: the legendary dev himself) decided to use a gem to do some basic fucking searching instead of writing a simple fucking query.

Second, security ... didn't just drop the ball, they shit on it and flushed it down the toilet. The gem in question allows users to search by FUCKING EVERYTHING on EVERY FUCKING TABLE IN THE DB using really nice tools, actually, that let you do fancy things like traverse all the internal associations to find the users table, then list all users whose password reset hashes begin with "a" then "ab" then "abc" ... Want to steal an account? Hell, want to automate stealing all accounts? Only takes a few hundred requests apiece! Oooh, there's CC data, too, and its encryption keys!

Third, the gem does actually allow whitelisting associations, methods, etc. but ... well, the documentation actually recommends against it for whatever fucking reason, and that whitelisting is about as fine-grained as a club. You wanna restrict it to accessing the "name" column, but it needs to access both the "site" and "user" tables? Cool, users can now access site.name AND user.name... which is PII and totally leads to hefty fines. Thanks!

Fourth. If the gem can't access something thanks to the whitelist, it doesn't catch the exception and give you a useful error message or anything, no way. It just throws NoMethodErrors because fuck you. Good luck figuring out what they mean, especially if you have no idea you're even using the fucking thing.

Fifth. Thanks to the follower mentality prevalent in this hellhole, this shit is now used in a lot of places (and all indirectly!) so there's no searching for uses. Once I banhammer everything... well, loads of shit is going to break, and I won't have a fucking clue where because very few of these brainless sheep write decent test coverage (or even fucking write view tests), so I'll be doing tons of manual fucking testing. Oh, and I only have a week to finish everything, because fucking of course.

So, in summary. The stupid and lazy (and legendary!) dev fucked up. The stupid gem's author fucked up, and kept fucking up. The stupid devs followed the first fuckup's lead and repeated his fuck up, and fucked up on their own some more. It's fuckups all the fucking way down.

Question regarding implementing two factor authentication.

I want to implement 2FA for at least one service I'm writing but I'm wondering, next to email, what services/implementations could I use?

I know that email isn't the best when it comes to security but I also don't want to force (a-technical) users to install an app specifically for 2FA so keeping email as an option as well.

But except for email, any ideas? Anything related to Google/facebook (prism integrated services) are a no go anyways (this has, as mentioned before, nothing to do with my ego or giving myself 'a pat on the back')

As for costs, I don't mind a little bit of money but the service will be free at first and I'm not rich :)

Looking forward to the comments!

CLIENT "So my nephew who does stuff with computers built it and we are ok with how it all works so don't worry about changing that. "

DEV "so like you have a public form with no input filtering, spam mitigation let alone sanitization or remote concern for security. Basically you have a Json flat file that is 34mbs of links to, viagra, replica watches, nock off name brands and one real estate company. It is getting about 15 submissions an hour. Since you don't want me changing how it works are you happy to just leave all that ?"

CLIENT "no no we don't want all that but we have no route to delete it, can you just stop all the spam and let us continue on?"

DEV "ok so back to my first question can we rebuild all of this properly, or do you really want to just leave it all"

:/ FML

I've been away, lurking at the shadows (aka too lazy to actually log in) but a post from a new member intrigued me; this is dedicated to @devAstated . It is erratic, and VERY boring.
When I resigned from the Navy, I got a flood of questions from EVERY direction, from the lower rank personnel and the higher ups (for some reason, the higher-ups were very interested on what the resignation procedure was...). A very common question was, of course, why I resigned. This requires a bit of explaining (I'll be quick, I promise):
In my country, being in the Navy (or any public sector) means you have a VERY stable job position; you can't be fired unless you do a colossal fuck-up. Reduced to non-existent productivity? No problem. This was one of the reasons for my resignation, actually.
However, this is also used as a deterrent to keep you in, this fear of lack of stability and certainty. And this is the reason why so many asked me why I left, and what was I going to do, how was I going to be sure about my job security.
I have a simple system. It can be abused, but if you are careful, it may do you and your sanity good.
It all begins with your worth, as an employee (I assume you want to go this way, for now). Your worth is determined by the supply of your produced work, versus the demand for it. I work as a network and security engineer. While network engineers are somewhat more common, security engineers are kind of a rarity, and the "network AND security engineer" thing combined those two paths. This makes the supply of my work (network and security work from the same employee) quite limited, but the demand, to my surprise, is actually high.
Of course, this is not something easy to achieve, to be in the superior bargaining position - usually it requires great effort and many, many sleepless nights. Anyway....
Finding a field that has more demand than there is supply is just one part of the equation. You must also keep up with everything (especially with the tech industry, that changes with every second). The same rules apply when deciding on how to develop your skills: develop skills that are in short supply, but high demand. Usually, such skills tend to be very difficult to learn and master, hence the short supply.
You probably got asleep by now.... WAKE UP THIS IS IMPORTANT!
Now, to job security: if you produce, say, 1000$ of work, then know this:
YOU WILL BE PAID LESS THAN THAT. That is how the company makes profit. However, to maximize YOUR profit, and to have a measure of job security, you have to make sure that the value of your produced work is high. This is done by:
- Producing more work by working harder (hard method)
- Producing more work by working smarter (smart method)
- Making your work more valuable by acquiring high demand - low supply skills (economics method)
The hard method is the simplest, but also the most precarious - I'd advise the other two. Now, if you manage to produce, say, 3000$ worth of work, you can demand for 2000$ (numbers are random).
And here is the thing: any serious company wants employees that produce much more than they cost. The company will strive to pay them with as low a salary as it can get away with - after all, a company seeks to maximize its profit. However, if you have high demand - low supply skills, which means that you are more expensive to be replaced than you are to be paid, then guess what? You have unlocked god mode: the company needs you more than you need the company. Don't get me wrong: this is not an excuse to be unprofessional or unreasonable. However, you can look your boss in the eye. Believe me, most people out there can't.
Even if your company fails, an employee with valuable skills that brings profit tends to be snatched very quickly. If a company fires profitable employees, unless it hires more profitable employees to replace them, it has entered the spiral of death and will go bankrupt with mathematical certainty. Also, said fired employees tend to be absorbed quickly; after all, they bring profit, and companies are all about making the most profit.
It was a long post, and somewhat incoherent - the coffee buzz is almost gone, and the coffee crash is almost upon me. I'd like to hear the insight of the veterans; I estimate that it will be beneficial for the people that start out in this industry.

Published a new blog article last weekend (finally) and had the idea to make a privacy/security Q&A one this weekend.

I'd make an email address for it to which you can email (a) question(s).

What do you people think?

Every time I got a mandatory security question, I type in "go fuck yourself with a cactus". There's only one answer for all of them.

Hololens development forced me into Visual Studio after spending years doing Unity development with MonoDevelop in MacOS.

Why haven't anyone told me to switch sooner! Thanks to Visual Studio + ReSharper, my brain farts turn into a coherent code almost automatically.

I hate that I need MacOS for the iOS development and Win 10 for Hololens. Running Win 10 on Parallels kinda works, but it is a compromise. Developing without headphones/earplugs is out of the question if you don't want to go deaf.

I wan't all the tools for a single OS so I don't have to maintain multiple computers and even more importantly travel with multiple laptops. Just love the security check question "Do you have any electronics with you? Please put it into the container." - "Could I get a couple more containers, please..."

My security knowledge is so bad. But I don't know where should I start.😖
My coworkers know about this, so I don't get involved on related topics.🤤
Last time I asked same question, someone gave me link, and it all about DIY welding metal tubes into a security door.🤦‍♂️
Any better suggestion?

Hey there!

So during my internship I learned a lot about Linux, Docker and servers and I recently switched from a shared hosting to my own VPS. On this VPS I currently have one nginx server running that serves a static ReactJs application. This is temponarily, I SFTP-ed the build files to the server and added a config file for ssl, ciphers and dhparams. I plan to change it later to a nextjs application with a ci/di pipeline etc. I also added a 'runuser' that owns the /srv/web directory in which the webserver files are located. Ssh has passwords disabled and my private keys have passphrases.

Now that I it's been running for a few days I noticed a lot of requests from botnets that tried to access phpmyadmin and adminpanels on my server which gave me quite a scare. Luckily my website does not have a backend and I would never expose phpmyadmin like that if I did have it.

Now my question is:
Do you guys know any good articles or have tips and tricks for securing my server and future projects? Are there any good practices that I should absolutely read and follow? (Like not exposing server details etc., php version, rate limiting). I really want to move forward with my quest for knowledge and feel like I should have a good basis when it comes to managing a server, especially with the current privacy laws in place.

Thanks in advance for enduring my rant and infodump 😅

I was working in a manufacturing facility where I had hundreds of industrial computers and printers that were between 0 and 20 years old. They were running on their own clean network so that someone has to be in the manufacturing network to access them. The boss announced that the executives will be pushing a “zero trust” security model because they need IoT devices. I told him “A computer running Windows 98 can’t be on the same VLAN as office computers. We can’t harden most of the systems or patch the vulnerabilities. We also can’t reprogram all of the devices to communicate using TLS or encrypt communications.“ Executives got offended that I would even question the decision and be so vocal about it. They hired a team to remove the network hardware and told me that I was overreacting. All of our system support was contracted to India so I was going to be the on-site support person.

They moved all the manufacturing devices to the office network. Then the attacks started. Printers dumped thousands of pages of memes. Ransomware shut down manufacturing computers. Our central database had someone change a serial number for a product to “hello world” and that device got shipped to a customer. SharePoint was attacked in many many ways. VNC servers were running on most computers and occasionally I would see someone remotely poking around and I knew it wasn’t from our team because we were all there.

I bought a case of cheap consumer routers and used them in manufacturing cells to block port traffic. I used Kali on an old computer to scan and patch network vulnerabilities daily.

The worst part was executives didn’t “believe” that there were security incidents. You don’t believe in what you don’t understand right?

After 8 months of responding to security incident after security incident I quit to avoid burning out. This is a company that manufactures and sells devices to big companies like apple and google to install in their network. This isn’t an insignificant company. Security negligence on a level I get angry thinking about.

> Worst work culture you've experienced?

It's a tie between my first to employers.

First: A career's dead end.
Bosses hardly ever said the truth, suger-coated everything and told you just about anything to get what they wanted. E.g. a coworker of mine was sent on a business trip to another company. They had told him this is his big chance! He'd attend a project kick-off meeting, maybe become its lead permanently. When he got there, the other company was like "So you're the temporary first-level supporter? Great! Here's your headset".

And well, devs were worth nothing anyway. For every dev there were 2-3 "consultants" that wrote detailed specifications, including SQL statements and pseudocode. The dev's job was just to translate that to working code. Except for the two highest senior devs, who had perfect job security. They had cooked up a custom Ant-based build system, had forked several high-profile Java projects (e.g. Hibernate) and their code was purposely cryptic and convoluted.
You had no chance to make changes to their projects without involuntarily breaking half of it. And then you'd have to beg for a bit of their time. And doing something they didn't like? Forget it. After I suggested to introduce automated testing I was treated like a heretic. Well of course, that would have threatened their job security. Even managers had no power against them. If these two would quit half a dozen projects would simply be dead.

And finally, the pecking order. Juniors, like me back then, didn't get taught shit. We were just there for the work the seniors didn't want to do. When one of the senior devs had implemented a patch on the master branch, it was the junior's job to apply it to the other branches.

Second: A massive sweatshop, almost like a real-life caricature.
It was a big corporation. Managers acted like kings, always taking the best for themselves while leaving crumbs for the plebs (=devs, operators, etc). They had the spacious single offices, we had the open plan (so awesome for communication and teamwork! synergy effects!). When they got bored, they left meetings just like that. We... well don't even think about being late.
And of course most managers followed the "kiss up, kick down" principle. Boy, was I getting kicked because I dared to question a decision of my boss. He made my life so hard I got sick for a month, being close to burnout. The best part? I gave notice a month later, and _he_still_was_surprised_!
Plebs weren't allowed anything below perfection, bosses on the other hand... so, I got yelled at by some manager. Twice. For essentially nothing, things just bruised his fragile ego. My bosses response? "Oh he's just human". No, the plebs was expected to obey the powers that be. Something you didn't like? That just means your attitude needs adjustment. Like with the open plan offices: I criticized the noise and distraction. Well that's just my _opinion_, right? Anyone else is happily enjoying it! Why can't I just be like the others? And most people really had given up, working like on a production line.

The company itself, while big, was a big ball of small, isolated groups, sticking together by office politics. In your software you'd need to call a service made by a different team, sooner or later. Not documented, noone was ever willing to help. To actually get help, you needed to get your boss to talk to their boss. Then you'd have a chance at all.

Oh, and the red tape. Say you needed a simple cable. You know, like those for $2 on Amazon. You'd open a support ticket and a week later everyone involved had signed it off. Probably. Like your boss, the support's boss, the internal IT services' boss, and maybe some other poor sap who felt important. Or maybe not, because the justification for needing that cable wasn't specific enough. I mean, just imagine the potential damage if our employees owned a cable they shouldn't!

You know, after these two employers I actually needed therapy. Looking back now, hooooly shit... that's why I can't repeat often enough that we devs put up with way too much bullshit.

Another incident which made a Security Researcher cry
[ NOTE : Check profile to read older incidents ]
-----------------------------------------------------------
So this all started when I was at my home (bunked the office that day xD) and I got a call from a..... Let's call him Fella as I always do . So here we go . And yeah , our Fella is a SysAdmin .
-----------------------------------------------------------
Fella - Hey man sup!
Me - Good going mate , bunked the office , weather's nice , gonna spend time with my girl today . So what's goinon?
Fella - Bruh my network sharing folders ain't working no more .
Me - Did you changed or modified anything?
Fella - Nope
Me - Okay , gimme your login creds lemme check .
Fella - Check your inbox *texts me the credentials*

*I logged in and what I'm seeing is that server runs on Windows2008R2 , checked the event logs , everything's fine and all of a sudden what I found is fucking embarrassing , this wise man closed SMB service*
Me - Did you closed SMB service?
Fella - Yeah
Me - You know what it does?
Fella - Yeah it's a protocol , I turned it off to protect the server from Wannacry .
Me - Fuckerrrr!!!!! Asshole dumbass you fuckin piece of Dodo's shit!! SMB is the service responsible for files and network sharing!!!
Fella - But....I just wanted protection
Me - 😭😭😭

*A long conversation continues with a lot of specially made words to decrease the rate of frustration which I used already*

Fella - Okay I'm turning it on .
Me - Go on....... Asshole
Fella - It worked! Thanks a lot bro
Me - Just leave me and my soul away from evil and hang up .

*Now the question is , who the hell gives them the post of SysAdmin? While thinking this question , I almost thought of committing suicide​ but then my girl came with coffee and my rubber duck*

//Random Mr. Robot thought//
So this picture and this quote in general has been in my mind quite recently. The first time I saw this scene it just passed through my mind as just a wierd quirk of elliot. But upon further thinking, I question that given Elliot is someone who specializes in network security in a sense. A part of which focuses on finding exploits in networks or even software in general( basically finding the worst in them). And the more I think about that,the more I come to realisation that just like most programmers mix together logic in their life in dealing with people, this scene stands out as an example of just that happening with Elliot and what perhaps, makes him such a good hacker. Perhaps we could all learn from this, or perhaps I'm just looking too much into this. Eh.

After a few weeks of being insanely busy, I decided to log onto Steam and maybe relax with a few people and play some games. I enjoy playing a few sandbox games and do freelance development for those games (Anywhere from a simple script to a full on server setup) on the side. It just so happened that I had an 'urgent' request from one of my old staff member from an old community I use to own. This staff member decided to run his own community after I sold mine off since I didn't have the passion anymore to deal with the community on a daily basis.

O: Owner (Former staff member/friend)
D: Other Dev

O: Hey, I need urgent help man! Got a few things developed for my server, and now the server won't stay stable and crashes randomly. I really need help, my developer can't figure it out.
Me: Uhm, sure. Just remember, if it's small I'll do it for free since you're an old friend, but if it's a bigger issue or needs a full recode or whatever, you're gonna have to pay. Another option is, I tell you what's wrong and you can have your developer fix it.
O: Sounds good, I'll give you owner access to everything so you can check it out.
Me: Sounds good

*An hour passes by*

O: Sorry it took so long, had to deal with some crap. *Insert credentials, etc*
Me: Ok, give me a few minutes to do some basic tests. What was that new feature or whatever you added?
O: *Explains long feature, and where it's located*
Me: *Begins to review the files* *Internal rage wondering what fucking developer could code such trash* *Tests a few methods, and watches CPU/RAM and an internal graph for usage*
Me: Who coded this module?
O: My developer.
Me: *Calm tone, with a mix of some anger* So, you know what, I'm just gonna do some simple math for ya. You're running 33 ticks a second for the server, with an average of about 40ish players. 33x60 = 1980 cycles a minute, now lets times that by the 40 players on average, you have 79,200 cycles per minute or nearly 4.8 fucking cycles an hour (If you maxed the server at 64 players, it's going to run an amazing fucking 7.6 million cycles an hour, like holy fuck). You're also running a MySQLite query every cycle while transferring useless data to the server, you're clusterfucking the server and overloading it for no fucking reason and that's why you're crashing it. Another question, who the fuck wrote the security of this? I can literally send commands to the server with this insecure method and delete all of your files... If you actually want your fucking server stable and secure, I'm gonna have to recode this entire module to reduce your developer's clusterfuck of 4.8 million cycles to about 400 every hour... it's gonna be $50.
D: *Angered* You're wrong, this is the best way to do it, I did stress testing! *Insert other defensive comments* You're just a shitty developer (This one got me)
Me: *Calm* You're calling me a shitty developer? You're the person that doesn't understand a timer, I get that you're new to this world, but reading the wiki or even using the game's forums would've ripped this code to shreds and you to shreds. You're not even a developer, cause most of this is so disorganized it looks like you copy and pasted it. *Get's angered here and starts some light screaming* You're wasting CPU usage, the game can't use more than 1 physical core, and after a quick test, you're stupid 'amazing' module is using about 40% of the CPU. You need to fucking realize the 40ish average players, use less than this... THEY SHOULD BE MORE INTENSIVE THAN YOUR CODE, NOT THE OPPOSITE.
O: Hey don't be rude to Venom, he's an amazing coder. You're still new, you don't know as much as him. Ok, I'll pay you the money to get it recoded.
Me: Sounds good. *Angered tone* Also you developer boy, learn to listen to feedback and maybe learn to improve your shitty code. Cause you'll never go anywhere if you don't even understand who bad this garbage is, and that you can't even use the fucking wiki for this game. The only fucking way you're gonna improve is to use some of my suggestions.
D: *Leaves call without saying anything*

TL;DR: Shitty developer ran some shitty XP system code for a game nearly 4.8 million times an hour (average) or just above 7.6 million times an hour (if maxed), plus running MySQLite when it could've been done within about like 400 an hour at max. Tried calling me a shitty developer, and got sorta yelled at while I was trying to keep calm.

Still pissed he tried calling me a shitty developer...

I'm in 3rd year of my CS degree....
Fucking Indian Education System

I'm having a subject css(cryptography & system security)... The bitch who teaches us doesn't know shit.... She just picks random words from the ppt & blabber random bullshit...

Last week we had our unit tests...and the question was explain Working of deffie-helman. Just because I didn't use the names Alice & Bob in the example she didn't gave me marks....I mean wtf..that was just an example mentioned in the slides.....

I bet it wasn't required at all...
I knew most of the things they teach here..
These mofo professors have just a CS degree and they are here to teach the same course....

Alright lads here is the thing, have not been posting anything other than replies to things cuz I have been busy being miserable at school and dealing with work stuff.

Our manager left us back in February. Because she was leaving I decided that I wanted to try a different path and went on to become a programmer analyst for my institution, if anything I knew that it was going to be pretty boring work, but it came with nice monetary compensation and a foot in the door for other data science related jobs in the future. Thing is, the department head asked me to stay in the web technologies department because we had a lack of people there and hiring is hard as shit, we do not do remote jobs since our work usually requires a level of discretion and security. Thus I have been working in the web tech department since she left albeit with a different title since I aced the interview for the analyst position and the team there were more than happy to have me. I have done very few things for them, some reports here and there and mostly working directly with the DBA in some projects. One migration project would have costed my institution a total of 58k and we managed to save the cost by building the migration software ourselves.....honestly it was a fucking cake walk, if you had any doubts about the shaddyness of enterprise level applications regarding selling overpriced shit with different levels of complexity, keep them, enterprise is shaddy af indeed. But I digress.

I wrote the specification for the manager position along the previous manager, we had decided that the next candidate needed to be strong with development knowledge as well as other things as to properly understand and manage a software team, we made the academic requirement(fuck you, yes we did ask for academic requirements) to be either in the Computer Science/software engineering area or at least on the Business Administration side. We were willing to consider BA holders in exchange for having knowledge of the development process of different products and a complete understanding of what developers go through. NOT ONE SINGLE motherfucker was able to satisfy this, some of them were idiots that I knew from before that had ABSOLUTELY no business even considering applying to the position, the courage it took for some of these assholes to apply would have hurt their mothers, their God if they had one, and their country, they were just that fucking bad in their jobs as well as being overall shit people.

Then we had 1 candidate actually fall through the cracks enough to get an interview. My dude here was lying out of his ass through the interview process. According to him he had "lots of Laravel experience and experience managing Laravel projects" and mentioned repeatedly how it would be a technology that we should consider for our products. I was to interview him alongside the vice president of our institution due to the head of my department and the rest of the managers for I.T being on vacation leave all at the same bloody time.

Backstory before the interview:
Whilst I was going over the interview questions with the vice president literally offered me the job instead. I replied with honesty, reflecting how I did not originally wanted him but feeling that our institution was ready to settle on any candidate due to the lack of potentials. He was happy to do it since apparently both him and the HOD were expecting me to step up sooner or later. I was floored.

Regardless, out of kindness he wanted to go through the interview.
So, going back to the interview. As soon as the person in question referenced the framework I started to ask him about it, just simple questions, the first was "what are your thoughts on the Eloquent ORM? I am not too fond of it and want to know what you as a full time laravel dev think of it"
his reply: "I am sorry I am not too familiar with it, I don't know what that is" <--- I appreciated his honesty in this but thought it funny that someone would say that he was a Laravel developer whilst not knowing what an ORM was since you can't really get away from using it on the initial stages of learning about Laravel, maybe if one wanted to go through the hurdle of switching to something like doctrine...but even then, it was....odd.

So I met with the hod when he came back, he was stoked at the prospect of having me become the manager and I happily accepted the position. It will be hell, but I don't even need to hit the ground running since I have been the face of the department since ages. My team were ecstatic about it since we are all close friends and they have been following my directions without complaints(but the ocational eat a dick puto) for some time, we work well together and we are happy to finally have someone to stop the constant barrage that comes from people taking advantage of a missing manager.

Its gonna get good, its gonna get fun, and i am getting to see how shit goes.

this just happened a few seconds ago and I am just laughing at the pathetic site that is Facebook. xD
4 years ago:
So I was quite a noobie gamer/hacker(sort of) back then and i had a habit of having multiple gmail/fb accounts, just for gaming, like accounts through which i can log in all at once in the same poker room, so 4/5 players in the game are me, or just some multiple accounts for clash of clans for donations.
I had 7-8 accounts back then. one had a name that translated to "may the dead remain in peace "@yahoomail.com . it was linked to fb using same initials. after sometime only this and 2 of my main accs were all i cared about.even today when i feel like playing, i sometimes use those accs.

2 years ago.
My dad is a simple man and was quite naive to modern techs and used to hang around with physical button nokia phones.But we had a business change, my father was now in a partnership in a restaurant where his daily work included a lot of sitting job and and casual working. So he bought a smartphone for some time pass.
He now wanted to download apps and me to teach him.I tried a lot to get him his own acc, but he couldn't remember his login credentials.
so at the end i added one of my own fake ID's(maythedead...) so he could install from playstore, watch vids on youtube and whatever.

The Actual Adventure starts now
Today, 1 hour ago:
I had completely forgot about this incident, since my parents are now quite modern in terms of tech.
But today out of nowhere i recieved an email that someone has JUST CHAINGED MY FB PASSWORD FOR ONE OF MY FAKE ACCS!?!??
what the hell, i know it was just a useless acc and i never even check my fb from any acc these days, but if someone could login into that acc, its not very difficult to track my main accs, id's, etc so i immediately opened this fb security portal and that's where the stupidity starts:

1)To recover your account they FUCKIN ASKS FOR A PHYSICAL ID. yeah, no email, no security question you have to scan your driving license or passport to get back to your account.And where would I get a license for some person named "may the dead remain in peace"? i simply went back.
2) tried another hack that i thought that will work.Closed fb help page, opened fb again , tried to login with my old credentials, it says" old password has been changed,please enter new password", i click forget password and they send an otp. i thought yes i won, because the number and recover mail id was mine only so i received it.
when i added the otp, i was first sent to a password change page (woohoo, i really won! :)) but then it sends me again to the same fuckin physical id verification page.FFFFFFFFFuck

3)I was sad and terrified that i got hacked.But 10 mins later a mail comes ,"Your Facebook password was reset using the email address on Tuesday, April 10, 2018 at 8:24pm (UTC+05:30)."
I tried clicking the links attached, hoping that the password i changed(point<2>) has actually done something to account.NADA, the account still needs a physical license to open:/

4) lost, i just login to my main account and lookup for my lost fake account. the fun part:my account has the display pic of my father?!!?!
So apparently, my father wanted to try facebook, he used the fake account i gave him to create one, fb showed him that this id already has an fb account attached to it and he accidently changed my password.MY FATHER WAS THE HACKER THE WHOLE TIME xD.
but response from fb?" well sir, if you want your virtually shitty account back , you first will have to provide us with all details of your bank transactions or your voter id card, maybe trump will like it"

tldr: Fuck Apple AND Microsoft...

Tried to check my "me" email today (iCloud)... and well it's apparently "locked" for god only knows what reason, and they will only let me recover it through a Hotmail account that I haven't used in >10years.. So I tried that and after one login attempt outlook.com is telling me "you've entered too many wrong password attempts, you must reset your password"... ugh OK, so I hit the button and it's asking me "my" security question.. 'where did you and your spouse meet?'.. wtf? I'm not married now nor was I @12yrs old when I made this account....

Well thanks so I guess that's fucked for forever...

Who's the dumbass that decided you can't delete your PayPal account at all unless your balance is $0?

I am not giving you my card information for the $0.18 balance I have. For God sakes, I don't even bend over to pick that up if I see it on the ground.

It's one thing if it were like $100 or even $10. But it's eighteen fucking cents. Not even a a quarter of a fucking dollar.

At least make me put in my password and answer a security question or some shit, not straight up remove the option to delete it.

Fucking ridiculous.

Security Issues with Chrome:
My dad was just saying that his work wouldn't let him use Google Chrome because of its supposed 'security issuse'. Just wondered if anyone knew of any real 'security issuse' with chrome that are legitimate? Or is it all just rumours...

Let's talk about the cargo cult of N-factor authentication. It's not some magic security dust you can just sprinkle onto your app "for security purposes".

I once had a client who had a client who I did server maintenance for. Every month I was scheduled to go to the site, stick my fingerprint in their scanner, which would then display my recorded face prominently on their screens, have my name and purpose verified by the contact person, and only then would the guards let me in.

HAHA no of course not. On top of all of that, they ask for a company ID and will not let me in without one.

Because after all, I can easily forge my face, fingerprints, on-site client contact, appointment, and approval. But printing out and laminating a company ID is impossible.

---

With apologies to my "first best friend" in High School, I've forgotten which of the dozens of canonicalisations of which of your nicknames I've put in as my answer to your security question. I've also forgotten if I actually listed you as my first best friend, or my dog - which would actually be more accurate - and actually which dog, as there are times in my High School life that there were more tails than humans in the house.

I have not forgotten these out of spite, but simply because I have also forgotten which of the dozen services of this prominent bullshit computer company I actually signed up for way back in college, which itself has been more than a decade ago. That I actually apparently already signed up for the service before actually eludes me, because in fact, I have no love for their myriad products.

What I have NOT forgotten is my "end of the universe"-grade password, or email, or full legal name and the ability to demonstrate a clear line of continuity of my identity from wherever that was to now.

Because of previous security screwups in the past, this prominent bullshit company has forced its users to activate its second, third, and Nth factors. A possibly decade-old security question; a phone number long lost; whatever - before you can use your account.

Note: not "view sensitive data" about the account, like full name, billing address, and contact info. Not "change settings" of the account, such as changing account info, email, etc. Apparently all those are the lowest tier of security meant to be protected by mere "end of the universe"-grade passwords and a second factor such as email, which itself is likely to be sold by a company that also cargo cults N-factor auth. For REAL hard info, let's ask the guy who we just showed the address to "What street he lived in" and a couple others.

Explaining this to the company's support hotline is an exercise in...

"It's for your security."

"It's not. You're just locking me out of my account. I can show you a government ID corroborating all the other account info."

"But we can't, for security."

"It's not security. Get me your boss."

...

"It's for security."

TLDR; Default admin login on WEP encrypted WLAN router for getting free stuff at my hair stylist studio.

Free WLAN in my hair stylist studio: They had their WEP key laying around in the waiting area. Well, I am not very happy with WEP, thought that they never heard of security. Found the default GW address, typed it into my browser and pressed Enter, logged in with admin/1234 and voila, I was root on their ADSL router 😌 Even more annoyed now from such stupidity I decided to tell the manager. All I told him was: You use a default login on your router, you give the WiFi password for free, WEP is very very insecure and can be hacked in seconds, and do you know what criminals will do with your internet access? He really was shocked about that last question, blank horror, got very pale in just one sec. I felt a little bit sorry for my harsh statement, but I think he got the point 😉 Next problem was: he had no clue how to do a proper configuration (he even didn't knew the used ISP username or such things). Telled me that 'his brother' has installed it, and that he will call him as soon as possible. Told him about everything he should reconfigure now, and saw him writing down the stuff on a little post-it.

Well, he then asked me what he can pay me? Told him that I don't want anything, because I would be happy when he changes the security settings and that is pay enough. He still insisted for giving me something, so I agreed on one of a very good and expensive hairwax. Didn't used it once 😁

Some weeks later when I was coming back for another hair cut: Free WLAN, logged in with admin/1234, got access and repeated all I did the last time once more 😎

HOW CAN YOU NOT LEARN FROM FAILS??

Question

What server monitoring do you use, both for statistics and security?

--------------------
tl;dr ends here

Ideally I would like to have one clean dashboard that shows me all the nodes I have, proxmox already offers a great range of stats - but it is a page per container etc. so not ideal, I thought of having datadoghq, but their per host pricing is huge, since I have more than 5 hosts to track.

Question for Web Server Gurus and Security Ninjas.

How to prevent bots, crawlers, spammers sending various numerous requests to your web servers?

There have been numerous requests to routes like /admin /ssh /phpmyadmin etc etc and all kinds of stuff to the web server.

Is there a way to automatically block those stupid IPs :/

Fuck you Crapple.

I have to reset my password again just because I cant remember that one security question.

How the fuck am I supposed to know who my favourite primary school teacher is?

I inherited a nextjs project from an unknown guy and am fangirling the codebase

But the deeper I familiarise myself with it, the more the cracks begin to appear:

1) The dude Is incapable of grasping the basics of DRY concept. He actually setup a ton of stuff I may have done poorly if I'd started working straight out of the docs, so I feel like I owe him a shower of praise. I guess being new to nextjs makes it look more impressive than it actually is. He was paid off, yet getting the credit seems unearned to me. I'm just afraid reaching out to him might turn around to bite me in the ass
***

I had the above in my drafts, contemplating sending him a token to show some appreciation for unknowingly showing me the ropes. I was going to find him on LinkedIn using his commit names. But after doing everything I've done, undergoing the anxiety and severe pressure I faced at the hands of the project owners, I'm not sharing a farthing with anybody

Yes, I may not have known about zustand and persist middleware. Yes, he did all the ui. Yes, he created the base components and fancy wrappers around form and button html elements. For those, I'm grateful

But the amount of refactoring I had to do to, for an opportunity to implement my own target features, I'd say I can lay as much claim to the project as he does.

Side note #1: I have some newfound respect for front end devs. We used to discriminate against them for doing just css but that was only relevant in the jquery days. Now, they have to use cryptic css frameworks (sass, less, tailwind), they have to learn esoteric syntax of some js framework and write controllers/components as the case may be. They have to (the worst part), bind this data to an API, which would never make sense to me coming from a php ssr-natural world

Back rewarding the guy, some of the challenges I came back from were:

1) Next server outages: I still don't know the workaround this. The app terminates, browser giving an error about using up memory. I have to wait for about 10 minutes before I can access the app again

2) spring Webflux authentication not hydrating: I was unexpectedly asked to work on the back end too, where I got tortured with this horrifying condition. The most poorly documented framework for the Web has no upto date guide on how to implement jwt security measures. I opened a question on stackoverflow. A day later, both my question and the helpful answer got downvoted

3) Zustand not retrieving any data from localstorage once page reloads, until I miraculously stumbled on a hack: there's a config callback for reading state after rehydration or thereabout. So I interact with the state there. That's the only way content clearly in localstorage can get transmuted into dynamic format accessible by the code

4) Mongo database suddenly disconnecting: for no apparent reason, this bailed. Accessible on compass. This was even when I realised it was responsible for front end requests not going through. Eventually created a new database and requests surprisingly began connecting again. Thankfully, my laravel background taught me about seeders so I had them on standby from the onset. Wasn't difficult to just port to a fresh database after confirming the first one was inaccessible to the app

After this painful odyssey and the time constraints, threats of moving forward with someone else, I deserve every dime they deem me worthy of and more

A few days ago our server was compromised due to an outdated Jenkins version. The malicious user installed a crypto miner on the server... The same day that it was found I told management that I'm interested in helping out with the server. Since then, nothing happened... No updates, no security measures, no nothing (except for the removed crypto miner and updated Jenkins software)

Oh well only a matter of time before another hack...

Question to some (who work way way way longer than me) med - seniors, should I make a big deal out of this? And keep pressure on it. Or should I just leave it be and wait for the next comprised server? I know devrant is not a Q&A service, but some dev to dev advice is much appreciated.

- incognito

Dependency hell is the largest problem in Linux.

On Windows, I just download an executeable (.exe) file, and it just works like a charm! But Linux sometimes needs me to install dependencies.

At one point, I nearly broke my operating system while trying to solve dependencies. I noticed that some existing applications refused to start due to some GLIBC error gore. I thought to myself "that thing ain't gonna boot the next time", so I had to restore the /usr/lib/x86_64-linux-gnu/ folder from a backup.

And then there is a new level of lunacy called "conflicting dependencies". I never had such an error on Windows. But when I wanted to try out both vsftpd and proFTPd on Linux, I get this error, whereas on Windows, I simply download an .exe file and it WORKS! Even on Android OS, I simply install an APK file of Amaze File Manager or Primitive FTPd or both and it WORKS! Both in under a minute. But on Linux, I get this crap. Sure, Linux has many benefits, but if one can't simply install a program without encountering cryptic errors that take half a day to troubleshoot and could cause new whack-a-mole-style errors, Linux's poor market share is no surprise.

Someone asked "Why not create portable applications" on Unix/Linux StackExchange. Portable applications can not just be copied on flash drives and to other computers, but allow easily installing multiple versions on a system. A web developer might do so to test compatibility with older browsers. Here is an answer to that question:

> The major argument [for shared libraries] is security, that if there is a vulnerability in a commonly-used library, then only that library has to be updated […] you don't have to have 4 different versions of a library installed

I just want my software to work! Period. I don't mind having multiple versions of libraries, I simply want it to WORK! To hell with "good reasons" for why it doesn't, and then being surprised why Linux has a poor market share. Want to boost Linux market share? SOLVE THIS DAMN ISSUE!.

Understand that the average computer user wants stuff to work out of the box, like it does in Windows.

Hello everyone :)

So, I've recently switched from Windows 8 to Debian on my work (or study, rather) laptop, and so far it's been pretty intuitive and practical! But I'd like to explore the world ofr Linux a bit more in-depth, especially considering the fact that I'll "soon" head off to study Security in university. So, here's my question for y'all: does anybody happen to have good resources to share about linux system administration?
Thanks in advance! ^^

So while exploring some new ideas, I decided to figure out if I could use variables in the known set to determine the bounds of variables in the unknown set.

The variables in question are algebraic identities derived from the semiprimes, so you already know where this is going.

The existing known set is 1194 identities.
And there are, if I recall, roughly two dozen unknowns.

Many knowns have the unknowns as their factors. The d4 product set for example is composed of variables d4a, d4u, d4z, d4z9, d4z4, d4alpha, d4theta, d4omega, etc.
The component variables themselves are unknown, just their products are known. Anyway.

What I've found interesting is if you know the minimum of some of these subsets, for example d4z is smallest out of the d4's for some semiprimes, then you know the upperbound of both the component variables d4 and z.

Unless of course either of them is < 1.

So the order of these variables, based on value, changes depending on the properties of the semiprime, which I won't get into. Most of the time the order change is minor, but for some variables they can vary a lot between semiprimes, rapidly shifting their rank in the known set. This makes it hard to do anything with them.

And what I found myself asking, over and over again, was if there was a way to lock them down? Think of it like a giant switch board, where flipping one switch lights up N number of others, apparently at random. But flipping some other switch completely alters how that first switch works and what lights it seemingly interacts with. And you have a board of them thats 1194^2 in total. So what do you do?

I'd had a similar notion a while back, where I would measure relative value in the known set, among a bunch of variables, assign a letter if the conditions were present, and generate a string, called a "haplotype."
It was hap hazard and I wrote a lot of code to do filtering, sorting, and set manipulation to find sets of elements in common, unique elements, etc. But the 'type' strings, a jumble of random letters, were only useful say, forty percent of the time. For example if a semiprime had a particular type starting with a certain series of letters, 40% of the time a certain known variable was guaranteed to be above a certain variable from the unknown set...40%~ of the time.
It was a lost cause it seemed.

But I returned to the idea recently and revamped the entire notion.

Instead what I would approach it from a more complete angle.
I'd take two known variables J and K, one would be called the indicator, and the other would be the 'target'.
Two other variables would be the 'component' variables (an element taken from the unknown set), and the constraint variable (could be from either the known or unknown set).

The idea was that relationships between the KNOWN variables (an indicator and a target variable) could be used to indicate the rank relationship between the unknown component variable and the constraint variable.

You'd think this wouldn't work either, but my intuition was there were so many seemingly 'random' rank changes of variables in the known set for any two semiprimes, that 1. no two semiprimes ever shared the same order for every variable, and 2. the order of the known variables had to be leaking information about the relationships of the unknown variables.

It turns out my intuition was correct.

Imagine you are picking a lock, and by knowing the order and position of the first two pins, you are able to deduce the relative position of two pins further back that you can't reach because of the locks security features. It doesn't let you unlock the lock directly, but by knowing this, if you can get past the lock's security features, you have a chance of using information about the third pin to get a better, if incomplete, understanding about the boundary position of the last pin.

I would initiate a big scoring list, one for each known element or identity. And then I would check it in tandem like so:

if component > constraint and indicator > target:
indicator[j]+= 1

This is a simplication, but the idea was to score ALL such combination of relationship, whether the indicator was greater than the target at the same time a component was greater than a constraint, or the opposite.
This worked out to four if checks and four separate score lists.

And by subtracting one scorelist from another, I could check for variables that were a bad fit: they'd have equal probability of scoring for example, where they were greater than the target one time, and then lesser than it for another semiprime.

So for any given relationship, greater or lesser between any unknown variable and constraint variable, I could find any indicator variable and target variable whose relationship strongly correlated to the unknown's.

Legal Question regarding E-Commerce / Credit Card Payments.

The User sends his Credit Card Information (number/expiration Date/Safety Number) over email to vendor. Vendor types this info from the email into a Credit Card Terminal.

Is this even legal? I thought when listing Credit Card Payment you have to use a PSP (Payment Service Provider) that conforms to the security regulations etc.

I recently went to an office to open up a demat account

Manager: so your login and password will be sent to you and then once you login you'll be prompted to change the password

Me: *that's a good idea except that you're sending me the password which could be intercepted* ok

Manager: you'll also be asked to set a security question...

Me: *good step*

Manager: ...which you'll need to answer every time you want to login

Me: *lol what? Maybe that's good but kinda seems unnecessary. Instead you guys could have added two factor authentication* cool

Manager: after every month you'll have to change your password

Me : *nice* that's good

Manager: so what you can do change the password to something and then change it back to what it was. Also to remember it keep it something on your number or some date

Me: what? But why? If you suggest users to change it back to what it was then what is the point of making them change the password in the first place?

Manager: it's so that you don't have to remember so many different passwords

Me: but you don't even need to remember passwords, you can just use softwares like Kaspersky key manager where you can generate a password and use it. Also it's a bad practice if you suggest people who come here to open an account with such methods.

Manager: nothing happens, I'm myself doing that since past several years.

Me: *what a fucking buffoon* no, sir. Trust me that way it gets much easier to get access to your system/account. Also you shouldn't keep your passwords written down like that (there were some password written down on their whiteboard)

Manager: ....ok...so yeah you need sign on these papers and you'll be done

Me:(looking at his face...) Umm..ok

Hi everyone,

One question is constantly popping in my head and I keep fighting to figure out how to answer.

So here it is:
Are you for or agains a password manager to store all your passwords?

P.S.
I am using a paid password manager, but keep asking myself is it really worth it, and am I compromising all my passwords if someone is willing to spend some time and hack my vaults. On the other hand the convenience and benefit of having all passwords in one place and also using different strong passwords for each of my accounts protects me from a weak security implementation on any third party service I use, because I am not re-using the same password everywhere.

Challenge questions are so goddamn stupid.

Apparently I have an account with a certain online organization though I don't remember setting it up.

So naturally I had no idea of my username or password, so they asked me challenge questions.

It asked me the city of my birth, which is a place with a weird spelling. Because of that weird spelling, I never remember if I'm spelling it right (I was only there as a newborn infant) And I'm also supposed to remember if I capitalized it or not.

I hate challenge questions. And anyone doing any remotely simple research on me shouldn't have trouble learning what city I was born in so it seems to me it's a security vulnerability, nothing more.

And maybe I'm giving things away by saying it asks me that question, but it's a common security question any hacker would anticipate anyways.

Is it considered hacking if it may or may not be your account that you guessed the security question to?

The evolving of software engineering is highly dependent on hardware engineering.
If only software engineering would evolve then there would eventually be a point where theres nothing more to do due to the lack of hardware to develop software for.

So its more a question of how you see hardware engineering evolving.

I expect that there will be a point in the future where we have techology which in big scale does dangerous or time consuming tasks. Like for example at nuclear reactors or at other high level security and high risk locations. This of course requires highly sofisticated ai software.

Question - my field is information security (or cyber security if you want to think of me as a time lord), but I wanted to know;
Front end and back Devs, how much time do you spend on security issues and/or implementing security measures?

Avoided IoT(IoS - InternetOfShit) for a long time now, due to the security concerns with retail products.
Now I looked into 433 Transceiver + Arduino solutions.. to build something myself, just for the lolz.

Theory:
Smallest Arduino I found has 32 KByte of programmable memory, a tiny tiny crypto library could take around 4 KBytes...

Set a symetric crypto key for each homebrewn device / sensor / etc, send the info and commands (with time of day as salt for example) encrypted between Server <-> IoT gadget, ciphertext would have checksum appended, magic and ciphertext length prepended.

Result:
Be safe from possible drive-by attacks, still have a somewhat reliable communication?!
Ofc passionate hackers would be still able to crack it, no doubt.

Question: Am I thinking too simple? Am I describing just the standard here?

So I decided to install a third OS on my laptop and oh boy, I never thought I'd have to deal with so many issues!

First, I had to make space for the new OS, so I did the only feasible thing - Shrunk a windows partition (Used for gaming only), then installed the third OS into it. (For clarification, one OS was Windows, the second Debian for work and the new one was Kali for a course at school about security and ethical hacking)

Well... After I installed and tried out that the Kali worked... My Debian began to make problems. It would hang for almost a minute during start as it tried to mount a (for some reason) no longer existing Swap partition.

After it gave up and I found out... I, fortunately, fixed it after just a bit of googling. At least I learned to repack the ramfs.

It worked all fine and dandy... Only... My Debian now shared the swap with Kali.

Few weeks forward, last friday, I tried to boot up Kali at class... Only for it to... Stop at a black screen, weird.

Some minor detective work later, I found out nothing was... Wrong really.
But... For some mysterious reason, my complete GDM just.... No longer worked.

One LightDM and XFCE instal later (Thanks god that at least TTY still worked fine), it finally worked again, and this time, I booted back into Debian, shrunk the Kali partition a little more and dedicated it's own swap there. Setting and resetting everything, and finally had a working triple-boot laptop...

My only question is... Why?

Does sharing Swap really affect the system so much, besides hibernation ofc.

Done it once or twice when finishing up a feature for a presentation/delivery the next day.

I'm leaning on the side of Not Worth It because I'd rather not be sleep deprived and dumb in brainy brain when interacting with the client and demoing my other stuff.

I guess it's usually when my perfectionism flares up that I'm likely to do stuff like that.

Will consider an all-nighter if it's reeeally necessary but there's few scenarios I can imagine where that is warranted. Maybe when working on a very serious security flaw or something of that nature. Most stuff can wait a couple of days...

Edit: goddamn I guess I committed the sin of not really answering the question. There's no story here. Boooo. Permission to hate myself, captain?

It's 2016 and Android still doesn't support ODBC (let alone OLEDB). Every time somebody asks how to connect their app to a database directly, the groupthink brigade goes "dur hur, use JSON/SOAP/XML services cuz raisins!1one*." That wasn't the fucking question. I don't want your framework-cobbling make-work dependencies. Even the cretins at Xamarin, trying desperately to hook Windows C# programmers, only have SQL Server support because Microsoft fucking did it for them. WTF have Android developers done over 7 OS versions if basic features like database access are still fucking missing? No wonder the App Stores are full of Mickey Mouse garbage.

*raisins!1one = "I don't know how to secure a database so I'll just yell 'security!1one' so people think I r smrt"

To update or not to update, that is the question.

To update: Cool new features, fixes, and security patches.

Not to update: to debug issues majority of techtard users will face in older versions.

rants[0] =

"tl;dr: the account creation process at salesforce.com is really flawed.

In a lecture we were supposed to try out different CRM tools, one of them was salesforce. They are the worlds largest CRM software provider - not relevant for the rant, but it means they should have enough $$$ and competence to make something better.

When you create your account, you do not set a password. Instead they send you an email with a link, serving both as account activation and for setting your password. However, if you close the tab without setting a password, your account is still activated and the link in the email won't work anymore.

Alright, rather annoying, but that's why you can reset your password via email, right? Wrong. When you try to reset your password, they prompt you with a security question. Even when you never set them up. And obviously can't give the right answer. Who designed this logic?

On top of that, they nicely tell you to contact your sys admin if you are still having issues. My account is private. Not associated with any company.

So yeah, burned 3 emails until I figured that out and created 3 accounts I can never access again.";

I've been programming for 15 years now or more if I count my years I programmed as a hobby. I'm mostly self learned. I'm working in an environment of a few developers and at least the same amount of other people (managers, sales, etc). We are creating Magento stores for middle sized businesses. The dev team is pretty good, I think.

But I'm struggling with management a lot. They are deciding on issues without asking us or even if I was asked about something and the answer was not what they expect, they ask the next developer below me. They do this all the way to Junior. A small example would be "lets create a testing site outside of deployment process on the server". Now if I do this, that site will never be updated and pose a security risk on the server for eternity because they would forget about it in a week. Adding it to our deployment process would take the same time and the testing site would benefit from security patches, quick deployment without logging in to the server, etc. Then the manager just disappears after hearing this from me. On slack, I get a question in 30 minutes from a remote developer about how to create an SSH user for a new site outside of deployment. I tell him the same. Then the junior gets called upstairs and ending up doing the job: no deployment, just plain SSH (SFTP) and manually creating the database. I end up doing it but He is "learning" how to do it.

An other example would be a day I was asked what is my opinion about Wordpress. We don't have any experience with Wordpress, I worked with Drupal before and when I look at a Wordpress codebase, I'm getting brain damage. They said Ok. The next day, comes the announcement that the boss decided to use Wordpress for our new agency website. For his own health and safety, I took the day off. At the end, the manager ended up hiring an indian developer who did a moderately fair job. No HiDPI sprites, no fancy SASS, just plain old CSS and a simple template. Lightyears worse than the site it was about to replace. But it did replace the old site, so now I have to look at it and identify myself part of the team. Best thing? We are now offering Wordpress development.

An other example is "lets do a quick order grid". This meant to be a table where the customer can enter SKU and quantity and they can theoretically order faster if they know the SKU already. It's a B2B solution. No one uses it. We have it for 2 sites now and in analytics, we have 5 page hits within 3 years on a site that's receiving 1000 users daily... Mostly our testing and the client looked at it. And no orders. I mean none, 0. I presented a well formatted study with screenshots from Analytics when I saw a proposal to a client to do this again. Guess what happened? Someone else from the team got the job to implement it. Happy client? No. They are questioning why no one is using it.

What would you do as a senior developer?

- Just serve notice and quit
- Try to talk to the boss (I don't see how it would work)
- Just don't give a shit

I recently joined DevRants, and with me joining any new site or media where you can share I am usually the guy who is shy and likes to sit back and watch/read. However I wanted to post a question as I am trying to get a job within the Cyber Security field. I have a computer science degree and honestly I feel like I can't even code at a level I should be able to. I am also currently working/studying for my CompTIA Security+. It has been going good but, I always second guess myself and doubt my abilities. I guess this a a slight rant and question so far.

My question is how can I better improve both my skills (coding, linux, and security) and also my mental. I would say its imposter syndrome but I don't have a job so I don't think it would be fair to say it is. I just want to break into the job field and show people that if given the help and resources I can excel at the task given. I do learn fast and pick things up pretty good. Any help/recommendations is much appreciated, and I look forward to more talks.

How much of an asshole you have to be to say the poster doesn't know PHP and bitch about "security problems" in an answer to a clearly newbie question about forms and redirection on Quora?

Question for all the security/privacy nerds here. What is your opinion of the social network called Minds that pays you for your information basically.

(This is a very brief probably inaccurate summary but yeah, it’s basically reverse Facebook)

Questions more then a rant...

I've moved from being a lead on imploring DevOps and Agile practices in a large Telco to now working for a security consultancy... The team I'm with are s*** hot when it comes to SecOps (which is why I changed jobs) and I've been hired to he the automation and working practice expert on the team. Already got some of them learning Ansible which is a great start!

I've got delivery now being pushed to Git and all client work being tracked in Jira and properly documented and collaborated through HipChat and other CI tools on the way....

My question is this... Does anyone have some awesome resources to teach people Git, Jira, Jenkins, etc. quickly without forking or branching out on expensive training? Focus on being a technical but consultative team. Ideally just wanna pull some awesome guides and make. My own commits on them for the team... Please fire a story or epic away!

So, after studying software development and games programming, I ended up working as a Salesforce developer. Been doing it for over a year now, but it's still not something I'm passionate about.

I got invited to an interview for a different job. Games industry related, using golang to do backend work.

Switching from Salesforce to Engine. From frontend to backend. I have faith that I can do it, the question I'm struggling with is... Should I?

I have no idea what the pros and cons are, junior dev In both roles, pay is about the same but for the fields themselves, is being a backend dev better than frontend? Is golang a desired language? Do I have career security by learning these things?

Or should I stay where I am now, give up enjoying my job in favour of something I class incredibly easy?

Any advice would be greatly appreciated.

How many people on devRant are skilled with pentesting / Offensive Security? How long did it take you to understand it? How do you keep yourself from crossing over white hat territory into grey hat territory?

(Question/0.5Rant)

So I am working on a mixed API (aka reachable from anywhere, but also only accessible by specific allowed devices) and I am struggling with the security of it, its not managing anything hardcore (this API is "is the coffe ready?" kind of level) or I would have just enforced per device registration for example already, but the app that goes with that API is deployed remotely and has to be "ready to go!!!" out of the box, so I can't add any registration, verifications of devices etc.

The main thing I am afraid of is, that one of those agent retards will get his spaghetti phone blasted from the inside, so all the https calls will be read out by some random attacker, which then will be able to "abuse" the API via read out api-key, is there any way for me to have a rescue plan if one of those retards does get hacked and the system then get spammed or something, like if I log all devices that use the API I could just deny access from that device (until resolved) and issue a new app update via new api key.

What's the best way of handling this and is my idea really the only way to handle this? this shitfest is really causing shit ton of ideas in my head, which then I deny literally 20 seconds later, because there's a way to bypass it or once you have the old api key to get a new one by just monitoring it etc.

Yeah, so when you create an account just about anywhere nowadays, you need to choose a strong password. Fair enough. But then, some sites/services/systems require a second password, sort of a password hint as an extra security for retrieving your first password in case you forget it. Well OK...That hint question just becomes very *in*secure when you must choose from some extremely stupid presets like "In which town were you born?" or "What was your mother's maiden name?", all of which are trivia that for most people can be easily googled, or looked up on facebook ffs. And these "in which town did this or that happen?" questions? As there is only one town in my country it's not a long shot that I was born in Mariehamn, met my partner in Mariehamn and had my first job in Mariehamn. Security questions for imbecils.

A question to all software security specialists of devRant. Please, take it serious.

Is it fundamentally possible to restrict a SQL database like Postgres in a way that unintended SQL queries are impossible to execute? Perhaps in some kind of whitelist fashion. Is it possible to achieve the kind of security that will be just fine exposed to the outside world akin to "SQL queries in onClick handlers" scenario?

Or is this an uphill battle of never being able to moderate an infinite set of possible fraudulent queries?

I’m working on a new app I’m pretty excited about.

I’m taking a slightly novel (maybe 🥲) approach to an offline password manager. I’m not saying that online password managers are unreliable, I’m just saying the idea of giving a corporation all of my passwords gives me goosebumps.

Originally, I was going to make a simple “file encrypted via password” sort of thing just to get the job done. But I’ve decided to put some elbow grease into it, actually.

The elephant in the room is what happens if you forget your password? If you use the password as the encryption key, you’re boned. Nothing you can do except set up a brute-forcer and hope your CPU is stronger than your password was.

Not to mention, if you want to change your password, the entire data file will need to be re-encrypted. Not a bad thing in reality, but definitely kinda annoying.

So actually, I came up with a design that allows you to use security questions in addition to a password.

But as I was trying to come up with “good” security questions, I realized there is virtually no such thing. 99% of security question answers are one or two words long and come from data sets that have relatively small pools of answers. The name of your first crush? That’s easy, just try every common name in your country. Same thing with pet names. Ice cream flavors. Favorite fruits. Childhood cartoons. These all have data sets in the thousands at most. An old XP machine could run through all the permutations over lunch.

So instead I’ve come up with these ideas. In order from least good to most good:

1) [thinking to remove this] You can remove the question from the security question. It’s your responsibility to remember it and it displays only as “Question #1”. Maybe you can write it down or something.

2) there are 5 questions and you need to get 4 of them right. This does increase the possible permutations, but still does little against questions with simple answers. Plus, it could almost be easier to remember your password at this point.

All this made me think “why try to fix a broken system when you can improve a working system”

So instead,

3) I’ve branded my passwords as “passphrases” instead. This is because instead of a single, short, complex word, my program encourages entire sentences. Since the ability to brute force a password decreases exponentially as length increases, and it is easier to remember a phrase rather than a complicated amalgamation or letters number and symbols, a passphrase should be preferred. Sprinkling in the occasional symbol to prevent dictionary attacks will make them totally uncrackable.

In addition? You can have an unlimited number of passphrases. Forgot one? No biggie. Use your backup passphrases, then remind yourself what your original passphrase was after you log in.

All this accomplished on a system that runs entirely locally is, in my opinion, interesting. Probably it has been done before, and almost certainly it has been done better than what I will be able to make, but I’m happy I was able to think up a design I am proud of.

Soo since my last rant on my whole f'ed life last December, life has been going on for a while.

I've been married and FINALLY land on 2 part-time job ( both require on site but time is flexible), so I do both currently. But after 2 month or so, I start to have some problem with my health. I've been working 12 hrs a day, not mentioning average 2 hrs on college classes daily, and my body health starts to weaken overtime.

I've lost 7 kg of weight in a single month and another 5 in the second month. ( Granted I as m obese so this is quite a good thing).

While one of the work still under trial period for 3 months, but sign says that I would asked to stay longer. And I can't afford to stop working bcs I need both salaries to help my little family stays afloat.

Wish me luck

*Btw, oot Question, but had anyone here working with an SDK from Russian based Security video management system named Axxon? If yes I want ask some question regarding their SDKs...

There is something serious about web browser extensions and the risk your data might be compromised just because of a simple stupid extension. You might harden the security of your machine and forgot about what you have installed as extensions, alot of people do not realize the risk because they simply install and give permissions as is.

The question is how to spot a malicious extension?

Hey there, I've never really done anything like this but I'm in the second year of college.
I really want to go into the security area, not completely sure but pretty inclined to pentesting.

The question is, what, in your opinion, do you think is a good starting point so I'm pretty much ready to start working when I finish my 5 year course? My college doesn't have any or many security classes, so I'll have to do it all by myself.

Right now I know java, C and html, css and Javascript, which I'm learning by myself.

Does CPU (WAN) receive and send packets too? With what?

Since my question, in all likelihood, won't get answered on StackOverflow, I hope I can ask it here instead. I hope that's alright.

So, I am currently developing a Feathers + Nuxt boilerplate, and am using localStorage to store the jwt.
But I noticed if I set the localStorage with the jwt manually, it will act as if I'm logged in, bypassing the entire login-function. So I solved this by using an iframe with a script that clears localStorage (and log out the user, if logged in) when something changes in the localStorage (by using the eventListener "storage"). (I am also observing the iFrame if someone deletes it, in the console, and re-inserts itself).

My question is if this would carry any security risks? Like, would this be a bad thing to do, security wise? Is it alright to leave it alone and let users/visitors to set the jwt manually?

context i am 20 y/o student studying in mumbai uni college

SO RECNTLY I GRABBED A INTERNSHIP AT A BIG SOFTWARE COMPANY AS A SDE INTERN

so before all this i was that guy of college who was never been invited to parties or nightouts as i am not from a rich Bg they used to tease me on my style of clothing how i used to talk my english is fluent still i used to get bullied. I just had this female friend of mine which everytime used to support me let it be Leetcode question staying up late with me for studies but she was also teased because of me as i was not from a well known family or had money to show flashy things... she was so happy when i got this internship

PS it is my first day of my internship i went to the campus it was so prettty as i havent see anything pretty as this office campus so i clicked the picture standing next to the company logo the watchmen clicked it for me as i was too early to the campus there were no on, i was smiling like a dumb person that security guy was happy after knowing my story then i posted it on my IG and snapchat then i went it wait for onboarding stuff and then i got to meet my HR and she discussed everything she was sweet enough to explain me everything in detail too friends staff then when i checked my phone when the day was completed from office

guess what all those people who used to mock me and my friend for being nerds and used to mock me because of my financial bg now they were congratulating me and asking me how i got this and all
so i just want you to know please don't judge anyone or bully anyone just because of their bg they are always suffering in dark i will like to thank my close friend which was always with me

ty guys for reading till end

Is there an encryption/decryption algorithm that's guaranteed to have an output of less than 100 chars? Say to encrypt messages less than 50 chars in length

So first day on the job, I'm in the application security team. Any tips? Anything much appreciated!

hello folks, any help would appreciated :). serious question about designing/developing a rest backend.

here is a little insight: I want to reduce the endpoints for many CRUD operations as I can. So for that approach I defined a set of "dynamic" routes like /:moduleName/list, /:moduleName/update and so on.

Now I want to also reduce hardcoding as much stuff as I can for the front end. like I want forms/view/components to know which fields can be sent in the "/:moduleName/xxx" endpoints from above. So I'm thinking to make some /:moduleName/list/map, /:moduleName/update/map endpoints that tells the frontend which fields/keys can be sent for X or Y operation.

regarding design/security concerns Is that a good approach? do you know any other approach that's like to what I want to achieve?

A philosophical question about maintenance/updating.

There is no need to repeat the reasons we need to update our dependencies and our code. We know them/ especially regarding the security issues.
The real question is , "is that indicates a failure of automation"?

When i started thinking about code, and when also was a kid and saw all these sci fi universes with robots etc, the obvious thing was that you build an automation to do the job without having to work with it anymore. There is no meaning on automate something that need constant work above it.

When you have a car, you usually do not upgrade it all the time, you do some things of maintance (oil, tires) but it keeps your work on it in a logical amount.
A better example is the abacus, a calculating device which you know it works as it works.

A promise of functional programming is that because you are based on algebraic principles you do not have to worry so much about your code, you know it will doing the logical thing it supposed to do.
Unix philosophy made software that has been "updated" so little compared to all these modern apps.
Coding, because of its changeable nature is the first victim of the humans nature unsatisfying.

Modern software industry has so much of techniques and principles (solid, liquid, patterns, testing that that the air is air) and still needs so many developers to work on a project.
I know that you will blame the market needs (you cannot understand the need from the start, you have to do it agile) but i think that this is also a part of a problem .
Old devices evolved at much more slow pace. Radio was radio, and still a radio do its basic functionality the same war (the upgrades were only some memory functionalities like save your beloved frequencies and screen messages).

Although all answers are valid, i still feel, that we have failed. We have failed so much. The dream of being a programmer is to build something, bring you money or satisfaction, and you are bored so you build something completely new.

For any network security gurus, quick question

Does disabling NSAllowsArbitraryLoads on iOS add latency to network requests over http? if yes why?

Thinking to start smoking 🚬

Never tried it once in 26 years not even a sip even refused temptations from school friends

Now by starting a job, i have no security, ironically. I feel like i stepped at the leap of a bottomless pit and tomorrow i jump into it and fall... and fall....and fall..... No end.

I have no idea how to use ansible and rexify.org and thats what I'll need to use. I have no idea how to do devops with Azure, and thats what ill do. I only build devops with terraform on Aws.

The unknown of 9-5 is frightening me more than starting a business. Paradoxically, i think it would come as a relief to get fired within the first week from failing to complete literally everything

On top of that my blonde gf disappeared yesterday for 3-4 hours. No texts no phone calls. Called for 2 times no answer. Called 3rd time and got a voice message the phone was shut down. 3-4 hours later she said she was with mom at shopping and didnt have internet

I also caught her texting some random guy on instagram. They both have vanish mode enabled (texts delete themselves as soon as you leave the conversation). Confronted her today. She wont tell me the truth. Likes his pics on ig. Keeps lying. On a question "why do you have vanish mode enabled with him?" her answer is "well i guess married men always use vanish mode"

Im tired

Too much shit unraveling. The opening of 2024 already doesnt look good

Why do good people die in accidents or diseases but i dont and i live? Shits unfair. Why doesnt nature/God fucking kill me? I beg to die. I hope to die. I pray for something to kill me. It would come as such a relief.

This life is meaningless and empty to me. typeof(life) yields a void. I dont value it. Its shit. Whether succeed or fail its meaningless. Nihilism was right

I am literally a walking dead. Physically moving but spiritually dead. Mentally lost. I am the captain of a ship in the middle of the ocean who no longer knows where the ship is going

Why cant i just get cancer or something. Can cigarettes help me get it? Cause I'll start consuming that shit right away to speedrun that process

End it

Question: i'm doing my user management with js... Is this a good idea (security-wise)???

Hey. I'm still very new to CloudFlare and I have a question.

Let's say that I have 4 sub domains: a.test.com, b.test.com, c.test.com, d.test.com. They're all under the same domain (test.com).

I have a page rule setup specifically for a.test.com, where "Disable security" is set to On. I did this as a temporary solution so that I can figure out the problems that a.test.com has when the security is enabled (had users complaints regarding not being able to send requests with CF security On), so that it is still accessible while I try to fix it..

By turning disabling security for a.test.com, do I put others (b, c, d) at risk? I had someone telling me that it is possible for attackers to make use of a.test.con (unprotected by CF) in order to attack the other sub-domains. "a.test.com has no protection so attackers can use it to send requests to other secured subdomains, cross-site attack" or something along that line.

I don't get this. I thought page rule is supposed to be active only for the domain where it's being set up and the rest will still be secured, and that if attacker manages to attack the other subdomain its due to the others not having secure applications inside of it.

Dunno if that person was telling the truth or tried to mess around with me with their joke!

Thanks!

!rant question:
How does military level security can be achieved in a software company?
Do we really need two computers for each dev, one local and one for using internet? Is there any standard on setting up an infrastructure like that? Point me if you have any info please.

this afternoon, we got email from our pentester. He said that he got some security vulnerability in our project. He found .git/ folder in project directory in production server. He considered it as security vulnerability because user can see all git branch on remote repo. He recommend us to remove that folder but the problem is, we using CI/CD so we need that .git/ folder. My question is it bad practice to use git on production server?