Search - "sensitive"
-
*client calls in*
Me: good morning, how can I help you?
Client: my IP is blocked, could you unblock it for me?
Me: certainly! What's your IP address? Then I'll have a look.
Client: I'm not giving you my IP?! That's too privacy sensitive.
Me: 😶
Me: 😶
Me: 😶
Me: sir, I'm very keen on my privacy myself but without that information I can't do much for you 😬
Client: ah so you're refusing to help me?
Me: not like that, it's just very hard to lift an IP block for me when I don't know the IP address.
Client: you just don't want to help, fine.
*click*
😶
-
Meeting with asshole partner company CEO at restaurant.
Me: "I'm a bit worried about the bugs in your API. There are some ways to retrieve privacy sensitive info from public endpoints"
CEO: "Well, we're a rapidly growing startup!"
Me: "Uh... so?"
CEO: "So... Move Fast and Break Things! Priority is to improve our API further, and we'll fix bugs as they show up"
Me: "Maybe you should stop trying to emulate Zuckerberg in your management style. You know that even Facebook themselves admitted that their slogan was a retarded mistake"
Waiter shows up at table. CEO orders some overly expensive fish salad.
CEO: "Well, they have done something right... they're worth billions"
Waiter asks me: "And you sir, have you made your choice?"
Me: "Do you serve popcorn?"
CEO: "Popcorn for lunch?"
Me: "No, for your congressional hearing"
-
My mom got audited for storing sensitive client information in her Gmail account without using a VPN or any other real security.
I had been telling her this was an issue for literally the last three years and she's brushed me off every time.
I got yelled at for not telling her I was serious.
-
My mentor/guider at my last internship.
He was great at guiding, only 1-2 years older than me, brought criticism in a constructive way (only had a very tiny thing once in half a year though) and although they were forced to use Windows in a few production environments, when it came to handling very sensitive data and they asked me for an opinion before him and I answered that closed-source software wasn't a good idea and they'd all go against me, this guy quit his nice-guy mode and went straight to dead-serious backing me up.
I remember a specific occurrence:
Programmers in room (under him technically): so linuxxx, why not just use Windows servers for this data storage?
Me: because it's closed source, you know why I'd say that that's bad for handling sensitive data
Programmers: oh come on not that again...
Me: no but really look at it from my si.....
Programmers: no stop it. You're only an intern, don't act like you know a lot about thi....
Mentor: no you shut the fuck up. We. Are. Not. Using. Proprietary. Bullshit. For. Storing. Sensitive. Data.
Linuxxx seems to know a lot more about security and privacy than you guys so you fucking listen to what he has to say.
Windows is out of the fucking question here, am I clear?
Yeah that felt awesome.
Also that time when a MySQL DB in prod went bad and they didn't really know what to do. Didn't have much experience but knew how to run a repair.
He called me in and asked me to have a look.
Me: *fixed it in a few minutes* so how many visitors does this thing get, few hundred a day?
Him: few million.
Me: 😵 I'm only an intern! Why did you let me access this?!
Him: because you're the one with the most Linux knowledge here and I trust you to fix it or give a shout when you simply can't.
Lastly he asked me to help out with iptables rules. I wasn't of much help but it was fun to sit there debugging iptables shit with two seniors 😊
He always gave good feedback, knew my qualities and put them to good use and kept my motivation high.
Awesome guy!
-
Story time:
I was once working on a project that dealt with incredibly sensitive financial data.
We needed a client’s database to do a migration.
They wouldn’t send it over the internet because it was too big and they didn’t think it would be secure.
They opt to send it in the post on an encrypted usb drive.
(Fair enough thinks I)
USB drive arrives.
Is indeed encrypted.
MFW there’s a post it note in the envelope with the password on.
MFW this is a billion dollar multinational petrochem company.
MFW this same company's 'sysadmin' and 'dba' once complained because a SQL script I sent them didn't work - they'd pasted it twice and couldn't work this out from the fucking "table already created" error message management studio was throwing at them.
-
Our current designer is convinced that 00FF44 bright green fits well with the rest of our soft purple/blue color scheme.
I am not a designer, but have worked in a color laboratory, so I've tried time and time again to explain CIE LAB color space, and how at least HCL is a good way to pick & group colors into palettes by using 2-3 luminances for equidistant hues while keeping chroma constant.
I've tried to tell him that the bright green almost physically makes my eyes bleed, because humans are quite sensitive to greens.
He just keeps using the phrase "but it makes the buttons pop nicely".
I just want to pop his skull open with my keyboard. 😫
-
Dear Microsoft,
Thanks for not completely fucking up Github. At least you didn't integrate Office365, allow only Azure deployments, or force downloading repos through OneDrive or something.
But like most developers, I don't deal well with changes to familiar interfaces.
So please.... STOP FUCKING TWEAKING THE BUTTON PLACEMENTS AND TEXTS ALL OVER THE WEBSITE.
(or at least send me a bottle of cognac and a box of chocolates before every UI experiment, so I can deal with it emotionally. I'm a very sensitive boy, you know).
-
Fuck open office spaces.
A few months ago I landed a super sweet job as a senior full stack developer, mainly going to work with their Python microarchitecture. The company pays well, has a sweet balance between freedom and responsibility, 30 days vacation etc.
During the recruiting process they walked me around the office that was super cozy with 14 devs in on large room and 10 people from marketing in another. They also mentioned that they would move and merge office with operations and customer service (around 100 more people) in a few months.
Life was good in the old office, I thought that this is the company where I will work for a looooong time.
Now we are in the new office and its fucking shit. No walls or FUCKING CEILINGS between departments. Right above my head there is balcony with customer service talking loud as fuck 24/7. Everyone that is not a developer is just so fucking loud.
I have to use earplugs AND earmuffs to get silence, or blast my ears with way too loud music. Every day around lunch I'm completely done mentally.
I know I'm extra sensitive to noise because of my ADHD, but seriously who the fuck thought this was a good idea?
All the devs have told our boss what needs to be done. If they listen I don't know. In the meantime I will start looking for a new job....
-
At my previous job we had the rule to lock your PC when you leave. Makes sense of course.
We were not programmers but application engineers, still, we worked with sensitive data.
One colleague always claimed to be the most intelligent and always demanded the "senior" - title. Which he obviously did not deserve.
multiple times a day forgot to lock his workstation and we had to do it for him.
My last week working there, I'd had it. He forgot it again... So I made a screenshot of his current environment. Closed everything. Set his new background to the screenshot and killed explorer (Windows). Then finally I locked his PC.
When he came back he panicked that his PC froze. He couldn't do shit anymore. Not knowing what to do... 😂
Which makes him a senior of course.
But seriously, first thing I would do is open the task manager and notice that explorer wasn't running... Thus my background with the taskbar isn't real.... My colleagues must be pranking me!
Nope... The "senior" knew little
-
Motherfucker. It's two thousand fucking seventeen. You can get a free SSL certificate for any website.
Then WHY are there still some fucking websites which contain login portals, sensitive information or anything that SHOULD be protected in transit WITHOUT FUCKING SSL?!
I hope that the people who manage those sites and are AWARE that they can get a free cert but don't do that die in agonising pain.
This really fucking pisses me off.
On another note, EVERY site should have SSL, it's free anyways and protects your visitors from a range of threats.
-
Before anyone starts going batshit crazy, this is NOT a windows hate post. Just a funny experience imo.
So I was tasked with installing Proxmox on a dedicated server at my last internship. The Windows admin was my guider (he could also do Debian). (he was a really nice/chill guy)
So we were discussing what VM's we wanted and the boss (really cool dude by the way) said he wanted a VPS for storing some company stuff as well. Fair enough, what would we use? I suggested debian and centos. Then we started discussing what we'd do if the systems would fuck up etc (at installation or whatever).
So I didn't wanna look like a Linux Nazi so I suggested windows. Then the happy/positive guider/windows admin suddenly became dead serious (I was actually like 'woah' for a second) and said this:
No. We're not going to fucking use Windows for this. For general servers etc sometimes, fair enough but we're talking about sensitive company data here. I don't want that data to be stored on a proprietary/closed source system, hell what if there's some kinda fucking backdoor built in, who can fucking verify that? We're using Linux, end of discussion.
😓
I was pretty flabbergasted as he's a nice guy and actually really likes windows!
Linux it became.
-
Not so much screaming as staring in disbelief, mumbling profanity in his direction...
When my department lead said "I don't think this unit testing hype or code reviews make much sense, it's more efficient to just make a checklist and test the application yourself"
This was the QA department of an aerospace company, we wrote NDT software to do image recognition on X-rays of alloy welds and micrometer laser measurements on fuel tank surfaces. Software which is quite mission critical, a single misrecognized welding fault could literally cost up to half a billion dollars — not to mention that it's a very sabotage & espionage sensitive industry.
After raising some hell he was replaced though.
-
SO GUESS WHAT
IF YOUR SHITTY WIFI CRAPS OUT DURING A VISUAL STUDIO UPDATE, VISUAL STUDIO FUCKING COMMITS SUICIDE
MICROSOFT CAN SUCK A BIG, VEINY COCK. I'M SO DONE WITH THEIR SENSITIVE, CONVOLUTED, SLOW IDE.
-
Humans!
The amount of sensitive, private, and secure information you can get just by asking someone for it is truly astounding.
-
Sometimes I wish I was allowed to just strangle my colleagues...
Example from the 'code base':
try:
    do_something()
except Exception as e:
    log(e)
    do_something()
When I asked why they would redo the same call right after it failed I was told that 'It works the second time because it takes time to raise the Exception'.
Bitch, you've got a race condition in your sensitive banking software. You know it's there. Do you really want to trust the time needed to raise your exception will always be enough to synch that dumpster fire you call code?
Show some fucking respect for your craft and fix that shit. But of course they won't, because it will work flawlessly until it suddenly stops working. Taking down who knows what in this damn, undocumented monolith with it....
Sometimes I'm honestly afraid to trust banks with my money.
-
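Added example, not from the rant above and not the poster's code. It reproduces the failure mode with a constructed dependency that becomes usable only after another thread finishes initialising it: the posted "catch, log, call again" pattern succeeds only if the second call happens to land after the race closes, and fails the same way as the first when it does not. The alternative shown makes the precondition explicit, waits on the readiness signal with a bound, and fails loudly. `LazyLedger`, the delay and the amounts are all assumptions for the demonstration.

```python
import logging
import threading
from typing import Dict

log = logging.getLogger("retry_demo")


class LazyLedger:
    """Constructed stand-in for a dependency that another thread is still
    initialising (a connection pool, a mounted volume, a warming cache)."""

    def __init__(self, ready_after: float) -> None:
        self._ready = threading.Event()
        # A background thread flips the switch later: this delay IS the race.
        t = threading.Timer(ready_after, self._ready.set)
        t.daemon = True
        t.start()

    def wait_ready(self, timeout: float) -> bool:
        return self._ready.wait(timeout)

    def post_transaction(self, amount: int) -> str:
        if not self._ready.is_set():
            raise RuntimeError("ledger not initialised")
        return f"posted {amount}"


def post_retry_once(ledger: LazyLedger, amount: int) -> str:
    """The pattern from the rant: catch, log, call again and hope the time
    spent raising the exception was long enough for the race to resolve."""
    try:
        return ledger.post_transaction(amount)
    except Exception as e:  # deliberately as broad as the original
        log.warning("first attempt failed: %s", e)
        return ledger.post_transaction(amount)  # raises again if the race is still open


def post_when_ready(ledger: LazyLedger, amount: int, timeout: float = 2.0) -> str:
    """State the precondition instead of guessing at timing: block on the
    readiness signal with a bound, and fail loudly if it never arrives."""
    if not ledger.wait_ready(timeout):
        raise TimeoutError(f"ledger still not ready after {timeout}s")
    return ledger.post_transaction(amount)


def compare(ready_after: float, amount: int = 100, timeout: float = 2.0) -> Dict[str, str]:
    """Run both strategies against a fresh ledger each; report the return
    value, or the name of the exception that escaped."""
    results: Dict[str, str] = {}
    try:
        results["retry_once"] = post_retry_once(LazyLedger(ready_after), amount)
    except Exception as e:
        results["retry_once"] = type(e).__name__
    try:
        results["wait_ready"] = post_when_ready(LazyLedger(ready_after), amount, timeout)
    except Exception as e:
        results["wait_ready"] = type(e).__name__
    return results


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    # Readiness arrives 300 ms after construction: the blind retry fires its
    # second attempt microseconds after the first and fails just the same.
    print(compare(0.3))
```

The point of the bounded wait is not that it is slower or faster; it is that the program states what it depends on and has exactly one well-defined way to fail when that dependency is absent, instead of a behaviour that changes with machine load.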
"We don't need to invest in security - no one is going to hack us anyway" == "We don't need a fire department in our city - fire is not going to start here anyway"
"We don't need to invest in security - everything is public anyway" == "We don't need a fire department in our city - our buildings are made out of straw anyway"
-- my thoughts after seeing a line in a client's spec: "sensitive data is transferred via a secure tcp channel (https) and all the public data is transferred via an unencrypted tcp (http) channel"
-
Devs: We need access to PROD DB in order to provide support you're asking us for.
Mgmt: No, we cannot trust you with PROD DB accesses. That DB contains live data and is too sensitive for you to fuck things up
Mgmt: We'll only grant PROD DB access to DBAs and app support guys
Mgmt: <hire newbies to app support>
App_supp: `update USER set invoice_directory = 54376; commit;`
----------------
I have nothing left to say....
-
Had a follow up meeting today to resolve the issue of Product ignoring our comments about possible issues, better ways to do it etc.
New rules:
- We are allowed to suggest to Product that they might be doing something wrong
- We are not allowed to tell product they are doing something wrong
- If Product don’t listen, that’s fine, we will document our comments to protect us later.
Conclusion:
Product are too sensitive to have a conversation with. We are now going to let them fuck everything up, make some notes and say “I told you so” at a later date.
Maturity at its finest ladies and gentlemen.
-
I remember that time my class (first year of software development) wrote a huge project for a real company as practice for irl stuff.
I was the only Linux user and it would be deployed on a Linux server.
Spent 10 weeks of development and then the moment of deployment on a Linux server began!
.
.
.
.
.
Nothing was case sensitive, everything was programmed for a windows architecture (backward slashes etc) and mssql was used while we would host it on a MySQL server.
The three core guys spent three days or so to make the entire fucker compatible 😂
It was enjoyable to see them (literally) sweat 😊 (it had been known from the very beginning)
-
Worst legacy experience...
Called in by a client who had had a pen test on their website and it showed up many, many security holes. I was tasked with coming in and implementing the required fixes.
Site turned out to be Classic ASP built on an MS Access database. Due to the nature of the client, everything had to be done on their premises (kind of ironic but there you go). So I'm on-site trying to get access to code and server. My contact was *never* at her desk to approve anything. IT staff "worked" 11am to 3pm on a long day. The code itself was shite beyond belief.
The site was full of forms with no input validation, origin validation and no SQL injection checks. Sensitive data stored in plain text in cookies. Technical errors displayed on certain pages revealing site structure and even DB table names. Server configured to allow directory listing in file stores so that the public could see/access whatever they liked without any permission or authentication checks. I swear this was written by the child of some staff member. No company would have had the balls to charge for this.
Took me about 8 weeks to make and deploy the changes to client's satisfaction. Could have done it in 2 with some support from the actual people I was suppose to be helping!! But it was their money (well, my money as they were government funded!).
-
This is the GREAT ROLLING website that I ranted about recently. I couldn't share more than this as other parts of the page contain sensitive information that is not out on the internet yet. The whole friggin page is like this. EVERYTHING ROLLS
-
My first testing job in the industry. Quite the rollercoaster.
I had found this neat little online service with a community. I signed up an account and participated. I sent in a lot of bug reports. One of the community supervisors sent me a message that most things in FogBugz had my username all over it.
After a year, I got cocky and decided to try SQL injection. In a production environment. What can I say. I was young, not bright, and overly curious. Never malicious, never damaged data or exposed sensitive data or bork services.
I reported it.
Not long after, I got phone calls. I was pretty sure I was getting charged with something.
I was offered a job.
Three months into the job, they asked if I wanted to do Python and work with the automators. I said I don't know what that is but sure.
They hired me a private instructor for a week to learn the basics, then flew me to the other side of the world for two weeks to work directly with the automation team to learn how they do it.
It was a pretty exciting era in my life and my dream job.
-
Root rents an office.
Among very few other things, the company I'm renting an office from (Regus) provides wifi, but it isn't even bloody secured. There's a captive portal with a lovely (not.) privacy policy saying they're free to monitor your traffic, but they didn't even bother using WEP, which ofc means everyone else out to the fucking parking lot four floors down can monitor my traffic, too.
Good thing I don't work for a company that handles sensitive data! /s But at least I don't have access to it, or any creds that matter.
So, I've been running my phone's connection through a tor vpn and sharing that with my lappy. It works, provides a little bit of security, but it's slow as crap. GET YOUR SHIT TOGETHER, REGUS.
AND WHILE YOU'RE AT IT, CLEAN THE SHIT OUT OF THE FUCKING BATHROOM FFS.
Ugh. $12/day to work in a freaking wind tunnel (thanks, a/c; you're loud as fuck and barely work), hear other people's phone conversations through two freaking walls, pee in a bathroom that perpetually smells like diarrhea, and allow anyone and everyone within a 50+ meter radius to listen to everything my computer says.
Oh, they also 'forgot' to furnish my office, like they promised. Three freaking times. At least I have a table and chair. 🙄
Desk? What desk?
Fucking hell.
-
It's not that I hate PHP, I just hate the lack of consistency in standard function naming and parameter order, nonsensical attribute access, nearly-meaningless comparison operators, reference handling, case (in)sensitivities, and more!
I mean, look at these functions:
strtoupper(...)
bin2hex(...)
strtolower(...)
And look at THESE FUNCTIONS:
array_search($needle, $haystack)
strpos($haystack, $needle)
array_filter($array, $callable)
array_map($callback, $array)
array_walk($array, $callable)
And let me jUST USE SOME ATTRIBUTES:
$object->attr = "No dollar sign...";
Class::$attr = "GOD WHY";
HOW ABOUT SOME COMPARISONS:
(NULL == 0) // true
(NULL < -1) // ALSO true
Functions AREN'T CASE SENSITIVE (at least variables are).
Wanna dereference? TOO BAD, YOU'LL HAVE TO GET OUT THE TNT.
Alright, yeah, I hate PHP.
-
Me: "Ugh. Soo insensitive.." *angry muttering*
Curious cousin: "Whom? What? Why?"
Me: "My stupid Mac is not case sensitive so I have to mount a Unix partition and reference it from somewhere else. Why wouldn't they just make a case sensitive filesystem like a proper Unix based OS?"
Clearly uninterested cousin: "seriously?! You called your laptop insensitive? I thought you were talking about a guy" ..
Filthy casuals.
-
HR: Hey you really need to be more sensitive with what you say
Dev: What makes you bring this up?
HR: Well we had a concerned employee overhear you telling one of the interns that the Russian word for “approved” is “blyat”.
Dev: Ah.
-
Just wow. I am amazed by what just happened.
A year ago my parents decided to switch from desktop to laptop for convenience. Knowing their needs, i bought them one without an OS and installed Ubuntu 16.04 on it. The thing is that if you do a regular maintenance of the laptop once a year at their partner company, you get additional 4 years of warranty (this offer is amazing).
So today was the day I brought the laptop for this maintenance for the first time. They make you a profile on their support website where you can track shit regarding your device, super convenient. First thing I noticed was that the login page was not HTTPS. Awkward, but there is no sensitive data here so I let it pass. Naturally I forgot my password, so I requested a new one and guess what? I received it in plaintext via mail. A tech repair oriented company does this, my god.
I went there, gave them the laptop in question and got a piece of paper, where they wrote that the laptop is in their hands now, and the current physical state of the laptop, and blabla.
I got home and I read what the guy wrote among other things: THE OPERATING SYSTEM IS NOT LEGAL.
How the fuck is Ubuntu not legal??? What the fuck is this shit? I sure as hell didn't torrent it or buy a bootlegged copy on the streets.
-
The gift that keeps on giving... the Custom CMS Of Doom™
I've finally seen enough evidence why PHP has such a bad reputation to the point where even recruiters recommended me to remove my years of PHP experience from the CV.
The completely custom CMS written by company <redacted>'s CEO and his slaves features the following:
- Open for SQL injection attacks
- Remote shell command execution through URL query params
- Page-specific strings in most core PHP files
- Constructors containing hundreds of lines of code (mostly used to initialize the hundreds of properties)
- Class methods containing more than 1000 lines of code
- Completely free of namespaces or package managers (uber elite programmers use only the root namespace)
- Random includes in any place imaginable
- Methods containing 1 line: the include of the file which contains the method body
- SQL queries in literally every source file
- The entrypoint script is in the webroot folder where all the code resides
- Access to sensitive folders is "restricted" by robots.txt 🤣🤣🤣🤣
- The CMS has its own crawler which runs by cron job and requests ALL HTML links (yes, full content, including videos!) to fill a database of keywords (I found out because the server traffic was >500 GB/month for this small website)
- Hundreds of config settings are literally defined by "define(...)"
- LESS is transpiled into CSS by PHP on requests
- .......
I could go on, but yes, I've seen it all now.
-
Had a discussion with a developer about security. His software transfers all user data (password and files) unencrypted, so anyone can grab them with Wireshark. I told him that this is a severe issue. He said no its no problem because if you get hacked its your own fault, because you probably used an insecure network. NO ! YOU FUCKING MALADJUSTED SHEEP-MOLESTING OBJECT OF EXECRATION, YOU SHOULD ALWAYS ENCRYPT SENSITIVE USERDATA NO MATTER WHAT NETWORK YOU USE. FUCKING KILL ME ALREADY.
Not implementing encryption is one thing but then acting like its no problem is a fucking nother one. Why do people not understand that security of userdata is important???
-
!dev
Me *downloading some weird linux distro to test in VirtualBox - I only do this once a month for like 1 hour*
my brother: Oh my god! Are you downloading something again? Moooom he is downloading something non-stop
every day:
my brother *watching some series/YouTube videos/playing ping-sensitive multiplayer games - all the fucking time, everything he does all day is this + eating and sleeping*
me *retrying multiple times to load anything, including devRant* 😒😠
-
So... an Italian government website published sensitive data of thousand of citizens, because they thought that it was enough to turn white the text color in order to anonymize the sensitive content of the files. Italy, 2019.
Source (in Italian):
https://wired.it/internet/regole/...
-
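Added example, not from the rant above or the linked article. Colouring text white changes how a viewer paints it, not what the file contains, so anything that reads the document's text (search indexers, copy-and-paste, a script like this one) sees the "anonymised" content in full. The fragment below is a constructed stand-in for the `word/document.xml` part inside a .docx (on a real file you would read that part out of the zip archive with `zipfile`); the names, amounts and element layout are assumptions. It lists the runs a renderer would hide, and shows the only redaction that works: removing the content before publication.

```python
import xml.etree.ElementTree as ET
from typing import List, Tuple

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
NS = {"w": W_NS}

# Constructed fragment shaped like word/document.xml: the second run has been
# "anonymised" by giving it white text, the way the article describes.
SAMPLE_DOCUMENT_XML = f"""<w:document xmlns:w="{W_NS}">
  <w:body>
    <w:p>
      <w:r><w:t xml:space="preserve">Beneficiary: </w:t></w:r>
      <w:r>
        <w:rPr><w:color w:val="FFFFFF"/></w:rPr>
        <w:t>Jane Doe, tax ID 0000-0000</w:t>
      </w:r>
    </w:p>
    <w:p>
      <w:r><w:t>Amount granted: 12,000 EUR</w:t></w:r>
    </w:p>
  </w:body>
</w:document>
"""


def _is_hidden(run: ET.Element) -> bool:
    """A run is 'hidden' if it carries the hidden-text property (w:vanish)
    or is painted white, i.e. invisible on the default white page."""
    rpr = run.find("w:rPr", NS)
    if rpr is None:
        return False
    if rpr.find("w:vanish", NS) is not None:
        return True
    color = rpr.find("w:color", NS)
    return color is not None and color.get(f"{{{W_NS}}}val", "").upper() == "FFFFFF"


def split_runs(document_xml: str) -> Tuple[List[str], List[str]]:
    """Return (visible_texts, hidden_texts): what a reader sees versus what
    the file actually carries."""
    root = ET.fromstring(document_xml)
    visible: List[str] = []
    hidden: List[str] = []
    for run in root.iter(f"{{{W_NS}}}r"):
        text = "".join(t.text or "" for t in run.findall("w:t", NS))
        (hidden if _is_hidden(run) else visible).append(text)
    return visible, hidden


def strip_hidden_runs(document_xml: str) -> str:
    """Real redaction: delete the hidden runs from the tree so the text is
    gone from the file, not merely painted white."""
    ET.register_namespace("w", W_NS)
    root = ET.fromstring(document_xml)
    for parent in list(root.iter()):
        for run in [r for r in parent if r.tag == f"{{{W_NS}}}r" and _is_hidden(r)]:
            parent.remove(run)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    visible, hidden = split_runs(SAMPLE_DOCUMENT_XML)
    print("visible:", visible)
    print("hidden but still in the file:", hidden)
```

Run against the document.xml of any file published this way, the `hidden` list is exactly what the publisher believed was removed.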
5 years ago, in my first week of starting this particular job, the CTO casually mentioned they'd been struggling with a bug for years. Basically, in the last few days of the year, it seemed that records were jumping a year ahead, with no rhyme nor reason why. Happened every year, and wasn't linked with them deploying new code. (Their code was a mess with no sane way to unit test it, but that was a separate issue.)
I happened to know immediately what might be causing it - so I ran a case-sensitive search in the codebase for "YYYY", pointed out the issue, explained it, then committed a fix all in about 2 minutes.
I was told I'd officially passed my probation.
(Search for "week year vs year" if you're curious & the above doesn't ring any bells.)
-
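Added example, not from the rant above. Java's `YYYY` is the week-based year, not the calendar year, which is why records dated in the last days of December jump a year ahead; Python has the same trap as `%G` (ISO week-based year) versus `%Y`. The first function enumerates exactly which days of a given year are affected, using `date.isocalendar()` for the week-based year so it runs identically on every platform; the second is the kind of grep the rant describes, over a constructed source snippet. The token list is an assumption and is not exhaustive.

```python
import re
from datetime import date, timedelta
from typing import List, Tuple


def week_year_mismatches(year: int) -> List[Tuple[str, str, str]]:
    """Every day of `year` whose ISO week-based year (Java 'YYYY', strftime '%G')
    differs from its calendar year, as (iso_date, calendar_year, week_year)."""
    d = date(year, 1, 1)
    out: List[Tuple[str, str, str]] = []
    while d.year == year:
        calendar_year = str(d.year)
        week_year = str(d.isocalendar()[0])  # same value strftime('%G') would give
        if calendar_year != week_year:
            out.append((d.isoformat(), calendar_year, week_year))
        d += timedelta(days=1)
    return out


# Assumed token list: a quoted Java-style pattern containing YYYY, or strftime %G.
WEEK_YEAR_TOKENS = re.compile(
    r'"[^"\n]*\bYYYY\b[^"\n]*"'  # e.g. new SimpleDateFormat("YYYY-MM-dd")
    r'|%G'                        # e.g. now.strftime("%G-%m-%d")
)


def find_week_year_tokens(source: str) -> List[Tuple[int, str]]:
    """(line_number, line) for each source line that formats a week-based year.
    Lowercase 'yyyy' is the calendar year and is deliberately not matched."""
    return [
        (no, line.strip())
        for no, line in enumerate(source.splitlines(), start=1)
        if WEEK_YEAR_TOKENS.search(line)
    ]


if __name__ == "__main__":
    for row in week_year_mismatches(2019):
        print(row)  # the two days at the end of 2019 that land in week 1 of 2020
```

The bug is invisible most of the year because the two years agree on every day that is not in a week straddling the boundary; 2020 has no affected day at all, which is exactly what makes a yearly "it happened again" report so hard to tie to a code change.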
I was told that I am too sensitive and afterwards a liability because I couldn’t concentrate in a working space where interns were constantly screaming, running around, hitting and farting each other, throwing shit around and playing games (instead of working)...
I was told by the HR person that "boys will be boys"...
-
Christmas lights were blinking randomly IN SECTIONS without any sort of "control brick", just with a plain wall plug and TWO wires coming out of it.
In this house we obey the laws of physics, I immediately called magic on this and started digging. I found out that there were like five chains of lights wired in parallel, and every chain contained one special lamp that had a thin plate of some thermal-sensitive material inside. It heats up, which makes it go straight, thus breaking its chain until it cools down enough to curl again and make the contacts touch.
Brilliant and really cheap way of making randomly blinking Christmas lights without any kind of controller, with just two wires and some physics. That's what I call "nocode".
-
A Month ago...
Me: when are you going to complete the report
Friend: we can do it in minutes
Me: you can't Ctrl + c and Ctrl +v as there is plagiarism check
Friend: we have spin bot
Me: you do that now itself . if something happens? You can join me .
Friend: just chill
Now ...
Me: done with report
Friend: feeding it to spin bot!
Feeds text related to database security....
Spin bot:
Garbage collector == city worker
SQL statements == SQL explanation
SQL queries == SQL interrogation
SQL injection == SQL infusion
Attack == assault
Malicious == noxious
Data integrity == information uprightness
Sensitive == touchy
.....
Me: told you so...
**spin bot == article rewriter
-
So Tesla employees with access to recordings from customer vehicles have been sharing clips internally whenever something "funny" happened. Including nudity, intimacy, stuff inside garages, and crashes. And some even got promoted for doing this.
If there are any Tesla owners here, grab your cock and start waving at your car so they have to watch it. Or if you don't have a cock, borrow your neighbour's one.
Makes you wonder if other companies handling customer footage for labeling or otherwise are much or any better.
https://reuters.com/technology/...
-
Old story, and yeah, it's all true, I shit you not!
So here I am at about age 11 (more or less). At the time, I had an almost brand new 333MHz beast, with 8 MB RAM, 2 (!!!) MB video card and (I think) about 300 MB of storage (yeah, I'm old :)) ).
Connected to this monster was sitting a 14" CRT monitor, mechanical keyboard and a 2 button, ball "powered" mouse.
There was no optical tracking tech at the time.
One evening, I notice my mouse starts lagging. Test it to see if Win95 is stuck. Nope, just mouse problems...
Fiddle with it a little, and at some point it stops working at all.
My room was dark now, so I got up to turn on the lights, sat down in front of the PC, and moved the mouse by instinct.
Surprise! It's working again!
My brother comes in and turnes off the lights. Mouse non responsive.
I tell him to turn them on again, mouse works again.
At this point, we were both scratching our heads at this mystery...
I decided to confirm it again using a desk light.
Conclusion: my 2 button, ball tracking, non light sensitive mouse was working only if light was shining directly on it AND on my 14" CRT monitor at the same time!!!
To this day I have no ideea why.
I kept them both for posterity, and they are still there in my parent's attic.
Fin.
-
!rant
Our lead dev in the company seems to be a smart guy who's sensitive about code quality and best practices. The current project I'm working on (I'm an intern) has really bad code quality but it's too big an application with a very important client so there's no scope of completely changing it. Today, he asked me to optimize some parts of the code and I happily sat down to do it. After a few hours of searching, profiling and debugging, I asked him about a particular recurring database query that seemed to be unnecessarily strewn across the code.
Me: "I think it's copy pasted code from somewhere else. It's not very well done".
Lead Dev: "Yeah, the code may not the be really beautiful. It was done hurriedly by this certain inexperienced intern we had a few years back".
Me: "Oh, haha. That's bad".
Lead Dev: "Yeah, you know him. Have you heard of this guy called *mentions his own name with a grin*?"
Me: ...
Lead Dev: "Yeah, I didn't know much then. The code's bad. Optimize it however you like. Just test it properly"
Me: respect++;
-
PM: Can we have it so the usernames are case-sensitive?
Me: uhh, sure I guess.. But that's like really pointless and adds no real usefulness.. In fact makes the whole logging in thing a tad more complicated for no reason..
PM: Well this one other product we have uses "Admin" for the login versus yours that used "admin" so it needs to be implemented.
(note that mine accepted "Admin" anyways...) *implemented it*
PM: So there's a problem with the username sort, it sorts by capitals then lowercase.. eg:
alpha
beta
Alpha
Me: Yeah, you asked for case-sensitive usernames..
PM: Well can you fix it?
Me: I could create a second field within the user data that is the username in all lowercase and sort by that. But that negates like all of the whole case-sensitive usernames thing.. OR I could drop all this actually important work I'm doing and do a whole bunch of work on a custom sort for this useless fucking feature you wanted me to put in..
*it's been 2 weeks and still no reply...*
-
So my boss booked me a spot at a conference about "the future of online payments" and I received an email with auto created account (there was no sign up) with a clear text password.
I'm feeling pretty confident that I can trust them to guide and advise me on best practices when it comes to handling sensitive information.
-
The deeper I go down the infosec rabbit hole, the more I worry about my doctors still using Windows XP. Why would you save sensitive patient info in those....shoe boxes?
-
My university has impeccable data management. I needed to ssh into their Linux server for an assignment but it refused to accept my login. Which was weird because I could login to the same account on one of our websites just fine. I typed my password into a text file and then copy and pasted it into both logins. The Linux one failed but the website succeeded. After some experimentation it turns out that the Linux server only recognized my username if I typed it in all lowercase, even though when I created the account it had uppercase characters as well.
So let me walk you through the sloppiness that had to have occurred for this to happen. When I first created the account it must have ignored what I entered and just saved the username in all lowercase without communicating that to me. Then the websites that use this account must either ignore case for usernames or lowercase the user input before querying the database. Finally, the Linux server, despite knowing that all the usernames are lowercase, is case sensitive and won't recognize the username as I originally typed it in.
Can you guess what department manages the account, website and Linux server? The Department of Computer and Information Science. Incredible.
-
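Added example, not from either rant above (the PM's case-sensitive usernames with the broken sort, and the university that lowercases usernames in one system but not the other); it is not code from any of those systems. Both stories are the same defect: the canonical form of a username is decided in one place and assumed elsewhere. The toy store below normalises once (NFKC, then Unicode casefold, then strip), uses that form for uniqueness and lookup, keeps the display name as typed, and sorts on the canonical key so "Alpha" is not filed after "beta". `UserStore` and its method names are assumptions for the demonstration.

```python
import unicodedata
from typing import Dict, List, Optional


def canonical_username(raw: str) -> str:
    """Single canonical form used for storage keys, lookups and uniqueness.
    NFKC folds compatibility characters (fullwidth 'Ａ' -> 'A', ligatures),
    casefold() is the Unicode-correct lowercase for comparison ('ß' -> 'ss'),
    strip() drops accidental surrounding whitespace."""
    return unicodedata.normalize("NFKC", raw).casefold().strip()


class UserStore:
    """Toy account table: canonical key -> display name exactly as the user typed it."""

    def __init__(self) -> None:
        self._users: Dict[str, str] = {}

    def is_available(self, display_name: str) -> bool:
        key = canonical_username(display_name)
        return bool(key) and key not in self._users

    def create(self, display_name: str) -> str:
        """Register a name; returns the canonical form actually stored, so the
        caller can tell the user what they will have to type elsewhere."""
        key = canonical_username(display_name)
        if not key:
            raise ValueError("username is empty after normalisation")
        if key in self._users:
            raise ValueError(f"username already taken (exists as {self._users[key]!r})")
        self._users[key] = display_name
        return key

    def lookup(self, entered: str) -> Optional[str]:
        """Login path: normalise the same way, so 'Admin', 'ADMIN' and fullwidth
        'ａｄｍｉｎ' all reach the one account that owns the name."""
        return self._users.get(canonical_username(entered))

    def display_names_sorted(self) -> List[str]:
        """Sort on the canonical key rather than the display name, so the
        listing is alphabetical instead of 'all capitals first'."""
        return [self._users[k] for k in sorted(self._users)]


if __name__ == "__main__":
    store = UserStore()
    for name in ("beta", "Alpha", "Gamma"):
        print("stored as", store.create(name))
    print(store.display_names_sorted())
    print(store.lookup("ALPHA"), store.is_available("alpha"))
```

The security reason to do this, beyond convenience: if "Admin" and "admin" (or an ASCII name and its fullwidth lookalike) can both be registered, the second one is a ready-made impersonation account in every listing and audit log.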
// Rant
I can understand that people accidentally commit something sensitive to GitHub, I did it too once, but ...
WHY THE FUCK DO YOU MAKE YOUR MISTAKE WORSE BY MAKING IT SEARCHABLE VIA THE GLORIOUS COMMIT MESSAGE OF "REMOVING PASSWORD"
... seriously just google "git remove password" and there is a step by step guides on how to remove sensitive data from git.
Reference (320,006 free passwords):
https://github.com/search/...9 -
All the cunts with their strong cologne mixed with cigarettes smell should have cut off their noses like Voldemort.7
-
Well... I feel insanely stupid because I've been using Windows for years and just realised that the file system isn't case sensitive... Mother fuckers...
(Yes judge me, I am a twat)7 -
Finally fixed a major bug.....
FUCK YOU C# AND YOUR FUCKING CASE SENSITIVE BULLSHIT.
DAYS
THAT TOOK FUCKING DAYS AND AT NO POINT DID VISUAL STUDIO BOTHER TO MENTION THAT FUCKING ERROR.
1 CHARACTER, ON ONE LINE, EFFECTIVELY BROKE THOUSANDS OF LINES OF CODE
fuck this, I quit. See you next time you contact the Microsoft live support chat!13 -
Getting ready for GDPR at work. I had to explain to my bosses what it meant, especially regarding one of our projects where we store a lot of user data. Then I heard it: "this crap doesn't regard us. we have no sensitive data. we only save our users' names and generalities.". I have no words.3
-
So you want to collect and save sensitive data from psychologists' sessions and use Wordpress. What can go wrong.2
-
I can't believe people are willing to scan their faces, fingerprints, and retinas on their phones.
Such data is very sensitive as it can't be changed easily.
CCTV is now everywhere and everyone has his own scanner providing data for tracking people.
Am I too paranoid?6 -
Watch out for these fucking bug bounty idiots.
Some time back I got an email from one shortly after making a website live. Didn't find anything major and just ran a simple tool that can suggest security improvements simply loading the landing page for the site.
Might be useful for some people but not so much for me.
It's the same kind of security tool you can search for, run it and it mostly just checks things like HTTP headers. A harmless surface test. Was nice, polite and didn't demand anything but linked to their profile where you can give them some rep on a system that gamifies security bug hunting.
It's rendering services without being asked like when someone washes your windscreen while stopped at traffic but no demands and no real harm done. Spammed.
I had another one recently though that was a total disgrace.
"I'm a web security Analyst. My Job is to do penetration testing in websites to make them secure."
"While testing your site I found some critical vulnerabilities (bugs) in your site which need to be mitigated."
"If you have a bug bounty program, kindly let me know where I should report those issues."
"Waiting for response."
It immediately stands out that this person is asking for pay before disclosing vulnerabilities but this ends up being stupid on so many other levels.
The second thing that stands out is that he says he's doing a penetration test. This is illegal in most major countries. Even attempting to penetrate a system without consent is illegal.
In many cases if it's trivial or safe no harm no foul but in this case I take a look at what he's sending and he's really trying to hack the site. Sending all kinds of junk data and sending things to try to inject that if they did get through could cause damage or provide sensitive data such as trying SQL injects to get user data.
It doesn't matter the intent it's breaking criminal law and when there's the potential for damages that's serious.
It cannot be understated how unprofessional this is. Irrespective of intent, being a self proclaimed "whitehat" or "ethical hacker" if they test this on a site and some of the commands they sent my way had worked then that would have been a data breach.
These weren't commands to see if something was possible, they were commands to extract data. If some random person from Pakistan extracts sensitive data then that's a breach that has to be reported and disclosed to users with the potential for fines and other consequences.
The sad thing is looking at the logs he's doing it all manually. Copying and pasting extremely specific snippets into all the input boxes of hacked with nothing to do with the stack in use. He can't get that many hits that way.4 -
Am i the only one who is so sensitive about indentation? It really pisses me off when i see code with bad levels of indentation because it completely overtakes my years of programming experience and i understand nothing. Also indentation level should be 4, not 2. Who the hell uses 2 level indentation, you don't deserve a keyboard.9
-
Inappropriate experience at work: One of our project managers got arrested one day for fraud. Apparently an employee had been in the middle of an online purchase and walked away from their desk. He happened to see the unmasked entry of the CC info (this was before websites cared about masking sensitive form inputs). I guess the temptation was too great…and he was too stupid to realize he’d get caught…and he jotted it all down. He made thousands of dollars in purchases which, naturally, eventually led back to him.
The same guy, before he got arrested, had made a joke when someone in an office team email said “Feel free to have some cake in the break room.” He replied “No need to do anything to me for the cake.” His first name was “Free”.4 -
The company that I currently work for has a strict clean-desk policy. So strict, they even have a little booklet that they have about 1000 copies of lying around the office everywhere. In the booklet is a playful description (with cartoons!) of what can go wrong when sensitive information is lying around, or shared with outsiders through careless talk, etcetera. Employees are encouraged to take a copy of the booklet home.
Also in the booklet is a description of the importance of having a good password. It mentions the required minimum (x) and maximum (x+1) length of passwords, mandatory character classes, and how often the passwords have to be changed.6 -
Jesus Christ Reddit really is full of some sensitive ass basement dwelling retards. God forbid someone doesn't contribute to the circle jerk mentality that literally every fucking subreddit has.
I bet SO users spend their free time there.11 -
WELL GEE, IF I KNEW WHAT MY ACCOUNT USERNAME WAS, I WOULD JUST SIGN IN YOU ASSHOLE. -.-
On top of that, they use these fucking ancient captchas that are fucking case sensitive and annoying as hell..
In their defence, I was trying to automate their website (one of those get paid to click sites) in an attempt to get some money, but still!
6 -
WTF!!!!! I officially have someone trying to extort me just had this in my email box this morning!
--------
Hello,
My name is [name removed], I'm an IT security expert and I found a security issue on your website.
This email is personal and in no way related to any of my employers.
I was able to access to a lot of files which contains sensitive data.
I attached a screenshot of the files I found to this email.
I would be happy to give you the method I used to access these files in order to let you fix it.
Would be a monetary compensation possible?
Please forward this email to the right person, if your are not responsible for the security of the website.
Best Regards,
[name removed]
---
He can basically see the contents of my wp-config.php. How has he managed this?71 -
Trying to explain functions to my coworker and why they should be used even if PowerShell scripts don't 'need' functions
I've explained it 5 different ways across multiple meetings when they've gotten stuck on something.
At this point I've decided 1. I don't have the patience or brains to be a teacher..., 2. I'm going to have to review every script they ever fucking write, 3. I'm never letting them work on anything critical or time sensitive for big clients. (Small clients ehhh) I'll fight my boss to avoid that headache lol6 -
So, among the ridiculously long list of password requirements, password is not case sensitive BUT it has to contain uppercase and lowercase letters?
14 -
Apparently USPS tracking numbers are case sensitive... I missed a delivery today so went online to check the status.
The code was RAxxxxxxxxxxxxxxxxxxxTR
x=numbers
I first typed the letters in lowercase and it said package not found...
Really???!!!!!! Don't you think all those numbers are already too long...3 -
Using pokemon exception handling on some very important and sensitive back end stuff to meet a deadline.7
-
What in the unholy fuck is going on with the world!!
I get how our personal lives and data are bloody good at being used against us and tracking our behaviours but fuck Facebook won't let "good enough" alone and are coming back out with a new way to pay for our most sensitive data. Everything on your phone!
What more could they possibly want from knowing what, where, who, why, when, and probably even how we are shitting in a back alley besides controlling the masses
- no I'm not a privacy nut, just a concerned citizen -
https://theverge.com/2019/6/...3 -
<supervisor>,
I would like to raise a concern of mine to your attention. I would urge you to inform <CIO> because I think he should know as well. In our recorded meeting this afternoon <bad_vendor> exposed another company’s credentials after failing to access our system, and proceeded to demo access into someone else’s system while exposing their client's sensitive data. Others noticed this as well. This is an alarming situation because not only did <bad_vendor> expose someone's data to <us>, but to one of our vendors. While it is unlikely that <us> or <helpful_vendor> would abuse this situation, it could have easily been <us>’s data that was exposed to another company and their vendors had the situation been reversed. I understand we are all under tight deadlines and under a lot of stress — by no means am I trying to make waves — but nonetheless I felt compelled to make light of this situation and felt it was echoed by <helpful_vendor> during the meeting as well.
Thank you8 -
Did you hear that GitHub is planning to rename racially sensitive terms like "master"?
My two cents: rename master to daddy. xD10 -
today i was asked to encrypt a public key, because "it's sensitive info".
a PUBLIC key.
smh
it's not even hard (literally 1 line of code), but come on...6 -
So we have an API that my team is supposed send messages to in a fire and forget kind of style.
We are dependent on it. If it fails there is some annoying manual labor involved to clean that mess up. (If it even can be cleaned up, as sometimes it is also time-sensitive.)
Yet once in a while, that endpoint just crashes by letting the request vanish. No response, no error, nothing, it is just gone.
Digging through the log files of that API nothing pops up. Yet then I realize the size of the log files. About ~30GB on good old plain text log files.
It turns out that that API has taken the LOG EVERYTHING approach so much to heart that it logs to the point of its own death.
Is circular logging such a bleeding edge technology? It's not like there are external solutions for it like loggly or kibana. But oh, one might have to pay for them. Just dump it to the disk :/
This is again a combination of developers thinking "I don't need to care about space! It's cheap!" and managers thinking "100 GB should be enough for that server cluster. Let's restrict its HDD to 100GB, save some money!"
And then, here I stand trying to keep my sanity :/1 -
mangodb's rant reminded me of smth.. Folks from my country might remember this story.
So we have a national e-health system. Millions have been invested, half of the money has never reached the project [disappeared smwhr in between] and its quality is not shiny. It works, sometimes even fast enough. But boy does it have bugs... Let's not get into that. It's politics.
So some time ago one IT guy spotted a bug that allowed him to get sensitive info of other patients. He informed e-health folks and waited for a fix. He waited for a few weeks but the fix had never been released. So he published his findings in soc media [yepp.. Stupid move]. That caused a national scandal. Not to mention he had been pressed with charges.
That guy and our health minister were invited to one of the TV debates. The guy was asked to explain how he found all this sensitive data. And he explained that he hit F12 in his browser, opened the network tab, issued a network request by clicking smth in the webpage and analysed the received data in the dev tools.
The minister looked somewhat happy, maybe a lil proud of himself - a person who has a "gotcha!" moment has that very glow he had. And he said: "what you did there was obvious hacking. I reckon you should know that true developers do not do those things you have just explained to us" [he was talking about dev tools].
I died inside a little bit.3 -
We live in a world where WEAKNESS has become a virtue.
- I'm oppressed!
- My mental health!
- I need a helper!
- I'm sensitive!
- You're fatphobic!
- <INSERT SJW's IDENTITY term>
In today's world, you score more social points for describing yourself as weak & blaming 'oppressors' for your miserable life12 -
Paranoia. Programming affected my life by making me paranoid. Creating a new account on any website that even needs rudimentary information about me has to go through quite some vulnerability testing since I've seen enough hack jobs that throw around sensitive data because they're too incompetent to follow simple must-dos.3
-
My first interview ever for an internship. The interviewer asked me to rate myself in this language from 1 to 10 as if I'm applying for a lead engineer position at Google. I replied with a number that I thought was appropriate at the time (but now I know it wasn't accurate). The interviewer didn't say anything and moved to the next question. Later, I found out he ranted about my answer on his Twitter, again as if it's expected from an applicant intern at a low tier company to know. Still leaves a bitter taste in my mouth 7 years later.8
-
One of my customers' laptop background (removed sensitive information and desktop icons).
Coworker: When you really love Chrome, but don't know what hi-res is!
8 -
"Let's make a service where the users can enter all of their secrets and sensitive data so that we can warn them if that data has been leaked elsewhere"
What could possibly go wrong?2 -
"Unix filenames are case-sensitive?! Hur hur, that must be really confusing!"
Well, no, if you're not a fucking mouth-breathing cretin it isn't.2 -
I have a few of these so I'll do a series.
(1 of 3) Public privates
We had a content manager that created a content type called "news item" on a Drupal site. There were two file fields on there. One called "attachments" and the other called "private attachments". The "private attachments" are only for members to see and may contain sensitive data. It was set to go through Drupal's security (instead of being directly hosted by the webserver) but because the permissions on the news item type were completely public everybody had access. So basically it was a slow public file field.
This might be attributed to how confusing Drupal is. However, weeks earlier that same CM created a "private article". This actually had permissions on the content type correctly but had a file field that was set to public. So when a member posted the URL to a sensitive file through unsafe means it got indexed by Google and for all to read. When that happened I explained in detail how the system worked and documented it. It was even a website checklist item.
We had two very embarrassing data leaks :-(1 -
This is from the 70s. It can easily be updated to the present day, but it has a certain charm just the way it is:
Three women sat discussing their husbands and their sex lives.
"My husband's a wrestler," said the first. "He's really strong and aggressive in bed."
"My husband's an artist," said the second. "He's really gentle and sensitive."
"My husband's an IBM salesman," said the third. "He sits on the edge of the bed and tells me how good it's going to be when I finally get it." -
Our company is changing the default branch on our main repo from master to main.
We're literally on the verge of global genocide and a holocaust, and people are worried about over-sensitive people's feelings. I'm sure a branch change will end racism.5 -
Whoever at Zoom decided that this button needed to be at this location on the Touch Bar ought to be fired.
Out of a cannon.
Into the sun.
Or at the very least doomed to have their desktop or webcam shared at random times during sensitive meetings. It is for the grace of God that the client didn’t catch me straining to hear the awful acoustics in their conference room.
7 -
Fuck you Intel.
Fucking admit that your hardware has a problem!
"Intel and other technology companies have been made aware of new security research describing software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from computing devices that are operating as designed. Intel believes these exploits do not have the potential to corrupt, modify or delete data"
With Meltdown one process can fucking read everything that is in memory. Every password and every other sensitive bit. Of course you can't change sensitive data directly. You have to use the sensitive data you gathered... Big fucking difference you dumb shits.
Meltdown occurs because of hardware implemented speculative execution.
The solution is to fucking separate kernel- and user-address space.
And you're saying that your hardware works how it should.
Shame on you.
I'm not saying that I don't tolerate mistakes like this. Shit happens.
But not having the balls to admit that it is because of the hardware makes me fucking angry.5 -
DXB (airport)'s WiFi doesn't let you call through whatsapp or telegram or even discord. It also does not let you send a whatsapp voice message, which has me very puzzled.
And all I wanted to do was to call my mom. ☹️
(I might also be running a slight fever, which makes me very emotional and sensitive)10 -
Had a conference call and one of the guys said something along the lines of "I can handle the load (ticket load)". Didn't even think about it, my mouth instinctively reacted with "that's what she said".
A couple of guys laughed but the other few just "wooooow"ed like if I had thrown a 9/11 joke.
This is not a rant per se, just a reminder that if I ever launch my own startup I shall look to hire "joke sensitive" people to make my scrum meetings as awkward as possible.4
I don't want to put anyone to shame here, but this has been the most hilarious password reset in my life.
P.S.
It's an early service with no sensitive data, so I'm not concerned so much, but still, a system for automatic password reset, with the ability to change the temporary one, should be one of the first things in place before you go public. lol
4 -
PyTorch.
2018: uh, what happens when someone uses a same name attack? - No big deal. https://github.com/pypa/pip/...
2020: I think that's a security issue. - Nanana, it's not. https://github.com/pypa/pip/...
2022: malicious package extracts sensitive user data on nightly. https://bleepingcomputer.com/news/...
You had years to react, you clowns.5 -
Client: MY PASSWORD DOESN'T WORK
Me: our passwords are case-sensitive
Client: YES I USED CAPS LOCK1 -
Interesting. A few hours ago I had a nice domestic conversation with my colleague about robot vacuum cleaners. He was talking about iRobot Roomba and I was talking about Xiaomi. Here's the result!
Interesting thing is that we talked in a *voice* conversation. Over Slack. Over Chrome. Over corporate VPN (openconnect).
Where's the spying link? Slack or Chrome?
My bet's on Chrome.
What does that tell you about the privacy of your sensitive conversations? :)
Hide behind VPNs all you like. If you have proprietary software (or hardware in the case of Huawei) - you're being watched and listened to.
EDIT: I'm on Linux, he's on MacOS
9 -
Your guide to passive-aggressive false apologies:
- I’m sorry you’re so sensitive
- I’m sorry that you think I did something wrong
- I’m sorry if you’re mad
- I’m sorry that you made me do it
- I’m sorry you feel that way
And, my most favorite:
- I’m sorry that you’re making such a big deal out of this.12 -
Renting a flat above a kindergarten.
I hate Christmas songs and I am very sensitive to high pitched noises.
It's a bad time in the year to be working from home...3 -
pushing sensitive data to GitHub repo...not realising for days...and then going through the painful process of removing it again 😑4
-
As usual a rather clickbait title, because only the chrome extensions (as always) seem to be vulnerable:
"Warning – 3 Popular VPN Services Are Leaking Your IP Address"
"Researchers found critical vulnerabilities in three popular VPN services that could leak users' real IP addresses and other sensitive data."
"VPN Mentor revealed that three popular VPN service providers—HotSpot Shield, PureVPN, and Zenmate"
"PureVPN is the same company who lied to have a 'no log' policy, but a few months ago helped the FBI with logs that lead to the arrest of a Massachusetts man in a cyberstalking case."
"Hijack all traffic (CVE-2018-7879) "
"DNS leak (CVE-2018-7878)"
"Real IP Address leak (CVE-2018-7880)"
7 -
Don't become a dev if you:
- Can't sit in the office for 8-10 hours a day
- Don't know how to google information/errors, instead you interrupt your teammates with stupid questions every 5 minutes
- Are a perfectionist and don't like constant change.
- Are neurotic and give up easily. If you get triggered about broken or messy things to the point where it ruins your day for you and everyone else around you, you need to separate your work from your life.
- Don't have good communication skills. Worst I saw was a guy who speaks with a stutter (nobody understands him) and also writes very poorly (nobody understands his emails). Also he gets very angry when you ask additional questions to clarify what he said. How can you work with someone like that?
- Are very sensitive to critique. I prefer someone telling me that my code is shit and telling me why, instead of feeding me delusions and false validation.
- Don't know how to balance working in a team and working solo. Nobody likes lone wolves who are arrogant and not in sync with the team. But also nobody likes to drag along teammates who can't think for themselves and even after years spent in the field require constant spoonfeeding because they are unable to google and teach themselves with trial and error.14 -
I came around the corner in the corridor where a senior PM talked with an engineer.
PM: ... and that's why a good team is so important and we also need sensitive people.
Me: do we have some here?
PM: oh yes, I'm highly sensitive.
Me: one learns something new every day. :-)1 -
Has anyone had experience with an impatient boss who requires you to complete the project in the month you just got hired?
Here's the story: I recently got hired by a company, joined on 1st April 2022, and the boss expects me to complete the app for Android and iOS by the end of this month. (An e-commerce application exactly like shopee.com) Without providing me the backend API that they mentioned. They just gave me a and expect me to know what's happening at the backend.
He requires me to give him a specific date when I can launch the app to the Play Store and Apple Store. (From my experience, it takes days, weeks or months.) He needs a milestone of what I need, did, and will do (which predictably means they will reject any new ideas proposed).
I'm even considering quitting, but I need opinions. Am I just too sensitive or is there something wrong?13 -
A while back we had some time-sensitive work I was doing in overtime; the work was purely functional and the front end had not yet been done. It went to QA to test the functionality and the only feedback I got was UX oriented.
I tried to explain on 3 occasions that the looks was not important in the slightest at this stage, and just try to break it. I then got a lecture that it wasn't an optimised layout and was shown the AA route finder as an example of how the tester thought it should look.1 -
Long time no rant.
Rant::beginRant();
How do people who are, I think, supposed to have a knowledge of what the fuck they're doing, keep their work without knowing what the fuck they're doing?
You're telling me that you have been hired as a "full-stack developer", yet you can't build a motherfucking Vue page over SSH (not even talking about automated deployment, just the most bare bones approach)? You don't know how to deploy a Laravel project? You don't know that Linux server paths are case sensitive? You can't read the log files?!
Rant::commitRant();9 -
Does anybody here know of some sort of blackout glasses? (which cover the entire eyes, not sunglasses, which do exist in high filters but leak sunlight at the bottom, top and sides)
My recent lifestyle has led me to absolutely dying in the morning when I go to sleep, because of the extreme sunlight peeking through all cracks.
I am just fine during the day when I do my walks or drive to the store etc, but after a long night I just get very light and sound sensitive.
I think a decent amount of years ago, I saw somebody use some sort of small scale welding goggles for something similar, but I can't find any that are dark enough or aren't costing like buying a beach house in Malibu.
Also "photophobia glasses", which actually seem to be for that purpose, cost like two Malibu beach houses and a helicopter to top it off, because they abuse and cash in on the fact that it has remote help to people that suffer from it.
I did also try just using blackout curtains for that purpose, but as said, there's always that one small crack where it leaks through and absolutely flashbangs me.
So it would be nice to have some glasses that filter pretty much 99% of light, but still allow me to navigate through my apartment, without having to break a leg or crack my neck (which would solve the problem at least)22 -
A good life lesson:
1. DON'T DELETE FILES YOU MAY WANT TO RECOVER
And if you DO delete them and then recover them, then
2. DON'T SEND THE RECOVERED FILES TO A·N·Y·O·N·E
Today I found a lost µSD card in the street. I did what every sane person would do -- plugged it into my laptop :)
There I found a directory with recovered pictures. I figured, some of them may contain the author's info in metadata, so I ran a quick plaintext search for @gmail.com.
Turns out, inside some of the recovered picture files I could find embedded company director's emails in plain-text. I mean, open the picture with a text editor and read through those emails - no problem! And these emails contain some quite sensitive info, e.g. login credentials (lots of them).
Bottom line, if you delete and recover your files, then do your best to keep them close: don't share them, don't lose them. You might be surprised what these recovered files may contain12 -
I need someone to make me a list of things I am not allowed to say and who I’m not allowed to say them to at work. This is getting ridiculous. Every time I turn around someone is making this face at me 😬 and saying “Don’t say that to that team” or “Don’t say that to this person”. I can’t do my work right if I have to keep censoring myself on everything people find organizationally sensitive.16
-
I've written a rant that was too long to devRant, so I made it into a medium article instead. You can read it here:
https://medium.com/bambuu/...
In short, it's about Apple's weird legal practices when it comes to Apple Developer accounts.
tl;dr
- Apple has "obvious" security reasons that requires a copy of a photo id, and you aren't allowed to conceal sensitive information
- Apple's favorite form of communication is fax and snail mail
- Apple needs multiple signatures and court documents to just change your account name. -
Speaking of.. What in your opinion would be an appropriate way to warn someone about security problems, like db passwords in git?
I once came across dozens of extremely sensitive services' infra accesses: alibaba/aliexpress, national observatories, gov institutions, telecoms, etc. I had dozens [if not hundreds of] routers' and firewalls' credentials along with addresses. I tried one to confirm validity - it worked. I wanted to warn them but did not want to get in trouble.
If it were servers, I'd set a motd or append some warning messages in .profile. But not sure how to do it for non-server devices
what would you do? How would you warn them?
P.S. Deleting that record was a smart move, buddy ;)
p.P.S. Sorry, wrong category... Can't edit now :(6 -
When you’re used to dark theme and the lights in your car are too bright, you black electrical tape all the things...
I’m either more sensitive to light, or I’ve adapted to dark theme-ing all the things.20 -
Do you know what angers me more than anything else ?
Wasted potential. That's what. That there are people out there that look at their bank account and see a large number and spend large amounts of time finding ways to push people down during sensitive times where they could be learning and growing and have the right attitude and energy to do so, just because it makes their horrible selves feel secure knowing how 'superior' daddy made them, not to mention likely factories filled with half naked Chinese kids sewing shoes and soccer balls and separating out precious metals with blow torches.
I cannot help but think about this again as I'm frustrated that I had to relearn something just now which created more questions which I once everything is dashed to pieces again I won't think to or know to look into, if the information even exists, all so some easily duped younger people can form the next generation of well... us, and fall for the same tricks while I feel like I'm falling behind.3 -
Having to rely on individuals who frequently use the words "thing" or "thingy" to convey important time sensitive information.
Nothing is more infuriating.6 -
Ah transports
Minding my own business in a crowded train, listening to full blast music. As the song changes I sort of heard an announcement but didn't get the subject.
Guy in front of me does a 180° and starts talking to me. I thought he wanted some guidance, so I removed my headset and never did I regret more doing that, that guy just went on and on about his life and stuff that I don't care about, until he got off his stop. Ironically, before he left off he said "you know my mama always told me that you should ignore people you're not interested in" (Forest Gump Swiss edition? He didn't have a box of chocolates though)
I was like "yes, fuck off, not interested in your bullshit", but well, noticed he might be sensitive.
After he left some teens just came and pretended I didn't exist as they invaded my corporal space. Pushed one gently as he was leaning on to me a bit too much.
People must see me as a help point, you know those terminals where you can browse stuff... That's me. The Father of them all.2 -
In today's episode of kidding on SystemD, we have a surprise guest star appearance - Apache Foundation HTTPD server, or as we in the Debian ecosystem call it, the Apache webserver!
So, imagine a situation like this - It's Friday afternoon, you have just migrated a bunch of web domains under a new, up to date, system. Everything works just fine, until... You try to generate SSL certificates from Let's Encrypt.
Such a mundane task, done more than a thousand times already... Yet... No matter what you do, nothing works. Apache just returns a HTTP status code 403 - Forbidden.
Of course, what many folk would think of first when it came to a 403 error is - Ooooh, a permission issue somewhere in the directory structure!
So you check it... And re-check it to make sure... And even switch over to the user the webserver runs under, yet... You can access the challenge just fine, what the hell!
So you go deeper... And enable the most verbose level of logging Apache is capable of - Trace8. That tells you... Not a whole lot more... Apparently, the webserver was unable to find the file specified? But... It's right there, you can see it!
So you go another step deeper and start tracing the process' system calls to see exactly where it calls stat/lstat on the file, and you see that it... Calls lstat and... It... Returns -1? What the hell#2!
So, you compile a custom binary that calls lstat on the first argument given and prints out everything it returns... And... It works fine!
Until now, I chose to omit one important detail that might have given away the issue to the more knowledgeable right away. Our webservers have the URL /.well-known/acme-challenge/, used for ACME challenges, aliased somewhere else on the filesystem - To /tmp/challenges.
See the issue already?
Some *bleep* over at the Debian Package Maintainer group decided that Apache could save very sensitive data into /tmp, so, it would be for the best if they changed something that worked for decades, and enabled a SystemD service unit option "PrivateTmp" for the webserver, by default.
What it does is that, anytime a process started with this option enabled writes to /tmp/*, the call gets hijacked or something, and actually makes the write to a private /tmp/something/tmp/ directory, where something... Appeared as a completely random name, with the "apache2.service" glued at the end.
That was also the only reason why I managed to fix this issue - On the umpteenth time of checking the directory structure, I noticed a "systemd-private-foobarbas-apache2.service-cookie42" directory there... That contained nothing but a "tmp" directory with 777 as its permission, owned by the process' user and group.
Overriding that unit file option finally fixed the issue completely.
I have just one question - Why? Why change something that worked for decades? I understand that, in case you save something into /tmp, it may be read by 3rd parties or programs, but I am of the opinion that, if you did that, it's only and only your fault if you wrote sensitive data into the temporary directory.
And as far as I am aware, by default, Apache does not actually write anything even remotely sensitive into /tmp, so...
Why. WHY!
I wasted 4 hours of my life debugging this! Only to find out it's just another SystemD-enabled "feature" now!
And as much as I love kidding on SystemD, this time, I see it more as a fault of the package maintainers, because... I found no default apache2/httpd service file in the apache repo mirror... So... -
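Two small diagnostics and the drop-in override for the PrivateTmp behaviour described in the rant above, as an added example (not code from the rant, nor from Debian's apache2 packaging). It assumes Linux with /proc mounted and GNU coreutils; the unit names and scratch paths are constructed.

```shell
#!/bin/sh
# Added example for the PrivateTmp situation above; not code from the rant
# or from the Debian apache2 package. Assumes Linux with /proc mounted and
# GNU coreutils (stat -c).

# Print "private" when process $1 sees a different /tmp than this shell
# (the effect of PrivateTmp=yes), otherwise "shared". /proc/<pid>/root is
# resolved inside the process's own mount namespace, so the device:inode
# pair of its /tmp differs from ours only when systemd gave it a private one.
tmp_view_of_pid() {
    theirs=$(stat -L -c '%d:%i' "/proc/$1/root/tmp") || return 1
    ours=$(stat -L -c '%d:%i' /tmp) || return 1
    [ "$theirs" = "$ours" ] && echo shared || echo private
}

# List the host-side directories that back a unit's private /tmp, which is
# where the "missing" challenge files actually ended up.
# $1 = unit name (e.g. apache2.service), $2 = base dir (default /tmp)
private_tmp_dirs() {
    for d in "${2:-/tmp}"/systemd-private-*-"$1"-*/tmp; do
        [ -d "$d" ] && echo "$d"
    done
    return 0
}

# Write the drop-in that turns PrivateTmp off for a unit, i.e. what
# `systemctl edit <unit>` would create. $2 redirects the write under a
# scratch root so the example can run without touching /etc.
# Note: this removes a hardening measure; keeping PrivateTmp=yes and
# aliasing the ACME challenge directory to a path outside /tmp (e.g. under
# /var/lib, a location this example assumes) avoids the 403 without losing it.
write_private_tmp_override() {
    dir="${2:-}/etc/systemd/system/$1.d"
    mkdir -p "$dir" || return 1
    printf '[Service]\nPrivateTmp=false\n' > "$dir/override.conf"
    echo "$dir/override.conf"
}
```

After writing the real drop-in under /etc, run `systemctl daemon-reload` and restart the unit. The glob in private_tmp_dirs follows the systemd-private-<id>-<unit>-<suffix> naming the rant describes.
-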
One of our customers wants our mobile app to log out the user after 15 minutes of inactivity because of SeCuRiTy…
Why? The phones protect the apps with their hardware encryption from any malicious access.
And we are not dealing with super sensitive data here like some banking app or so.
Why do some people want to have bad UX for no reason? -
So today I found a file share containing some super super sensitive information accessible to what I think was our entire user base (6,500 users) if you knew the server name and had an interest in nosing around.
I reported it to our head of IT and heard nothing after, although 5 mins after reporting I could no longer access...
I suspect the infrastructure lead is going to be a dick (because he's one of those awkward non team player kind of guys) and not thank me for preventing our company from being in national newspapers... but try to spin it on why I am nosing around his servers in the first place...
I actually feel 50/50 about if I should have told or not... but on the flip side, I guess the access logs of me listing the files as I flick through to confirm my suspicions would have caused a bigger headache.
Fucking useless infrastructure engineers! -
This is my #wk110 about a project from when I was a real n00b. It can also be read as a rant about myself.
So I decided to code my own terminal based password manager. Because, you know, whom can you trust the most; yourself or some random password manager from the internet?
Obviously, encryption plays a major role when storing such sensitive information. So n00b me decided to go with Base64.
Base64.
I developed a password manager that stores your passwords in Base64 format.
What must I have thought?!
Perhaps the gibberish looks of Base64 encoded data made me think that this actually is encryption.
After having realized my stupidity, I quickly replaced Base64 with AES and more recently I completely rewrote the whole project which is now also available on gitlab: https://gitlab.com/bitteruhe/sesame
This act of stupidity still embarrasses me every time whenever I think about it, though. -
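The Base64 mistake from the rant above next to a passphrase-based alternative, as an added example; this is not the sesame project's code. It assumes GNU coreutils base64 and an openssl CLI with -pbkdf2 support (OpenSSL 1.1.1 or later); the SESAME_PASS variable name is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not the rant author's password manager: the Base64
# "encryption" mistake beside a real passphrase-derived-key alternative.
# Assumes GNU coreutils base64 and openssl >= 1.1.1 (for -pbkdf2).

# The n00b version: Base64 is an encoding, not encryption. Anyone holding
# the store recovers the secret with a single decode and no key at all.
weak_store()  { printf '%s' "$1" | base64; }
weak_reveal() { printf '%s' "$1" | base64 -d; }

# The fixed version: AES-256-CBC with the key derived from the master
# passphrase by PBKDF2 over a random salt (openssl writes the salt into the
# blob). The passphrase is passed via an environment variable rather than
# argv so it does not show up in the process list. openssl enc offers no
# AEAD mode, so a real tool should use AES-GCM from a proper library; this
# is the CLI-only approximation.
strong_store() {
    # $1 = secret, $2 = master passphrase; -a -A base64-encodes the blob
    # on one line purely for transport, which adds no secrecy by itself
    printf '%s' "$1" | SESAME_PASS="$2" openssl enc -aes-256-cbc -pbkdf2 \
        -iter 600000 -salt -pass env:SESAME_PASS -a -A
}
strong_reveal() {
    # $1 = blob from strong_store, $2 = master passphrase; with a wrong
    # passphrase the padding check almost always fails and nothing is printed
    printf '%s' "$1" | SESAME_PASS="$2" openssl enc -d -aes-256-cbc -pbkdf2 \
        -iter 600000 -pass env:SESAME_PASS -a -A
}
```
-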
So new job started.
Just for context- old company was shit.
Promised the world but.
No benefits.
Terrible project management.
High pressure.
But green field interesting work (except by now it’s a few years in so it’s a ‘browning’ field but I was on it from the start).
New company first impressions..
Seems a fantastic company.
True to their word they have money for tools.
Making time for personal development.
Much bigger development community/department.
Seems like the team are under far less pressure so far at least.
But a MASSIVE amount of tech debt.
People seem to want to do the right thing and they’re making time to try and deal with it.
But one or two are very opinionated as to how to deal with it.
So this could go either way and only time will tell I guess.
Trying not to over analyse every little thing they say but I’m hyper sensitive to it at the minute while in the early days.
As always the real challenge in IT is the people not the tech. I count myself as part of the problem; sure, I will form some opinions and share them too. -
A conversation between an offshore developer and his manager at a fortune 500:
I'm a software developer and the company I work for is a vendor for $manager's and $offshore_dev's company. They provide endless hours of entertainment/terror. Recently, we've been trying to convince them that they need to stop sending sensitive information plaintext over HTTP and set up TLS/HTTPS which has led to tons of fun conversations such as this one they had during a conference call:
* $manager: "Did $offshore_dev implement TLS1.2?"
* $offshore_dev: "Yes, we enabled a parameter in the code to enable TLS1.2 in the code but according to $me's email, this requires HTTPS in order to work."
* $manager: "No this works, we're using TLS in $other_application right now."
* $offshore_dev: "Well, $manager, it's implemented but it currently doesn't encrypt anything as such."
* $manager: "Okay, HTTPS is in the roadmap in the next quarter, we can move forward without this for now." -
I just remembered an annoying experience I once had,
Wanted to know cli version asap (due to some bug introduced in a certain version):
-v (output: view --help for command)
--version (output: view --help for command)
FUCK
--help (revealed: -version)
Wanted to know its dependency version:
-version (output: view --help for command)
FUCK
--help (revealed: version)
You could call me lazy for not always typing --help first but there must be a standard for this time-sensitive command. -
When Amazon asks if my email address is all lower case... The desire to make it an informative moment that email addresses are not case sensitive is outweighed by my desire to resolve my issue as fast as possible.
-
!rant
I was playing with adb logcat on some apps and I saw some sensitive info from my bank app. So I decided to go deeper, and I saw my entire banking information. WHAT THE FUCK? I feel unsafe now using this bank.
Btw this bank is using react native and forgot to obfuscate their code in production
-
How it started:
Need to replace in a lot of SQL files certain stuff...
find . -type f -iname '*.sql' -exec sed -i 's|new|old|g' {} \;
12 hours later that find executed a shell script containing roughly 120 lines of text pipelining.
The jolly of inconsistent workflows.
Different SQL format stylings... Makes fun when single line string replace needs to be extended to multiline RegEx handling. Or matching SQL comment configuration..
Different line endings. MacOS, Windows, Unix, Bukkake.
Different charsets / collations. Anyone wants latin1_swedish_ci... utf8... utf16... :/
Realizing some people even left sensitive data inside the SQL files (e.g. API Tokens..... Yayyyyyyy).
...
Ugh. It's never a one liner. It's never easy. -.-
I hate cleaning up messy shit. -
”We’re not going to shuffle you (devs) around from project to project and definitely not taking on any new time-sensitive projects with the limited resources we have, seriously understaffed as we are atm” - that was the promise.
So today I got assigned to a time-sensitive project (unconditional deadline by the end of the year) on a product I am not at all familiar with... I almost believed 2 projects underway was enough so that it would not get assigned to me. Oh well, there’s always room for a 3rd.
At least I get to pick my tools so I get to try out Fable... a silver lining there, and not really a thin one. -
This codebase had 50+ main() functions and 80+ Material App. 5 of them are nested MaterialApp
Redundant widgets, security leaks, and printing sensitive information from the server to the console without using (kDebugMode), therefore in prod, the data are leaked.
I refactored until I screamed.
So I left a gift inside.
-
I wish I had remembered this when the weekly theme was office pranks.
In the first or second year of high school we covered basic internet security. Stuff like don't follow suspicious urls, don't open suspicious emails and such.
Our teacher let us play around with some sort of simulated desktop environment, where we could execute some hacks like ad popups and such on each other's environment, if we fell for the trap.
Anyways, one hack I found interesting was a hack that locks a user out of their virtual desktop until he enters a password that will be displayed on his environment.
Yes, a very interesting hack, because it contains two obvious yet major design flaws, which I could exploit 😈
1. It's case sensitive
In itself not a problem, but combined with #2, it's fatal.
2. "IlIlllIlI"
Depending on your font, you probably have no idea what exactly I just typed.
Let's just say, the font displayed uppercase i and lowercase L completely undifferentiable.
Guess whom I let suffer.
It was our teacher, who had to demonstrate some things to us and who was connected to the same network.
I swear, nothing beats that feeling when your teacher has to come to you and embarrassingly ask you to "unhack" them, because they can't type it 😂 -
Lightshot is the worst app and website ever .... No privacy
So I wrote a simple PHP script for a Windows machine to randomly generate integers and chars and open random URLs.
By running ```php run.php``` you are able to see some sensitive information sometimes.
Refer https://github.com/johnmelodyme/...