Search - "spoof"
-
A colleague and I spent a month building a Shopify app that allows merchants to give customers store credit.
Since Shopify's API is so limited, we were forced to augment its functionality with a Chrome extension.
Now before you go throwing full wine bottles at your screen because of how wrong and disgusting that is, note that Shopify's official documentation recommends 5 different extensions to augment functionality in their admin panel, so as gross as it is, it seems to be the Shopify way...
Today we got a reply from their review team. They won't accept the app because it requires a Chrome extension to work properly and that is a security risk.
Are you fucking kidding me? So I guess Shopify is exempt from their own security standards. Good to know.
Not to mention the plethora of published apps that require a staff account's username and password to be provided in plain text upon setup so it can spoof a login and subsequent requests to undocumented endpoints.
Fuck you and your "security standard" Shopify! -
Windows, God damn you piece of fucking shit.
Why the fuck can't you make networking fucking easy like literally every other fucking operating system in the goddamn fucking world?
Why the fuck can't I spoof mac addresses so that I have the same IP address regardless of if I'm on a hard line or wireless?
Who in their fucking right mind thought that the pro version of Windows wouldn't need to do that?
I don't even like using you at this point, I'm forced to use you for work.
There's literally not enough expletives that I can chain together to sufficiently convey how much I fucking hate you Microsoft. So enjoy this seizure-inducing Tourette's mode compilation.
Fuck shit cock piss mother fucker asshole bitch mother fucker sick and tired of your fucking shit Microsoft you fucking cuck piece of shit nobody fucking likes you they only have to use you because no fucking business in their right mind is going to spend the millions of dollars it costs to fucking switch over to fucking Mac or Linux I hope you fucking choke on a bag of HIV riddled flaming dicks you fucking piece of shit. -
That feeling when your client connection is more stable than the connection of a fucking game server... Incompetent pieces of shit!!! BEING ABLE TO PUT A COUPLE OF SPRITES DOESN'T MAKE YOU A FUCKING SYSADMIN!!!
Oh and I sent those very incompetent fucks a mail earlier, because my mailers are blocking their servers as per my mailers' security policy. A rant from the old box - their mail servers self-identify as a fucking .local!!! Those incompetent shitheads didn't even properly change the values from test into those from prod!! So I sent them an email telling them exactly how they should fix it, as I am running the same MTA on my mailers (Postfix), at some point had to fix my mailers against the exact same issue as well, and clearly noticed in-game that they have deliverability problems (they explicitly mention to unblock their domain). Guess why?! Because their server's shitty configuration triggers fucking security mechanisms that are built against rogue mailers that attempt to spoof themselves as an internal mailer, with that fucking .local! And they STILL DIDN'T CHANGE IT!!!! Your fucking domain has no issues whatsoever, it's your goddamn fucking mail servers that YOU ASOBIMO FUCKERS SHOULD JUST FIX ALREADY!!! MOTHERFUCKERS!!!!! -
- popunder background bitcoin miners did become a thing
- keybase android beta uploaded your privatekey to google servers "accidentally"
- you can spoof email headers via encoded chars, because most apps literally just render them apparently
- imgur leaked 1.7 million user accounts, protected by sha-256 "The company made sure to note that the compromised account information included only email addresses and passwords" - yeah "only", of course imgur, of course.
I guess the rant I did on Krahk etc. just roughly a month ago, can always be topped by something else.
sources:
https://www.mailsploit.com/index
https://bleepingcomputer.com/news/...
https://blog.malwarebytes.com/cyber...
https://helpnetsecurity.com/2017/... -
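An added defender-side check for the encoded-header trick in the third bullet (example code, not from the post or from mailsploit.com): decode the RFC 2047 encoded words of a From header with Python's standard library and flag display names that hide control characters or pose as a different mailbox. The sample headers and the addresses in them are constructed for this example.

```python
import base64
import email.utils
from email.header import decode_header


def _encoded_word(text: str) -> str:
    """Wrap text in an RFC 2047 base64 encoded-word; only used to build the samples."""
    b64 = base64.b64encode(text.encode("utf-8")).decode("ascii")
    return "=?utf-8?b?" + b64 + "?="


# Constructed sample From headers (not taken from the page or from Mailsploit).
# The real sender is mailer@attacker.example; the encoded display name tries to
# pass itself off as ceo@example.com by hiding a control character after it.
SAMPLES = {
    "plain": "Alice <alice@example.com>",
    "nul_in_name": _encoded_word("ceo@example.com\x00") + " <mailer@attacker.example>",
    "newline_in_name": _encoded_word("ceo@example.com\r\nX-Injected: yes")
    + " <mailer@attacker.example>",
}


def decode_rfc2047(value: str) -> str:
    """Decode every encoded-word in a header value into one str."""
    parts = []
    for chunk, charset in decode_header(value):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "ascii", errors="replace")
        parts.append(chunk)
    return "".join(parts)


def from_header_findings(raw_from: str) -> list:
    """Return the reasons a From header looks spoofed; an empty list means it looks clean."""
    findings = []
    display_name, address = email.utils.parseaddr(raw_from)
    decoded_name = decode_rfc2047(display_name)
    # A decoded display name must never contain NUL, CR, LF or other controls:
    # a client that renders it naively stops at the NUL and shows the fake address.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in decoded_name):
        findings.append("control character hidden in encoded display name")
    # A display name that itself looks like a mailbox but differs from the
    # actual address is the classic look-alike pattern.
    if "@" in decoded_name and decoded_name.strip() != address:
        findings.append("display name poses as a different address")
    return findings


if __name__ == "__main__":
    for label, header in SAMPLES.items():
        print(label, "->", from_header_findings(header) or "clean")
```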
So apparently some genius motherfucker managed to allow Androids that are missing or have a bad/inaccurate/busted gyro to run VR apps as long as they have a magnetic sensor (compass) and an accelerometer, using both to spoof the gyro. It requires root, but goddamn is that smart... It's even potentially more accurate than a gyro in quite a few situations, since it uses the compass and can even be used to override the ACTUAL gyro, so if the gyro is busted, drifts like a motherfucker, is inaccurate, etc. it can alleviate the issue!
and Google's always like "well this shit is impossible to do" then the community comes along a month later and does it -
Everyone here deserves the worst.
No, really, you all deserve those dark juicy stories. So here's why I hate password systems that don't have the user experience in mind.
Recently my university went under a huge update, most of it good, but this is DevRant, so let me tell you what's just the worst.
They asked me to change my password, they do this every month or two. So I did it, but as I clicked "Ok" a wild error appeared! It told me I had to use a password that was not one of the FIFTEEN that I'd used previously...
I tried everything, and despite everything else being poorly programmed, or what not, I thought it would be easy to spoof. Nope. Unfortunately this seems to be the ONE thing they did right. Looks like I'll have to go back to basics. Just add a number on the end of my previous password, up to fifteen, and reset :]
I think this rant needs to turn into an email headed straight to them :) -
It was an internship. They wanted me to spoof the government's digital signature on some online tax-filing documents by reverse engineering the government's application, just because the whole process of receiving authentic signatures would have taken time, and they wanted it _now_
-
If I exploit ms server 2012 through a wifi hotspot, but logged in to someone else's account (assume it was sniffed), and I do it using msfconsole connected to the tor with torify command, also I spoof my mac,
will I stay 100% anonymous?
If not, what can be done? -
Gotta love the IoT.
They set up a new surveillance camera in the company, that can stream live footage over the network and that little shit picked the IP address of a coworker one day AFTER being set up.
Hurray for static routing. Hurray to the person who didn't disable DHCP on the router (Should probably configure my PC to use a static IP as well lel)
Anyways, this happened outta nowhere when I, the only guy who knows shit about IT and is usually present at the office, wasn't there and could not connect remotely.
The other, remote programmer, who set up the network, could guide the coworker to get a new IP but, he was worried that we got ourselves an intruder.
Since nobody told me yet that we (should) have static routing, I thought there was a mastermind at work who could get into a network without a wifi-access point and spoof the coworker in order to access the some documents.
The adrenaline rush was real 😨
Scanning the network with nmap solved the mystery rather quickly but taught me that I need to set up a secure way to get remote access on the network.
I would appreciate some input on the set up I thought of:
A Raspberry Pi connected to a VPN that runs ssh with pw auth disabled and the ssh port moved.
Would set up the vpn in a similar fashion. -
!dev?
Colleges now require proof of vaccination but admins are worried about the spread of fake vaccine cards
https://apnews.com/article/...
My mindblowing solution: require students to submit a covid antibody test result instead.
You can't spoof the lab test result number and it can be easily verified by calling the lab...
Can even create a site for that...
isTestValid.com
Worried about privacy... Have labs upload a hash of the data...
And user submit their hash...
Clearly nobody asked a dev for their input... again -
I wish that my previous company gets investigated. They probably got more violations if they are investigated. Here are a few examples:
The company is in the telecom business and they wanted to create AI summaries of their phone calls. So they used real private calls of their clients as test data without their knowledge & consent.
The CEO also made fun of someone's handwritten CV on LinkedIn. Sure, he blurred out the obvious data but shit like certificates, past history & rough location was still present. It would not be hard to find who it was.
The 2FA of some IT services was still on the ex-CTOs private phone (now he is a consultant 1x a week)
One of their engineers moved back to Russia and has access to sensitive data. (aka call recording of insurances, banking, fire departments, ...)
Offering users to write a public review of the company for a discount if the review is positive. The "paid review" is not mentioned.
The reviews of their new feature are done by 'external' people but they all benefit from the company's success. The review is written from their own company but it was written by the external design company (CEO's wife under her own company), marketing consultant (under his own company).
They did fire an employee illegally (as in did not follow the legal procedures, the new COO thought she was a consultant, she was in fact not so she had more protections)
They did fire an employee for untrue reasons and waiting till he was on holiday & abroad (dick move but legal I think)
They did spy through the security cameras and made up a reason to fire someone. Company offered free soda during that time, employee did not like the offered soda and filled it with a diet-variant on their own dime. He then took his own bought diet-soda back home (not all) and got fired for stealing. (or idk, it might have been ice tea or fanta)
They did not report that an employee sold company data but he was let go.
They run cookies on their website but has no clause for cookie-consent.
Their features that they are promoting & selling is not working like expected
They lie about their server uptime or heavily manipulate it.
They sell a feature that is no longer supported and broke a few updates ago.
They are offering a product as a fix that is simply not longer supported by the development team
They have fired consultants and then refuse to pay their last month's salary or only pay it partially. Happened, as far as I know, 4 times (no proof).
Everyone had access to the full password vault including the login credentials for business routers and the credit card info of the CEO, CFO, CTO. It took me multiple times to report it to the IT admin for mine to be restricted.
Every new dev has access to production data within a few weeks or direct database access
Any person who has access to the admin-portal can spoof phonenumbers in a few clicks.
A colleague is blacklisted at the police portal for past crimes where they have to fulfil police orders. He did them pretending to be a different employee who was approved. Also, they do not keep track of the data needed to fill in the yearly report (idk why the company has to them but the police does not do it).
They forgot to implement a warning (legally needed) before someone hits their data limit. Those people cannot be billed. Someone was watching 4k movies in Singapore and cost the company tens of thousands of Euro.
If I think of more, I'll add it in comments lol -
Sadly, I’m not a good enough developer to have clever and hacky solutions to anything. In college I did once use Visual Basic to spoof a Novell login screen and steal other students’ passwords and write them to a diskette, which I’d recover after they walked away from the machine. The worst I did to them was log into their messaging and send them messages from themselves. Oh, and I also set up an “underground” web site that the campus sysadmins didn’t discover for a while. I used it to set up a forum where students could sell their used textbooks for better prices than the buy back program at the campus bookstore.
-
This phishing email I just received in my yahoo account almost got me fooled with the very convincing email design, but thankfully the culprit wasn't smart enough to spoof his email address.
Ohh and they attach a suspicious pdf file too even though the message didn't say anything about an attachment.
Apparently the spam detector in yahoo is not very good as this one was received in my main inbox. -
(I'm not completely sure of what I'm saying here, so don't take this too seriously)
Settling on a language to write the api for ranterix is hard.
I'm finding a lot of things about elixir to be insanely good for a stable api.
But I'm having a lot of gripes with the most important elixir web framework, phoenix.
Take a look at this piece of code from the phoenix docs:
defmodule Hello.Repo.Migrations.CreateUsers do
  use Ecto.Migration

  def change do
    create table(:users) do
      add :name, :string
      add :email, :string
      add :bio, :string
      add :number_of_pets, :integer

      timestamps()
    end
  end
end
Jesus Christ, I hate this shit.
Wtf are create, add and timestamps. Add is somehow valid inside the create, how the fuck is that considered good code? What happens if you call timestamps twice? It's all obscure "trust me, it works" code.
It appears to be written by a child.
js may have a million problems. But one thing I like about CJS (require) or ESM (import) is that there's nothing unexplained. You know where the fuck most things come from.
You default export an eatShit() function on one file and import it from another, and what do you get?
The goddamn actual eatShit function.
require is a function the same way toString is a function and it returns whatever the fuck you had exported in the target file.
Meanwhile some dynamic langs are like "oh, I'll just export only some lang construct that I expect you to specify and put that shit in fucking global of the importing file".
Js is about the fucking freedom. It won't decide for you what things will files export, you can export whatever the fuck you want, strings, functions, classes, objects or even nothing at all, thanks to module.exports object or export statement.
And in js, you can spy on anything external, for example with (...args) => debugger; fnToSpyOn(...args)
You can spoof console.log this way to see what the fuck is calling it (note: monkey patching for debugging = GOOD, for actual programming = DOGSHIT)
To be fair though, that is possible because of being a dynamic lang and elixir is kind of a hybrid typed lang, fair enough.
But here's where I drop the shit.
Phoenix takes it one step further by following the braindead ruby style of code and pretty DSLs.
I fucking hate DSLs, I fucking hate abstraction addiction.
Get this, we're not writing fucking poetry here. We're writing programs for machines for them to execute.
Machines are not humans with emotions or creativity, nor feel.
We need some level of abstraction to save time understanding source code, sure.
But there has to be a balance. Languages can be ergonomic for humans, but they also need to be ergonomic for algorithms and machines.
Some of the people that write "beautiful" "zen" code are the folks that think that everyone who doesn't push the pretty code agenda is a code elitist that doesn't want "normal" people to get into programming.
Programming is hard, man, there's no fucking way around it.
Sometimes operating system or even hardware details bleed into code.
DSLs are one easy way to make code really really easy to understand, but also make it really fucking hard to debug or to lose "programming meaning".