I had a secondary Gmail account with a really nice short nickname (from the early invite/alpha days), forwarded to another of my mailboxes. It had a weak password, leaked as part of one of the many database leaks.

Eventually I noticed some dude in Brazil started using my Gmail, and he changed the password — but I still got a copy of everything he did through the forwarding rule. I caught him bragging to a friend on how he cracked hashes and stole and sold email accounts and user details in bulk.

He used my account as his main email account. Over the years I saw more and more personal details getting through. Eventually I received a mail with a plaintext password... which he also used for a PayPal account, coupled to a Mastercard.

I used a local website to send him a giant expensive bouquet of flowers with a box of chocolates, using his own PayPal and the default shipping address.

I included a card:

"Congratulations on acquiring my Gmail account, even if I'm 7 years late. Thanks for letting me be such an integral part of your life, for letting me know who you are, what you buy, how much you earn, who your family and friends are and where you live. I've surprised your mother with a cruise ticket as you mentioned on Facebook how sorry you were that you forgot her birthday and couldn't buy her a nice present. She seems like a lovely woman. I've also made a $1000 donation in your name to the EFF, to celebrate our distant friendship"

A devRant Update!

Hey everyone,

We thought now would be a great time for a devRant summer update on what we've added recently and what we've been working on.

Highlights since our last update:

- We launched devRant++, a supporter program for people who want to help us cover our costs while getting some cool extra features (a supporter badge on rants/comments/profile, reserved spot on our in-app supporter list, ability to edit rants/comments for up to 30 minutes instead of 5, and thanks to immediate user feedback, we also added the ability to post a rant every 1 hour instead of 2, and post comments that are up to 2,000 characters instead of 1,000!) We are extremely happy and thankful for the great response the program has gotten and we plan to continue to improve it using your feedback.

- We added the ability to subscribe to a user's rants. This makes it so you get a notification whenever that user posts a new rant!

- We added an "active discussions" feature (available in the "more" tab on the right). If you're looking to join a conversation happening in the moment, then this feature will help you discover those rants. It shows rants that have recently been commented on so if it's a topic that interests you, you can easily get in on the discussion!

Some stuff we have in the pipeline:

- More fun avatar stuff, including fun new OS/language-themed pets
- More perks for the devRant++ subscriber program - if you have anything you'd like to see, please let us know and we will try to make it happen!
- We will be testing some stuff to help classify rant types (rants, jokes, questions, etc.) in order to create a more personalized experience
- On that note, we're also going to take some more time to do some work on the algo as we haven't done much in terms of improvement since the initial smart algo launched
- Community projects page update - we've been slacking on updating the page and apologize for that. If you have created a devRant-related project and it's not on the community page, please resend it to david@hexicallabs.com (even if you sent it already) so we can make sure it gets added. Sorry about that!

A note on community etiquite regarding voting on content:

We've always believed that one of the most important and awesome experiences on devRant is getting your content noticed and appreciated by others. If you enjoy a piece of content, you should upvote it. If you enjoy 500 pieces of content, you should upvote them all. People really appreciate others enjoying their rants and comments so let them know if you do! If you don't like content, you can downvote it with the relevant reason. What we don't encourage is voting on content that you haven't actually looked at or spamming upvotes in mass for content you're not even actually reading/viewing. While we don't encourage that, it's not explicitly disallowed so we won't impose any penalty for it.

What is strictly prohibited and enforced is using scripts or automated procedures for voting on content. Anyone who is caught doing that will have their account deleted without warning. While very rare, we caught a couple of people doing that this week and both accounts in question were immediately deleted once discovered. To be clear, this is the practice of explicitly using a script or automation to mass vote on content. You will NEVER be banned/deleted for voting on a lot of content manually, even if you vote quickly and on lots of stuff. We just want to make that clear becuase this is not meant to discourage people from voting, it is only regarding votes not placed by humans. So if you're a human voting on content, you have nothing to worry about, we promise!

Please feel free to let us know if you have any questions or feedback on any of this. We love constructive feedback and in the past it has gone a very long way to improving and advancing the devRant community. And as always, thank you to everyone who contributed to the community in any way, we really appreciate it and want to keep making your experienfce better.

Happy ranting,
~David and Tim (Team devRant)
@dfox @trogus

Get ready for one of the biggest AMAZON rants EVER.
I dislike this company so much I can feel it in my bones.
They have NO, absolutely NO idea how user experience works.

PROBLEM #1.

If you have Amazon Prime / Video (ANOTHER FUCKED UP PROBLEM THAT CONFUSES A LOT OF PEOPLE) and you want to watch a movie on your Xbox using the Amazon App, You have to buy the movie ON YOUR COMPUTER FIRST, YOU CAN’T BUY IT DIRECTLY FROM THE APP.
WHAT THE SHIT AMAZON?

So.. go to your laptop, buy the movie, go back to your other device (Xbox or whatever), click “My movie library” and then you can watch it.

OH AND THERE’S ALSO A “MY WATCHLIST”, WHERE YOUR NEW PURCHASED / RENTED MOVIE DOES NOT SHOW UP.

Yes.. there is a “MY WATCHLIST” and “My movie library” or some shit.

HOW, WHY, WHY FUCKING AMAZON, WHY.

PROBLEM #2.

“WE HAVE A ZILLION ALEXA SKILLS NOW !!!1!!!!!11111! EINZ!!!!!”

Yeah, WELL, NOT THAT HARD WHEN YOU HAVE “Alexa Evangelist” traveling to every DAMN tech convention and having them make USELESS FUCKING SKILLS THAT NOBODY WANTS USING BOILER PLATE CRAP THAT ANYBODY CAN USE.

Oh and Alexa is DUMB AS SHIT.
I asked her "Play the song Starboy by the Weeknd" and she said: "I CAN'T FIND THAT SONG"
Then you go "Play me Starboy" and she goes: "HERE IS A SAMPLE OF STARBOY BY THE WEEKND"

Same with other songs: "YOU DONT HAVE IT IN YOUR PRIME MUSIC LIBRARY".
She doesn't even TRY to go to your fucking Spotify account, you have say: "Play Starboy by The Weeknd on Spotify" AND THEN she still has the FUCKING NERVES to say : "I Can't find that song on Spotify".
BUT YOU JUST FOUND IT ON YOUR OWN DAMN CRAPPY PRIME MUSIC.

"Hey Alexa, how many days till the end of the year?"
GUESS WHAT ,SHE CAN'T TELL YOU. (maybe now but not 2 months ago)

PROBLEM #3.

AUDIBLE.COM and AUDIBLE.CO.UK have DIFFERENT FUCKING DATABASES, THUS, YOU CAN END UP HAVING 2 ACCOUNTS AND HAVING 2 LIBRARIES, and.. THERE IS NO WAY TO FUSE THEM INTO 1 account.
OH MY GOD, HOW IS THAT EVEN POSSIBLE?
I FUCKING HATE that, how can ANYBODY think that is a GOOD IDEA?

PROBLEM #4.

Their website is a TOTAL FUCKING mess, really, who the FUCK designs that piece of SHIT.

Look up a movie, let’s say “SCHOOL OF ROCK”
First result?

“School Of Rock” - “Amazon Video”
So you can click on this and watch the movie.

Then click the second result.

“School of Rock Blu RAY” and next to the price-tag “PRIME”
You click on it, you can buy it, but HEY, LOOK, WHAT DOES IT SAY?

“Unlimited Streaming with Amazon Prime
Start your 30-day free trial to stream thousands of movies & TV shows included with Prime. Start your free trial”

WHAT, WHAT!!!! CAN I WATCH THIS WITH AMAZON PRIME? OR DO I NEED THE AMAZON VIDEO? I DON’T GET IT.

Put me in a room with all those FUCKWIT project managers and their fucked up company culture and I’ll rip them a new one, I can go on for DAYS about the SHIT they are doing.

Seriously, god bless Laravel and Taylor Otwell.

I've just had a customer foolishly delete all their user accounts. The customer was seriously stressed about this and as it usually goes, this stress was echoed in the call.

I explained how they can easily restore the deleted records in a single click as I have configured Laravel's "soft delete" functionality site wide. i.e. when they delete a record it isn't really deleted. Functionality to physically delete the record is hidden away outside the client's user level.

Customer was seriously grateful and paid for 2 hours of my time (even though the call took 15 mins) and generally gave me lots of kudos.

Laravel, awesome.

First rant, please take pity on the noob! 😐

Recently I've secured many of my user accounts spread throughout the internet. Using the same old password for everything is bad for security and for mental health! 😫

Since I was on the mood, I've tried to do a 'break glass' scenario, simulating an attacker that possessed my Gmail account credentials. "How bad can it be?" I've thought to myself...

... Bad. Very bad. Turns out not only I use lots of oauth based services, I also wasn't able to authenticate back to Google without my pass.

So when you get home today, try simulating what would happen if someone got to your Google or Facebook account.

Makes you consider the amount of control these big companies have over your life 😶

LinkedIn Manager to Satya Nadella: ‬

‪LM: Hey, how are you doing? At Linkedin we need to buy Github accounts. ‬

‪SN: Just a min... Yes. We bought Github for $7.5 billion. ‬

‪LM: Dude, we need github account for our developers. It’s just $21/user.‬

‪SN: WTF🤦🏻‍♂️

My first unintentional "hack" was in middle school, I had been programming for a couple years already and I was really bored.

My school had blocked facebook, twitter and so on because most students are lazy and think everything revolves around their "descrete" cleavage picture's likes. Any way, I thought most would be naive and desperate enough to fall into a "Facebook unblocked" app at the desktop, the program was fairly simple just a mimicking FB page done on C# ASP that saved user and passwords in an encrypted file.

I distributed it in around 5 computers and by the end of the month I had over 60 accounts, and what did I do? I used it to post a gay relationship between two of my friends on fb (one had a gf), it was dumb but boy did I laughed, after that I erased everything as it didn't seem so important.

This is not facebook, but somehow yhis site has attracted who are virtually, mentally incapable of differentiating between their script kiddy hacker facebook group and anything that can be called a social media platform.

Sorting by recent and daring to toggle on jokes/memes is a pure shitshow of freshly created accounts who post "memes" of the same purity as their mother. And to finish it off they add that super relatable comment "hahah", "funny" and a couple of emojis. Totally makes me wonder if I end up being called comedy god for posting "peepee poopoo" on the site they "shared" it from.
Yes, shared and not stolen for the sake of that little dopamine rush when they see that 4 other people who try to escape their shitty form of reality thought you deserve to be proud for those couple of finger movements you used to put this on devrant and not to jack off.

Not even that spares you from their awful humor, because thanks to their disability to red, they think they can just smash that big red button and post their garbage in the wrong category, yet somehow they have the obligation to add an absurd amount of tags telling you that they've tried to post a joke and I honestly feel sorry for the database table who has to store so variations of "jokes/meme" for this shit.

Thr quality of these memes degrades with each time I open devrant, just like my patience for these shitposters.

I've seen a couple of people who cancled their monthly subscription for devrant, to show their discontent with these user and my urge to do the same has gotten stronger recently.

DevRant as it is right now is on it best way to stray away further from what it meant to be every day

I'm fixing a security exploit, and it's a goddamn mountain of fuckups.

First, some idiot (read: the legendary dev himself) decided to use a gem to do some basic fucking searching instead of writing a simple fucking query.

Second, security ... didn't just drop the ball, they shit on it and flushed it down the toilet. The gem in question allows users to search by FUCKING EVERYTHING on EVERY FUCKING TABLE IN THE DB using really nice tools, actually, that let you do fancy things like traverse all the internal associations to find the users table, then list all users whose password reset hashes begin with "a" then "ab" then "abc" ... Want to steal an account? Hell, want to automate stealing all accounts? Only takes a few hundred requests apiece! Oooh, there's CC data, too, and its encryption keys!

Third, the gem does actually allow whitelisting associations, methods, etc. but ... well, the documentation actually recommends against it for whatever fucking reason, and that whitelisting is about as fine-grained as a club. You wanna restrict it to accessing the "name" column, but it needs to access both the "site" and "user" tables? Cool, users can now access site.name AND user.name... which is PII and totally leads to hefty fines. Thanks!

Fourth. If the gem can't access something thanks to the whitelist, it doesn't catch the exception and give you a useful error message or anything, no way. It just throws NoMethodErrors because fuck you. Good luck figuring out what they mean, especially if you have no idea you're even using the fucking thing.

Fifth. Thanks to the follower mentality prevalent in this hellhole, this shit is now used in a lot of places (and all indirectly!) so there's no searching for uses. Once I banhammer everything... well, loads of shit is going to break, and I won't have a fucking clue where because very few of these brainless sheep write decent test coverage (or even fucking write view tests), so I'll be doing tons of manual fucking testing. Oh, and I only have a week to finish everything, because fucking of course.

So, in summary. The stupid and lazy (and legendary!) dev fucked up. The stupid gem's author fucked up, and kept fucking up. The stupid devs followed the first fuckup's lead and repeated his fuck up, and fucked up on their own some more. It's fuckups all the fucking way down.

MySQL should have a recycle bin. I just deleted whole "user" table by mistake... Forgot to add where clause properly... Had to restore 2 days old backup copy. I just hope no accounts were created or someone changed their password in last 2 days....

I starten when I was 12 years old. I got bullied and got interested in computers. One day I crashed my dads computer and he reinstalled it. After that my dad made two accounts. The regular user (my account) and the Administrator user (my dads account). He also changed the language from Dutch to English. Gladly I could still use the computer by looking at the icons :')

Everytime I needed something installed I had to ask my dad first (for games mostly because there was no cable internet at that time). Then I noticed the other user account while looking over my dads shoulders. So I tried to guess the password and found out the password was the same as the label next to the password field "password".

At that point my interest in hacking had grown. So when we finally got cable internet and my own computer (the old one) MSN Messenger came around. I installed lots of stuff like flooders etc. Nobody I knew could do this and people always said; he is a hacker. Although it is not.

I learned about IP-address because we sometimes had trouble with the internet. So when my dad wasn't home he said to me. Click on this (command prompt) and type in; ipcondig /all. If you don't see an IP-address you should type in; ipconfig /renew.

Thats when I learned that every computer has a unique address and I started fooling around with hacking tools I found on internet (like; Subseven).

When I got older I had a new friend and fooled around with the hacking tools on his computer. Untill one day I went by my friend and he said; my neighbor just bought my old computer. The best part was that he didn't reinstall it. So we asked him to give us the "weird code on the website" his IP-Address and Subseven connected. It was awesome :'). (Windows firewall was not around back then and routers weren't as popular or needed)

At home I started looking up more hacking stuff and found a guide. I still remember it was a white page with only black letters like a text file. It said sometime like; To be a hacker you first need to understand programming. The website recommended Visual Basic 6 for beginners. I asked my parents to buy me a book about it and I started reading in the holliday.

It was hard for me but I really wanted to hack MSN accounts. When I got older I just played around and copy -> pasted code. I made my own MSN flooders and I noticed hacking isn't easy.

I kept programming and learned and learned. When I was 16/17 I started an education in programming. We learned C# and OOP (altho I hated OOP at first). I build my own hacking tool like "Subseven" and thats when I understood you need a "server" and "client" for a successful connection.

I quit the hacking because it was getting to difficult and after another education I'm now a fulltime back-end developer in C#.

That's my story in short :)

My wife saw me posting on Dev Rant raging about my boss, and suggested I ought to use a different user name instead of my usual one... considering he spends all day using social media I think she might be right... passed the advice on to some friends we are all now paranoid and have new accounts. <3

This one's for all the SysAdmins out there.

About 4 years ago I was asked to take over a dental offices systems administration (~20 machines) after their previous guy had allowed their servers RAID 1 to fail and hadn't done any updates or general maintenance. (please take note this office is my parents dental office).

I since have been recovering from his poor configuration and setup by instating an active directory environment and installing up to date software as well as updating machines on the domain to Windows 10 since windows 7 is no longer supported. I have also been properly licensing everything.

My bosses (my parents) are annoyed with this because "it's more expensive" and "it's too complicated we don't know how to manage it" and I don't know how to explain to them that they aren't fucking systems admins. They asked why they could do it before and I tried to explain that now it's secure and things need to be rolled out on the network level. They had every user running full local admin on every workstation plus the server.

Some people don't fucking understand that just because it's simple doesn't make it a good fucking idea. And because it's cheap doesn't mean it will always be (just wait till Microsoft audits you).

Oh and they also don't understand fucking CAL licensing and refuse to pay for gsuite for all their staff who use it. Instead they just have two gsuite accounts and give everyone the fucking password.

I'm going to have an aneurysm

Taking IT classes in college. The school bought us all lynda and office365 accounts but we can't use them because the classroom's network has been severed from the Active Directory server that holds our credentials. Because "hackers." (The non-IT classrooms don't have this problem, but they also don't need lynda accounts. What gives?)

So, I got bored, and irritated, so I decided to see just how secure the classroom really was.

It wasn't.

So I created a text file with the following rant and put it on the desktop of the "locked" admin account. Cheers. :)

1. don't make a show of "beefing up security" because that only makes people curious.
I'm referring of course to isolating the network. This wouldn't be a problem except:

2. don't restrict the good guys. only the bad guys.
I can't access resources for THIS CLASS that I use in THIS CLASS. That's a hassle.
It also gives me legitimate motivation to try to break your security.

3. don't secure it if you don't care. that is ALSO a hassle.
I know you don't care because you left secure boot off, no BIOS password, and nothing
stopping someone from using a different OS with fewer restrictions, or USB tethering,
or some sort malware, probably, in addition to security practices that are
wildly inconsistent, which leads me to the final and largest grievance:

4. don't give admin priveledges to an account without a password.

seriously. why would you do this? I don't understand.
you at least bothered to secure the accounts that don't even matter,
albeit with weak and publicly known passwords (that are the same on all machines),
but then you went and left the LEAST secure account with the MOST priveledges?
I could understand if it were just a single-user machine. Auto login as admin.
Lots of people do that and have a reason for it. But... no. I just... why?

anyway, don't worry, all I did was install python so I could play with scripting
during class. if that bothers you, trust me, you have much bigger problems.

I mean you no malice. just trying to help.

For real. Don't kick me out of school for being helpful. That would be unproductive.
Plus, maybe I'd be a good candidate for your cybersec track. haven't decided yet.

-- a guy who isn't very good at this and didn't have to be
have a nice day <3

oh, and I fixed the clock. you're welcome.

As stated in a previous story, I just started an internship using angular and am learning it on the job.

The other day, one of the admins posted an issue in gitlab about how easy it was to delete user accounts via the front end.

He wanted someone to add further confirmation to prevent accidentally deleting anyone. Literally just had to hit the X icon and poof they're gone.

I was like, I can do that! Of course, as I was looking at the platforms account page, accidentally deleted that admins account 😅

He thanked me for resolving the issue, and it became a joke around the office about the irony of the situation.

Highlights from my week:

Prod access: Needed it for my last four tickets; just got it approved this week. No longer need it (urgently, anyway). During setup, sysops didn’t sync accounts, and didn’t know how. Left me to figure out the urls on my own. MFA not working.

Work phone: Discovered its MFA is tied to another coworker’s prod credentials. Security just made it work for both instead of fixing it.

My merchant communication ticket: I discovered sysops typo’d my cronjob so my feature hasn’t run since its release, and therefore never alerted merchants. They didn’t want to fix it outside of a standard release. Some yelling convinced them to do it anyway.

AWS ticket: wow I seriously don’t give a crap. Most boring ticket I have ever worked on. Also, the AWS guy said the project might not even be possible, so. Weee, great use of my time.

“Tiny, easy-peasy ticket”: Sounds easy (change a link based on record type). Impossible to test locally, or even view; requires environments I can’t access or deploy to. Specs don’t cover the record type, nor support creating them. Found and patched it anyway.

Completed work: Four of my tickets (two high-priority) have been sitting in code review for over a month now.

Prod release: Release team #2 didn’t release and didn’t bother telling anyone; Release team #1 tried releasing tickets that relied upon it. Good times were had.

QA: Begs for service status page; VP of engineering scoffs at it and says its practically impossible to build. I volunteered. QA cheered; VP ignored me.

Retro: Oops! Scrum master didn’t show up.

Coworker demo: dogshit code that works 1 out of 15 times; didn’t consider UX or user preferences. Today is code-freeze too, so it’s getting released like this. (Feature is using an AI service to rearrange menu options by usage and time of day…)

Micromanager response: “The UX doesn’t matter; our consumers want AI-driven models, and we can say we have delivered on that. It works, and that’s what matters. Good job on delivering!”

Yep.
So, how’s your week going?

Client stores all user accounts in a publicly accessible google spreadsheet in case the user forgets their login. It includes user name, plain text password, and just in case, the hashed password....

That feeling when the business wants you to allow massive chunks of data to simply be missing or not required for "grandfathered" accounts, but required for all new accounts.

Our company handles tens of thousands of accounts and at some point in the past during a major upgrade, it was decided that everyone prior to the upgrade just didn't need to fill in the new data.

Now we are doing another major upgrade that is somewhat near completion and we are only just now being told that we have to magically allow a large set of our accounts to NOT require all of this new required data. The circumstances are clear as mud. If the user changes something in their grandfathered account or adds something new, from that point on that piece of data is now required.
But everything else that isn't changed or added can still be blank...
But every new account has to have all the data required...

WHY?!

During the first few months of my first professional development role, I had a really odd bug on a live WordPress site that I couldn't replicate locally, despite having the same code and dependency setup. Using WordPress was a mistake but not the one I'm writing about.

I decided to copy live site and its database. Then I thought it best to delete all the users from the copy of the database (I'm not sure why I thought I should do that) and I did so via the WordPress admin UI.

What I wasn't aware of was there was a custom function to email the user before they get deleted.

I got inundated with hundreds of confused/angry/hysterical users about their accounts being deleted, even though they hadn't actually been, and a telling off from the boss.

The security on my school computers is a joke.
The standard student accounts have no user rights, but the "guest" account has admin rights???
The teachers private data is not secured, it's just hidden from explorer, so if you manually type in the folder location into the explorer bar, you can access the teacher's data. Not to mention everything is running on Windows 7 machines from 10 years ago.

Aaaaaaaargh!! Fing ashole!!
I got a major blocker reported, tried to connect to client, two of the user accounts were locked out because some genious used the last months password too many times.. FUUUU!! This happens almost every month!! FU! I go to the support dpt to check WTH is with those user accounts and got told the VPN is fucked up anyway so I will not be able to connect in any casr (disconnecting, bad transfer rate, it has a flue or prebirth cramps...whatever...). Ok, I ask if anyone notified our network admins and theirs.. And in response one guy mumbles something... I asked really really pissed off (due to the seriousnrs of the situation, we have max 8h to fix blockers and must check what is going on in minutes) if he is talking to me and answering my question or just talking to himself. He then a little bit more audiably said: we all are unable to work, you are not the only one with this problem & if you have a solutio... I already stormed out. Yes, everyone has problems connecting, no not everyone has a fucking blocker assigned to them!! Mayor malfunction on our system is not the same as archiving old processing data!!!

Simple yes or no question: did anyone notify our network admins & client's network admins?! And client's management that we have technical problems and cannot check the blocker situation immediately?! And I get a mumbling incompetents guy response... OmFG yes, I have a solution for you!! Go and jump of of the terrace!!

Oohhh, dropbox... You are pathetic.

I'm a long time dbx user. 10+ years ago they had a programme saying that each new dbx user created using my ref link [on different machines] grants me 500M or 1G of additional space in my acct. Around that time I used to actively fix/reinstall/setup others' computers, so I had an easy access to different machines. This way I boosted my dbx capacity to 27G. For free.

Since ~5 years ago dbx started spamming me with "you're almost out of storage" emails [I'm using ~80% of my 27G]. Annoying, but I understand - they have to keep with the sales. I can live with this occasional spam.

Now, since I got my new laptop, I'm setting up dbx on it. And dbx is SO desperate with their sales, that now they only allow sync on 3 devices max. I had to unlink other 17 devices I've ever logged in from before I could continue.

What's the next step of despair? Free accounts can only sync on weekends?

Come on. This looks ridiculous. Dropbox, get your shit together!

Stakeholder: Users are connecting invalid memberships to their web accounts. They shouldn’t be able to do that.

Me: Their memberships were valid when they set up the account. Your team’s record de-duping project is the issue here. You decided to mark those memberships as invalid.

I’m real tired of this stakeholder acting like this is a website issue or user error. Plus, this chaos could have been avoided if they and other involved stakeholders had just cc’d me on this de-duping project. I would have said their approach was not a good idea. But they didn’t because they want to do what’s convenient for them. If they want to be a reliable source of truth for our data, then they need to be responsible with how they’re handling that data.

Rails gems are like heroine. Addicting as fuck and dangerous when you stop using them.

Just the other day I was explaining user accounts explanations to a coworker when he asked me "what if for some reason you cannot use that package"

My brain froze for a minute trying to remember how would one go about doing that without devise.

Dangerous man.

Do arcade games (Pac-Man, Donkey Kong, Berserk) count? I got my allowance in quarters.

Atari 2600? Ti/99 with a tape drive to play a game at my friend's house?

Having to buy a 5.25" floppy in the HS bookstore for typing class on the TRaSh-80s and finding a way to put a break in the program and save it to disk so I got top score on assignments?

Tron. That's what really did it for me. To this day, I like to imagine there is a vast world inside the computer.

After a BASIC programming class in HS, I got an Apple IIGS and started writing my own load menus for these little games I'd find around FIDO and newsgroups. Instead of "PR#6, brun gumball" a nice styled menu would show where you could press the number of the game you wanted to play.

I bought a book on Apple assembler and promptly got disillusioned with full blown programming (in 1988), instead sticking to BASIC and, later, JavaScript, HTML, PHP, CSS, and Python.

Who remembers sharing hacked PCP accounts to dial out of state BBSes?

Applied Engineering customers and 300 baud chatroom lurkers represent.

User #243, God's Country chat

Operations: Can you exclude some user records for the website? These are obsolete and we don’t want users to access these anymore.

Me: So what are you using to indicate the record is obsolete?

Ops: We changed the last name field to say “shell record - do not use.” Sometimes it’s in the first name. Actually, it gets truncated to “shell record - do not u”.

Me: A…text field…and you’re totally ok with breaking user accounts…ok ok cool cool

Not cool 😳😬🤬 I’m not causing more chaos because your record keeping has gotten messy

I have a VP constantly harassing my people about some reports that we need to do as per federal law.

The thing is, these live inside of such system that I get to see exactly how many "hits" they get on a yearly basis. The only traffic we have on those sections is of people going ahead and putting the information from our reports there.

That's it, literally. Our user base does not go there. Federal agencies do not go there. No one gives two blips of shit about those sections. Yet she continuously acts like they are the most important thing in the fucking world. To make it better, I was told not to generate actual analytical data from said reports, since people with PHDs will come down on me to ask me who the fuck do I think I am from gauging them with such systems. So shit is a mute point on all fucking accounts.

I told my VP I can generate traffic information to let them know that shit is not really the most important thing in the fucking universe. His eyes glowed.

I don't want to see head rolls, but from staying till the next morning awake trying to give the best to our userbase, and just to be called out on shit like this as if I did not do enough for our people just.....well....it fucking hits man.

The worse part was me literally getting 30 minutes of sitting down after an all nighter, doing something for my users, to get to a meeting the next morning (I should not have driven there honestly) to hear this bitch complain about us not doing enough or not caring or whatever other bullshit she would spew.

I was livid, lack of sleep makes me dangerous. I turned to say something when my boss stopped me and took care of business. I seriously love this man. By all accounts and generational gaps a boomer, but one of the few good golden ones.

I just hate how unappreciated the realm of software development is by people that think that our shit is as simple as making a fucking powerpoint presentation.

Consolidate that with a director from another department taking all fucking glory during a major event of an application that I built by myself with 2 fucking weeks of no sleeping. And shit just gets glorious.

I have considered moving to other places, and heck, have gotten amazing offers, what with having a degree with a big fucking GPA and having the credentials of a senior, lead, full stack and manager role, the sky is the limit. But i know that if I leave then my users suffer, and I just can't fucking have that.

I have heard them speaking about doing something with X app that I built (with my department) I have even heard one of them saying "how is this made?" and a part of me hoped that it would be a good time to grab them and tell them of the field and the things that they can do. But I don't like announcing myself that way, always seemed to presumptuous, so I just smile, fuck yeah, my users are doing their thing with what I built to better their lives, what more can I have?

I have gotten criticisms from them, one recognized me, told me about his pain points and how it makes it hard for him to do what he must. Getting the data from the user base in an effort to make shit better for them drives me, my challenge being "how about this? better eh?"

But fucking execs man, think only of themselves, not the users, they forget about the users. Much like a shitty rock band forgetting about the music, about the fans.

I can't let that slide. But this fucking field. I sometimes fucking hate it, and I hate it because of the normies that don't understand and do not want to understand.

I do way too much, my guys do way too much and all I want is for the recognition to go to them. They do not need the ego boost, but to see my guys sitting in a meeting in which some dumb fuck is trying to drill us for taking to long, not doing something and what not, it fucking pisses me off. As their boss I always stand up and tell bitches off, but instead of learning, the bitches just keep pressing on their already defeated points.

Everything in human life gets fucking erradicated by: humans. People really do fucking suck.

I sometimes wish to go back, redo my diesel tech license and just work there, where I think one would be better of talking to an engine. But no, even then you get people, you have to interact with people, deal with people, and I am so far up my game and in my field that starting from scratch is a fucking mute point.

Maybe I need to keep fucking with stocks, get rich and just keep investing on bullshit. Whatever the fuck it takes me from having to feel the urge to choke a motherfucker in public.

I am making an LDAP user manager and porting application for my workplace.

The thing is, i made the first version of it in PHP already. Shit works fine and it without an issue.

But

I had an itch to redesign it using another tech stack that would be speedier, more tested and using a more established platform.

Enter Clojure, a Lisp dialect for the JVM. In a single day I managed to get 80% of the application done. We have about 80k users inside of our ldap system(maybe more) and I tested it with 150 accounts, so far so good.

If this works I will be the first person to deploy a Clojure application, not only for my organization, but for the city as a whole while simultaneously being able to say that I got a Lisp app deployed and working :D

I am loving this. Really wanna have a Lisp app out there and add it to my resume.

The head of my department, an old timer and really ancient dev smiled heavily when I showed him the codebase. Not only is it minimal, it is concise and elegant :D

I love Clojure

And Texas

Social Captain (a service to increase a user's Instagram followers) has exposed thousands of Instagram account passwords. The company says it helps thousands of users to grow their Instagram follower counts by connecting their accounts to its platform. Users are asked to enter their Instagram username and password into the platform to get started.

According to TechCrunch : Social Captain was storing the passwords of linked Instagram accounts in unencrypted plaintext. Any user who viewed the web page source code on their Social Captain profile page could see their Instagram username and password in plain text, as they had connected their account to the platform. A website bug allowed anyone access to any Social Captain user's profile without having to log in ; simply plugging in a user's unique account ID into the company's web address would grant access to their Social Captain account and their Instagram login credentials. Because the user account IDs were for the most part sequential, it was possible to access any user's account and view their Instagram password and other account information easily. The security researcher who reported the vulnerability provided a spreadsheet of about 10,000 scraped user accounts to TechCrunch.

Omg how stupid some people are... Today at my university I used the first time one of the computers in the computer room and there is a portable Firefox installed in a shared space on the computer and that is also where it saved settings etc. So this is the same for every user on that particular computer.

And when I checked the security settings I found that about 10 different accounts were saved and accessible with website username and password.

So of course the shared space Firefox is bad, but you still shouldn't save you password on a public computer :S

PS: If anyone needs a webmail account or an account for the german university network contact me :P

Saw this sent into a Discord chat today:

"Warning, look out for a Discord user by the name of "shaian" with the tag #2974. He is going around sending friend requests to random Discord users, and those who accept his friend requests will have their accounts DDoSed and their groups exposed with the members inside it becoming a victim as well. Spread the word and send this to as many discord servers as you can. If you see this user, DO NOT accept his friend request and immediately block him. Discord is currently working on it. SEND THIS TO ALL THE SERVERS YOU ARE IN. This is IMPORTANT: Do not accept a friend request from shaian#2974. He is a hacker.

Tell everyone on your friends list because if somebody on your list adds one of them, they'll be on your list too. They will figure out your personal computer's IP and address, so copy & paste this message where ever you can. He is going around sending friend requests to random discord users, and those who accept his requests will have their accounts and their IP Addresses revealed to him. Spread the word and send this to as many discord servers as you can. If you see this user, DO NOT accept his friend request and immediately block him. Saw this somewhere"

I was so angry I typed up an entire feature-length rant about it (just wanted to share my anger):

"1. Unless they have access to Discord data centres or third-party data centres storing Discord user information I doubt they can obtain the IP just by sending friend requests.

2. Judging by the wording, for example, 'copy & paste this message where ever you can' and 'Spread the word and send this to as many discord servers as you can. If you see this user, DO NOT accept his friend request and immediately block him.' this is most likely BS, prob just someone pissed off at that user and is trying to ruin their reputation etc.. Sentences equivalent to 'spread the word' are literally everywhere in this wall of text.

3. So what if you block the user? You don't even have their user ID, they can change their username and discrim if they want. Also, are you assuming they won't create any alts?

4. Accounts DDoSed? Does the creator of this wall of text even understand what that means? Wouldn't it be more likely that 'shaian' will be DDoSing your computer rather than your Discord account? How would the account even be DDoSed? Does that mean DDoSing Discord's servers themselves?

5. If 'shaian' really had access to Discord's information, they wouldn't need to send friend requests in order to 'DDoS accounts'. Why whould they need to friend you? It doesn't make sense. If they already had access to Discord user IP addresses, they won't even have to interact with the users themselves. Although you could argue that they are trolling and want to get to know the victim first or smth, that would just be inefficient and pointless. If they were DDoSing lots of users it would be a waste of time and resources.

6. The phrase 'Saw this somewhere' at the end just makes it worse. There is absolutely no proof/evidence of any kind provided, let along witnesses.

How do you expect me to believe this copypasta BS scam? This is like that 'Discord will be shutting down' scam a while back.

Why do people even believe this? Do you just blindly follow what others are doing and without thinking, copy and paste random walls of text?

Spreading this false information is pointless and harmful. It only provides benefits to whoever started this whole thing, trying to bring down whoever 'shaian' is.

I don't think people who copy & paste this sort of stuff are ready to use the internet yet.

Would you really believe everything people on the internet tell you?

You would probably say 'no'.

Then why copy & paste this? Do you have a reason?

Or is it 'just because of 'spread the word''?

I'm just sick of seeing people reposting this sort of stuff

People who send this are probably like the people who click 'Yes' to allow an app to make changes in the User Account Control window without reading the information about the publisher's certificate, or the people who click 'Agree' without actually reading the terms and conditions."

Our employee management system, for some reason, stored Testlists (I work in QA) linked to the user accounts that created them. Now after an colleague who worked there for five years left pretty much all our data was suddenly down the drain and nobody backed the fricking server up because, hey, whats the fun in that. Now all the tests need to be rewritten and other than the whole gui test automation of our product, maintenance of the same for another product, manually testing dev issues and training my new code monkeys to frickin not commit non working code to the trunk I have now also "Make a better Employee management system" (roughly translated those are the specs I've got) on my plate... I can remember back to the care free days of just before my boss asked me if I wanted to try to automate some of the test cases... How did I ever survive this paralyzing tranquility. Ha, surprise.
!rant, I fucking love the stress and juggling a shit ton of problems at the same time keeps ine on edge.

When I was in 11th class, my school got a new setup for the school PCs. Instead of just resetting them every time they are shut down (to a state in which it contained a virus, great) and having shared files on a network drive (where everyone could delete anything), they used iServ. Apparently many schools started using that around that time, I heard many bad things about it, not only from my school.
Since school is sh*t and I had nothing better to do in computer class (they never taught us anything new anyway), I experimented with it. My main target was the storage limit. Logins on the school PCs were made with domain accounts, which also logged you in with the iServ account, then the user folder was synchronised with the iServ server. The storage limit there was given as 200MB or something of that order. To have some dummy files, I downloaded every program from portableapps.com, that was an easy way to get a lot of data without much manual effort. Then I copied that folder, which was located on the desktop, and pasted it onto the desktop. Then I took all of that and duplicated it again. And again and again and again... I watched the amount increate, 170MB, 180, 190, 200, I got a mail saying that my storage is full, 210, 220, 230, ... It just kept filling up with absolutely zero consequences.
At some point I started using the web interface to copy the files, which had even more interesting side effects: Apparently, while the server was copying huge amounts of files to itself, nobody in the entire iServ system could log in, neither on the web interface, nor on the PCs. But I didn't notice that at first, I thought just my account was busy and of course I didn't expect it to be this badly programmed that a single copy operation could lock the entire system. I was told later, but at that point the headmaster had already called in someone from the actual police, because they thought I had hacked into whatever. He basically said "don't do again pls" and left again. In the meantime, a teacher had told me to delete the files until a certain date, but he locked my account way earlier so that I couldn't even do it.
Btw, I now own a Minecraft account of which I can never change the security questions or reset the password, because the mail address doesn't exist anymore and I have no more contact to the person who gave it to me. I got that account as a price because I made the best program in a project week about Java, which greatly showed how much the computer classes helped the students learn programming: Of the ~20 students, only one other person actually had a program at the end of the challenge and it was something like hello world. I had translated a TI Basic program for approximating fractions from decimal numbers to Java.
The big irony about sending the police to me as the 1337_h4x0r: A classmate actually tried to hack into the server. He even managed to make it send a mail from someone else's account, as far as I know. And he found a way to put a file into any account, which he shortly considered to use to put a shutdown command into autostart. But of course, I must be the great hacker.

Not being able to persuade the client that storing plain text passwords so that they can send them to their users when they forget them is not the best way to handle user accounts.

This happened in 2012 but it still hunts me like it was yesterday.

Before you all demand to ban me from devRant, I’d like to say that we impelemented an alternative (unpaid!) for this, but were requested to disable it.

So a few days ago windows decides to update. No alerts, nothing. Just a random update. 4 HOURS LATER it's still going "hi, we have a new update for you". By hour 5 it's finally done. My wonderful new desktop is a black screen with broken keyboard drivers (mouse still works somehow) and the other user accounts are also broken (but explorer somehow still loads). Then these motherfuckers have the nerve to send a dialog saying "congratulations on updating Windows to the latest version" ...... ;-;

reinstalled windows and everything works again. just need to download ~500Gb of programs on a >1mb/s connection.

fml

ps. this is my first rant, sorry if it's a bit incoherent.

You all like WoW? I developed a MUD (Multi User Dungeon, the first real mmorpg's) server from scratch using telnet and nodejs.
You can create accounts and characters with different classes/races and dive into a world full of quests, monsters and lots of loot :)

Multi User, One Account, and other shit

I'm gonna rant about something as a user, and someone who makes stupid web stuff.

My bank has been updating their web banking over time and they decided that every individual on an account, should have their own login. They really want to push this on their users, I suspect specifically folks like me and my wife who share one login for the joint accounts we have at the bank together.

Why share one login, because it's the only sure fire way I know that I and my wife can see all the same shit no doubt about it.

The banks never tell you what you can see or can't with joint accounts, I doubt it is even documented on their end, but in every damn case something is hidden or different in some weird way.

Messages to the bank people? If I send it, my wife often can't. I get that for security reasons that's a thing, but it makes no sense for a joint account.

ANY difference to me breaks online banking ENTIRELY. Joint accounts are supposed to be... well one account that is the same.

Other banks we used where we had different logins for the joint account, each login actually had separate bill pay accounts per user. So if I went to bill pay and scheduled something to be paid, my wife had no idea, same if she did.

Right fucking there, banking is just broken entirely!

So no Mr. Bank, fuck you we're both logging in via the same login.

Fast forward to N00bPancakes making a thing.

So my employer has a customer (Direct Customer). Direct Customer wants a thing that makes communication with their customer (Indirect Customer) easier.

The worst thing about making something for your customer's customer is that Direct Customer always imagines that Indirect Customer is gonna be super ninja power users....

But no, that's not the case... in fact almost nobody is a power user, and absolutely nobody WANTS to be a power users.

Worse yet in my case the only reason this tool exists is because Direct Customer and Indirect Customer can't communicate well enough anyway... that should tell you something about the amount of effort Indirect Customer is willing to expend.

So with that tool, this situation constantly comes up:

Direct Customer thinks it would be great if every user from Indirect Company had some sort of custom messaging, views, and etc in of Cool Communication Tool. The reason is because that's what Direct Customer loves about Ultra Complex Primary Tool that they use ....

Then I have to fight the constant fight of:

NOBODY WANTS TO BE A POWER USER, NOBODY EVEN WANTS TO DO MUCH OF ANYTHING ON THE INTERNET THAT ISN'T SCREAMING AT OTHER PEOPLE OR POST MEMES OR WATCH SHITTY VIDEOS. THE MOMENT ANYONE AT INDIRECT COMPANY LOGS IN AND SEES ANY INFO THAT IS DIFFERENT FROM THEIR COWORKER THEY'LL SHIT THEMSELVES, FLOOD EVERYONE WITH 'OH GAWD SOME NON SPECIFIED THING IS WRONG' AND RESPOND TO EMAILS LIKE A JELLYFISH DROPPED OFF IN NEW MEXICO... AND NOTHING WILL GET DONE!!!

God damn it people.

Also side rant while I'm busy fighting the good fight to keep shit simple and etc:

People bitch about how horrible the modern web is and then bitch at web devs like we're rulers of the internet or something.... What really pisses me off about that is other devs who do that.... like bro, do you make policy at your company? You decide not to sell some info or whatever shit your company sells? Like fuck off with your 'man I miss html' because you got scared by some shitty JS error and ran back to your language of choice and just poked your head out of the the basement and got scared... and you shit on another developer about that? Fuck you.

User: If we use Oauth2, can we audit exactly where this data is going and who sends it there, and in addition cam we audit who grabs that data from the Authenticating app and make sure it doesn't violate our requirements?

Me: No

User: Why not?

Me: Because thats like asking us to audit whether or not a user accessed files and then uploaded them to their personal drive instead of corporate. We don't mandate that application owners take responsibility for their data outside of their application, why would we require that in this case???

User: Uhhhhh

FFS the lack of understanding of application accounts here boggles my mind. I understand that the security concerns are real but throwing out all permissible contexts based on a mandate that we dont even apply to extremely permissive accounts (i.e. users compared to apps) is folly

The university I used to study CSE, they had some OLD computers with Windows XP in them. Also, all those computers had TWO user accounts. One with the admin access and another one with normal access. Until this, it was fine.
But the browsers installed there were so old, even normal website struggles to load properly. and so many outdated apps, kept bugging us for update, but every time we click on UPDATE, they ask for the admin password, which we didn't have. So, most of the students were frustrated about this, but nobody took any action! :/
So, I hacked one of the computers' admin password. the password was "BRIGHT". I'm like, these people are never gonna set different passwords in different computers and remember them for eternity. Definitely all passwords have to be the same, and they were! Which saved my time.
So, I shared the password with everyone in my class and now they can install any apps they want. Which made me so happy!
But You know, words travel fast! Just one day after the hacking incident, the Seniors ( & the juniors ) came to me with their laptops to find their forgotten password, which made me earn some money & eat some delicious foods, also got to meet some beautiful girls of our campus ^_^
& I used to go to other classes to hack those Admin passwords for fun ^_^ But I never told them the password until they pay me or feed me something delicious! ^_^

I miss those good old days! ^_^

A grammar analyzer for Twitter accounts. Basically trying to see how well or poor the grammar of a particular Twitter user is by analyzing their tweets.

There are a couple:

A system that updates user accounts to connect them into our wifi system by parsing thousands of processing files written in Clojure. The project was short lived and mainly experimental, It has complete test cases and the jar generated from it is still purring silently on the main application. It was used to replace an $85k vendor application that made no fucking sense. The code has not been touched in 2 years and the jar is still there. The dba mentioned the solution to the vendor, the vendor tried buying it from me, but being that it belongs to the institution nothing was touched, still, it got the VP's attention that I can make programs that would be bought for that level, it caught his attention even more when I showed him the codebase and he recognized a Lisp variant (he is old, and was back in the day a Fortran and Cobol developer)

A small Python categorical ML program that determines certain attributes of user generated data and effectively places them on the proper categories on the main DB. The program generates estimates of the users and the predictions have a 95% correctness rate. The DBA still needs to double check the generated results before doing the db updates. I don't remember how I coded it because I was mostly drunk when I experiment on the scenario. It also got the attention of the VP and director since the web tech manager was apparently doing crazy ML shit that they were not expecting me to do, it made them paranoid that I would eventually leave for a ML role somewhere, still here, but I want more moneys!!

A program that generates PDF documentation from user data, written in Go, Python and Perl (yes Perl) I even got shit from the lead developer since I used languages outside of their current scope of work. Dude had no option but to follow along with it :P since I am his boss

Many more. I am normally proud of my work code. But my biggest moment is my current ntural language processing unit that I am trying to code for my home, but I don't have enough power to build it with my computers, currently, my AI is too stupid, but sometimes it does reply back to my commands and does the things I ask it to do (simple things, opening a browser, search for a song etc) but 7 times out of ten it wont work :P

-4 Domain Administrators in my organization-

Me, a Doman Administrator: "Boy, I sure hope the FDIC IT Audit goes well!"

Braindead FDIC Examiner: "So let me get this straight, you use your administrator account to do things on a day-to-day basis?"

Me: "Uhh, I'm an admin so yeah, my account has admin privileges."

Examiner: *gives disapproving glare* "And your personal account has administrative rights?"

Me: "...I'm an admin... So I thought that'd be fairly obvious."

Examiner: "I'm sorry, but that is unacceptable. How can we tell which admin made what change when?"

Me: *dumbfounded* "...I'm sorry, what?"

Examiner: "You're going to need separate accounts, 1 normal user account and 1 admin account per domain admin."

Me: "You do realize that everything I do while I'm working requires elevation of SOME kind, don't you?"

Examiner: "I'm sorry, but you need to make this change. Thank you."

Me: *stares at the short pile of braindead shit as he walks away*

Just went to my accounts in Google. And happen to go across my activity section. I had no fucking idea I was tracked so much! It even lists the app I have opened at particular time. It stores every frigging thing I do with my phone. Goddamnit! Yes, I understand I have agreed to share my information with you. But you just take everything.

Go to myaccount.google.com and head towards the my activity section. You'll know what I'm talking about if you are heavy android user.

Accidentally cleared user accounts table that connects mobile apl accounts with main system accounts. Almost had a heart attack​ but luckily Azure had point in time restore 😌

Me: You decided some records in system A should be obsolete, but the records are tied to active user accounts on the website. Now, I have users emailing and asking why their profile’s last name field says “shell record - do not use.”

Stakeholder: Oh…can’t you stop those profiles from loading? Or redirect the users to the right record in system A? In system A, we set up a relationship between the shell record and the active one.

Me: 😵 Um, no and no. If I stop a user’s profile from on the website, that’s just going to cause more confusion. And the only way to identify those shell record is to look at the last name field, a text field, for that shell record wording. Also, the website uses an API to query data from system A by user id. Whatever record relationship you established isn’t reflected in the vendor’s API. The website can’t get the right record from system A if it doesn’t have the right user id.

We were in the process of signing up an enterprise company. We sent them a spreadsheet requesting a list of all of their staff so that we can create user accounts for all of them. That dumb shit at the company printed out the spreadsheet and then filled out the printouts using her pen and then took a photograph of it and emailed it back to us.

This was at my first job, a site that sold magazine subscriptions during the dot com boom.

Times got rough during the bust. First sign, free snacks disappeared. Everyone started worrying, and checking fuckedcompany.com to see if we were on it. One day everyone's machines shut down, and someone walks around saying company meeting in the cafeteria. My Russian coworker asks if I have a screwdriver so he can liberate his hard drive. Go to the meeting. Most of the company is being laid off immediately. You have to hang around having interviews with your boss to see if you still have a job. I don't.

2 weeks later they call and ask if I'd like to come back. Turns out trying to run with 1 programmer wasn't working out for them. I go back.

First problem we try to tackle - the shopping cart is slow. We put in a hack SQL file to delete carts older than 1 week. Gets better. Then gets slower again. Rinse and repeat 2 times. Finally digging through the source in the perl folder (not what the main site was in) we find what scheduled job was supposed to do this. Dig in. What do we find out? sa_scheduled_tasks user account was deactivated, because only user accounts belonging to people who still had a job were left active.

Fuuuuuuuuuuuck.

South Africa Release notes version v3.0.2

In 1994 SA underwent one of the biggest system upgrades since 1948. In this new rolling release since the system update called apartheid the system has been annexing resources, locking it down, making it closed source, closing it off community updates and from global updates and minimizing services across the board. On 27 April 1994, the new democratic system update was released with a new system monitor, release resources and balancing efficiency in the system. Though there were remnants of the old code in the system, it was being rewritten by a new generation of users, open source resources were established, giving users the right to choose among themselves how to grow the system , and how to better the experience for all.

In 1999 a new system monitor was created by the users, it wasnt as popular as the ground breaking Madiba release but it was a choice by the community to move forward and grow. The system was stable for a few years, new users were able to develop more on the system, making it more lucrative monetary wise. There were still remnants of the apartheid code but the new generation of developers worked with it making it there own, though they had not yet had admin rights to help change the system, they created a developer culture of their own. A new system resources balancer was introduced called BBEE, that allowed previous disadvantage users more admin rights to other system resources, helping the user base to grow. Though the balancer was biased, and flawed it has helped the system overall to grow and move forward. It has major holes in security and may flood some aspects of the system with more outdated software patches, users have kept it in its system releases until the resource balancer moved the system into a more stable position.

The next interim system monitor release was unexpected, a quiet release that most users did not contribute towards. The system monitor after that nearly brought the system down to a halt, as it was stealing resources from users, using resources for its own gain, and hasn't released any of it back to the system.

The latest user release has been stable. It has brought more interest from users from other countries, it had more monetary advantages than all other releases before. Though it still has flaws, it has tried to balance the system thus far.

Bug report as of 16 Feb 2018
*User experience has been unbalanced since the 1994 release, still leaving some users at a disadvantage.
*The three tier user base that the 1948 release established, creating three main user groups, created a hierarchy of users that are still in effect today, thought the 1994 release tried to balance it out, the user based reversed in its hierarchy, leaving the middle group of users where they were.
*System instability has been at an all time low, allowing users to disable each others accounts, effectively
killing" them off
*Though the infrastructure of the system has been upgraded to global standards ( in some aspects ) expansions are still at an all time low
*Rogue groups of users have been taking most of the infrastructure from established users
*Security services have been heightened among user groups though admins were still able to do as they pleased without being reprimanded
*Female users have been kicked off the system at an alarming rate, the security services have only kicked in recently, but the system admins and system monitor has not done anything about it yet

Bug fixes for a future release:
*Recreating the overall sysadmin team. Removing some admins and bringing others in
*Opening the system more globally to stabilize it more
*Removing and revamping the BBEE system, replacing it with more user documentation, equalizing the user base
*Giving more resources to users that were at a disadvantage during the first release
*Giving the middle group of users more support, documentation and advantages in the system, after removing the security protocols from the user base
*Giving new users who grew up with the post 1994 release more opportunities to help grow the system on a level playing field.
*Establishing the Madiba release principles more efficiently in the current system

I got 15 reserved user accounts after posting that #mystartup post, this is why I love you guys.

The conversations that come across my DevOps desk on a monthly basis.... These have come into my care via Slack, Email, Jira Tickets, PagerDuty alerts, text messages, GitHub PR Reviews, and phone calls. I spend most of my day just trying to log the work I'm being asked to do.

From Random People:
* Employee <A> and Contractor <B> are starting today. Please provision all 19 of their required accounts.
* Oh, they actually started yesterday, please hurry on this request.

From Engineers:
* The database is failing. Why?
* The read-only replica isn't accepting writes. Can you fix this?
* We have this new project we're starting and we need you to set up continuous integration, deployment, write our unit tests, define an integration test strategy, tell us how to mock every call to everything. We'll need several thousand dollars in AWS resources that we've barely defined. Can you define what AWS resources we need?
* We didn't like your definition of AWS resources, so we came up with our own. We're also going to need you to rearchitect the networking to support our single typescript API.
* The VPN is down and nobody can do any work because you locked us all out of connecting directly over SSH from home. Please unblock my home IP.
* Oh, looks like my VPN password expired. How do I reset my VPN password?
* My GitHub account doesn't have access to this repo. Please make my PR for me.
* Can you tell me how to run this app's test suite?
* CI system failed a build. Why?
* App doesn't send logs to the logging platform. Please tell me why.
* How do I add logging statements to my app?
* Why would I need a logging library, can't you just understand why my app doesn't need to waste my time with logs?

From Various 3rd party vendors:
* <X> application changed their license terms. How much do you really want to pay us now?

From Management:
* <X> left the company, and he was working on these tasks that seem closely related to your work. Here are the 3 GitHub Repos you now own.
* Why is our AWS bill so high? I need you to lower our bill by tomorrow. Preferably by 10k-20k monthly. Thanks.
* Please send this month's plan for DevOps work.
* Please don't do anything on your plan.
* Here's your actual new plan for the month.
* Please also do these 10 interruptions-which-became-epic-projects

From AWS:
* Dear AWS Admin, 17 instances need to be rebooted. Please do so by tomorrow.
* Dear AWS Admin, 3 user accounts saw suspicious activity. Please confirm these were actually you.
* Dear AWS Admin, you need to relaunch every one of your instances into a new VPC within the next year.
* Dear AWS Admin, Your app was suspiciously accessing XYZ, which is a violation of our terms of service. You have 24 hours to address this before we delete your AWS account.

Finally, From Management:
* Please provide management with updates, nobody knows what you do.

From me:
Please pay me more. Please give me a team to assist so I'm not a team of one. Also, my wife is asking me to look for a new job, and she's not wrong. Just saying.

Why does nobody talk about security, even as basal on user accounts?

Its rare when i find a a framework/tool/talk/library/spec where the docs give an explanation, and more important an example of doing it the right way, and i mean without going into the history of ancient Greece and their scytale stick

Client be like:
Pls, could you give the new Postgres user the same perms as this one other user?

Me:
Uh... Sure.

Then I find out that, for whatever reason, all of their user accounts have disabled inheritance... So, wtf.

Postgres doesn't really allow you to *copy* perms of a role A to role B. You can only grant role A to role B, but for the perms of A to carry over, B has to have inheritance allowed... Which... It doesn't.

So... After a bit of manual GRANT bla ON DATABASE foo TO user, I ping back that it is done and breath a sigh of relief.

Oooooonly... They ping back like -- Could you also copy the perms of A on all the existing objects in the schema to B???

Ugh. More work. Lets see... List all permissions in a schema and... Holy shit! That's thousands of tables and sequences, how tf am I ever gonna copy over all that???

Maybe I could... Disable the pager of psql, and pipe the list into a file, parse it by the magic of regex... And somehow generate a fuckload of GRANT statements? Uuuugh, but that'd kill so much time. Not to mention I'd need to find out what the individual permission letters in the output mean... And... Ugh, ye, no, too much work. Lets see if SO knows a solution!

And, surprise surprise, it did! The easiest, simplest to understand way, was to make a schema-only dump of the database, grep it for user A, substitute their name with B, and then input it back.

What I didn't expect is for the resulting filtered and altered grant list to be over 6800 LINES LONG. WHAT THE FUCK.

...And, shortly after I apply the insane number of grants... I get another ping. Turns out the customer's already figured out a way to grant all the necessary perms themselves, and I... No longer have to do anything :|

Joy. Utter, indescribable joy.

Is there any actual security reason for disabling inheritance in Postgres? (14.x) I'd think that if an account got compromised, it doesn't matter if it has the perms inherited or not, cuz you can just SET ROLE yourself to the granted role with the actual perms and go ham...

Friends, gather round for a story of "the user".

Two days ago I assisted a friend in reviving their scammed Instagram account with final confirmation it was back in their possession yesterday. I stated "make sure you clean out phone numbers, emails and change the password. WHATEVER YOU DO DON'T USE THE SAME PASSWORD"....I bet you know where this is going....

Queue 6:45am: "HELP! THEY DID IT AGAIN! THEY TOOK MY FACEBOOK THIS TIME TOO!" as a safety measure, I told her to link them for recoverability.....not thinking you just created a bridge to the facebook...

Now We're going through EVERY account BY HAND and changing EVERY password for EVERY service and enabling MFA. We've also learned the power that the forgot password button wields for everyone.

ProTip: If your friend was "hacked" be patient, friendly and soft to get every detail...sometimes you learn more and can position them better.

Now I'm upset with myself because I couldn't save their accounts and at this point we've lost the only footing we had to them. Social Media is a curse.

Guys I need your help.
Recently there has been questions on whether there's a developer oriented dating service which made me think of buiding one.
On research I noticed that people have tried but you always end up with more people from the outside.
So I decided to make my service as developer friendly and user unfriendly as possible.
it's more command based rather than normal click and touch inteefaces.
More like the shortcuts on your ide or the terminal commands.
As part of my research involved talking to other developers and came the desire for more opinions.
here's what I have:
- Github sign in/up only
- Link github stats to account
- Messages (obviously )
- links to your social accounts
- use of devrant avatar
What am looking for is:
+ what do you guys need from a dating service.
+ name you musts, avoid the ones named by others
+ name what you expect to know about the person on the other side before talking to them and before meeting with them.

Been way too long since I did something that wasn't WordPress, so I decided to take some spare time this weekend to scratch-build something and get around to finally learning how to transition from Foundation 5 to 6 while I'm at it (since jQuery compatibility requirements mandate I finally make that jump going forward...).

Started off with a plan for a custom-designed CMS built around a personal research project I've been doing. Worked it all out mentally. Then got started and realized I probably want to start by securing the system and provisioning for user accounts, so I've been working on that all weekend so far...

On the plus side, I've written a pretty nice user management module for any future personal projects, and have *finally* gotten around to learning how to do prepared statements in MySQLi.

On the neutral side, I still haven't gotten around to building any of the substantive stuff I set out to work on this weekend because I've been helping a friend out IRL with some non-programming stuff.

Such is the way it goes, eh? Hoping tonight I'll finally finish up with the administrative items and be able to get down to building the actual meat of the project.

Fair / Not Fair
I hate when an interviewer would ask me to code something for them for technical interview.( happy to show non propitiatory previous work) So now that I am the one doing the interviewing, I am doing what I would have wanted, and I have to say it is working out. I thought I would share my experience so far and find out if the community at large sees this practice as fair or not fair.

People reply to the job post then I call and do quick phone interview ask a few key questions. After I find somone I think should go the next level I direct them to freelancer site and give them a paid project.

most recent project: Build simple(i mean really simple) ASP.net Core MVC web application (code first) that remotely connects to SQL server and can be published in linux ubuntu.
bla bla user accounts/ subscription bla bla. But it must me completed in 10 days. reward $1000.00 us dollars.

I build the SQL server for them and put blank database in and provide connection details.

To be fair
I have already built this app my self it and it took me 5 days.

So, Fair / not Fair

Few months ago we move into a new Building, Company buys new Polycoms for 2 of the boardrooms - fancy ones with the Skype for Business and stuff.
Provision the boardroom accounts get them set up and all is working well.
Director asks if we can swap 2 boardroom phones around because their dept. just got a remote user and video calling would be awesome.
I set to work changing sign in details, provisioning accounts, assigning licenses, etc which is a long process because 365 needs to update throughout.
Finally get everything right, time to login... Failed...
Login fails on the Polycom, my laptop & an android tab - all 3 with different errors.
Decide to test account by logging into the web version in OWA - logs in perfectly.

Why Microsoft?? Why must you make it so hard? Why not just work?

Me: I am your fucking senior engineer...!
Co-founder: well, I still think there's nothing wrong with creating unsolicited user accounts and sending them mails unless you can quote a word-class source

I’m having this issue for the online marketplace I’m working on the side. It’s blockchain tech where you can purchase normal goods and services(no, not like Amazon or Fiverr, eww, this one’s more inclined with promoting organic growth for small businesses and freelancers).

I’m stuck with what solution is in the best interest of the user and the business for the long-term.

The dilemma about anonymity, online freedom and privacy is yes, it protects users from predators and attackers, but then, it’s harder for authorities to hunt down people who uses platforms for malicious intent, and also, digital footprint is helpful during litigation as evidence.

You don’t know who to trust.

-There is nothing to differentiate normal users with spammers, scammers, etc.
-There is no accountability for if they break the rules. They can easily delete and create a new account.

Platforms, communities big or small are plagued with these.
There are a lot of people out there who would rather project their insecurities on other people than to seek therapy.

Also, how platforms uses psychology tricks to make platforms addicting, it’s safe to assume that it’s bound to get toxic. Fixation on these platforms, leads to other needs being neglected or people forget to stay present.

Another thing, automated moderation is not that effective as there are still biases in data and human verification is still required. But then, human moderators get exposed to extreme violence, gore, etc that leads to poor mental health. (see Facebook got sued by moderators)

Also, I’ve had a recent experience where some unstable dev was stalking and harassing me. During that turmoil, I’ve found the many loopholes in every platform out there and how crappy their support is. Like they’ll just say, “make your account more secure”, bitch it’s your platform not providing enough security, your blocking feature means nothing coz anyone can still create accounts and message anyone.
It happened like February-August (it ended coz I quit going online and made private all my accounts). UGH I MISS ALL MY FRIENDS THO. FUCK THAT DUDE. He deserves to be in jail TBH

Lol if this product booms, now u know the back story lololol

#Suphle Rant 9: a tsunami on authenticators

I was approaching the finish line, slowly but surely. I had a rare ecstatic day after finding a long forgotten netlify app where I'd linked docs deployment to the repository. I didn't realise it was weighing down on me, the thought of how to do that. I just corrected some deprecated settings and saw the 93% finished work online. Everything suddenly made me happier that day

With half an appendix chapter to go, I decided to review an important class I stole from my old company for clues when I need to illustrate something involved using a semblance of a real world example (in the appendix, not abstract foo-bar passable for the docs)

It turns out, I hadn't implemented a functionality for restricting access to resources to only verified accounts. It just hasn't been required in the scheme of things. No matter, should be a piece of cake. I create a new middleware and it's done before I get to 50 lines. Then I try to update the documentation but to my surprise, user verification status turns out to be a subset of authentication locking. Instead of duplicating bindings for both authentication and verification, dev might as well use one middleware that checks for both and throws exceptions where appropriate.

BUT!

These aspects of the framework aren't middleware, at all. Call it poor design but I didn't envisage a situation where the indicators (authentication, path based authorisation and a 3rd one I don't recall), would perform behaviour deviating from the default. They were directly connected to their handlers and executed after within the final middleware. So there's no way to replace that default authentication scheme with one that additionally checks for verification status.

Whew

You aren't going to believe this. It may seem like I'm not serious and will never finish. I shut my system down for that day, even unsure how those indicators now have to refactored to work as middleware, their binding and detachment, considering route collections are composed down a trie

I'm mysteriously stronger the following day, draw up designs, draft a bunch of notes, roll my sleeves, and the tsunami began. Was surprisingly able to get most of previous middleware tests passing again before bed, with the exception of reshuffled classes. So I guess we can be optimistic that those other indicators won't cause more suffering or take us additional days off course

This weeks a joke right 😂, the recent day 0 Microsoft bug that allows anyone to get hacked, and allow someone to do whatever the hell they want.(as you can pretend to be any program on the computer)

Or the super user hack on Linux recently patched... Day 0....

The fact 80% of devs implement oauth incorrectly... So their user accounts are hackable...
Need I go on?

Today I've realized that the previous dev for the time working on this project has decided to create brand new table in Db called 'Customers' and put all new user registrations there. So far sounds ok, if we ignore the fact that there already exists 'users' table with a few thousand accounts and not telling anyone for this 'minor' change.

After finding SQLi on an internal application during its security review:

DB team: Well it's a remote database, so you're just seeing HTML...wait why do you see user accounts in that web field?

I'm trying to improve my email setup once again and need your advice. My idea is as follows:
- 2-5 users
- 1 (sub)domain per user with a catchall
- users need to be able to also send from <any>@<subdomain>.<domain>
- costs up to 1€ per user (without domain)
- provider & server not hosted in five eyes and reasonably privacy friendly
- supports standard protocols (IMAP, SMTP)
- reliable
- does not depend on me to manage it daily/weekly
- Billing/Payment for all accounts/domains at once would be nice-to-have, but not necessary

I registered a domain with wint.global the other day and I actually managed to get this to work, but unfortunately their hosting has been very underwhelming.. the server was unreachable for a few minutes yesterday not only once, but roughly once an hour, and I'd really rather be able to actually receive (and retrieve) my mail. Also their Plesk is quite slow. To be fair for their price it's more like I pay for the domain and get the hosting for free, but I digress..

I am also considering self hosting, but realistically that means running it on a VPS and keeping at secure and patched, which I'd rather outsource to a company who can afford someone to regularly read CVEs and keep things running. I don't really want to worry about maintaining servers when I'm on holiday for example and while an unpatched game server is an acceptable risk, I'd rather keep my email server on good shape.

So in the end the question is: Which provider can fulfill my email dreams?

My research so far:
1. Tutanota doesn't offer standard protocols. I get their reasons but that also makes me depended on their service/software, which I wouldn't like. Multiple domains only on the business plans.
2.With Migadu I could easily hit their limits of incoming mails if someone signs up for too many newsletters and I can't (and don't want to) micromanage that.
3. Strato: Unclear whether I can create mails for subdomains. Also I don't like the company for multiple reasons. However I can access a domains hosted there and could try...
4. united-domains: Unclear whether I can create mails for subdomains.
5. posteo: No custom domains allowed.

I'm getting tired.. *sigh*

Relatively often the OpenLDAP server (slapd) behaves a bit strange.

While it is little bit slow (I didn't do a benchmark but Active Directory seemed to be a bit faster but has other quirks is Windows only) with a small amount of users it's fine. slapd is the reference implementation of the LDAP protocol and I didn't expect it to be much better.

Some years ago slapd migrated to a different configuration style - instead of a configuration file and a required restart after every change made, it now uses an additional database for "live" configuration which also allows the deployment of multiple servers with the same configuration (I guess this is nice for larger setups). Many documentations online do not reflect the new configuration and so using the new configuration style requires some knowledge of LDAP itself.
It is possible to revert to the old file based method but the possibility might be removed by any future version - and restarts may take a little bit longer. So I guess, don't do that?

To access the configuration over the network (only using the command line on the server to edit the configuration is sometimes a bit... annoying) an additional internal user has to be created in the configuration database (while working on the local machine as root you are authenticated over a unix domain socket). I mean, I had to creat an administration user during the installation of the service but apparently this only for the main database...

The password in the configuration can be hashed as usual - but strangely it does only accept hashes of some passwords (a hashed version of "123456" is accepted but not hashes of different password, I mean what the...?) so I have to use a single plaintext password... (secure password hashing works for normal user and normal admin accounts).

But even worse are the default logging options: By default (atleast on Debian) the log level is set to DEBUG. Additionally if slapd detects optimization opportunities it writes them to the logs - at least once per connection, if not per query. Together with an application that did alot of connections and queries (this was not intendet and got fixed later) THIS RESULTED IN 32 GB LOG FILES IN ≤ 24 HOURS! - enough to fill up the disk and to crash other services (lessons learned: add more monitoring, monitoring, and monitoring and /var/log should be an extra partition). I mean logging optimization hints is certainly nice - it runs faster now (again, I did not do any benchmarks) - but ther verbosity was way too high.

The worst parts are the error messages: When entering a query string with a syntax errors, slapd returns the error code 80 without any additional text - the documentation reveals SO MUCH BETTER meaning: "other error", THIS IS SO HELPFULL... In the end I was able to find the reason why the input was rejected but in my experience the most error messages are little bit more precise.

I'm building a web application, and I'm currently working on the account registration code, and I could use some design advice. In your opinion, is it better to say "username/email address in use" when one or both are in use, or would it be best to specify whether the username or email address are in use? Why?

Not the 'most embarrassing' part but not my proud moment either.

My sir have recently put me alongside him as the teacher assistant in this summer's batch. Last week he had to go somewhere so he asked me to take a github session with the class( well not exactly asked, but i just voluntarily commented) . mind you am myself a novice, never done anything beyond pushing data commits and pull requests. (But sir was fine with it , saying he wants the students to atleast enough knowledgeable to submit there homeworks.)

Fast forward to Night before class and i am trying to sleep but couldn't. I had all ppts prepared, hell i even prepared a transcript( hell i uploaded it to pastebin thinking i will look at it and read ).

But worst shit always has to happen when you do a presentation.

When the class started, the wify was not working. Those guys had never had done anything related to it so first thing we did was to make sure every of them gets git installed(with lots of embarrassments and requesting everyone to share their hotspots.not my faluts, tbh).

Then again, am a Windows-linux user with noobie linux and null mac experience. So when this 1 girl with mac got problems installing, i was like, "please search on SO" 🐣 .
So after half an hour, almost everyone had their git/github accounts ready to work, so i started woth explaining open source and github's working. In the middle of session, i wanted to show them meaning of github's stars ("shows how appreciated a repo is"), nd i had thought of showing them the react js repo . And when i tried searching it i couldn't find it (its name is just react, not reactjs ) so ,again :🐥🐥🐣

So somehow this session of 1-1.5 hour got completed in 4 hours with me repeating myself many many many times.
And the most stupid thing: our institute has every session recorded, so my awkward presentation is definitely in their computers 🐣🐣🐥🐥

Hey guys, I have almost developed the backend of an app like reddit. My question is about authentication. How should I authenticate my user. Is phone number necessary to add phone otp?Because I don't want to get any legal trouble if someone posts objectionable content on the platform. Most of the apps today need phone number, I dont know why except reducing spam accounts.

Or shall I verify email by otp. But its hard to track disposable emails. I cant go for only gmail too as its banned in china. Email domains of china are weird.

Can I get into legal trouble for objectionable content posted by any evil user?

I dont want to go for auth.

Windows is a shameful dev enviro but when you stuck in Africa, you gotto work with what you have. I dabble in node, R and hadoop and setting up environment and building modules on windows is a walk on hot ash in a desert.

To go around setting up of different dev enviros, i use a windows pre installed hack specially meant for that purpose. A new user account for each dev job. Kips my machine clean and sane while avoiding the blue screen.

After all, who still shares laptops today enough to use different user accounts😂😂

Are you kidding me? windows-build-tools developers does not know that devs like me would run npm update -g from a standard user account? Don't tell me that they use system administrator accounts for their day to day dev and qa tasks

hello i'm trying to do a loop to all of our users account and see if they have already a partner or pair but the problem is after 2 user, the loop just stops and won't loop to all user accounts that's available. Please don't leave me hanging or leaving comments with no solution just like stack overflow.
<?php
$sqlo = mysqli_query($conn, "SELECT `username` FROM users");
$i=1;
$counter = array();
while ($h=mysqli_fetch_assoc($sqlo)) {
$counter[$i] = $h['username'];
$i++;
}

for($i = 1; $i <= Fixed_count($counter); $i++){

$b = $counter[$i];

$query1 = mysqli_query($conn2, "select * from `$b` where username='$newuser'");
$query2 = mysqli_query($conn2, "select * from `$b` where `status`='yes'");

$user1 = array();
$user2 = array();

while($result = mysqli_fetch_array($query1)){

$user1['username'] = $result['username'];
$user1['status'] = $result['status'];
/*more user info*/

while($result2 = mysqli_fetch_array($query2)){

$user2['username'] = $result2['username'];
$user2['status'] = $result2['status'];
/*more user info*/

if($temp_counter < 4){
if($user1['username'] != $user2['username'] && $user1['status'] == "yes" && $user2['status'] == "yes"){
if(/*more condition*/){
/*if condition's are met execute process*/
echo "Success!";
continue 2;
}
}else{
continue 2;
}
}

}
}
}
echo "Loop stopped at user: ".$i;
?>