Search - "what is security"
-
Client: We have a HUGE security problem.
Me: *thinks about any possible vulnerabilities* What is it?
Client: A user can take a picture of our website and steal our content.
I’m done for today.
-
New Dutch (or European?) law requiring HTTPS for any website with a contact form or higher is going into effect very soon. We're contacting customers so they can still be on time with this; this is how most convos go:
Colleague: *explains*
Client: I'm sure my security is good enough...
Colleague: I'd really recommend it, we've got free options as well!
Client: It's just a secure connection, what's the big deal...
Colleague: *more arguments*
Client: I just don't see the point, security.... well.... does it really matter that much...
Colleague: Google might place you lower in the search results if you don't get a secure connection.
Client: 😶😥😵 uhm so what were the https options again? 😅
I hope they all die a painful death 😠
-
Me wanting to board Plane,
Goes through security Check...
"Sorry sir Laptops are not allowed."
Me
"Why?"
Security
"It could be a modified bomb"
Me
"But this is a Tablet!"
Security
"No sir, it has a Keyboard and Trackpad attached to it, it's also running Windows..."
Me
"Excuse me, but this is clearly a Tablet"
*Detaches Keyboard from Surface Book*
"See? Tablet."
Security,
"Sorry sir, but no. You can't board the plane with this, only Tablets and Smartphones"
Me
"WTF? You don't allow Laptops because they could be bombs but A FUCKING SMARTPHONE IS ALLOWED? AND TABLETS TOO?!"
Security
"Yes, because the Battery is not removable..."
Me
"But my Laptop Battery is also not Removable..."
Security
"I don't have any more Time for an Argument"
Me
"So I can board the Plane?"
Security
"No, the Ticket will be refunded"
WHO THE FUCK CAME UP WITH THIS BULLSHIT? LIKE RLY? WHO!!
I MEAN WHAT THE FUCK IS ALLOWED?!
-
An incident which made a Security Researcher cry
--------------------------------------------------------
I was working on my laptop finishing up my code while waiting for the flight, which was late. Meanwhile two guys (I'm gonna call them Fellas) in black suits and shades came to me.
Fella : Sir, you have to come with us.
Me : *goes along with them*
Fella : Sir, please proceed *points towards the door. The room has a round table with some guys discussing something*
Fella 1 : Your passport please
Me : *Hands over the passport*
Fella 1 : Where are you traveling to, sir?
Me : India
Fella 1 : Put your laptop on the desk, sir.
Me : Sure thing
Fella 2 : What were you doing there? *Taps the power button*
Me : Just finishing up my work.
Fella 1 : Or hacking our systems?
Me : Seriously?
Fella 2 : The password please.
Me : Here you go
*5 minutes have passed and he still can't figure out how to use the machine*
Fella 2 : Which Windows is this?
Me : It's Linux
Fella 1 : So you are a hacker.
Me : Nope
Fella 1 : You are using Linux
Me : Does it matter?
Fella 1 : Where do you work?
Me : *I won't mention it here but I told him*
Fella 2 : So what do you do there?
Me : I'm a Security Researcher
Fella 1 : What's your work?
Me : I find security holes in their systems.
Fella 1 : That means you are a hacker.
Me : Not at all.
Fella 2 : But they do the same and they use Linux.
Me : You can call me one.
*After 15 minutes of doo-laa-baa-dee-doo-ra-ba-doo amongst them, I dunno what they were talking about, they shut down the computer and handed it over to me*
Fella 2 - So you are somewhat like a hacker.
Me - *A bit frustrated* Yes.
##And now the glorious question appeared like an angel from the river ##
Can you hack Facebook?
Me - 😭😭😭
-
!dev
It was late night after work, I went into a McDonald's take-away:
Me: Can I have a Maharaja Mac Medium Meal with extra regular fries?
Guy: Yes sir, that will be XX.XX amt.
Me: Gives him my card.
Guy: So what's the pin?
Me: What??
Guy: The Pin sir.
Me: Are you ok? Who the hell shares a pin with you?
Guy: Sir, we don't have a wireless swipe machine.
Me: So why is it a take-away if I have to come inside and drop my pin anyways?
*Guy looks awkwardly at other employees. :/
I had to finally get out of the vehicle and I took another 15 mins separately explaining to him why cards have a security pin and that the word security isn't a joke before the pin. With this, I might have also slipped in some GDPR cookie policy along with it, and why Microsoft bought GitHub. Good Lad. He will learn.
-
Definitely my security teacher. He actually expected us to actively learn the stuff and put effort into our education. He guided us through malware analysis and reverse engineering, simplifying it without insulting us.
We had students who thought they knew everything and he corrected them. We had arrogant students he put in place.
He treated us like adults and expected us to act like adults.
That's the only class I enjoyed studying for, because he would tell us exactly what wasn't on the exams (it was an intro course, didn't need to know the math). There were no trick questions.
I told him about the shitty teacher and he helped me through that confidence block. He helped me realize I *can* make it through the workforce as a female in security because I will work my ass off to be the best I can be. He reminded me why I love computers and why I want to go into forensics.
He's been a great mentor and role model and hiring him is one of the few things my department did right.
-
Tldr :
Office Building : 1
Population: 5000
Number of PC users: 5000
No of Spare mice: 0
Day 1:
Training period commences.
My mouse laser sensor doesn't work.
Solution: Use this mouse to log in to your system.
Open the company portal.
Connect to vpn.
Enter username password.
Create a ticket for mouse replacement.
Done.
Day 3
I bring my own mouse.
Confiscated at security.
Becomes a security violation.
Day 9
I get a call from helpdesk.
Agent- what is the problem?
Me- my mouse is not working.
Agent- why?
Me- what do you mean? Something is wrong with the sensor.
Agent- clean the sensor.
Disconnects call.
Marks ticket as resolved.
Me- WTF just happened!
Naturally, I escalate the issue.
Day 15
Level 2 Agent- what happened? Why have you escalated the issue?
Me- I need a mouse, been waiting for 2 weeks.
Him- No mouse is available
Me- you don't have a single spare mouse available in an office with 5000 PC users?
Him- no they're out of stock.
Me- when will it be back in stock?
Him- we will 'soon' launch a tender for quotations from sellers.
Me- time?
Him- 1 week.
Day 34
I email the head of supplies for the city office. Next day I get a used super small mouse, which doesn't have a left button. Anyways, I've given up hope now.
Day 45
I become a master at keyboard shortcuts.
Finish my training.
Get transferred to another city.
No mouse till date.
Surprisingly, this was one of the top recruiters in my country. Never knew MNCs could be so inefficient for such simple tasks.
Start-ups are way better in this regard. Latest tech, small community, minimal bureaucracy and a lot of respect and things to learn.
-
I ranted about this guy before who thought he was a security expert while hardly knowing what the word is probably. Today I met him again at a party.
Holy fucking shit, this guy.
"we use the best servers of the Netherlands"
"we use a separate server for each website and finetune them"
"we always put clusters under servers, that way we have a fallback mechanism"
"companies mostly use bv ssl certificates"
"you're on call for a week? I'm full-time on call. Why I'm drinking alcohol then? Because fuck the clients hahaha"
😥🔫
-
"A Google security researcher withdrew from the Black Hat security conference and asked the community to stop using the 'black hat' term."
What the heck? Are we just going to ban the colors white and black in every context? It's clearly not talking about race, it's talking about morals... Which people like this "google security researcher" obviously know nothing about...
This is all so stupid... luckily the community disagrees with the stance but then again, afaik, we all also disagreed with removing master/slave and it still happened so make of that what you will...
https://zdnet.com/article/...
-
Me: *enters password on phone (long PIN)*
Person next to me is looking at my phone WHILE I enter my password, and as I look at him, he doesn't even turn away and even has the nerve to say:
"Wow, why do you have such a long password!"
My answer: "Because of security reasons."
What I actually wanted to say:
"Because of pieces of SHIT like you who can't keep their eyes to themselves, even when PASSWORDS are involved, you FUCK! Guess why every time I enter a password in public, I have to dim my screen and turn my screen sideways? Because of fuckheads like you, not knowing shit about privacy and security! Fuck you!"
-
Storytime!
Manager: Hey fullstackchris, the maps widget on our app stopped working recently...
Dev: (Skeptical, little did he know) Sigh... probably didn't raise quota or something stupid... Logs on to google cloud console to check it out...
Google Dashboard: Your bill.... $5,197 (!!!!!!) Payment method declined (you think?!)
Dev: 😱 WTF!?!?!! (Calls managers) Uh, we have HUGE problem, charges for $5000+ in our google account, did you guys remove the quota limits or not see any limit reached warnings!?
Managers: Uh, we didn't even know that an API could cost money, besides, we never check that email account!
Dev: 🤦♂️ yeah obviously you get charged, especially when there have literally been millions of requests. Anyway, the bigger question is where or how our key got leaked. Somebody started hammering one of the google APIs with one of our keys (Proceeds to hunt for usages of said API key in the codebase)
Dev: (sweating 😰) did I expose an API key somewhere? Man, I hope it's not my fault...
Terminal: grep results in, CMS codebase!
Dev: ah, what do we have here, app.config, seems fine.... wait, why did they expose it to a PUBLIC endpoint?!
Long story short:
The previous consulting goons put our Angular CMS JSON config on a publicly accessible endpoint.
WITH A GOOGLE MAPS API KEY.
JUST CHILLING IN PLAINTEXT.
Though I'm relieved it wasn't my fault, my faith in humanity is still somewhat diminished. 🤷♂️
Oh, and it's only Monday. 😎
Cheers!
-
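The failure mode in that story is a credential sitting in a config file that the CMS serves to anyone who asks for it. Below is an added example (mine, not from the rant above or from any project it mentions) of a small scanner a defender can run over build output or a fetched public config before it ships: it walks a JSON document and flags Google-style API keys by their well-known `AIza…` shape, plus any field whose name looks like a secret and whose value has high entropy. The sample config, its key and the endpoint name are constructed for the demo.

```python
import json
import math
import re
from typing import List, Tuple

# Constructed sample: a CMS config of the kind the rant describes, as fetched
# from a public endpoint. Key and secret values are made up for the demo.
SAMPLE_CONFIG = json.dumps({
    "app": {"name": "cms", "theme": "light"},
    "maps": {"googleApiKey": "AIza" + "SyEXAMPLE" + "0" * 26},
    "api": {"baseUrl": "https://cms.example.invalid/api"},
    "auth": {"clientSecret": "Zm9vYmFyYmF6cXV4MTIzNDU2Nzg5MGFiY2RlZg=="},
})

# Google API keys are 39 chars: the literal prefix "AIza" plus 35 URL-safe chars.
GOOGLE_API_KEY = re.compile(r"AIza[0-9A-Za-z_-]{35}")
# Field names that usually hold credentials.
SENSITIVE_NAME = re.compile(
    r"(secret|token|password|passwd|api[_-]?key|private[_-]?key)", re.I)
MIN_SECRET_LEN = 16
MIN_ENTROPY_BITS = 3.0  # bits per character; prose and URLs sit well below this


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking strings score high."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def _walk(node, path: str, findings: List[Tuple[str, str]]) -> None:
    """Recursively visit every string value, recording (json path, reason)."""
    if isinstance(node, dict):
        for key, value in node.items():
            _walk(value, f"{path}.{key}" if path else key, findings)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            _walk(value, f"{path}[{i}]", findings)
    elif isinstance(node, str):
        field = path.rsplit(".", 1)[-1]
        if GOOGLE_API_KEY.search(node):
            findings.append((path, "google-api-key-pattern"))
        elif (SENSITIVE_NAME.search(field) and len(node) >= MIN_SECRET_LEN
              and shannon_entropy(node) >= MIN_ENTROPY_BITS):
            findings.append((path, "secret-like-name-with-high-entropy-value"))


def scan_config(text: str) -> List[Tuple[str, str]]:
    """Return every (path, reason) pair that should block a public deploy."""
    findings: List[Tuple[str, str]] = []
    _walk(json.loads(text), "", findings)
    return findings


if __name__ == "__main__":
    for path, reason in scan_config(SAMPLE_CONFIG):
        print(f"{path}: {reason}")
```

Two things the scanner cannot fix for you: anything delivered to a browser is public by definition, so a Maps key that legitimately has to be in client-side config needs the provider-side restrictions (allowed referrers, quota caps, billing alerts) rather than secrecy; and a key this tool finds in an already-published config should be rotated, not just removed from the next build.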
I guess that is what you get for bringing up security issues on someone's website.
Not like I could read, edit or delete customer or company data...
I mean what the shit... all I did was try to help and he gives me THIS? I even offered to help... maybe he got angry because I kind of threw it in his face that the whole fucking system is shit and that you can create admin accounts with ease. No, it's not a framework or anything, just one big PHP file with GET parameters as distinction for which function it should use. One fucking file where everything goes into.
-
Newspaper: This CEO is one of the top entrepreneurs in the country, a true tech visionary shaping the future.
--- 3 months previous ---
Lead dev: O2 have said they will pre-install the app on all their Androids but they need documentation from us.
CEO: documentation? on what?
Lead dev: Our unit test coverage, bugs found / fixed, security scan results, performance assessment, if and where it's storing any data etc.
CEO: Ah, we're not doing any of that crap, bloody unit tests, it's not necessary, tell them no.
Lead dev: ..... eh ok
O2: *approved*
... true visionary, well done to everyone involved.
-
Another incident which made a Security Researcher cry 😭😭😭
[ NOTE : Check my profile for older incident ]
-----------------------------------------------------------
I was invited by a fellow friend to a newly built Cyber Security firm. I didn't ask about any work issues as it was my friend who asked me to go there. Let's call it X for now. It was a good day, overcast weather, cloudy sky, everything was nice before I entered the company. And the conversation is as follows:
Fella - Hey! Nice to see you with us.
Me - Thanks! Where to? *Asking for my work area*
Fella - Right behind me.
Me - Good thing :)
Fella - So, the set-up is good to go I suppose.
Me - Yeah :)
*I'm in my cabin and what I can see is a Windows VM inside Ubuntu 12.4*
*Fast forward to 1 hour and now I'm at the cafeteria with the Fella*
Fella - Hey! Sup? How was the day?
Me - Fine *in a bit confused voice*
Fella - What happened mate, you good with the work?
Me - Yeah but why have you got Windows inside Ubuntu? I mean what's the use of Ubuntu when I have to work on Windows?
Fella - Do you know Linux is safe from malware?
Me - Yeah
Fella - That's why we are using Windows on a VM inside Linux.
Me - For what?
Fella - To keep Windows safe from malware, as in our company we can't afford any data loss!
Me - 😵 *A big face palm which went through my head and hit another guy, made me a bit unconscious*
I ran for my life as soon as possible; in future I'm never gonna work for anyone before asking about their preferences.
-
It was fun to watch my entire high school (~1200 people) freak out when I ran "net send * Big brother is watching you..." on what I found to be an insecure computer in my high school's library. Every single computer in the building displayed the pop up message. The town's IT director even showed up to figure out what happened.
I was caught, but they were more happy it wasn't a hacker, and that I discovered that the IT firm the town hired totally botched properly implementing network security, so I was let off the hook.
-
Got invited to a "roundtable", where we will discuss email security and the future and direction of where it is going.
Only 10 people in Sweden got a chair
I feel exclusive but also scared that they will find out what a noob I am lol
-
"Hey nephew, why doesn't the FB app work. It shows blank white boxes?"
- It can't connect or something? (I stopped using the FB app since 2013.)
"What is this safe mode that appeared on my phone?!"
- I don't know. I don't hack my smartphone that much. Well, I actually do have a customised ROM. But stop! I'm pecking my keyboard most of the time.
"Which of my files should I delete?"
- Am I supposed to know?
"Where did my Microsoft Word Doc1.docx go?"
- It lets you choose the location before you hit save.
"What is 1MB?"
- Search these concepts on Google. (some of us did not have access to the Internet when we learned to do basic computer operations as curious kids.)
"What should I search?"
- ...
"My computer doesn't work.. My phone has a virus. Do you think this PC they are selling me has a good spec? Is this Video Card and RAM good?"
- I'm a programmer. I write code. I think algorithmically and solve programming problems efficiently. I analyse concepts such as abstraction, algorithms, data structures, encapsulation, resource management, security, software engineering, and web development. No, I will not fix your PC.
-
If the below is you, please stop. I'm starting a revolution called #AnswerTheQuestion
A: Hey, just checked your code, you have a huge security issue in XYZ, you should really address that.
B: Oh god I had no idea, how do I fix it?
A: Well it depends on how you *want* to fix it, no one solution is always the right one.
B: ... Ok, well could you give me some advice?
A: Well, there are many ways to approach this kind of work, but all I can say is that this way, is definitely not the correct one.
B: ... Ok, well how would you do it?
A: That would depend on the customer requirements.
B: ... the requirement is to have a website that isn't easily hackable, what do I do?
A: Nowadays, it's pretty hard to make a website completely not hackable.
B: ALL THE SERVERS ARE SHOWING RED, PLEASE HELP ME!!!
A: ........ you really shouldn't prejudge colours. The colour red doesn't always mean danger, depends purely on the use case.
-
So I've been looking for a Linux sysadmin job for a while now. I get a lot of rejections daily and I don't mind that because they can give me feedback as for what I am doing wrong. But do you know what really FUCKING grinds my FUCKING gears?
BEING REJECTED BASED ON LEVEL OF EDUCATION/NOT HAVING CERTIFICATIONS FOR CERTAIN STUFF. Yes, I get that you can't blindly hire anyone and that you have to filter people out but at least LOOK AT THEIR FUCKING SKILLSET.
I did MBO level (the highest sub level though) as study which is considered to be the lowest education level in my country. lowest education level meaning that it's mostly focused on learning through doing things rather than just learning theory.
Why the actual FUCK is that, for some fucking reason, supposed to be a 'lower level' than HBO or Uni? (low to high in my country: MBO, HBO, Uni). Just because I learn better by doing shit instead of solely focusing on the theory and not doing much else does NOT FUCKING MEAN THAT I AM DUMBER OR LESS EDUCATED ON A SUBJECT.
So in the last couple of months, I've literally had rejections with reasons like
- 'Sorry but we require HBO level as people with this level can analyze stuff better in general which is required for this job.'. - Well then go fuck yourself. Just because I have a lower level of education doesn't FUCKING mean that I can't analyze shit at a 'lower level' than people who've done HBO.
- 'You don't seem to have a certificate for linux server management so it's a no go, sorry!' - Kindly go FUCK yourself. Give me a couple of barebones Debian servers and let me install a whole setup including load balancers, proxies if fucking necessary, firewalls, web servers, FUCKING Samba servers, YOU FUCKING NAME IT. YES, I CAN DO THAT BUT SOLELY BECAUSE I DON'T HAVE THAT FUCKING CERTIFICATE APPARENTLY MEANS THAT I AM TOO INCOMPETENT TO DO THAT?! Yes. I get that you have to filter shit but GUESS WHAT. IT'S RIGHT THERE IN MY FUCKING RESUME.
- 'Sorry but due to this role being related to cyber security, we can't hire anyone lower than HBO.' - OH SO YOUR LEVEL OF EDUCATION DEFINES HOW GOOD YOU ARE/CAN BE AT CYBER SECURITY RELATED STUFF? ARE YOU MOTHERFUCKING RETARDED? I HAVE BEEN DOING SHIT RELATED TO CYBER SECURITY SINCE I WAS 14-15 FUCKING YEARS OLD. I AM FAMILIAR WITH LOADS OF TOOLS/HACKING TECHNIQUES/PENTESTING/DEFENSIVE/OFFENSIVE SECURITY AND SO ON AND YOU ARE TELLING ME THAT I NEED A HIGHER LEVEL OF FUCKING EDUCATION?!?!? GO FUCKING FUCK YOURSELF.
And I can go on like this for a while. I wish some companies I come across would actually look at skills instead of (only) study levels and certifications. Those other companies can go FUCK THEMSELVES.
-
I have spent 20 minutes explaining to a contractor how to stage a file in git and what a filepath is.
It's moments like this where I stop worrying about my job security.
-
Seriously fuck mandatory security questions, these are my options:
What year did you meet your spouse?
I'm single.
What is your favorite book as a child?
I didn't have a favorite book. (and still don't)
In which city did you meet your spouse?
I'm single
What is the first name of the first person you went to prom with?
Didn't go to prom.
Which state did you first visit (outside of your birth state)?
I've been to about 43 states and can't remember when I started traveling, how the fuck am I supposed to know?
In which city was your spouse born?
Again I'm single.
In which city did your oldest sibling get married?
I don't have any siblings.
C'mon, at least let me create my own question because right now I have no choice but to make up random shit and write it down in LastPass as a note.
-
So just recently my school blocked the following websites for unknown reasons:
Github
Gitlab
Amazon's AWS
stack exchange
Bitbucket
Heroku
The hacker news
DuckDuckGo
The Debian package repositories yea all of em
And all domains that end in .io
Now some of you out there are probably just saying "well just use a VPN". The answer to that is I can't: the only device I have is a locked-down school iPad. I can't install apps, cannot delete apps, cannot change VPN or proxy settings, I cannot use a Safari private tab, they have Google SafeSearch restricted to "on", they even have "Safari restricted mode", which lets Safari choose what it wants to block, and even when I'm on my home wifi it's still blocked as they use Cisco Security Connector. THIS IS HELL
Also this is my first post :)
-
A few hours ago I was with a client, showing him his website after a long time coding and designing.
Client: I think this is it, here is your final $$
Me: Thanks sir, bye
A guy came in.
Client: Oh! Wait, this guy is our IT expert, let's see if he has any advice.
Me: Oops! Okay
Guy: So this website will showcase our products
Me: Yes,
Guy: What about security? Because I just got news that Russians hacked one big company.
Me: I don't think Russians have time to hack your one page website
Out of the door...
-
I can't believe this company.
They want to stop using Certificates because it bothers the customer.
I had to use https because we were using service workers for a PWA.
I tried explaining we need them for the product to work, and also it's a basic security measure.
They were removing the certificates without my knowledge.
I found out because a colleague wanted a way to disable the service worker and asked me for help.
The manager said you're not the boss of the company, it's not your company to make decisions.
Just do what they say. He tried to justify the decision from above; I said ok, when was the last time you installed a certificate? He said never.
Ok, then what the fuck are you talking about, it's 10 minutes to get a certificate, Let's Encrypt, HELLO.
This company is very hierarchical 1900 style, I'm the person who does innovation in the organization, that's the most fucked up part, they say no to everything.
OMG, I'm going to quit.
They're just asking to get hacked, this is just the tip of the iceberg.
Is this common or are they morons?
-
(The PM is pretty technical)
One day:
Me: Could you create this subdomain?
PM: Sure, just a sec.
Me: Ohh and could you add a letsencrypt cert? (one click thingy)
PM: Why would you need that on this kinda site...
Me: Well in general for security...
PM: Nahh.
*walks away*
Next day:
(referring to my internship manager/guider as Bob)
Bob: Hey... we have a new subdomain!
Me: Yup!
Bob: Wait why is there no letsencrypt certificate installed...?!?
Me: Well, the PM didn't find that necessary...
Bob: (Oo) of course it is... are we going for security by default or what?
Me: Yup agreed.
Bob: *creates cert and sets everything up in under a minute*
It wasn't a high profile site (tiny side project) but why not add SSL when you can for free?
-
So this chick has been super nice to me for the past few months, and has been trying to push me towards a role in security. She said nothing but wonderful things about it. It’s easy, it’s not much work, it’s relaxing, etc.
I eventually decided I’m burned out enough that something, anything different would be good, and went for it. I’m now officially doing both dev and security. The day I started, she announced that she was leaving the security team and wouldn’t join any other calls. Just flat-out left.
She trained me on doing a security review of this release, which basically amounted to a zoom call where I did all of the work and she directed me on what to do next, ignored everything I said, and treated me like an idiot. It’s apparently an easy release. The work itself? Not difficult, but it’s very involved, very time consuming, and requires a lot of paper trail — copying the same crap to three different places, tagging lots of people, copying their responses and pasting them elsewhere, filing tickets, linking tickets, copying info back and forth to slack, signing off on things, tagging tickets in a specific way, writing up security notes in a very specific format etc. etc. etc. It’s apparently usually very hectic with lots of last-minute changes, devs who simply ignore security requests, etc.
I asked her at the end for a quick writeup because I’m not going to remember everything and we didn’t cover everything that might happen.
Her response: Just remember what you did here, and do it again!
I asked again for her to write up some notes. She said “I would recommend.. you watch the new release’s channel starting Thursday, and then review what we did here, and just do all that again. Oh, and if you have any questions, talk to <security boss> so you get in the habit of asking him instead of me. Okay, bye!”
Fucking what.
No handoff doc?
Not willing to answer questions after a day and a half of training?
A recap
• She was friendly.
• She pushed me towards security.
• She said the security role was easy and laid-back.
• I eventually accepted.
• She quit the same day.
• The “easy release” took a day and a half of work with her watching, and it has a two-day deadline.
• She treated (and still treats) me like a burden and ignores everything I said or asked.
• The work is anything but laid-back.
• She refuses to spend any extra time on this or write up any notes.
• She refuses to answer any further questions because (quote) “I should get in the habit of asking <security boss> instead of her”
So she smiled, lied, and stabbed me in the back. Now she’s treating me like an annoyance she just wants to go away.
I get that she’s burned out from this, but still, what a fucking bitch. I almost can’t believe she’s acting this way, but I’ve grown to expect it from everyone.
But hey, at least I’m doing something different now, which is what I wanted. The speed at which she showed her true colors, though, holy shit.
“I’m more of a personal motivator than anything,” she says, “and I’m first and foremost a supporter of women developers!” Exactly wrong, every single word of it.
God I hate people like this.
-
I'm seeing people defending clearly-injectable code and I'm just stunned.
And this person in particular is supposed to be responsible (at least partially) for finding security flaws.
I don't know what to say.
-
!rant
*me logging into the demo system*
Me: so what is the login data?
Boss: we are a security company, what do you think?
Me: admin admin?
Boss: admin admin.
-
Fucking crunchyroll hardcodes their access tokens in a Constants Class in their APK, technically that is a security issue.
What the actual fuck Crunchyroll!? No fucking wonder you got DNS hijacked so quick, security is literally your second priority you dumbed down twats, get some real devs and some real QAs for fucking god's sake, you're tearing down your own system by inviting exploits.
-
Although it might not get much follow up stuffs (probably a few fines but that will be about it), I still find this awesome.
The part of the Dutch government which keeps an eye on data leaks, how companies handle personal data, if companies comply with data protection/privacy laws etc (referring to it as AP from now on) finished their investigation into Windows 10. They started it because of privacy concerns from a few people about the data collection Microsoft does through Windows 10.
It's funny that whenever operating systems are brought up (or privacy/security) and we get to why I don't 'just' use windows 10 (that's actually something I'm asked sometimes), when I tell that it's for a big part due to privacy reasons, people always go into 'it's not that bad', 'oh well as long as it's lawful', 'but it isn't illegal, right!'.
Well, that changed today (for the netherlands).
AP has concluded that Windows 10 is not complying with the dutch privacy and personal data protection law.
I'm going to quote this one (trying my best to translate):
"It appears that Microsoft's operating system follows every step you take on your computer. That gives a very invasive image of you", "What does that mean? Do people know that, do they want that? Microsoft should give people a fair chance to decide this by themselves".
They also say that unless explicit lawful consent is given (with enough information on what is collected, for what reasons and what it can be used for), Microsoft is, according to law, not allowed to collect their telemetrics through windows 10.
"But you can turn it off yourself!" - True, but as the paragraph above said, the Dutch law requires that people are given more than enough information to decide what happens to their data, and collection is not allowed until explicitly/lawfully ok'd, where the person consenting has had enough information in order to make a well educated decision.
I'm really happy about this!
Source (Dutch, sorry, only found it on a Dutch (well respected) security site): https://security.nl/posting/534981/...
-
Me: So what are you doing in the IT field?
Him: I am hacking bank websites.
Me: OK, that's cool. It is good in free time. What is your actual job?
Him: I am seriously hacking the bank Web site!
Me: Trust me, if you were seriously doing that you would never ever mention it...
Him: No, I am doing it legally... The bank hires me to try to hack the website...
Me: OK, you mean that you are a cyber security tester?
Him: That is almost the same...
Me: So you are a tester?
Him: I am hacking banks' websites...
Me:....
-
No, an MD5 hash is not a safe way to store our users' passwords. I don't care if it's been written in the past and still works. I've demonstrated how easy it is to reverse engineer and rainbow attack. I've told you your own password for the site! Now please let me fix it before someone else forces you to. We're too busy with other projects right now? Oh, ok then, I'll just be quiet and ignore our poor security. Whilst I'm busy getting on with my other work, could you figure out what we're gonna do with the tatters of our client's business (in which our company owns a stake) in the aftermath of the attack?
-
For an ostensibly security-focused financial company, these people really don't know what they're doing. Everything I've seen thus far is so hacked-together that I feel like i'm looking at code written by high schoolers.
Seriously, some of API Guy's code is better than this.
And they even make a point to remind me of ultra basics like `.to_a`, `.map`, or "a good command to keep on hand is `rake db:migrate`" -- like seriously? Those are in bloody "Intro to Rails" tutorials (and it's `rails db:migrate` as of Rails 5). For an ostensibly all-senior team, these devs are awfully junior.
-
Had a discussion with a developer about security. His software transfers all user data (password and files) unencrypted, so anyone can grab them with Wireshark. I told him that this is a severe issue. He said no, it's no problem, because if you get hacked it's your own fault, because you probably used an insecure network. NO! YOU FUCKING MALADJUSTED SHEEP-MOLESTING OBJECT OF EXECRATION, YOU SHOULD ALWAYS ENCRYPT SENSITIVE USER DATA NO MATTER WHAT NETWORK YOU USE. FUCKING KILL ME ALREADY.
Not implementing encryption is one thing, but then acting like it's no problem is a fucking other one. Why do people not understand that security of user data is important???
-
WHAT THE FUCK, AVAST!
You can't just fucking unbind chrome from my taskbar and pin your fucking trash excuse of a browser.
Reading the fucking Wikipedia article:
"It is based on Chromium, but was subsequently found to contain a serious security flaw not present in Chromium itself."
- https://en.wikipedia.org/wiki/...
ARE YOU KIDDING ME?!
-
* How other sites charge for a domain name
- The domain (abc.com) is available
---- Price => $14
* How AWS charges
- Your domain (abc.com) is available
--- Domain name => $18.99
--- DNS resolution => $17.88
--- Hosted zone (1) => $10.97
--- Route53 Interface => $45.67
--- Network ACL => $63.90
--- Security Group => $199.78
--- NAT Gateway (1) => $78.99
--- IP linking => $120.89
--- Peer Connection => $67.00
--- Reverve Endpoint => $120.44
--- DNS Propagation => $87.00
--- Egress Gateway => $98.34
--- DNS Queries (1m) => $0.40
--------------------------------
---- TOTAL => $2903.99
(Pay for what you use... learn more)
--------------------------------
-
Typical TSA (Airport Security)
Security: Please put all of your handheld objects and your outer clothes in this basket.
Me: (puts my bag, in flight luggage, and takes out laptop, bluetooth speaker, bluetooth mouse, bluetooth keyboard, tablet, android phone, dongle bag, and windows phone)
S: (stares at me as if I am a rich kid)
M: May I go through?
S: (nods)
M: (smirks, and goes through metal detector)
BeepBeepBeep!
M: (oh shit.)
Scanning Officer: Raise your hand!
M: Mmmhmm
S: (Hovers the detection stick around my body, but it doesn't ring, tells me to pass through the detector again. Still rings. Super confused. Asks me to do this 2-3 times more. Still same.)
M: Aha! I have my bluetooth earphones here! Sorry!
S: (stares at me, as if he is saying what a f****** weirdo)
My stuff comes out. I put my devices in the bag. The scanning officer stares at me.
M: (smirks)
To be continued....
-
I've got a confession to make.
A while ago I refurbished this old laptop for someone, and ended up installing Bodhi on it. While I was installing it however, I did have some wicked thoughts..
What if I could ensure that the system remains up-to-date by running an updater script in a daily cron job? That may cause the system to go unstable, but at least it'd be up-to-date. Windows Update for Linux.
What if I could ensure that the system remains protected from malware by periodically logging into it and checking up, and siphoning out potential malware code? The network proximity that's required for direct communication could be achieved by offering them free access to one of my VPN servers, in the name of security or something like that. Permanent remote access, in the name of security. I'm not sure if Windows has this.
What if I could ensure that the system remains in good integrity by disabling the user from accessing root privileges, and having them ask me when they want to install a piece of software? That'd make the system quite secure, with the only penetration surface now being kernel exploits. But it'd significantly limit what my target user could do with their own machine.
In the end I discarded all of these thoughts, because it'd be too much work to implement and maintain, and it'd be really unethical. I felt filthy from even thinking about these things. But the advantages of something like this - especially automated updates, which are a real issue on my servers where I tend to forget to apply them within a couple of weeks - can't just be disregarded. Perhaps Microsoft is on to something?
-
Something I probably shouldn't talk about:
One of the projects at work has a specific path you can visit. The """security""" is that nobody should know the path. But I can guaran-fucking-tee you it's not difficult to guess.
On this page, ***without a login***, you can view some user information. Well, you can view all of it, but only certain fields.
And if you perform a specific action on this page, you can get their password, plaintext.
This project is not mine. But learning all of this made me super uneasy. I had to share it.
-
Alright so the security blog is coming up soon (as in, days probably) and I'm working hard together with 404response on the privacy site.
I do want to gain some insight into visitor numbers and so on but OF COURSE, commercial/closed source options are a no-go for me!
I am thinking about maybe using Piwik with all the privacy options enabled. Also self-hosted, obviously. What do you guys/gals think?
-
What is this ?
You call this wireless security??
Anyway, what is the best way of securing hotspots in airports, hotels, ...?
-
Because the RSS feed is still down, hereby.
The post about what I personally take for security and privacy measures is up.
Hopefully you can learn something from it or even email me some tips!
-
Just got a new TV, 4K... it’s one of those smart ones, by Samsung.
Anyone want to explain what the fuck “McAfee Security for TV” is, and why the fuck it is necessary!?
What kind of absolute waster madman goes “I know what I’ma do today, write a virus for a TV”!?
Take that shit elsewhere McAfee.
Now accepting any links to known Smart TV 0-days and attacks...
And I had to sign in to 5 different fucking accounts to get to the fucking tv.
The world is broke as fuck. Roll on the apocalypse.
-
I've been away, lurking at the shadows (aka too lazy to actually log in) but a post from a new member intrigued me; this is dedicated to @devAstated . It is erratic, and VERY boring.
When I resigned from the Navy, I got a flood of questions from EVERY direction, from the lower rank personnel and the higher ups (for some reason, the higher-ups were very interested on what the resignation procedure was...). A very common question was, of course, why I resigned. This requires a bit of explaining (I'll be quick, I promise):
In my country, being in the Navy (or any public sector) means you have a VERY stable job position; you can't be fired unless you do a colossal fuck-up. Reduced to non-existent productivity? No problem. This was one of the reasons for my resignation, actually.
However, this is also used as a deterrent to keep you in, this fear of lack of stability and certainty. And this is the reason why so many asked me why I left, and what was I going to do, how was I going to be sure about my job security.
I have a simple system. It can be abused, but if you are careful, it may do you and your sanity good.
It all begins with your worth, as an employee (I assume you want to go this way, for now). Your worth is determined by the supply of your produced work, versus the demand for it. I work as a network and security engineer. While network engineers are somewhat more common, security engineers are kind of a rarity, and the "network AND security engineer" thing combined those two paths. This makes the supply of my work (network and security work from the same employee) quite limited, but the demand, to my surprise, is actually high.
Of course, this is not something easy to achieve, to be in the superior bargaining position - usually it requires great effort and many, many sleepless nights. Anyway....
Finding a field that has more demand than there is supply is just one part of the equation. You must also keep up with everything (especially with the tech industry, that changes with every second). The same rules apply when deciding on how to develop your skills: develop skills that are in short supply, but high demand. Usually, such skills tend to be very difficult to learn and master, hence the short supply.
You probably got asleep by now.... WAKE UP THIS IS IMPORTANT!
Now, to job security: if you produce, say, 1000$ of work, then know this:
YOU WILL BE PAID LESS THAN THAT. That is how the company makes profit. However, to maximize YOUR profit, and to have a measure of job security, you have to make sure that the value of your produced work is high. This is done by:
- Producing more work by working harder (hard method)
- Producing more work by working smarter (smart method)
- Making your work more valuable by acquiring high demand - low supply skills (economics method)
The hard method is the simplest, but also the most precarious - I'd advise the other two. Now, if you manage to produce, say, 3000$ worth of work, you can demand for 2000$ (numbers are random).
And here is the thing: any serious company wants employees that produce much more than they cost. The company will strive to pay them with as low a salary as it can get away with - after all, a company seeks to maximize its profit. However, if you have high demand - low supply skills, which means that you are more expensive to be replaced than you are to be paid, then guess what? You have unlocked god mode: the company needs you more than you need the company. Don't get me wrong: this is not an excuse to be unprofessional or unreasonable. However, you can look your boss in the eye. Believe me, most people out there can't.
Even if your company fails, an employee with valuable skills that brings profit tends to be snatched very quickly. If a company fires profitable employees, unless it hires more profitable employees to replace them, it has entered the spiral of death and will go bankrupt with mathematical certainty. Also, said fired employees tend to be absorbed quickly; after all, they bring profit, and companies are all about making the most profit.
It was a long post, and somewhat incoherent - the coffee buzz is almost gone, and the coffee crash is almost upon me. I'd like to hear the insight of the veterans; I estimate that it will be beneficial for the people that start out in this industry.
-
Finally got a new job, but it's already a horror story not even 2 hours in (making this while on break)
Everyone here is an Intern, IT? Interns, Designers? Interns, HR? Interns.
The Person who I should've worked with got fired yesterday, and now I have to work all of his shit up from 0, Documentation? Fragmental, a few things here and there, but nothing really.
IT security also doesn't exist in the slightest, there is an Excel sheet called "Master_Passwords" and every single password is in Plaintext, written out for everyone to see. (at least they used "strong" passwords)
And the place also looks run down. There are PCs, laptops, mics, cables etc. lying literally everywhere; no one knows what works and what doesn't (since everyone is an intern).
Not to mention the "Server Room" is an absolute mess itself: cables hanging from literally anywhere, power strips are on top of servers, each rack has like 2 or 3 2U servers (in a 40U rack), and there are 10 of them!
-
TIL that TI has no goddamn chill
Texas Instruments released the TI-83+ calculator model in 1996. The Z80 was not at all stock and has the following features:
- 3 access levels (privileged kernel, kernel, user)
- Locking Flash (R/O when locked for most pages, some pages protected and unreadable as well, only unlockable from protected Flash pages by reading a certain order of bits then setting a port)
- Locking hardware ports (lock state always the same as flash)
- Customizable execution whitelist range (via locked ports)
- Configurable hardware (Flash/RAM size changeable in software via locked ports, max RAM is 8MB which is fucking mental compared to the 64k in the thing)
- Userland virtualization (always-on)
- Reset on violation of security model
- Multithreading
- Software-overclockable CPU
- Hardware MD5 and cert handling
TI made a calculator in 1996 with security features PCs wouldn't see until like 2010 what the *actual* fuck
-
I think the hardest thing about being a programmer in college with a security emphasis is when I approach a business for a penetration test or for a vulnerability analysis (your pick) is that they almost always say, "you are pretty young don't you think?"
Ummmm not sure what that has to do with it. If it would make you feel better I have claimed bug bounties from an antivirus company, a bank, several local businesses in my area and I do this for work at my 9-5.
And this week I got this, "I think I would like someone older so we can define the goals better."
Oh so rules of engagement, yeah of course I understand that and that's something we would discuss and draw up a contract for...
"Well we really need someone more skilled."
---- End of story ----
I don't understand, you haven't asked about certifications or schooling and you glanced at my resume for exactly 5 seconds what the hell do you want? Me to double my age over night?
-
Can someone explain to me why the fuck I should even care about the fact that some companies collect, use and sell my data? I'm not famous, I'm not a politician and I'm not a criminal, I think most of us aren't and won't ever be. We aren't important. So what is this whole bullshittery all about? I seriously don't get it and I find it somewhat weird that especially tech guys and IT "experts" in the media constantly just make up these overly creepy scenarios about big unsafe data collecting companies "stealing" your "private" information. Welcome to the internet, now get the fuck over it or just don't be online. It's your choice, not theirs.
I honestly think, some of these "security" companies and "experts" are just making this whole thing bigger than it actually is, because it's a damn good selling point. You can tell people that your app is safe and they'll believe you and buy your shit app because they don't understand and don't care what "safe" or "unsafe" means in this context. They just want to be secure against these "evil monster" companies. The same companies, which you portrayed them as "evil" and "unfair" and "mean" and "unrepentant" for over a decade now.
Just stop it now. All your crappy new "secure" messenger apps have failed awesomely. Delete your life now, please. This isn't about net neutrality or safety on the internet. This is all about you, permanently exaggerating about security and permanently training people to be introverted paranoid egoistic shit people so that they buy your elitist bullshit software.
Sorry for my low English skills, but please stop existing, thank you.
-
Dear Australian Government and National Authorities, you can go fuck the right away with this shit!
It’s bad enough we are a country of national data collection with flimsy laws of obtaining access to said data, but to then go that one step further and shove back doors into everything is going too far.
https://news.com.au/technology/...
Under the proposed new laws, Australian government agencies could compel companies to provide technical information such as design specifications to help in an investigation, remove electronic protections, assist in accessing material on a device subject to a warrant and even build or install software or equipment that could help authorities gather information.
What could possibly go wrong 🤷♂️
-
So my boss is starting a new security oriented product and he asked one of my colleagues to prepare a presentation about the possible attacks on the product.
During the presentation there was a section on DoS attacks. The boss didn't know what DoS was and after a brief explanation, he interrupted the presentation and said DDoS is not a threat because there is no data stolen. This is a webapp.
-
Boss calls: "Can you give me more bandwidth?"
Me: "I can, but the other coworkers will have issues"
Boss: "Doesn't matter, and please, lift up the proxy too"
Me: "I am sorry, but I can't, that could compromise our security"
Boss: "I am giving you an order..."
Me: "Ok then..."
Me: *proceeds to give boss more bandwidth and lifts up proxy (all is lost now)*
I go to see what the boss is doing with the bandwidth... he was downloading League of Legends on his personal notebook...
TL;DR: Boss asks to put company at risk for the sake of a game...
-
"You've been working on this for 6 weeks, and I don't see any changes. What have you done?"
"I completely overhauled the backend, now everything makes more sense and we're using more modern APIs"
"But nothing's changed at all! The front-end looks exactly the same!!"
"*sigh* The new backend is also more secure.. "
"Oh, so it's a security upgrade, that's good, but why did it take six weeks?"
-_-
-
We got DDoS attacked by some spam bot crawler thing.
Higher ups called a meeting so that one of our seniors could present ways to mitigate these attacks.
- If a custom, "obscure" header is missing (from api endpoints), send back a basic HTTP challenge. Deny all credentials.
- Some basic implementation of rate limiting on the web server
We can't implement DDoS protection at the network level because "we don't even have the new load balancer yet and we've been waiting on that for what... Two years now?" (See: spineless managers don't make the lazy network guys do anything)
So now we implement security through obscurity and DDoS protection... Using the very same machines that are supposed to be protected from DDoS attacks.
-
I start with the features I want for sure and then I start looking at what data I really really need to store. Then I start looking at what data I don't have to store because of privacy reasons anyway.
Next stop is looking at the security.
When that all looks good, I simply start programming!
-
DEAR CTOs, PLEASE ASK THE DEVELOPER OF THE SOFTWARE WHICH YOU ARE PLANNING TO BUY IN WHAT LANGUAGE AND WHAT VERSION THEY ARE WRITTEN IN.
Background: I worked a LONG time for a software company which developed a BIG CRM software suite for a very niche sector. The software company was quite successful and got many customers; even big companies bought our software. The thing is: The software is written in Ruby 1.8.7 and Rails 2. Even some customer servers are running Debian Squeeze... Yes, this setup is still in production use in 2022. (Rails 7 is the current version). I really don't get it why no one asked for the specific setup, they just bought it. We always told our boss that we need time to upgrade. But he told us every time, no one pays for a tech upgrade... So there it is, many TBs of customer data are in systems which are totally old, not updated and with possible security issues.
-
THE FUCK WHY did the company which made the website I'm maintaining now ADD CUSTOM FACEBOOK LIKES AND TWITTER FOLLOWER WIDGETS - IN A SUBDIRECTORY OF THE THEME?
Guess what, you motherfuckers: One year after you made that damn page the Facebook API changed and your stinking widget is broken REQUIRING ME TO REWRITE MOST OF IT!
Also WHO THE FUCK LEFT HIS BRAIN ON HIS BEDSIDE TABLE the day he decided to HARDCODE ASSETS WITH AN http:// (no TLS) URL? YES, browsers will block that shit if the website itself is delivered over TLS, because it's a GAPING SECURITY HOLE!
People who sell websites that have user management and thus request authentication without AT LEAST OFFERING FUCKING STANDARD TLS SHOULD BE TARRED AND FEATHERED AND THEN PUT IN A PILLORY IN FRONT OF @ALEXDELARGE'S HOUSE!
Maybe I should be a bit more thankful - I mean I get paid to fix their incompetence. But what kind of doctor is thankful for the broken bones of his patient?
-
Manager: You want a promotion? To senior? Ha. Well, build this web app from scratch, quickly, while still doing all your other duties, and maybe someone will notice and maybe they’ll think about giving you a promotion! It’ll give you great visibility within the company.
Your first project is adding SSO using this third party. It should take you a week.
Third party implementation details: extremely verbose, and assumes that you know how it works already and have most of it set up. 👌🏻
Alternative: missing half the details, and vastly different implementation from the above
Alternative: missing 80%; a patch for an unknown version of some other implementation, also vastly different.
FFS.
Okay, I roll my own auth, but need creds and a remote account added with the redirects and such, and ask security. “I’m building a new rails app and need to set up an SSO integration to allow employees to log in. I need <details> from <service>.” etc. easy request; what could go wrong?
Security: what’s a SSO integration do you need to log in maybe you don’t remember your email I can help you with that but what’s an integration what’s a client do you mean a merchant why do merchants need this
Security: oh are you talking about an integration I got confused because you said not SSO earlier let me do that for you I’ve never done it before hang on is this a web app
Security: okay I made the SSO app here you go let me share it hang on <sends …SSL certificate authority?>
Boss: so what’s taking so long? You should be about done now that you’ve had a day and a half to work on this.
Abajdgakshdg.
Fucking room temperature IQ “enterprise security admin.”
Fucking overworked.
Fucking overstressed.
I threw my work laptop across the room and stepped on it on my way out the door.
Fuck this shit.
-
Who's at fault for the recent Wanna Cry virus: The companies affected or Microsoft/NSA?
Personally, I think it's the companies affected. This is what happens when you try and be cheap when it comes to cyber security.
-
I live in zurich switzerland one of the most expensive places to live. And i work as a jack of all trades graphic ux/ui designer/copy writer/marketeer in IT security.
I earn about $3800 a month, but every salary calculator says I should earn above $7000, with a median salary of $9300. But this seems so much money and I suffer from low self esteem. So what should I do? (Quitting is not an option because I like it there)
-
Cyber security. Deep knowledge of cyber security and networks is what I wish I had. The math stuff that no one bothers with, specifically.
-
Can https be decrypted easily?
(Or even by spending some time)
Plus what other security methods banks apply to prevent theft of sensible data?
Do they encrypt data using their own private key that is changed automatically?
-
News like the "social score" travel ban in China really makes me hate social networking and how by developing better technologies we further the capability of orwellian governments to infringe human rights.
But the most depressing thing is we are in a similar watered down version of it, think about it; what you post, what you say, who you follow, what you read, the videos you watch, where you've worked everything follows you. You can't get a job at a company that disapproves your thoughts, study in a college who is more concerned about your ideology rather than teaching...we are slowly but surely becoming a "free" China.
Source: China to ban citizens with bad ‘social credit’ from some forms of travel http://go.newsfusion.com/security/...
-
It's a new semester and the introductory class for a General Ed is going on.
Prof: What do you want to be when you are done with engineering?
Me: I'd like to be in the security domain but I'm still not sure.
Prof: Then why are you doing Computer Science? You can just get a job as a security personnel.
FML.
-
I am amazed how specific everyone is being about security vulnerabilities at their employers. Hopefully no one social engineers what company you work at.
-
I just had my cell phone cloned yesterday. End of the day, my phone lost signal suddenly. I thought it was a problem with my chip, so I decided to check that on a store and buy a new one next day.
Today, after I recover my chip and number, I started to see the mess. Someone used my number to send message to all my contacts on whatsapp, asking for money. Also, I had some contact info changed on the bank broker, which is really serious. I do not know what else is compromised, and I'm truly worried about it.
Does anyone have some good tips for improving security while using cellphones?
-
This isn’t gonna be a random because I do eventually get to a Tech and YouTube related topic.
YouTube is actually killing itself with all of the dumbass rules they’re implementing. Trying to child proof or limit educational content is genuinely a shit policy. The reason so many gaming channels are switching to twitch because it doesn’t try to censor you.
But now I don’t know if you’ve heard but YouTube updated their guidelines and they’re no longer allowing content that teaches people about Hacking essentially (and I hate putting it like that but I can’t remember the exact words they used Hacking just summarizes it) which is fucking ridiculous like what the fuck else, are they gonna stop allowing lock picking videos?
YouTube has always been an amazing FREE resource for people learning Programming, Cyber Security, IT related fields, and even shit like lock picking, cooking, car stuff, and all that stuff. Even sometimes when the tutorials aren’t as detailed or helpful to me they might be exactly what someone else needed. And Cyber Security can be a difficult topic to learn for free. It’s not impossible far from it, but YouTube being there was always great. And to think that a lot of those could be taken down and all of the Security based channels could either lose all revenue or just be terminated is terrifying for everyone but more so them.
A lot of people and schools rely on YouTube for education and to learn from. It’s not like YouTube is the only resource and I understand they don’t want to be liable for teaching people that use these skills for malicious purposes but script kiddies and malicious people can easily get the same knowledge. Or pay someone to give them what they want. But that’s unfair to the people that don’t use the information maliciously.
It’s the same for the channels of different topics can’t even swear and it’s ridiculous there’s so many better options than just banning it. Like FUCK kids nowadays hear swearing from their older siblings, parents, friends, and TV it’s inevitable whether someone swears or not and YouTube is not our parents, they aren’t CBS, so stop child proofing the fucking site and let us learn. Fuck.
TLDR YouTube is banning educational hacking videos and are being retarded with rules in general
-
I """accidentally""" found some security holes in my school's Windows public computer setup.
Every student and teacher has a personal Active Directory, obviously they should be able to only see their own right?
oh wait the directory up button in explorer shows me all of them and I have r/w access to teacher and student ADs.
That's cool.
Also, the command prompt, Run prompt and Explorer path bar are disabled...
...but batch scripts work.
Sweet.
Surely I can't do something dumb like--- oh, regedit's blocked but not the reg command.
They use the-- WHY IS GPEDIT NOT BLOCKED
Well what the fuck.
(All of this was responsibly handled by emailing the tech department. They have an email just for this! ...got a bounceback "this person is no longer employed at XYZ School.")
-
Today, the security department stopped our new project and told us to work on the last project instead because of a top-secret security flaw.
Problem is, they are not allowed to tell us what the problem is. FML
-
I think what would help is to teach them these things:
- awareness for security in code
- how to use a fucking VCS like Git and how it works -
Someone asked me as a security engineer.
Bro : what do you think about most secure way to authenticate, i read news using fingerprint no longer safe?
Me : yes they can clone your fingerprint if you take a photo with your fingerprint to camera.
Bro : so what is the other way to authenticate more secure and other people can't see in picture ?
Me : D*ck authentication is more secure now, other people can't see your d*ck pattern right?
-
“Fullstack dev morphs into a security expert”
We have a simple user registration system. Get the user details, generate an OTP, save in Oracle, email the OTP. The SMTP host is configured to send emails only to people who have an existing @a_very_famous_bank.com email address.
As a part of an enhancement request, the other day, we were trying to register a non-bank email address. As expected, it failed.
Manager: Meeting... meeting... meeting
Me: (Explained the problem)
Fullstack dev: so the thing is.. it’s like.. (doesn’t falter to open with these lines)...what I can do is...I can send you an HTTP security header in the HTTP request. It’ll work!
Me: (I hope an adult giraffe fucks you in your belly button)
More to come!
-
Send over the entire directory for a WordPress site we completely overhauled with new plugins, custom theme, redid content with visual composer, etc. I tell him to backup his site and then put everything I give you as fresh. He tells me he can't just wipe out his entire site that's unacceptable. I ask him what's the problem? he rambles on and says a lot of words that don't really mean anything then says security. so I call him out on it, what security issues do you have? well we have users and permissions setup he says. I explain That I copied his users table over when we did the redesign, so it's the exact same stuff. so I say again, why can't we just replace everything? well that's just not acceptable he says. I ask him again, what EXACTLY is your problem with replacing the site since I already addressed your security concern. he couldn't answer me so now we have another conference call tomorrow morning with more people from their team. I'll let you know how it goes.
tldr; clients are idiots, call them out for the dumb shit they say and have no response.
-
Reported an important security vulnerability inside our organization, right before getting off work. A security team member contacts me over chat asking for some details on my investigation. At the end, he tells me: "thanks, I will copy and paste this conversation on the ticket so that everyone can see".
What I imagined: he would copy and paste the conversation as is, so that every line written by me is prefixed with my name.
What he does: he writes a summary of our conversation, barely mentioning my name, making it look like that part of the investigation was done by him.
Now I have so much anger inside of me that my internal organs are boiling.
-
Making electronics more difficult to repair with security fasteners and ultrasonically welded plastic nightmares and what have you.. what's the point? The argument from manufacturers is that "users don't want to get in there anyway". But, it's not like even if they could, they'd want to, right? Which type of person that doesn't know electronics very well and has an interest in repairing it would go and look at a board, and say "this is how it works, this and that is broken and this is how it should be repaired"? Not many users can repair their own devices regardless. So why? To preserve IP? Not like the Chinese bootleggers care about that. To preserve sales? Users can't repair their stuff anyway. To keep those who want to peek inside out, just for the hell of it? Anyone determined enough will be willing to break it in the process anyway.
-
I was working in a manufacturing facility where I had hundreds of industrial computers and printers that were between 0 and 20 years old. They were running on their own clean network so that someone has to be in the manufacturing network to access them. The boss announced that the executives will be pushing a “zero trust” security model because they need IoT devices. I told him “A computer running Windows 98 can’t be on the same VLAN as office computers. We can’t harden most of the systems or patch the vulnerabilities. We also can’t reprogram all of the devices to communicate using TLS or encrypt communications.“ Executives got offended that I would even question the decision and be so vocal about it. They hired a team to remove the network hardware and told me that I was overreacting. All of our system support was contracted to India so I was going to be the on-site support person.
They moved all the manufacturing devices to the office network. Then the attacks started. Printers dumped thousands of pages of memes. Ransomware shut down manufacturing computers. Our central database had someone change a serial number for a product to “hello world” and that device got shipped to a customer. SharePoint was attacked in many many ways. VNC servers were running on most computers and occasionally I would see someone remotely poking around and I knew it wasn’t from our team because we were all there.
I bought a case of cheap consumer routers and used them in manufacturing cells to block port traffic. I used Kali on an old computer to scan and patch network vulnerabilities daily.
The worst part was executives didn’t “believe” that there were security incidents. You don’t believe in what you don’t understand right?
After 8 months of responding to security incident after security incident I quit to avoid burning out. This is a company that manufactures and sells devices to big companies like apple and google to install in their network. This isn’t an insignificant company. Security negligence on a level I get angry thinking about.
-
So I need to "fix" a false-positive security warning (mass-assignment of a foreign key). Do I "fix" it by...
A) Setting it manually and double-saving the object?
B) Rewriting the mass-assignment so the linter doesn't realize what I'm doing?
Both options suck.
But security is going to complain if I don't do it.
Guess what?
I'm not doing it.
SMD you ducks.10 -
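Added example, not part of the post above: what a "mass-assignment of a foreign key" warning is actually about, and the allowlist pattern that makes it go away for the right reason rather than by hiding the assignment from the linter. The Invoice model, its field names, the request bodies and the admin set are all hypothetical; no web framework is assumed.

```python
# Added example (not from the post): mass-assignment of a foreign key, and the
# allowlist that prevents it. Model, field names and request dicts are made up.
from dataclasses import dataclass


@dataclass
class Invoice:
    id: int
    owner_id: int   # foreign key: the account this invoice belongs to
    amount: int
    note: str = ""


# What the linter is worried about: every key in the request body lands on the
# model, so a client can include "owner_id" and re-parent the record to another
# account.
def update_invoice_unsafe(inv: Invoice, params: dict) -> Invoice:
    for key, value in params.items():
        setattr(inv, key, value)
    return inv


# Fields a regular user may change through the generic update endpoint.
# The foreign key is deliberately absent.
EDITABLE = frozenset({"amount", "note"})


# Allowlist form: unknown or protected keys are dropped and reported, never
# written.
def update_invoice(inv: Invoice, params: dict) -> tuple:
    rejected = sorted(k for k in params if k not in EDITABLE)
    for key in EDITABLE & params.keys():
        setattr(inv, key, params[key])
    return inv, rejected


# Moving a record between accounts is a separate, explicitly authorised
# operation with its own check, not a side effect of a generic update.
def reassign_invoice(inv: Invoice, new_owner_id: int,
                     acting_user_id: int, admins: frozenset) -> Invoice:
    if acting_user_id not in admins:
        raise PermissionError("only admins may move an invoice between accounts")
    inv.owner_id = new_owner_id
    return inv


if __name__ == "__main__":
    # Constructed request body: a user tampering with the foreign key.
    body = {"amount": 1, "owner_id": 999}
    print(update_invoice_unsafe(Invoice(1, 42, 100), body))   # owner_id becomes 999
    print(update_invoice(Invoice(1, 42, 100), body))          # owner_id stays 42
```

The point of the allowlist is that it is data the reviewer can read, not control flow they have to trace: the list of writable fields is the security decision, and the foreign key not being on it is visible at a glance.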
This is not fucking security, it's obscurity! What the fuck is a memorable word without any context! It drives me up the fucking wall. This doesn't help anyone; it just promotes people to put silly shit like password or something so they won't forget, but it just makes their account weaker.16
-
I am really getting sick of recruiters contacting me with "great opportunities" then when I ask questions about the post they just give me the answers they think I want to hear. I know when you're lying because if you knew the answer you would have led with that. At least say you'll find out more and then give me a follow-up response.
Recruiter: Would it be possible for you to deliver hacking training?
Me: You mean pentesting?
R: Yes, that.
Me: Well, what will it be used for? Breaking into peoples networks and spying on them?
R: Yes, they'll want it to be able to spy on people.
Me: Well, that's unethical, I'm only interested in defensive security practices.
R: Yes, they'll only want it for ethical reasons like defence and against bad guys.
Me: *dirtiest look I could muster*
I mean there's gullible and then there's what ever it is you think I am.2 -
Howdy this is a daily reminder on why you can't trust anyone with shared information.
I am back home from uni for the holidays and like any computer person who is back in town became responsible for fixing every tech problem that has occurred since my last visit. But what caught my eye when I approached the family computer is not the problem with the computer itself, it's the paper in front of the computer that, in giant lettering, has not only the passwords and account names of my mom and brother's AOL (she's old, ok) and FAFSA account respectively but also someone's social security number. Any goddamn buffoon who looks through the window or is able to take literally three goddamn steps past the front door now has enough information to commit identity theft or just take over one of their accounts. I know it's not that likely but I still had a heart attack when I saw that.
How badly have I failed them?1 -
Recruiter: I have an open position for lead DevSecOps role.
Me: Tell me more
Recruiter: It’s an AI company, where the AI is making clinical medical decisions. It’s really cool. They need somebody to help them pass government audits and you’d be solely responsible for the system's security, AWS accounts, and also all of DevOps, which they’ve never heard of before but I told them they needed and they thought it was cool.
Also, they use AWS but not sure what services inside AWS, they think it’s AWS storage and AWS servers or something like that.
Me: That’s a big hell no. 👎 Got any other positions though?6 -
Client: We need to deploy some Windows 2003 servers.
Us: Sure thing, Mr. Client. Your money is more important than the security and stability of our systems.
What we should have said: Sure, but you need to stop in our office, put your dick in a vice and we'll take turns cranking that bitch closed until you agree to use something more modern.4 -
watching the online course for CEH... dude used the Death Star as a tangible example of how exploits work.
IDK if I should love it for the nerdiness, or be slightly sad that someone needs that type of example of what a vulnerability vs an exploit is, when they're going for the Certified Ethical Hacker certification...
Might be better in an introduction to Network Security class?
Also, while discussing the security, usability, and functionality triangle, he referenced the Staples "Easy Button" - does one thing, not very secure, and not very functional (in that it has more than one function)...1 -
I wanna make you feel what you have brought into my house!!
I was working with security cameras once in a home automation project. One of those cameras particularly stood out by offering a cgi without password request to view and change the current password and username.
Seriously wtf is wrong with you? I mean this thing automatically connects to an internet service offering everyone to connect to it with that password and username. And I know some of you might say "hey chill, the cgi is only available on the wifi" - dammit no. Security is a lifestyle, do it completely or get the fuck out. God knows what other mistakes there might be hidden in that thing screaming out to everyone to watch me taking a shit.
But that's not the end of it. My company arranged a call to the technical support of that camera so that I can explain the problem and a patch gets released. Those guys didn't give a shit about it and were even laughing at me. Fuck you!
So whoever is responsible - I will find you - and you will never see me coming.4 -
I submitted a security report some days ago.
It is well written, it explains what is happening and what is the impact providing an example. I give some advice about how to handle this situation, it's about concurrency issues and it's pretty tricky to debug.
Answer from the reviewer:
"Please, can you tell me what are the implications?"
...
...
FUCK.
IT'S LITERALLY FUCKING WRITTEN,
CAN U EVEN READ IT?
THERE ARE PICTURES DESCRIBING THE ISSUE, I EVEN ATTACHED A FILE YOU CAN USE TO DEBUG.
...
This is the last time I report vulnerabilities.3 -
What you are expected to learn in 3 years:
power electronics,
analogue signal,
digital signal processing,
VHDL development,
VLSI development,
antenna design,
optical communication,
networking,
digital storage,
electromagnetic,
ARM ISA,
x86 ISA,
signal and control system,
robotics,
computer vision,
NLP, data algorithm,
Java, C++, Python,
javascript frameworks,
ASP.NET web development,
cloud computing,
computer security ,
Information coding,
ethical hacking,
statistics,
machine learning,
data mining,
data analysis,
cloud computing,
Matlab,
Android app development,
IOS app development,
Computer architecture,
Computer network,
discrete structure,
3D game development,
operating system,
introduction to DevOps,
how-to -fix- computer,
system administration,
Project of being entrepreneur,
and 24 random unrelated subjects of your choices
This is a major called "computer engineering"4 -
FUCK!
After submitting a registration form I noticed the site is served over plain HTTP. Their marketing site is served encrypted, but login and register are not! What the fuck!!!
Fuck everyone who does this stupid fucking shit with disregard to basic security features! Their goddamn bullshit privacy policy is bragging about how it's top priority to protect their customers' information and shit like that. Get the fuck out, cunts!!
I contacted them so I might have a continuation to this rant if I'm not satisfied with their answers.
Goddamn it!4 -
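Added example, not part of the post above: the check a practitioner would run before filling in a registration or login form, given the page URL and the HTML that came back. It flags every form that would submit over plain HTTP, and also every form on a page that was itself delivered over plain HTTP, because an https action inside an http page can be rewritten by anyone on the path. The URL and HTML below are constructed sample input; on a real site, feed in the bytes you fetched.

```python
# Added example (not from the post): find forms that would send credentials in
# the clear. SAMPLE_URL / SAMPLE_HTML are constructed, not a real site.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collect each <form>'s absolute action URL and whether it has a password field."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # Empty or missing action means "post back to the page itself".
            action = urljoin(self.page_url, a.get("action") or "")
            self._current = {"action": action, "password_field": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["password_field"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def insecure_forms(page_url, html):
    """Return the forms that are unsafe to submit, each with its reasons."""
    scanner = _FormScanner(page_url)
    scanner.feed(html)
    scanner.close()
    page_is_https = urlsplit(page_url).scheme == "https"
    findings = []
    for form in scanner.forms:
        reasons = []
        if urlsplit(form["action"]).scheme != "https":
            reasons.append("submits over plain HTTP")
        if not page_is_https:
            # An https action does not help: the page carrying the form arrived
            # in clear text, so an on-path attacker can change the action.
            reasons.append("delivered over plain HTTP")
        if reasons:
            findings.append({**form, "reasons": reasons})
    return findings


# Constructed sample: a registration page served over http.
SAMPLE_URL = "http://example.test/register"
SAMPLE_HTML = """
<form action="/register" method="post">
  <input type="email" name="email"><input type="password" name="pw">
</form>
<form action="https://example.test/search" method="get"><input name="q"></form>
"""

if __name__ == "__main__":
    for finding in insecure_forms(SAMPLE_URL, SAMPLE_HTML):
        print(finding)
```

A form that passes this check can still leak if the site later redirects to http or lacks HSTS, so treat a clean result as necessary, not sufficient.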
Today I learned that bugs in Proxmox aren't bugs because they're not *exactly* within the scope of le fancy PVE web UI.
Today I also learned that running Samba on the PVE host is stupid. No real reasons but let's assume security. Well it's decently secured, has good passwords, and the killer is.. it isn't even fucking accessible to the internet! And even if it was, privilege separation is no secret to me.
But clearly I'm an idiot for even thinking about running Samba on PVE. Well guess what?! PVE is aimed at sysadmins that want to deploy a virtualization server. It's not a big stretch to imagine that those sysadmins might be halfway competent and want to run external services on the PVE host, is it.
But apparently it is. I'm an idiot and bugs aren't bugs anymore. Go fucking kill yourself, motherfuckers in the ##proxmox IRC channel. I really hope that your servers will go down on Friday when you're on call. Fucking cunts 😑
Edit: IRC chatlog @ https://clbin.com/nU9Fu13 -
So this just happened. Some background before I begin: We're understaffed, my desk is in the back of the building, and there's no one really at the front to greet people. No security either...
Guy walks in wearing a flannel jacket (no shirt under it), pajama pants, and sandals. He looks like hell. Explains he was just released from a hospital and his apartment is locked. I let him use my phone to call his sister.
When I talk to his sister, she barely wants to speak with him. Tells me his apartment is locked for a reason and he's not allowed back. I'm just like: "So... what would you have us do for him?" At this point if his sister won't help, I was going to ask him to leave. Oh, and that hospital was a drug rehab.
So it ends with him waiting for a ride, but he ends up napping on the couch in the front of our office. CEO/Owner and his business partner walk right past and say nothing. They go into a meeting. I'm trying to figure out if I ask him to leave, wait outside for his ride... I'm a developer, this isn't my job.
A good 45-60 minutes later, after the guy walked outside and then came back in and laid back down on the couch, he leaves with his ride. Shortly after the owner walks out of his meeting, so I ask him what to do in this situation - more hoping he'd realize the need for more security.
If this story isn't crazy enough, the business partner pipes up - absolutely serious - and says he didn't say anything because he thought the guy was a developer.
So I've learned that we've got extremely low hygiene standards for developers here, with a relaxed dress code and are allowed nap times on the front couch.
Thankfully our CYBER security is better than our PHYSICAL security. :|1 -
Wow the security by captcha!
Guess what? IIT Kharagpur is considered one of the best institutes in India to study Computer Science and its major research areas include image processing4 -
Can you really trust the security features on your device?
Can you really verify that no one is looking at what you're doing all day, in your house or out and about?
What if I am the one looking at your naked ass right now?21 -
Holy fcuk! Can anyone here help me understand how this domain is possible?
WARNING: obviously it's a spam site. Take necessary security precautions if you are going to visit.
the following domain opens a cluster fuck domain name! >> secret.ɢoogle.com
That ɢ is not what it looks like. How are such domains possible? Even more surprising, how is this subdomain-ception possible?7 -
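Added example, not part of the post above: how a name like secret.ɢoogle.com comes to exist, and how to catch it. Internationalised labels are converted to an ASCII "xn--" form (punycode) before they reach DNS, so what the registry actually sold is an ordinary ASCII domain, and the "secret" part is just a subdomain its owner created. The code uses only the Python standard library; the CONFUSABLE table is a tiny constructed subset of Unicode's confusables data, not the real table.

```python
# Added example (not from the post): expose the ASCII form of an IDN and flag
# labels that only look like a brand. CONFUSABLE is a constructed subset.
import unicodedata


def to_ace(domain: str) -> str:
    """The ASCII-compatible (punycode) form that DNS and registrars actually see."""
    return domain.encode("idna").decode("ascii")


def non_ascii_labels(domain: str) -> list:
    """For each label with non-ASCII code points: (label, ACE label, [(char, name), ...])."""
    report = []
    for label in domain.split("."):
        odd = [(ch, unicodedata.name(ch, "UNKNOWN")) for ch in label if ord(ch) > 0x7F]
        if odd:
            report.append((label, label.encode("idna").decode("ascii"), odd))
    return report


# Constructed subset: small-capital letters that render like ASCII lowercase.
CONFUSABLE = {"ɢ": "g", "ɴ": "n", "ʀ": "r", "ʟ": "l", "ʏ": "y"}


def skeleton(label: str) -> str:
    """Strip accents and map known lookalikes so visually similar labels compare equal."""
    out = []
    for ch in unicodedata.normalize("NFKD", label):
        if unicodedata.combining(ch):
            continue
        out.append(CONFUSABLE.get(ch, ch))
    return "".join(out).lower()


def impersonates(domain: str, brand: str) -> bool:
    """True if some label looks like `brand` without being exactly `brand`."""
    return any(label != brand and skeleton(label) == skeleton(brand)
               for label in domain.split("."))


if __name__ == "__main__":
    d = "secret.ɢoogle.com"
    print(to_ace(d))                      # secret.xn--oogle-wmc.com
    print(non_ascii_labels(d))
    print(impersonates(d, "google"), impersonates("mail.google.com", "google"))
```

The ACE form is what to put in blocklists and log searches: a SIEM rule matching "google.com" never sees the ɢ, but it does see "xn--oogle-wmc.com" if that is what you index.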
I'm convinced this is going to be wildly unpopular, but hey...
Please stop writing stuff in C! Aside from a few niche areas (performance-critical, embedded, legacy etc. workloads) there's really no reason to other than some fumbled reason about "having full control over the hardware" and "not trusting these modern frameworks." I get it, it's what we all grew up with being the de-facto standard, but times have moved on, and the number of massive memory leaks & security holes that keep coming to light in *popular*, well-tested software is a great reason why you shouldn't think you're smart enough to avoid all those issues by taking full control yourself.
Especially, if like most C developers I've come across, you also shun things like unit tests as "something the QA department should worry about" 😬12 -
So someone decided that the employees need to do these stupid web-based trainings that not even high school kids should be looking into.
What is it about?
Security and Cryptography, and not even the real stuff.
What does it cover?
Alice and Bob, Bob and Alice.
Alice wants to send Bob some pics/messages that she suspects someone else will see. DDDDDDAAAAAAAFFFFFFFAAAAAAAAAKKKKKK
A total of 7 useless, time-wasting, interactive and annoying trainings, 20+ min each.
But someone forgot: please do not send this shit to the engineers of your company, especially software/network engineers. Oh, another subset: especially not to those who work deeper in the domain.
I'm getting paid to do this time wasting activity, and still.
I also may come back and remove this BUT FOR NOW I NEED TO RANT.rant alice time_waste boolsheet web_training useless fake_security demotivators bob corporate_crap foo -
I freelanced for a startup one time, and found out they had tens of thousands of records stored in their DB about dental patients, including name, address, social security #, some medical history, etc. All in plain text. Worst part is they hired me after a 20 min phone call, and didn't even sign an NDA!
Makes me paranoid to use the Internet knowing what some of these companies do.2 -
Well, I have a friend working at a major bank in my city. Yesterday we went for a coffee when he told me that the wifi connection that the customers can use is the same as the network they work in. Like, are you fucking me? Do they know what security means? Jesus Wallace, wake up!
And they have a fucking "web security guy" working there. Doing what? Installing ccleaner on pcs? This shit gets me mad. And that's why I don't trust banks.4 -
"we have added a lot of cost partly due to currency exchange rate, but we also added some services and servers, we'll have a meeting and see what we can cancel or re-arrange."
So now....
- JIRA is gone
- SEO tools are gone
- budget for site security & SSL undecided
- Servers are too expensive.
$800 for twelve 2-24gb ram servers with backup, I call that bargain
Can't wait to see the websites falling apart. Now where are my popcorns?9 -
Because of some theft this year and even though we already have security cameras, my apartment building decided to check the front door locks so it's more secure.
This key looks very high tech... Only issue though is I never use the key anyway... I just entered the door code...
So what is the point of changing the locks? I'm going to guess whoever is stealing isn't picking the lock... People would notice... They must know the code.
Also it seems most of the apartment locks are digital key card/pins too. Wondering if this just means most owners are young or just are techies/devs...10 -
tldr: Fuck Apple AND Microsoft...
Tried to check my "me" email today (iCloud)... and well it's apparently "locked" for god only knows what reason, and they will only let me recover it through a Hotmail account that I haven't used in >10 years.. So I tried that and after one login attempt outlook.com is telling me "you've entered too many wrong password attempts, you must reset your password"... ugh OK, so I hit the button and it's asking me "my" security question.. 'where did you and your spouse meet?'.. wtf? I'm not married now nor was I @12yrs old when I made this account....
Well thanks so I guess that's fucked for forever...7 -
Many advantages of being a dev:
- You can work on multiple projects simultaneously.
- You solve problems for a living, how cool is that!
- Job security (Even if you get fired or something, you can still earn your bread with your skills)
- Even if you are bedridden or get in an accident or get old, you can still work (kind of a pessimist).
But the best part is, you get to do what you love(for me its true).1 -
IPAY88 is the worst payment integration. They parse HTML data and encode it into XML to return the data; it is not even a singlet or server-to-server communication. They call it the ADVANCED BACKEND SYSTEM (My arse!). For security, they ENCODE THE STRING into BASE64 and call it ENCRYPTION! WHAT THE FUCK?
Encoding is not encryption! I was expecting they used Diffie-Hellman or AES or RSA etc. THEY TOLD ME ENCODING IS ENCRYPTION? WHAT THE FUCK?1 -
Don't think I could love IT any more than I do now! Currently an intern and was stressing a small bit about what I wanted to do after college (i.e. web development, mobile development, security), then came to the realisation that I can do whatever I want. I don't think any other profession has such freedom within the industry and that is why I love IT so much. Looking forward to many more years of learning and developing my skills2
-
At a previous job I bumped heads with the IT person a lot because he would spread misinformation about technology so the owners would never replace him. This was conversation with the VP:
VP: Hey I just got a new security setup at my house and I can monitor everything with my phone.
Me: That's cool.
VP: I'm rethinking it because [IT guy] said it was very dangerous to have, what do you think?
Me: ....? What did he say was dangerous about it?
VP: He said hackers could then gain access to cameras and plan the perfect time to rob me since it's in the cloud.
Me: I seriously doubt anyone is planning an Ocean's 11 heist to steal your TV.
VP: Yea I thought it sounded weird when he told me.3 -
Client doesn't want me to use the internet while connected to their VPN to code. It's a security 'violation', it seems. Do they think I am Dennis Ritchie, to code without internet? And the catch is I code for OpenFlow with OpenNetworkLinux+OpenNIE. I mean, do they even understand what Open means in all these?11
-
Wow so much hate for WordPress. Le me to the rescue 💀
Yes WP is bloated and crappy and full of security issues etc etc. Agreed. That doesn't mean it is useless though.
It is alright to use for someone who is not really good with web, someone who just needs a blog, someone who just needs a home page, about page and contact form with a possibility of updating photo and text once or two times a month.
It is not suitable for e-commerce nor lots of transactions/forms involving websites.
As long as you know what kind of horse/vehicle you are on, you won't end up in the dirt.4 -
Every week in my intro to information security class we are asked about what security stuff has gone down in the past week. Equifax is making it incredibly easy to not have to do much research.1
-
Don't you just love it when an official Docker image suddenly switches from one base image to another, and they automatically update all existing tags? Oh you've had it locked to v1.2.3, guess what, v1.2.3 now behaves slightly differently because it's been compiled with OpenSSL 3. Yeah, we updated a legacy version of the software just to recompile it with the latest version of OpenSSL, even though the previous version of OpenSSL is still receiving security fixes.
I don't think it's the image maintainers or Docker's fault though. Docker images are expected to be self-contained, and updating the base image is necessary to get the latest security fixes. They had two options: to keep the old base image which has many outdated and vulnerable libraries, or to update the base image and recompile it with OpenSSL 3.
What really bothers me about the whole thing is that this is the exact fucking problem containers were supposed to solve. But even with all the work that goes into developing and maintaining container images, it still isn't possible to do anything about the fact that the entire Linux ecosystem gives exactly zero fucks about backwards compatibility or the ability to run legacy software.15 -
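Added example, not part of the post above: the check that catches the situation the post describes before it bites. A tag such as `v1.2.3` is a mutable pointer that the image maintainer can re-point at a rebuilt image; a digest (`name@sha256:...`) names exact bytes and cannot move. The function below reads a Dockerfile and reports every `FROM` that pulls from a registry by tag only. The Dockerfile text is constructed sample input and the sha256 value in it is a placeholder, not a real image.

```python
# Added example (not from the post): flag FROM lines pinned only by tag.
# SAMPLE is constructed; the digest in it is a dummy, not a real image.
import re

FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<ref>\S+)(?:\s+AS\s+(?P<stage>\S+))?\s*$",
    re.IGNORECASE,
)


def parse_image_ref(ref: str):
    """Split 'registry:port/name:tag@sha256:hex' into (name, tag, digest)."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    name, tag = ref, None
    # A ':' after the last '/' separates the tag; before it, it is a registry port.
    colon = ref.rfind(":")
    if colon > ref.rfind("/"):
        name, tag = ref[:colon], ref[colon + 1:]
    return name, tag, digest


def unpinned_images(dockerfile: str) -> list:
    """Return (line number, reference, effective tag) for every FROM without a digest."""
    findings = []
    stages = set()  # names of earlier build stages; those are not registry pulls
    for lineno, line in enumerate(dockerfile.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        if m.group("stage"):
            stages.add(m.group("stage").lower())
        if ref.lower() in stages:
            continue
        _name, tag, digest = parse_image_ref(ref)
        if digest is None:
            findings.append((lineno, ref, tag or "latest"))
    return findings


# Constructed sample Dockerfile; the digest is a placeholder, not a real image.
SAMPLE = """\
FROM python:3.12-slim AS build
FROM build
FROM nginx@sha256:0000000000000000000000000000000000000000000000000000000000000000
FROM registry.example.test:5000/app:1.2.3
FROM ubuntu
"""

if __name__ == "__main__":
    for lineno, ref, tag in unpinned_images(SAMPLE):
        print(f"line {lineno}: {ref} resolves tag '{tag}' at build time; pin a digest")
```

The caveat cuts both ways: a digest freezes the base image's libraries along with the application, so pinning has to be paired with a scheduled rebuild and image scan, otherwise you trade "my build changed under me" for "my build is quietly carrying last year's OpenSSL".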
My university has an internally developed system, where everything is managed, from e-mails and exams to personal data.
What I like most about it: they talk all day about Internet Security and store our passwords in plain text, and if you press the "I've forgotten my Password" button, they even send your password unencrypted, in plaintext, via e-mail. (Hello Wiresharks)
I don't know how to feel about this, it just hurts :(1 -
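Added example, not part of the post above: the two things a "forgot my password" button should do instead of mailing the password back. First, the server never has the password to mail, because it stores only a salted, slow hash. Second, the e-mail carries a random, single-use, expiring reset token, and the server keeps only a hash of that token, so a leaked table cannot be turned into working reset links. Standard library only; the PBKDF2 iteration count is an assumption to measure and tune on your own hardware.

```python
# Added example (not from the post): salted slow hashing plus single-use reset
# tokens. The iteration count is an assumption; tune it for your servers.
import hashlib
import hmac
import secrets
import time

PBKDF2_ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor (assumed)


def hash_password(password: str) -> str:
    """Return 'pbkdf2_sha256$<iters>$<salt hex>$<hash hex>'; the password itself is never stored."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)   # constant-time comparison


class ResetTokens:
    """Single-use reset tokens. Only sha256(token) is kept server-side."""

    def __init__(self, ttl_seconds: int = 900, now=time.time):
        self.ttl = ttl_seconds
        self.now = now            # injectable clock, so expiry can be tested
        self._pending = {}        # sha256(token) -> (user_id, expires_at)

    def issue(self, user_id) -> str:
        token = secrets.token_urlsafe(32)        # 256 bits of randomness
        key = hashlib.sha256(token.encode()).hexdigest()
        self._pending[key] = (user_id, self.now() + self.ttl)
        return token   # this, inside a link, is what the e-mail carries

    def redeem(self, token: str):
        """Return the user id exactly once, or None if unknown, used or expired."""
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(key, None)
        if entry is None:
            return None
        user_id, expires_at = entry
        return user_id if self.now() <= expires_at else None


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record),
          verify_password("wrong", record))
    tokens = ResetTokens()
    t = tokens.issue("student-42")
    print(tokens.redeem(t), tokens.redeem(t))   # second redemption fails
```

The stored record carries its own algorithm name and iteration count, so the work factor can be raised later and old records re-hashed at next login without a flag day.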
I started to work in the CreditCard / Bank business a year ago.
Now they stopped the whole server migration project, so I leave again. They could have had it all. Server 2016, SQL 2016, Citrix, Surface Books and so on.
But no, the new shitty projects are more important than security or on what technology the system is build on.
Seems like the FTP Server will run on Windows 2003 forever...4