Client: We have a HUGE security problem.

Me: *thinks about any possible vulnerabilities* What is it?

Client: A user can take a picture of our website and steal our content.

I’m done for today.

New Dutch (or european?) law requiring https for any website with a contact form or higher is going into effect very soon. Were contacting customers so they can still be on time with this, this is how most convo's go:

Collegue: *explains*
Client: Im sure my security is good enough...
Collegue: i'd really recommend it, we've got free options as well!
Client: its just a secure connection, whats the big deal...
Collegue: *more arguments*
Client: I just don't see the point, security.... well.... does it really matter that much...
Collegue: Google might place you lower in the search results if you don't get a secure connection.

Client: 😶😥😵 uhm so what were the https options again? 😅

I hope they all die a painful death 😠

Me wanting to board Plane,
Goes through security Check...
"Sorry sir Laptops are not allowed."
Me
"Why?"
Security
"It could be a modified bomb"
Me
"But this is a Tablet!"
Security
"No sir, it has a Keyboard and Trackpad attached to it, its also running Windows..."
Me
"Excuse me, but this is clearly a Tablet"
*Detatches Keyboard from Surface Book*
"See? Tablet."
Security,
"Sorry sir, but no. You cant board the plane with this, only Tablets and Smartphones"
Me
"WTF? you dont allow Laptops because they could be bombs but A FUCKING SMARTPHONE IS ALLOWED? AND TABLETS TOO?!"
Security
"Yes, because the Battery is not removable..."
Me
"But my Laptop Battery is also not Removable..."
Security
"I dont have anymore Time for an Argument"
Me
"So I can board the Plane?"
Security
"No, the Ticket will be refunded"

WHO THE FUCK CAME UP WITH THIS BULLSHIT? LIKE RLY? WHO!!
I MEAN WHAT THE FUCK IS ALLOWED?!

An incident which made a Security Researcher cry
--------------------------------------------------------
I was working on my laptop finishing up my code while waiting for the flight which was late . Meanwhile two guys (I'm gonna call them Fellas) in black suit and shades came to me

Fella : Sir you have to come with us .
Me : *goes along with them*
Fella : Sir please proceed *points towards the door . The room has a round table with some guys discussing something *
Fella 1 : Your passport please
Me : *Hands over the passport*
Fella 1 : Where are you traveling to sir?
Me : India
Fella 1 : Put your laptop in the desk sir.
Me : Sure thing
Fella 2 : What were you doing there? *Taps the power button*
Me : Just finishing up my work .
Fella 1 : Or hacking our systems?
Me : Seriously?
Fella 2 : The password please .
Me : Here you go
*5 minutes have passed and​ he still can't figure out how to use the machine*
Fella 2 : Which Windows is this?
Me : It's Linux
Fella 1 : So you are a hacker .
Me : Nope
Fella 1 : You are using Linux
Me : Does it matters?
Fella 1 : Where do you work?
Me : *I won't mention here but I told him*
Fella 2 : So what do you do there?
Me : I'm a Security Researcher
Fella 1 : What's your work?
Me : I find security holes in their systems .
Fella 1 : That means you are a hacker .
Me : Not at all .
Fella 2 : But they do the same and they use Linux .
Me : You can call me one .
*After 15 minutes of doo-laa-baa-dee-doo-ra-ba-doo amongst them I dunno what they were talking , they shutdown the computer and handed over it to me*
Fella 2 - So you are somewhat like a hacker .
Me - *A bit frustrated* Yes.

##And now the glorious question appeared like an angel from river ##

Can you hack Facebook?
Me - 😭😭😭

!dev

It was late night after work I went into Macdonald's take-away:

Me: Can I have a Maharaja Mac Medium Meal with extra regular fries?

Guy: Yes sir, that will XX.XX amt.

Me: Gives him my card.

Guys: So what's the pin?

Me: What??

Guys: The Pin sir.

Me: Are you ok? Who the hell shares a pin with you?

Guy: Sir, we don't have a wireless swipe machine.

Me: So why is it a take-away if I have to come inside and drop my pin anyways?

*Guy looks awkwardly at other employees. :/

I had to finally get out of the vehicle and I took another 15 mins seperately explaining him why cards have a security pin and that the word security isn't a joke before the pin. With this, I might have also slipped in some GDPR cookie policy along with it. and why Microsoft bought GitHub. Good Lad. He will learn.

Definitely my security teacher. He actually expected us to actively learn the stuff and put effort into our education. He guided us through malware analysis and reverse engineering, simplifying it without insulting us.

We had students who thought they knew everything and he corrected them. We had arrogant students he put in place.

He treated us like adults and expected us to act like adults.

That's the only class I enjoyed studying for, because he would tell us exactly what wasn't on the exams (it was an intro course, didn't need to know the math). There were no trick questions.

I told him about the shitty teacher and he helped me through that confidence block. He helped me realize I *can* make it through the workforce as a female in security because I will work my ass off to be the best I can be. He reminded me why I love computers and why I want to go into forensics.

He's been a great mentor and role model and hiring him is one of the few things my department did right.

Tldr :
Office Building : 1
Population: 5000
Number of PC users: 5000
No of Spare mice: 0

Day 1:
Training period commences.
My mouse laser sensor doesn't work.

Solution: Use this mouse to log in to your system.
Open the company portal.
Connect to vpn.
Enter username password.
Create a ticket for mouse replacement.
Done.

Day 3
I bring my own mouse.
Confiscated at security.
Becomes a security violation.

Day 9
I get a call from helpdesk.
Agent- what is the problem?
Me- my mouse is not working.
Agent- why?
Me- what do you mean? Something is wrong with the sensor.
Agent- clean the sensor.
Disconnects call.
Marks ticket as resolved.
Me- WTF just happened!

Naturally, I escalate the issue.

Day 15
Level 2 Agent- what happened? Why have you escalated the issue?
Me- I need a mouse, waiting since 2 weeks.
Him- No mouse is available
Me- you don't have a single spare mouse available in an office with 5000 PC users?
Him- no they're out of stock.
Me- when will it be back in stock?
Him- we will 'soon' launch a tender for quotations from sellers.
Me- time?
Him- 1 week.

Day 34

I email the head of supplies for the city office. Next day I get a used super small mouse, which doesn't have a left button. Anyways, I've given up hope now.

Day 45
I become a master at keyboard shortcuts.
Finish my training.
Get transferred to another city.
No mouse till date.

Surprisingly, this was one of the top recruiters in my country. Never knew, MNCs can be so so inefficient for such simple tasks.
Start-ups are way better in this regard. Latest tech, small community, minimal bureaucracy and a lot of respect and things to learn.

I ranted about this guy before who thought he was a security expert while hardly knowing what the word is probably. Today I met him again at a party.

Holy fucking shit, this guy.

"we use the best servers of the netherlands"
"we use a separate server for each website and finetune them"
"we always put clusters under servers, that way we have a fallback mechanism"
"companies mostly use bv ssl certificates"
"you're on call for a week? I'm full-time on call. Why I'm drinking alcohol then? Because fuck the clients hahaha"

😥🔫

Me: *enters password on phone (long PIN)*
Person next to me is looking at my phone WHILE I enter my password, and as I look at him, he doesn't even turn away and even has the nerve to say:
"Wow, why do you have such a long password!"
Μy answer: "Because of security reasons."
What I actually wanted to say:
"Because of pieces of SHIT like you who can't keep their eyes to themselves, even when PASSWORDS are involved, you FUCK! Guess why everytime I enter a password in public, I have to dim my screen and turn my screen sideways? Because of fuckheads like you, not knowing shit about privacy and security! Fuck you!"

Storytime!

Manager: Hey fullstackchris, the maps widget on our app stopped working recently...

Dev: (Skeptical, little did he know) Sigh... probably didn't raise quota or something stupid... Logs on to google cloud console to check it out...

Google Dashboard: Your bill.... $5,197 (!!!!!!) Payment method declined (you think?!)

Dev: 😱 WTF!?!?!! (Calls managers) Uh, we have HUGE problem, charges for $5000+ in our google account, did you guys remove the quota limits or not see any limit reached warnings!?

Managers: Uh, we didn't even know that an API could cost money, besides, we never check that email account!

Dev: 🤦‍♂️ yeah obviously you get charged, especially when there have literally been millions of requests. Anyway, the bigger question is where or how our key got leaked. Somewhat started hammering one of the google APIs with one of our keys (Proceeds to hunt for usages of said API key in the codebase)

Dev: (sweating 😰) did I expose an API key somewhere? Man, I hope it's not my fault...

Terminal: grep results in, CMS codebase!

Dev: ah, what do we have here, app.config, seems fine.... wait, why did they expose it to a PUBLIC endpoint?!

Long story short:

The previous consulting goons put our Angular CMS JSON config on a publicly accessible endpoint.

WITH A GOOGLE MAPS API KEY.

JUST CHILLING IN PLAINTEXT.

Though I'm relieved it wasn't my fault, my faith in humanity is still somewhat diminished. 🤷‍♂️

Oh, and it's only Monday. 😎

Cheers!

I guess that is what you get for bringing up security issues on someones website.

Not like I could read, edit or delete customer or company data...

I mean what the shit... all I did was try to help and gives me THIS? I even offered to help... maybe he got angry cause I kind of threw it in his face that the whole fucking system is shit and that you can create admin accounts with ease. No it's not a framework or anything, just one big php file with GET parameters as distinction which function he should use. One fucking file where everything goes into.

Newspaper: This CEO is one of the top entrepreneurs in the country, a true tech visionary shaping the future.

--- 3 months previous ---

Lead dev: O2 have said they are will pre-install the app on all their Androids but they need documentation from us.

CEO: documentation? on what?

Lead dev: Our unit test coverage, bugs found / fixed, security scan results, performance assessment, if and where its storing any data etc.

CEO: Ah were not doing any of that crap, bloody unit tests, its not necessary, tell them no.

lead dev: ..... eh ok

O2: *approved*

... true visionary, well done to everyone involved.

Another incident which made a Security Researcher cry 😭😭😭
[ NOTE : Check my profile for older incident ]
-----------------------------------------------------------
I was invited by a fellow friend to a newly built Cyber Security firm , I didn't asked for any work issues as it was my friend who asked me to go there . Let's call it X for now . It was a good day , overcast weather , cloudy sky , everything was nice before I entered the company . And the conversation is as follows :

Fella - Hey! Nice to see you with us .
Me - Thanks! Where to? *Asking for my work​ area*
Fella - Right behind me .
Me - Good thing :)
Fella - So , the set-up is good to go I suppose .
Me - Yeah :)
*I'm in my cabin and what I can see is a Windows VM inside Ubuntu 12.4*

*Fast forward to 1 hour and now I'm at the cafeteria with the Fella*

Fella - Hey! Sup? How was the day?
Me - Fine *in a bit confused voice*
Fella - What happened mate , you good with the work?
Me - Yeah but why you've got Windows inside Ubuntu , I mean what's the use of Ubuntu when I have to work on Windows?
Fella - Do you know Linux is safe from Malwares?
Me - Yeah
Fella - That's why we are using Windows on VM inside Linux .
Me - For what?
Fella - To keep Windows safe from Malwares as in our company , we can't afford any data loss!
Me - 😵 *A big face palm which went through my head and hit another guy , made me a bit unconscious*

I ran for my life as soon as possible , in future I'm never gonna work for anyone before asking their preferences .

It was fun to watch my entire high school (~1200 people) freak out when I ran "net send * Big brother is watching you..." on what I found to be an insecure computer in my high school's library. Every single computer in the building displayed the pop up message. The town's IT director even showed up to figure out what happened.

I was caught, but they were more happy it wasn't a hacker, and that I discovered that the IT firm the town hired totally botched properly implementing network security, so I was let off the hook.

Got invited to a "roundtable", where we will discuss email security and the future and direction of where it is going.
Only 10 people in Sweden got a chair

I feel exclusive but also scared that they will find out what a noob I am lol

If the below is you, please stop. I'm starting a revolution called #AnswerTheQuestion

A: Hey, just checked your code, you have a huge security issue in XYZ, you should really address that.

B: Oh god I had no idea, how do I fix it?

A: Well it depends on how you *want* to fix it, no one solution is always the right one.

B: ... Ok, well could you give me some advice?

A: Well, there are many ways to approach this kind of work, but all I can say is that this way, is definitely not the correct one.

B: ... Ok, well how would you do it?

A: That would depend on the customer requirements.

B: ... the requirements is to have a website that isn't easily hackable, what do I do?

A: Nowadays, its pretty hard to make a website completely not hackable.

B: ALL THE SERVERS ARE SHOWING RED, PLEASE HELP ME!!!

A: ........ you really shouldn't prejudge colours. The colour red doesn't always mean danger, depends purely on the use case.

"Hey nephew, why doesn't the FB app work. It shows blank white boxes?"
- It can't connect or something? (I stopped using the FB app since 2013.)

"What is this safe mode that appeared on my phone?!"
- I don't know. I don't hack my smartphone that much. Well, I actually do have a customised ROM. But stop! I'm pecking my keyboard most of the time.

"Which of my files should I delete?"
- Am I supposed to know?

"Where did my Microsoft Word Doc1.docx go?"
- It lets you choose the location before you hit save.

"What is 1MB?"
- Search these concepts on Google. (some of us did not have access to the Internet when we learned to do basic computer operations as curious kids.)

"What should I search?"
- ...

"My computer doesn't work.. My phone has a virus. Do you think this PC they are selling me has a good spec? Is this Video Card and RAM good?"
- I'm a programmer. I write code. I think algorithmically and solve programming problems efficiently. I analyse concepts such as abstraction, algorithms, data structures, encapsulation, resource management, security, software engineering, and web development. No, I will not fix your PC.

So I've been looking for a Linux sysadmin job for a while now. I get a lot of rejections daily and I don't mind that because they can give me feedback as for what I am doing wrong. But do you know what really FUCKING grinds my FUCKING gears?

BEING REJECTED BASED ON LEVEL OF EDUCATION/NOT HAVING CERTIFICATIONS FOR CERTAIN STUFF. Yes, I get that you can't blindly hire anyone and that you have to filter people out but at least LOOK AT THEIR FUCKING SKILLSET.

I did MBO level (the highest sub level though) as study which is considered to be the lowest education level in my country. lowest education level meaning that it's mostly focused on learning through doing things rather than just learning theory.

Why the actual FUCK is that, for some fucking reason, supposed to be a 'lower level' than HBO or Uni? (low to high in my country: MBO, HBO, Uni). Just because I learn better by doing shit instead of solely focusing on the theory and not doing much else does NOT FUCKING MEAN THAT I AM DUMBER OR LESS EDUCATED ON A SUBJECT.

So in the last couple of months, I've literally had rejections with reasons like
- 'Sorry but we require HBO level as people with this level can analyze stuff better in general which is required for this job.'. - Well then go fuck yourself. Just because I have a lower level of education doesn't FUCKING mean that I can't analyze shit at a 'lower level' than people who've done HBO.

- 'You don't seem to have a certificate for linux server management so it's a no go, sorry!' - Kindly go FUCK yourself. Give me a couple of barebones Debian servers and let me install a whole setup including load balancers, proxies if fucking neccesary, firewalls, web servers, FUCKING Samba servers, YOU FUCKING NAME IT. YES, I CAN DO THAT BUT SOLELY BECAUSE I DON'T HAVE THAT FUCKING CERTIFICATE APPEARANTLY MEANS THAT I AM TOO INCOMPETENT TO DO THAT?! Yes. I get that you have to filter shit but GUESS WHAT. IT'S RIGHT THERE IN MY FUCKING RESUME.

- 'Sorry but due to this role being related to cyber security, we can't hire anyone lower than HBO.' - OH SO YOUR LEVEL OF EDUCATION DEFINES HOW GOOD YOU ARE/CAN BE AT CYBER SECURITY RELATED STUFF? ARE YOU MOTHERFUCKING RETARDED? I HAVE BEEN DOING SHIT RELATED TO CYBER SECURITY SINCE I WAS 14-15 FUCKiNG YEARS OLD. I AM FAMILIAR WITH LOADS OF TOOLS/HACKING TECHNIQUES/PENTESTING/DEFENSIVE/OFFENSIVE SECURITY AND SO ON AND YOU ARE TELLING ME THAT I NEED A HIGHER LEVEL OF FUCKING EDUCATION?!?!? GO FUCKING FUCK YOURSELF.

And I can go on like this for a while. I wish some companies I come across would actually look at skills instead of (only) study levels and certifications. Those other companies can go FUCK THEMSELVES.

I have spent 20 minutes explaining to a contractor how to stage a file in git and what a filepath is.

It's moments like this where I stop worrying about my job security

Seriously fuck mandatory security questions, these are my options:

What year did you meet your spouse?
I'm single.
What is your favorite book as a child?
I didn't have a favorite book. (and still, don't)
In which city did you meet your spouse?
I'm single
What is the first name of the first person you went to prom with?
Didn't go to prom.
Which state did you first visit (outside of your birth state)?
I've been to about 43 states and can't remember when I started traveling, how the fuck am I supposed to know?
In which city was your spouse born?
Again I'm single.
In which city did your oldest sibling get married?
I don't have any siblings.

C'mon, at least let me create my own question because right now I have no choice but to make up random shit and write it down in LastPass as a note.

So just recently my school blocked the following for unknown reasons websites
Github
Gitlab
Amazons aws
stack exchange
Bitbucket
Heroku
The hacker news
DuckDuckGo
The Debian package repositories yea all of em
And all domains that end in .io
Now some of you out there are probably just saying "well just use a vpn" the answer to that is I can't the only device I have a locked down school iPad can't install apps cannot delete apps cannot change vpn or proxy setting's I cannot use Safari private tab they have google safe search restricted to "on" they even have "safari restricted mode which lets safari choose what it wants to block" and even when I'm on my home wifi it's s still blocked as they use Cisco security connector THIS IS HELL

Also this is my first post :)

I can't believe this company.

They want to stop using Certificates because it bothers the customer.

I had to use https because we were using service workers for a PWA.

I tried explaining we need them for the product to work, and also it's a basic security measure.

They were removing the certificates without my knowledge.

I found out because a colleague wanted a way to disable the service worker and asked me for help.

The manager said your not the boss of the company, it's not your company to make decisions.

Just do what they say, he tried to justify the decision from above, I said ok when was the last time you installed a certificate? he said never.
Ok, then what the fuck are you talking about, its 10 minutes to get a certificate letscrypt HELLO.

This company is very hierarchical 1900 style, I'm the person who does innovation in the organization, that's the most fucked up part, they say no to everything.
OMG, I'm going to quit.

There just asking to get hacked, this is just the tip of the iceberg.

Is this common or are they morons?

In few hours I was with client showing his website after long time coding and designing.

Client: I think this is it, here your final $$

Me: Me thanks sir and bye

A guy came in.

Client: Oh! Wait, this guy is our it expert let see if he have any advise.

Me: Oops! Okay

Guy: So this website will showcase our products

Me: Yes,

Guy: What about security because I just got news that Russian hacked one big company.

Me: I don’t think Russian have time to hack your one page website

Out of the door...

(The PM is pretty technical)
One day:
Me: Could you create this subdomain?
PM: Sure, just a sec.
Me: Ohh and could you add a letsencrypt cert? (one click thingy)
PM: Why would you need that on this kinda site...
Me: Well in general for security...
PM: Nahh.
*walks away*

Next day:
(referring to my internship manager/guider as Bob)
Bob: Hey... we have a new subdomain!
Me: Yup!
Bob: Wait why is there no letsencrypt certificate installed...?!?
Me: Well, the PM didn't find that neccesary...
Bob: (Oo) of course it is... are we going for security by default or what?
Me: Yup agreed.
Bob: *creates cert and sets everything up in under a minute*

It wasn't a high profile site (tiny side project) but why not add SSL when you can for free?

So this chick has been super nice to me for the past few months, and has been trying to push me towards a role in security. She said nothing but wonderful things about it. It’s easy, it’s not much work, it’s relaxing, etc.

I eventually decided I’m burned out enough that something, anything different would be good, and went for it. I’m now officially doing both dev and security. The day I started, she announced that she was leaving the security team and wouldn’t join any other calls. Just flat-out left.

She trained me on doing a security review of this release, which basically amounted to a zoom call where I did all of the work and she directed me on what to do next, ignored everything I said, and treated me like an idiot. It’s apparently an easy release. The work itself? Not difficult, but it’s very involved, very time consuming, and requires a lot of paper trail — copying the same crap to three different places, tagging lots of people, copying their responses and pasting them elsewhere, filing tickets, linking tickets, copying info back and forth to slack, signing off on things, tagging tickets in a specific way, writing up security notes in a very specific format etc. etc. etc. It’s apparently usually very hectic with lots of last-minute changes, devs who simply ignore security requests, etc.

I asked her at the end for a quick writeup because I’m not going to remember everything and we didn’t cover everything that might happen.

Her response: Just remember what you did here, and do it again!

I asked again for her to write up some notes. She said “I would recommend.. you watch the new release’s channel starting Thursday, and then review what we did here, and just do all that again. Oh, and if you have any questions, talk to <security boss> so you get in the habit of asking him instead of me. Okay, bye!”

Fucking what.
No handoff doc?
Not willing to answer questions after a day and a half of training?

A recap
• She was friendly.
• She pushed me towards security.
• She said the security role was easy and laid-back.
• I eventually accepted.
• She quit the same day.
• The “easy release” took a day and a half of work with her watching, and it has a two-day deadline.
• She treated (and still treats) me like a burden and ignores everything I said or asked.
• The work is anything but laid-back.
• She refuses to spend any extra time on this or write up any notes.
• She refuses to answer any further questions because (quote) “I should get in the habit of asking <security boss> instead of her”

So she smiled, lied, and stabbed me in the back. Now she’s treating me like an annoyance she just wants to go away.

I get that she’s burned out from this, but still, what a fucking bitch. I almost can’t believe she’s acting this way, but I’ve grown to expect it from everyone.

But hey, at least I’m doing something different now, which is what I wanted. The speed at which she showed her true colors, though, holy shit.

“I’m more of a personal motivator than anything,” she says, “and I’m first and foremost a supporter of women developers!” Exactly wrong, every single word of it.

God I hate people like this.

I'm seeing people defending clearly-injectable code and I'm just stunned.

And this person in particular is supposed to be responsible (at least partially) for finding security flaws.

I don't know what to say.

!rant
*me logging into the demo system*
Me: so what is the login data?
Boss: we are a security company, what do you think?
Me: admin admin?
Boss: admin admin.

Fucking crunchyroll hardcodes their access tokens in a Constants Class in their APK, technically that is a security issue.

What the actual fuck Crunchyroll!? No fucking wonder you got DNS Hijacked so quick, security is literally your second priority you dumbed down twats, get some real devs and some real QAs for fucking god sakes, you're tearing down your own system by inviting exploits.

No, MD5 hash is not a safe way to store our users' passwords. I don't care if its been written in the past and still works. I've demonstrated how easy it is to reverse engineer and rainbow attack. I've told you your own password for the site! Now please let me fix it before someone else forces you to. We're too busy with other projects right now? Oh, ok then, I'll just be quiet and ignore our poor security. Whilst I'm busy getting on with my other work, could you figure out what we're gonna do with the tatters of our client's business (in which our company owns a stake) in the aftermath of the attack?

Me: So what you are doing in the IT field?
Him: I am hacking bank websites.
Me: OK, that's cool. It is good in free time. What is your actual job?
Him: I am seriously hacking the bank Web site!
Me: Trust me, if you seriously doing that you will never ever mentioned it...
Him: No, I am doing it legally... The bank hiring me to try to hack the website...
Me: OK, you mean that you are cyber security tester?
Him: That is almost the same...
Me: So you are tester?
Him: I am hacking bank's websites...
Me:....

For an ostensibly security-focused financial company, these people really don't know what they're doing. Everything I've seen thus far is so hacked-together that I feel like i'm looking at code written by high schoolers.

Seriously, some of API Guy's code is better than this.

And they even make a point to remind me of ultra basics like `.to_a`, `.map`, or "a good command to keep on hand is `rake db:migrate`" -- like seriously? Those are in bloody "Intro to Rails" tutorials (and it's `rails db:migrate` as of Rails 5). For an ostensibly all-senior team, these devs are awfully junior.

Had a discussion with a developer about security. His software transfers all user data (password and files) unencrypted, so anyone can grab them with wireshark. I told him that this is a severe issue. He said no its no problem because if you get hacked its your own fault, because you probably used an insecure network. NO ! YOU FUCKING MALADJUSTED SHEEP-MOLESTING OBJECT OF EXECRATION, YOU SHOULD ALWAYS ENCRYPT SENSITIVE USERDATA NO MATTER WHAT NETWORK YOU USE. FUCKING KILL ME ALREADY.
Not implementing encryption is one thing but then acting like its no problem is a fucking nother one. Why do people not understand that security of userdata is important???

* How other sites charge for a domain name
- The domain (abc.com) is available
---- Price => $14

* How AWS charges
- Your domain (abc.com) is available
--- Domain name => $18.99
--- DNS resolution => $17.88
--- Hosted zone (1) => $10.97
--- Route53 Interface => $45.67
--- Network ACL => $63.90
--- Security Group => $199.78
--- NAT Gateway (1) => $78.99
--- IP linking => $120.89
--- Peer Connection => $67.00
--- Reverve Endpoint => $120.44
--- DNS Propagation => $87.00
--- Egress Gateway => $98.34
--- DNS Queries (1m) => $0.40
--------------------------------
---- TOTAL => $2903.99
(Pay for what you use... learn more)
--------------------------------

Typical TSA (Airport Security)

Security: Please put all of your handheld objects and your outer clothes in this basket.
Me: (puts my bag, in flight luggage, and takes out laptop, bluetooth speaker, bluetooth mouse, bluetooth keyboard, tablet, android phone, dongle bag, and windows phone)
S: (stares at me as if I am a rich kid)
M: May I go through?
S: (nods)
M: (smirks, and goes through metal detector)
BeepBeepBeep!
M: (oh shit.)
Scanning Officer: Raise your hand!
M: Mmmhmm
S: (Hovers the detection stick around my body, but it doesn't ring, tells me to pass through the detector again. Still rings. Super confused. Asks me to do this 2-3 times more. Still same.)
M: Aha! I have my bluetooth earphones here! Sorry!
S: (stares at me, as if he is saying what a f****** weirdo)
My stuff comes out. I put my devices in the bag. The scanning officer stares at me.
M: (smirks)

To be continued....

I've got a confession to make.

A while ago I refurbished this old laptop for someone, and ended up installing Bodhi on it. While I was installing it however, I did have some wicked thoughts..

What if I could ensure that the system remains up-to-date by running an updater script in a daily cron job? That may cause the system to go unstable, but at least it'd be up-to-date. Windows Update for Linux.

What if I could ensure that the system remains protected from malware by periodically logging into it and checking up, and siphoning out potential malware code? The network proximity that's required for direct communication could be achieved by offering them free access to one of my VPN servers, in the name of security or something like that. Permanent remote access, in the name of security. I'm not sure if Windows has this.

What if I could ensure that the system remains in good integrity by disabling the user from accessing root privileges, and having them ask me when they want to install a piece of software? That'd make the system quite secure, with the only penetration surface now being kernel exploits. But it'd significantly limit what my target user could do with their own machine.

At the end I ended up discarding all of these thoughts, because it'd be too much work to implement and maintain, and it'd be really non-ethical. I felt filthy from even thinking about these things. But the advantages of something like this - especially automated updates, which are a real issue on my servers where I tend to forget to apply them within a couple of weeks - can't just be disregarded. Perhaps Microsoft is on to something?

Something I probably shouldn't talk about:

One of the projects at work has a specific path you can visit. The """security""" is that nobody should know the path. But I can guaran-fucking-tee you it's not difficult to guess.

On this page, ***without a login***, you can view some user information. Well, you can view all of it, but only certain fields.

And if you perform a specific action on this page, you can get their password, plaintext.

This project is not mine. But learning all of this made me super uneasy. I had to share it.

Alright so the security blog is coming up soon (as in, days probably) and I'm working hard together with 404response on the privacy site.

I do want to gain some insight into visitor numbers and so on but OF COURSE, commercial/closed source options are a no-go for me!

I am thinking about maybe using Piwik with all the privacy options enabled Also self hosted obviously. What do you guys/gals think?

Just got a new TV, 4K... it’s one of those smart ones, by Samsung.

Anyone want to explain what the fuck “McAfee Security for TV” is, and why the fuck it is necessary!?

What kind, of absolute waster madman goes “I know what I’ma do today, write a virus for a tv”!?

Take that shit elsewhere McAfee.

Now accepting any links to known Smart TV 0-days and attacks...

And I had to sign in to 5 different fucking accounts to get to the fucking tv.

The world is broke as fuck. Roll on the apocalypse.

Because the RSS feed is still down, hereby.

The post about what I personally take for security and privacy measures is up.

Hopefully you can learn something from it or even email me some tips!

What is this ?
U call this wireless security??

Anyway what is the best way of securing hotspots in the airports , hotels , ... ?

I think the hardest thing about being a programmer in college with a security emphasis is when I approach a business for a penetration test or for a vulnerability analysis (your pick) is that they almost always say, "you are pretty young don't you think?"

Ummmm not sure what that has to do with it. If it would make you feel better I have claimed bug bounties from an antivirus company, a bank, several local businesses in my area and I do this for work at my 9-5.

And this week I got this, "I think I would like someone older so we can define the goals better."

Oh so rules of engagement, yeah of course I understand that and that's something we would discuss and draw up a contract for...

"Well we really need someone more skilled."

---- End of story ----

I don't understand, you haven't asked about certifications or schooling and you glanced at my resume for exactly 5 seconds what the hell do you want? Me to double my age over night?

I've been away, lurking at the shadows (aka too lazy to actually log in) but a post from a new member intrigued me; this is dedicated to @devAstated . It is erratic, and VERY boring.
When I resigned from the Navy, I got a flood of questions from EVERY direction, from the lower rank personnel and the higher ups (for some reason, the higher-ups were very interested on what the resignation procedure was...). A very common question was, of course, why I resigned. This requires a bit of explaining (I'll be quick, I promise):
In my country, being in the Navy (or any public sector) means you have a VERY stable job position; you can't be fired unless you do a colossal fuck-up. Reduced to non-existent productivity? No problem. This was one of the reasons for my resignation, actually.
However, this is also used as a deterrent to keep you in, this fear of lack of stability and certainty. And this is the reason why so many asked me why I left, and what was I going to do, how was I going to be sure about my job security.
I have a simple system. It can be abused, but if you are careful, it may do you and your sanity good.
It all begins with your worth, as an employee (I assume you want to go this way, for now). Your worth is determined by the supply of your produced work, versus the demand for it. I work as a network and security engineer. While network engineers are somewhat more common, security engineers are kind of a rarity, and the "network AND security engineer" thing combined those two paths. This makes the supply of my work (network and security work from the same employee) quite limited, but the demand, to my surprise, is actually high.
Of course, this is not something easy to achieve, to be in the superior bargaining position - usually it requires great effort and many, many sleepless nights. Anyway....
Finding a field that has more demand than there is supply is just one part of the equation. You must also keep up with everything (especially with the tech industry, that changes with every second). The same rules apply when deciding on how to develop your skills: develop skills that are in short supply, but high demand. Usually, such skills tend to be very difficult to learn and master, hence the short supply.
You probably got asleep by now.... WAKE UP THIS IS IMPORTANT!
Now, to job security: if you produce, say, 1000$ of work, then know this:
YOU WILL BE PAID LESS THAN THAT. That is how the company makes profit. However, to maximize YOUR profit, and to have a measure of job security, you have to make sure that the value of your produced work is high. This is done by:
- Producing more work by working harder (hard method)
- Producing more work by working smarter (smart method)
- Making your work more valuable by acquiring high demand - low supply skills (economics method)
The hard method is the simplest, but also the most precarious - I'd advise the other two. Now, if you manage to produce, say, 3000$ worth of work, you can demand for 2000$ (numbers are random).
And here is the thing: any serious company wants employees that produce much more than they cost. The company will strive to pay them with as low a salary as it can get away with - after all, a company seeks to maximize its profit. However, if you have high demand - low supply skills, which means that you are more expensive to be replaced than you are to be paid, then guess what? You have unlocked god mode: the company needs you more than you need the company. Don't get me wrong: this is not an excuse to be unprofessional or unreasonable. However, you can look your boss in the eye. Believe me, most people out there can't.
Even if your company fails, an employee with valuable skills that brings profit tends to be snatched very quickly. If a company fires profitable employees, unless it hires more profitable employees to replace them, it has entered the spiral of death and will go bankrupt with mathematical certainty. Also, said fired employees tend to be absorbed quickly; after all, they bring profit, and companies are all about making the most profit.
It was a long post, and somewhat incoherent - the coffee buzz is almost gone, and the coffee crash is almost upon me. I'd like to hear the insight of the veterans; I estimate that it will be beneficial for the people that start out in this industry.

Finally got a new job, but it's already a horror story not even 2 hours in (making this while on break)

Everyone here is an Intern, IT? Interns, Designers? Interns, HR? Interns.

The Person who I should've worked with got fired yesterday, and now I have to work all of his shit up from 0, Documentation? Fragmental, a few things here and there, but nothing really.

IT security also doesn't exist in the slightest, there is an Excel sheet called "Master_Passwords" and every single password is in Plaintext, written out for everyone to see. (at least they used "strong" passwords)

And the place also looks run down, theres PC's, Laptops, Mics, Cables etc. lying literally everywhere no-one knows what works and what doesn't (since everyone is an intern)

Not to mention the "Server Room" is an absolute mess itself, cables hanging from literally anywhere, powerstrips are ontop of servers, each rack has like 2 or 3 2U Servers, (in a 40u Rack) and there are 10 of them!

TIL that TI has no goddamn chill

Texas Instruments released the TI-83+ calculator model in 1996. The Z80 was not at all stock and has the following features:

- 3 access levels (priveleged kernel, kernel, user)
- Locking Flash (R/O when locked for most pages, some pages protected and unreadable as well, only unlockable from protected Flash pages by reading a certain order of bits then setting a port)
- Locking hardware ports (lock state always the same as flash)
- Customizable execution whitelist range (via locked ports)
- Configurable hardware (Flash/RAM size changeable in software via locked ports, max RAM is 8MB which is fucking mental compared to the 64k in the thing)
- Userland virtualization (always-on)
- Reset on violation of security model
- Multithreading
- Software-overclockable CPU
- Hardware MD5 and cert handling

TI made a calculator in 1996 with security features PCs wouldn't see until like 2010 what the *actual* fuck

Can someone explain to me why the fuck I should even care about the fact, that some companies collect, use and sell my data? I'm not famous, I'm not a politician and I'm not a criminal, I think most of us aren't and won't ever be. We aren't important. So what is this whole bullshittery all about? I seriously don't get it and I find it somewhat weird that especially tech guys and IT "experts" in the media constantly just make up these overly creepy scenarios about big unsafe data collecting companies "stealing" your "private" information. Welcome to the internet, now get the fuck over it or just don't be online. It's your choice, not their's.

I honestly think, some of these "security" companies and "experts" are just making this whole thing bigger than it actually is, because it's a damn good selling point. You can tell people that your app is safe and they'll believe you and buy your shit app because they don't understand and don't care what "safe" or "unsafe" means in this context. They just want to be secure against these "evil monster" companies. The same companies, which you portrayed them as "evil" and "unfair" and "mean" and "unrepentant" for over a decade now.

Just stop it now. All your crappy new "secure" messenger apps have failed awesomely. Delete your life now, please. This isn't about net neutrality or safety on the internet. This is all about you, permanently exaggerating about security and permanently training people to be introverted paranoid egoistic shit people so that they buy your elitist bullshit software.

Sorry for my low english skills, but please stop to exist, thank you.

So my boss is staring a new security oriented product and he asked one of my colleagues to prepare a presentation about the possible attacks on the product.

During the presentation there was a section on DoS attacks. The boss didn't know what DoS was and after a brief explanation, he interrupted the presentation and said DDoS is not a threat because there is no data stolen. This is a webapp.

Boss calls: "Can you give me more bandwith?"
Me: "I can, but the other coworkers will have issues"
Boss: "Doesn't matter, and please, lift up the proxy too"
Me: "I am sorry, but I can't, that could compromise our security"
Boss: "I am giving you an order..."
Me: "Ok then..."
Me: *proceeds to give boss more bandwith and lifts up proxy (all is lost now)*

I go to see what is the boss doing with the bandwith...he was downloading League of Legends in his personal notebook...

TL;DR: Boss asks to put company at risk for the sake of a game...

We got DDoS attacked by some spam bot crawler thing.

Higher ups called a meeting so that one of our seniors could present ways to mitigate these attacks.

- If a custom, "obscure" header is missing (from api endpoints), send back a basic HTTP challenge. Deny all credentials.

- Some basic implementation of rate limiting on the web server

We can't implement DDoS protection at the network level because "we don't even have the new load balancer yet and we've been waiting on that for what... Two years now?" (See: spineless managers don't make the lazy network guys do anything)

So now we implement security through obscurity and DDoS protection... Using the very same machines that are supposed to be protected from DDoS attacks.

I start with the features I want for sure and then i start looking at what data I really really need to store. Then I start looking at what data I don't have to store because of privacy reasons anyways.

Next stop is looking at the security.

When that all looks good, I simply start programming!

"You've been working on this for 6 weeks, and I don't see any changes. What have you done?"
"I completely overhauled the backend, now everything makes more sense and we're using more modern APIs"
"But nothing's changed at all! The front-end looks exactly the same!!"
"*sigh* The new backend is also more secure.. "
"Oh, so it's a security upgrade, that's good, but why did it take six weeks?"
-_-

DEAR CTOs, PLEASE ASK THE DEVELOPER OF THE SOFTWARE WHICH YOU ARE PLANNING TO BUY IN WHAT LANGUAGE AND WHAT VERSION THEY ARE WRITTEN IN.

Background: I worked a LONG time for a software company which developed a BIG crm software suite for a very niche sector. The softwary company was quite successfull and got many customers, even big companies bought our software. The thing is: The software is written in Ruby 1.8.7 and Rails 2. Even some customer servers are running debian squeeze... Yes, this setup is still in production use in 2022. (Rails 7 is the current version). I really don't get it why no one asked for the specific setup, they just bought it. We always told our boss, that we need time to upgrade. But he told every time, no one pays for an tech upgrade... So there it is, many TBs of customer data are in systems which are totally old, not updated and with possibly security issues.

THE FUCK WHY did the company which made the website I'm maintaining now ADD CUSTOM FACEBOOK LIKES AND TWITTER FOLLOWER WIDGETS - IN A SUBDIRECTORY OF THE THEME?

Guess what, you motherfuckers: One year after you made that damn page the Facebook API changed and your stinking widget is broken REQUIRING ME TO REWRITE MOST OF IT!

Also WHO THE FUCK LEFT HIS BRAIN ON HIS BEDSIDE TABLE the day he decided to HARDCODE ASSETS WITH AN http:// (no tls) URL? YES, browsers will block that shift if the website itself is delivered over tls, because it's a GAPING SECURITY HOLE!

People who sells websites that have user management and thus request authentication without AT LEAST OFFERING FUCKING STANDARD TLS SHOUD BE TARRED AND FEATHERED AND THEN PUT IN A PILLORY IN FRONT OF @ALEXDELARGE'S HOUSE!

Maybe I should be a bit more thankful - I mean I get payed to fix their incompetence. But what kind of doctor is thankful for the broken bones of his patient?

Manager: You want a promotion? To senior? Ha. Well, build this web app from scratch, quickly, while still doing all your other duties, and maybe someone will notice and maybe they’ll think about giving you a promotion! It’ll give you great visibility within the company.

Your first project is adding SSO using this third party. It should take you a week.

Third party implementation details: extremely verbose, and assumes that you know how it works already and have most of it set up. 👌🏻

Alternative: missing half the details, and vastly different implementation from the above

Alternative: missing 80%; a patch for an unknown version of some other implementation, also vastly different.

FFS.
Okay, I roll my own auth, but need creds and a remote account added with the redirects and such, and ask security. “I’m building a new rails app and need to set up an SSO integration to allow employees to log in. I need <details> from <service>.” etc. easy request; what could go wrong?

Security: what’s a SSO integration do you need to log in maybe you don’t remember your email I can help you with that but what’s an integration what’s a client do you mean a merchant why do merchants need this

Security: oh are you talking about an integration I got confused because you said not SSO earlier let me do that for you I’ve never done it before hang on is this a web app

Security: okay I made the SSO app here you go let me share it hang on <sends …SSL certificate authority?>

Boss: so what’s taking so long? You should be about done now that you’ve had a day and a half to work on this.

Abajdgakshdg.

Fucking room temperature IQ “enterprise security admin.”
Fucking overworked.
Fucking overstressed.

I threw my work laptop across the room and stepped on it on my way out the door.
Fuck this shit.

I live in zurich switzerland one of the most expensive places to live. And i work as a jack of all trades graphic ux/ui designer/copy writer/marketeer in IT security.
I earn about $3800 a month, but every salery calculator says I should earn above $7000. With a median salery of $9300. But this seems so much money and I suffer from low self esteem. So what should I do? (Quitting is not an option because I like it there)

Who's at fault for the recent Wanna Cry virus: The companies affected or Microsoft/NSA?

Personally, I think it's the companies affected. This is what happens when you try and be cheap when it comes to cyber security​.

I am amazed how specific everyone is being about security vulnerabilities at their employers. Hopefully no one social engineers what company you work at.

It's a new semester and the introductory class for a General Ed is going on.
Prof: What do you want to be when you are done with engineering?
Me: I'd like to be in the security domain but I'm still not sure.
Prof: Then why are you doing Computer Science? You can just get a job as a security personnel.
FML.

Can https be decrypted easily?
(Or even by spending some time)
Plus what other security methods banks apply to prevent theft of sensible data?
Do they encrypt data using thair own private key thet is changed automatically?

Cyber security. Deep knowledge of cyber security and networks is what I wish I had. The math stuff that no one bothers with, specifically.

I just had my cell phone cloned yesterday. End of the day, my phone lost signal suddenly. I thought it was a problem with my chip, so I decided to check that on a store and buy a new one next day.

Today, after I recover my chip and number, I started to see the mess. Someone used my number to send message to all my contacts on whatsapp, asking for money. Also, I had some contact info changed on the bank broker, which is really serious. I do not know what else is compromised, and I'm truly worried about it.

Someone has some good tips for improving security while using cellphones?

Today, the security department stopped our new project and told us to work on the last project instead because of a top-secret security flaw.

Problem is, they are not allowed to tell us what the problem is. FML

This isn’t gonna be a random because I do eventually get to a Tech and YouTube related topic.

YouTube is actually killing itself with all of the dumbass rules they’re implementing. Trying to child proof or limit educational content is genuinely a shit policy. The reason so many gaming channels are switching to twitch because it doesn’t try to censor you.

But now I don’t know if you’ve heard but YouTube updated their guidelines and they’re no longer allowing content that teaches people about Hacking essentially (and I hate putting it like that but I can’t remember the exact words they used Hacking just summarizes it) which is fucking ridiculous like what the fuck else, are they gonna stop allowing lock picking videos?

YouTube has always been an amazing FREE resource for people learning Programming, Cyber Security, IT related fields, and even shit like lock picking, cooking, car stuff, and all that stuff. Even sometimes when the tutorials aren’t as detailed or helpful to me they might be exactly what someone else needed. And Cyber Security can be a difficult topic to learn for free. It’s not impossible far from it, but YouTube being there was always great. And to think that a lot of those could be taken down and all of the Security based channels could either lose all revenue or just be terminated is terrifying for everyone but more so them.

A lot of people and schools rely on YouTube for education and to learn from. It’s not like YouTube is the only resource and I understand they don’t want to be liable for teaching people that use these skills for malicious purposes but script kiddies and malicious people can easily get the same knowledge. Or pay someone to give them what they want. But that’s unfair to the people that don’t use the information maliciously.

It’s the same for the channels of different topics can’t even swear and it’s ridiculous there’s so many better options than just banning it. Like FUCK kids nowadays hear swearing from their older siblings, parents, friends, and TV it’s inevitable whether someone swears or not and YouTube is not our parents, they aren’t CBS, so stop child proofing the fucking site and let us learn. Fuck.

TLDR YouTube is banning educational hacking videos and are being retarded with rules in general

I think what would help is to teach them these things:
- awareness for security in code
- how to use a fucking VCS like Git and how it works

I """""accidentally"""'" found some security holes in my school's Windows public computer setup.

Every student and teacher has a personal Active Directory, obviously they should be able to only see their own right?
oh wait the directory up button in explorer shows me all of them and I have r/w access to teacher and student ADs.

That's cool.

Also, the command prompt, Run prompt ad Explorer path bar are disabled...

...but batch scripts work.

Sweet.

Surely I can't do something dumb like--- oh, regedit's blocked but not the reg command.

They use the-- WHY IS GPEDIT NOT BLOCKED

Well what the fuck.

(All of this was responsibly handled by emailing the tech department. They have an email just for this! ...got a bounceback "this person is no longer employed at XYZ School.")

Someone ask to me as a security engineer.

Bro : what do you think about most secure way to authenticate, i read news using fingerprint no longer safe?
Me : yes they can clone your fingerprint if you take a photo with your fingerprint to camera.
Bro : so what is the other way to authenticate more secure and other people can't see in picture ?
Me : D*ck authentication is more secure now, other people can't see your d*ck pattern right?

“Fullstack dev morphs into a security expert”

We have a simple user registration system. Get the user details, generate an OTP, save in Oracle, email the OTP. The SMTP host is configured to send emails only to people who have an existing @a_very_famous_bank.com email address.

As a part of an enhancement request, the other day, we were trying to register a non-bank email address. As expected, it failed.

Manager: Meeting... meeting... meeting

Me: (Explained the problem)

Fullstack dev: so the thing is.. it’s like.. (doesn’t falter to open with these lines)...what I can do is...I can send you an HTTP security header in the HTTP request. It’ll work!

Me: (I hope an adult giraffe fucks you in your belly button)

More to come!

Making electronics more difficult to repair with security fasteners and ultrasonically welded plastic nightmares and what have you.. what's the point? The argument from manufacturers is that "users don't want to get in there anyway". But, it's not like even if they could, they'd want to, right? Which type of person that doesn't know electronics very well and has an interest in repairing it would go and look at a board, and say "this is how it works, this and that is broken and this is how it should be repaired"? Not many users can repair their own devices regardless. So why? To preserve IP? Not like the Chinese bootleggers care about that. To preserve sales? Users can't repair their stuff anyway. To keep those who want to peek inside out, just for the hell of it? Anyone determined enough will be willing to break it in the process anyway.

I was working in a manufacturing facility where I had hundreds of industrial computers and printers that were between 0 and 20 years old. They were running on their own clean network so that someone has to be in the manufacturing network to access them. The boss announced that the executives will be pushing a “zero trust” security model because they need IoT devices. I told him “A computer running Windows 98 can’t be on the same VLAN as office computers. We can’t harden most of the systems or patch the vulnerabilities. We also can’t reprogram all of the devices to communicate using TLS or encrypt communications.“ Executives got offended that I would even question the decision and be so vocal about it. They hired a team to remove the network hardware and told me that I was overreacting. All of our system support was contracted to India so I was going to be the on-site support person.

They moved all the manufacturing devices to the office network. Then the attacks started. Printers dumped thousands of pages of memes. Ransomware shut down manufacturing computers. Our central database had someone change a serial number for a product to “hello world” and that device got shipped to a customer. SharePoint was attacked in many many ways. VNC servers were running on most computers and occasionally I would see someone remotely poking around and I knew it wasn’t from our team because we were all there.

I bought a case of cheap consumer routers and used them in manufacturing cells to block port traffic. I used Kali on an old computer to scan and patch network vulnerabilities daily.

The worst part was executives didn’t “believe” that there were security incidents. You don’t believe in what you don’t understand right?

After 8 months of responding to security incident after security incident I quit to avoid burning out. This is a company that manufactures and sells devices to big companies like apple and google to install in their network. This isn’t an insignificant company. Security negligence on a level I get angry thinking about.

Reported an important security vulnerability inside our organization, right before getting off work. A security team member contacts me over chat asking for some details on my investigation. At the end, he tells me: "thanks, I will copy and paste this conversation on the ticket so that everyone can see".

What I imagined: he would copy and paste the conversation as is, so that every line written by me is prefixed with my name.

What he does: he writes a summary of our conversation, barely mentioning my name, making it look like that part of the investigation was done by him.

Now I have so much anger inside of me that my internal organs are boiling.

Send over the entire directory for a WordPress site we completely overhauled with new plugins, custom theme, redid content with visual composer, etc. I tell him to backup his site and then put everything I give you as fresh. He tells me he can't just wipe out his entire site that's unacceptable. I ask him what's the problem? he rambles on and says a lot of words that don't really mean anything then says security. so I call him out on it, what security issues do you have? well we have users and permissions setup he says. I explain That I copied his users table over when we did the redesign, so it's the exact same stuff. so I say again, why can't we just replace everything? well that's just not acceptable he says. I ask him again, what EXACTLY is your problem with replacing the site since I already addressed your security concern. he couldn't answer me so now we have another conference call tomorrow morning with more people from their team. I'll let you know how it goes.

tldr; clients are idiots, call them out for the dumb shit they say and have no response.

watching the online course for CEH... dude used the Death Star as a tangible example of how exploits work.
IDK if I should love it for the nerdiness, or be slightly sad that someone needs that type of example of what a vulnerability vs an exploit is, when they're going for the Certified Ethical Hacker certification...
Might be better in an introduction to Network Security class?

Also, while discussing the security, usability, and functionality triangle, he reference the Staples "Easy Button" - does one thing, not very secure, and not very functional (in that it has more than one function)...

Client: We need to deploy some Windows 2003 servers.

Us: Sure thing, Mr. Client. Your money is more important than the security and stability of our systems.

What we should have said: Sure, but you need to stop in our office, put your dick in a vice and we'll take turns cranking that bitch closed until you agree to use something more modern.

So I need to "fix" a false-positive security warning (mass-assignment of a foreign key). Do I "fix" it by...

A) Setting it manually and double-saving the object?
B) Rewriting the mass-assignment so the linter doesn't realize what I'm doing?

Both options suck.
But security is going to complain if I don't do it.

Guess what?
I'm not doing it.

SMD you ducks.

Recruiter: I have an open position for lead DevSecOps role.

Me: Tell me more

Recruiter: It’s an AI company , where the AI is making clinical medical decisions. It’s really cool. They need somebody to help them pass government audits and you’d be solely responsible for the systems security, AWS accounts, and also all of DevOps, which they’ve never heard of before but I told them they needed and they though it was cool.

Also, they use AWS but not sure what services inside AWS, they think it’s AWS storage and AWS servers or something like that .

Me: That’s a big hell no. 👎 Got any other positions though ?

Howdy this is a daily reminder on why you can't trust anyone with shared information.

I am back home from uni for the holidays and like any computer person who is back in town became responsible for fixing every tech problem that has occurred since my last visit. But what caught my eye when I approached the family computer is not the problem with the computer itself, it's the paper in front of the computer that, in giant lettering, has not only the passwords and account names of my mom and brother's AOL (She's old ok) and FAFSA account respectively but also someone's social security number. Any goddam baffoon who looks through the window or is able to take literally three goddam steps past the front door now has enough information to commit identity theft or just take over one of their accounts. I know it's not that likely but I still had a heart attack when I saw that.

How badly have I failed them?

This is not fucking security, it's obscurity! What the fuck is a memorable word without any context! It drives me up the fucking wall. This doesnt help anyone it just promotes people to put silly shit like password or something so they won't forget but it just makes their account weaker.

I wanna make you feel what you have brought into my house!!

I was working with security cameras once in a home automation project. One of those camera particularly stand out by offering a cgi without password request to view and change the current passwort and username.

Seriously wtf is wrong with you? I mean this thing automatically connects to an internet service offering everyone to connect to it with that passwort and username. And I know some of you might say "hey chill the cgi is only available on the wifi" - dammit no. Security is a lifestyle do it complete or get the fuck out. God knows what other mistakes there might be hidden in that thing screaming out to everyone to watch me taking a shit.

But that's not the end of it. My company arranged a call to the technical support of that camera so that I can explain the problem and a patch gets released. Those guys didn't give a shit about it and were even laughing at me. Fuck you!

So whoever is responsible - I will find you - and you will never see me coming.

I submitted a security report some days ago.

It is well written, it explains what is happening and what is the impact providing an example. I give some advice about how to handle this situation, it's about concurrency issues and it's pretty tricky to debug.

Answer from the reviewer:
"Please, can you tell me what are the implications?"

...
...

FUCK.
IT'S LITERALLY FUCKING WRITTEN,
CAN U EVEN READ IT?
THERE ARE PICTURES DESCRIBING THE ISSUE, I EVEN ATTACHED A FILE YOU CAN USE TO DEBUG.

...

This is the last time I report vulnerabilities.

What you are expected to learn in 3 years:

power electronics,
analogue signal,
digital signal processing,
VDHL development,
VLSI debelopment,
antenna design,
optical communication,
networking,
digital storage,
electromagnetic,
ARM ISA,
x86 ISA,
signal and control system,
robotics,
computer vision,
NLP, data algorithm,
Java, C++, Python,
javascript frameworks,
ASP.NET web development,
cloud computing,
computer security ,
Information coding,
ethical hacking,
statistics,
machine learning,
data mining,
data analysis,
cloud computing,
Matlab,
Android app development,
IOS app development,
Computer architecture,
Computer network,
discrete structure,
3D game development,
operating system,
introduction to DevOps,
how-to -fix- computer,
system administration,
Project of being entrepreneur,

and 24 random unrelated subjects of your choices

This is a major called "computer engineering"

Can you really trust the security features on your device?

Can you really verify that no one is looking at what you're doing all day, in your house or out and about?

What if I am the one looking at your naked ass right now?

FUCK!
After submitting a registration form I noticed the site is served over plain HTTP. Their marketing site is served encrypted, but login and register are not! What the fuck!!!

Fuck everyone who does this stupid fucking shit with disregard to basic security features! Their goddamn bullshit privacy policy is bragging about how it's top priority to protect their customers' information and shit like that. Get the fuck out, cunts!!

I contacted them so I might have a continuation to this rant if I'm not satisfied with their answers.

Goddamn it!

Wow the security by captcha!

Guess what? IIT Kharagpur is considered one of the best institute in India to study Computer Science and its major in research include image processing

So this just happened. Some background before I begin: We're understaffed, my desk is in the back of the building, and there's no one really at the front to greet people. No security either...

Guy walks in wearing a flannel jacket (no shirt under it), pajama pants, and sandals. He looks like hell. Explains he was just released from a hospital and his apartment is locked. I let him use my phone to call his sister.

When I talk to his sister, she barely wants to speak with him. Tells me his apartment is locked for a reason and he's not allowed back. I'm just like: "So... what would you have us do for him?" At this point if his sister won't help, I was going to ask him to leave. Oh, and that hospital was a drug rehab.

So it ends with him waiting for a ride, but he ends up napping on the couch in the front of our office. CEO/Owner and his business partner walk right past and say nothing. They go into a meeting. I'm trying to figure out if I ask him to leave, wait outside for his ride... I'm a developer, this isn't my job.

A good 45-60 minutes later, after the guy walked outside and then came back in and laid back down on the couch, he leaves with his ride. Shortly after the owner walks out of his meeting, so I ask him what to do in this situation - more hoping he'd realize the need for more security.

If this story isn't crazy enough, the business partner pipes up - absolutely serious - and says he didn't say anything because he thought the guy was a developer.

So I've learned that we've got extremely low hygiene standards for developers here, with a relaxed dress code and are allowed nap times on the front couch.

Thankfully our CYBER security is better than our PHYSICAL security. :|

So someone decides that the employees need to do these stupid Web-based training's that not even high school kids should be looking into.
What is about ?
Security and Cryptography, and now event the real stuff.

What it covers?
Alice and Bob, Bob and Alice.
Alice wants Bob some pics/messages that she suspects someone else will see. DDDDDDAAAAAAAFFFFFFFAAAAAAAAAKKKKKK

A total of 7 useless time wasting interactive and annoying training's, 20+ min each.

But someone forgot that please do not send this shit to engineers of your company, specially Software/Network engineers. Oh another subset, specially not to those who work deeper into the domain.

I'm getting paid to do this time wasting activity, and still.

I also may come back and remove this BUT FOR NOW I NEED TO RANT.

Holy fcuk! Can anyone here help me understand how this domain is possible?

WARNING: obviously its a spam site. Take necessary security precautions if you are going to visit.

the following domain opens a cluster fuck domain name! >> secret.ɢoogle.com

That ɢ is not what it looks like. How is such domains possible to exist? Even more surprising, how is this sub domain -ception possible?

I'm convinced this is going to be wildly unpopular, but hey...

Please stop writing stuff in C! Aside from a few niche areas (performance-critical, embedded, legacy etc. workloads) there's really no reason to other than some fumbled reason about "having full control over the hardware" and "not trusting these modern frameworks." I get it, it's what we all grew up with being the de-facto standard, but times have moved on, and the number of massive memory leaks & security holes that keep coming to light in *popular*, well-tested software is a great reason why you shouldn't think you're smart enough to avoid all those issues by taking full control yourself.

Especially, if like most C developers I've come across, you also shun things like unit tests as "something the QA department should worry about" 😬

tldr: Fuck Apple AND Microsoft...

Tried to check my "me" email today (iCloud)... and well it's apparently "locked" for god only knows what reason, and they will only let me recover it through a Hotmail account that I haven't used in >10years.. So I tried that and after one login attempt outlook.com is telling me "you've entered too many wrong password attempts, you must reset your password"... ugh OK, so I hit the button and it's asking me "my" security question.. 'where did you and your spouse meet?'.. wtf? I'm not married now nor was I @12yrs old when I made this account....

Well thanks so I guess that's fucked for forever...

Because of some theft this year and even though we already have security cameras, my apartment building decided to check the front door locks so it's more secure.

This key looks very high tech... Only issue though is I never use the key anyway... I just entered the door code...

So what is the point of changing the locks? I'm going to guess whoever is stealing isn't picking the lock... People would notice... They must know the code.

Also it seems most of the apartment locks are digital key card/pins too. Wondering if this just means most owners are young or just are techies/devs...

"we have add a lot of cost partly due to currency exchange rate, but we also added some services and servers, we'll have a meeting and see what we can cancel or re-arrange."

So now....
- JIRA is gone
- SEO tools are gone
- budget for site security & SSL undecided
- Servers are too expensive.
$800 for twelve 2-24gb ram servers with backup, I call that bargain

Can't wait to see the websites falling apart. Now where are my popcorns?

Well, I have a friend working on a major bank in my city. Yesterday we went for a coffee when he told me that the wifi connection that the costumers can use is the same as the network they work in. Like, are you fucking me? Do they know what security means? Jesus Wallace, wake up!
And they have a fucking "web security guy" working there. Doing what? Installing ccleaner on pcs? This shit gets me mad. And that's why I don't trust banks.

I freelanced for a startup one time, and found out they had ten of thousands of records stored in their DB about dental patients, inducing name, address, social security #, some medical history, etc. All in plain text. Worst part is they hired me after a 20 min phone call, and didn't even sign a NDA!

Makes me paranoid to use the Internet knowing what some of these companies do.

IPAY88 is the worst payment integration. They parse html data and encoded it into xml for return the data, it is not even singlet or server to server communication , tey called it the ADVANCED BACKEND SYSTEM (My arse!) For security, they ENCODE THE STRING into BASE64 and called it ENCRYPTION ! WHAT THE FUCK?
Encoding is not encryption! I qas expecting they used diffie hellman or AES or RSA etc. THEY TOLD BE ENCODING IS ENCRYPTION? WHAT THE FUCK?

Every week in my intro to information security class we are asked about what security stuff has gone down in the past week. Equifax is making it incredibly easy to not have to do much research.

My university has a internal developed system, where everything is managed from e-mails, exams to personal data.

What I'd like most about it, they talk all day about Internet Security and store our passwords in plain text and if you press the "I've forgott my Password button", they even send your password unencrypted, plaintext via e-mail. (Hello Wiresharks)

I don't know how to feel about this, it just hurts :(

Wow so much hate for WordPress. Le me to the rescue 💀

Yes WP is bloated and crappy and full of security issues etc etc. Agreed. That doesn't mean it is useless though.

It is alright to use for someone who is not really good with web, someone who just needs a blog, someone who just needs a home page, about page and contact form with a possibility of updating photo and text once or two times a month.

It is not suitable for e-commerce nor lots of transactions/forms involving websites.

As long as you know what kind of horse/vehicle you are on, you won't end up in the dirt.

Many advantages of being a dev:
- You can work on multiple projects simultaneously.
- You solve problems for a living, how cool is that!
- Job security (Even if you get fired or something, you can still earn your bread with your skills)
- Even if you are bed ridden or get in an accident or get old, you can still work(kind of a pessimist).

But the best part is, you get to do what you love(for me its true).

Don't think I could love IT anymore then I do now! Currently and intern and was stressing a small bit about what I wanted to do after college (i.e. web development, mobile development, security) then came to the realisation that I can do whatever i want. I don't think any other profession has such a freedom within industry and that is why love IT so much. Looking forward to many more years of learning and developing my skills

Client doesn't want me to use internet, while connecting to their vpn to code. It's a security 'violation', it seems. Do they think I am Denise Richie to code without internet? And the catch is I code for OpenFlow with OpenNetworkLinux+OpenNIE. I mean, do they even understand what Open means in all these?

At a previous job I bumped heads with the IT person a lot because he would spread misinformation about technology so the owners would never replace him. This was conversation with the VP:

VP: Hey I just got a new security setup at my house and I can monitor everything with my phone.
Me: That's cool.
VP: I'm rethinking it because [IT guy] said it was very dangerous to have, what do you think?
Me: ....? What did he say was dangerous about it?
VP: He said hackers could then gain access to cameras and plan the perfect time to rob me since it's in the cloud.
Me: I seriously doubt anyone is planning an Ocean's 11 heist to steal your TV.
VP: Yea I thought it sounded weird when he told me.

Don't you just love it when an official Docker image suddenly switches from one base image to another, and they automatically update all existing tags? Oh you've had it locked to v1.2.3, guess what, v1.2.3 now behaves slightly differently because it's been compiled with OpenSSL 3. Yeah, we updated a legacy version of the software just to recompile it with the latest version of OpenSSL, even though the previous version of OpenSSL is still receiving security fixes.

I don't think it's the image maintainers or Docker's fault though. Docker images are expected to be self-contained, and updating the base image is necessary to get the latest security fixes. They had two options: to keep the old base image which has many outdated and vulnerable libraries, or to update the base image and recompile it with OpenSSL 3.

What really bothers me about the whole thing is that this is the exact fucking problem containers were supposed to solve. But even with all the work that goes into developing and maintaining container images, it still isn't possible to do anything about the fact that the entire Linux ecosystem gives exactly zero fucks about backwards compatibility or the ability to run legacy software.

So i am a diabetic and carry an insulin pump. Now being in India, the pump is not covered by insurance (for some god forsaken reason that I don’t know) and therefore is not a common sight here (contradictoraly India has a major diabetes problem). So I was at the metro station going through security check and the security personnel asks me what the pump was and asked me to show it to him. Now since insulin pumps are uncommon here I understood his concern and showed it to him. Now I like to carry the pump under my shirt with a clip pouch. So naturally I had to lift up my shirt to show it to him. But this isn’t the highlight of the story.
The guy behind me rised above and started peeking over my shoulder and constantly repeating like a 2 year old child what is this. And that too with my fucking abdomen exposed. I went into rage mode there and then like wtf dude, none of your business just step back a little.
Now my issue is that I do not understand that in their own curiosity, why do people forget to respect others privacy. And a very big problem with medical equipment manufacturing organisations (yeah you medtronic). Why are you only concerned with sales and why not awareness? I mean spreading awareness will only help your sales as more people will become aware about your product and it will be less awkward and concerning for people like me to wear your device out in the public

I started to work in the CreditCard / Bank business a year ago.
Now they stopped the hole server migration project, so I leave again. They could have had it all. Server 2016, SQL 2016, Citrix, Surface Books and so on.
But no, the new shitty projects are more important than security or on what technology the system is build on.

Seems like the FTP Server will run on Windows 2003 forever...

Wtf? What kind of user agent header is that? Why don't you go ahead and insert my fucking social security number in there, Android? According to amiunique, this is literally a unique header ON ITS OWN.

When i was younger, lesser experienced and more naive than now; i got away with a lot of things. By lot of things i mean security flaws in my applications and overall architecture. I realise now i could've so easily been pawned.

Not that i claim to be totally secure even now, or would ever. It is a process, slow and painful one - Learning.

What i wish to point out is the role of favorable probability (non believers would call it luck). Security is so much about it. You get away with so many things for so long. And bang one day the roll of dice is unfavorable. On such rare occasions, just look back and wonder - damn i should've been breached long ago.

Had this life not turned out the way it is. Had you not been a dev, what would you imagine you would have been?

I'll go first.. i would probably have been a librarian or a security guard. Someone with lot of time at hand to read.

Fucking fuck fuck fuck outdated superiors that know jack shit about how software development works. Dnt even know about git, docker, cloud services. Everything is done on premise with network that is fucking crap and when an app is down "hey why is it down?" ask the fucking server and network admin how the fuck am i supossed to know? i have to create workaround codes when other devs just need to deploy their app and its fucking running as it should be. why the fuck do i need to spend my time debugging Ping timeouts? im a fucking dev. I have done designs, analyze requirements, build frontend, backend, optimize codes, paying attention to security and now i have to fix network problems as well? fuck off

Create Innovation my fucking arse. you just Keep saying that but then wondering "what is this new thing youre trying? its new and different why do that?" because you asked for innovation you fuck. If i copied some other concept its not innovation is it pricks.

Fuck them and all the brown nosers as well.

Look, I get it. Wordpress sucks. It’s bloated. It’s slow. It’s not elegant. It’s a nightmare to debug and code for. The plugin ecosystem is an insecure, confusing mess of outdatedness and issues.

We can all agree that in a perfect world all power to determine everything about a website, from the code to the content, would be in our power as developers. But we don’t live in a perfect world. People want convenience, even at the cost of performance and security, and they will inevitably resent technologists who refuse to give it to them. We do ourselves and our customers a disservice when we only do what we feel is in our own best interests or preferences and not what will help them with their realities.

Yes, it sucks. Yes, it’s a pain. Yes, it’s in demand and there’s nothing any of us can do to change that.

And that’s all I have to say about that.

I sent money to a scammer 😔
They said it is a security deposit and I didn't think twice. I thought I was smarter than this but clearly I am not.
I got too greedy, lazy and desperate for money.
This is what happens when you isolate yourself from reality.
I feel terrible. 😣

Why does email suck so much oh my god, I don't want a fucking lesson in the kinds of domain records, I can set a TXT to prove that I control the DNS record, I have a TLS certificate, what the fuck else would I possibly need to prove!? None of this is contributing anything to security! Just fucking figure it out, it's the internet, not an international border, jesus.

Let's talk about the cargo cult of N-factor authentication. It's not some magic security dust you can just sprinkle onto your app "for security purposes".

I once had a client who had a client who I did server maintenance for. Every month I was scheduled to go to the site, stick my fingerprint in their scanner, which would then display my recorded face prominently on their screens, have my name and purpose verified by the contact person, and only then would the guards let me in.

HAHA no of course not. On top of all of that, they ask for a company ID and will not let me in without one.

Because after all, I can easily forge my face, fingerprints, on-site client contact, appointment, and approval. But printing out and laminating a company ID is impossible.

---

With apologies to my "first best friend" in High School, I've forgotten which of the dozens of canonicalisations of which of your nicknames I've put in as my answer to your security question. I've also forgotten if I actually listed you as my first best friend, or my dog - which would actually be more accurate - and actually which dog, as there are times in my High School life that there were more tails than humans in the house.

I have not forgotten these out of spite, but simply because I have also forgotten which of the dozen services of this prominent bullshit computer company I actually signed up for way back in college, which itself has been more than a decade ago. That I actually apparently already signed up for the service before actually eludes me, because in fact, I have no love for their myriad products.

What I have NOT forgotten is my "end of the universe"-grade password, or email, or full legal name and the ability to demonstrate a clear line of continuity of my identity from wherever that was to now.

Because of previous security screwups in the past, this prominent bullshit company has forced its users to activate its second, third, and Nth factors. A possibly decade-old security question; a phone number long lost; whatever - before you can use your account.

Note: not "view sensitive data" about the account, like full name, billing address, and contact info. Not "change settings" of the account, such as changing account info, email, etc. Apparently all those are the lowest tier of security meant to be protected by mere "end of the universe"-grade passwords and a second factor such as email, which itself is likely to be sold by a company that also cargo cults N-factor auth. For REAL hard info, let's ask the guy who we just showed the address to "What street he lived in" and a couple others.

Explaining this to the company's support hotline is an exercise in...

"It's for your security."

"It's not. You're just locking me out of my account. I can show you a government ID corroborating all the other account info."

"But we can't, for security."

"It's not security. Get me your boss."

...

"It's for security."

Update on the bank I’m working for: their security is shit and the way they manage customer data and credentials is sickening. On top of it all, there’s about 10 windows XP computers still online not to mention the ATM is running Windows XP. What the flying fuck.

Fuck stupid managers.

My current agency tried to create a bundle of generic Microservices with the hope of save time and money on future projects. That was two years ago (i was working here from 4 months ago).

What they have now? well, a sort of distributed monolyth were if one service goes down, everything else fails, infinite technical debt, no security policies (yeah, all the apis are open!!!) Business rules on the frontend . . .

And what the stupid manager say? "Everything must be ok because i designed it very well, i research a lot for this"

Stupid boomer.

PD: Yeah, despite the fact he is judt a manager, he take the responsibility to design the full architecture, idk why no one srops him.

I've noticed looking at the card exit of a building that most people a) just carry their laptop without putting it in the backpack because the carpark is a jump away anyway, b) that stickers on said laptops can leak your infrastructure

No idea what made me interested in that, but if you take the average of people's laptop stickers (sadly not everybody had their laptop or maybe even a laptop at all, so I've got just 20) - you could probably tell what tools and what services the company is running.

Could be a funny coincidence and I was able to verify later by googling their company, but it's an interesting non trackable way to know what services and tools need to be exploited/emulated to possibly gain access to some high security network.

I feel like somebody had to have a talk/presentation about this, so I wonder, had anybody else seen something like that? or how far could this actually go?

I don't know why is that everytime you guys find a security bug or a data leak or that someone is saving plain passwords on their database, you try to cover and censor the company name. Listen people, fuck the company and their name and their brand if someone's data might be in danger. Everybody should be aware of what is happening with their personal information.

Also, maybe would be great if devRant would let users to post anonymous rants for this kind of issues or a special thread with latest news about our online security.

This is fucking mental. Nextjs is a fucking unoptimized piece of fucking trash framework. When i dont touch it for several days magically everything breaks and no longer works. What the FUCK is this garbage framework.

Also i just npm run dev after 3 days of not touching the project, when it started routing is fucking dead, freezes and loading forever, getting stuck at UI, checked activity monitor just to see this piece of fucking cum eat 330-390% of my fucking CPU

Powered by Shitcel

Nextjs unstable cum gargled bullshit garbage framework for script kiddies who think they know shit about programming but they're mindless retards who know nothing about security, jwt tokens or even devops infrastructure or IaC. Fucking useless overexaggerated trillions of dollars of marketing budget for Shitcel's framework called nextjs is not as good as the fake marketing campaign portrayed it to be. It was all a fabricated lie. A fascade. A hollywood shitshow. A faked moon landing type of framework. A fucking meme framework. Fucking pissed off for wasting my time learning it

So this post by @Cyanide had me wondering, what does it take to be a senior developer, and what makes one more senior than the other?

You see, I started at my current company about three or four years ago. It was my first job, and I got it before even having started any real programming education. I'd say that at this point I was beyond doubt a junior. The thing is that the team I joined consisted of me and my colleague, who was only working 50%. Together we built a brand new system which today is the basis on which the company stands on.

Today I'm responsible for a bunch of consultants, handle contact during partnerships with other companies, and lead a lot of development work. I'm basically doing the exact same things as my colleague, and also security and server management. So except for the fact that he's significantly older than me the only things that I can think of that differentiates the seniority in the team are experience and code quality.

In terms of experience a longer life obviously means more opportunities to gather experiences. The thing is that my colleague seems to be very experienced in 10 year old technologies, but the current stuff is not his strong side. That leaves code quality, and if you've ever read my previous rants I think you know what I'm thinking...

So what in the world makes a person senior? If we hired a new colleague now I'm not sure it'd be instantly clear who should guide and teach them.

Recently, one of my customers filed a ticket because some iFrame he got from another company wouldn't display after putting it into the content editor.
I told her it won't work because the (third-party) editor prohibits JavaScript inside iFrame tags and their attributes for security reasons.
She said ok. She said she'd understood the problem. And then, she reopened the ticket four (4!!!) times for the exact same reason, once because she tried to use a fixed iFrame tag the other company sent to her... still containing JavaScript, of course.

But, yeah... She understood what the problem was. Is clear.

Sigh OK, so, my friend we'll call him z has told me he's visiting the deep Web with tor. So I immediately start asking him about what security he uses (which is 3 VPNs tired through each other).

Like no z! You don't go to the deep Web, that's where the bad things happen! 😡

Halloween reminds me of when I started my first tech job. It was a week before Halloween. I arrive for my first day. The front door that’s normally locked is wide open. It’s quiet. There’s caution tape everywhere. I think, “oh no, what happened?!” I debate whether I go inside or go to the lobby and ask security if they’re aware of a possible crime scene upstairs. I cautiously step inside and…everything is business as usual. It was all part of their Halloween decorations. I can laugh about it now, but I had quite a scare. 🎃

Big Brand Company

Wasted 2 days on induction about what to do and how to do.

After 2 days, Reach at workplace and called my line manager (LM). after 2 3 calls, he pick the phone and said please reach to 3.2L5

Now what the heck is this term how the hell I know what means by this magical number. It was never told in the induction that what building name is denoted with.

Called LM again and now LM annoyed at me and said to enter into building and ask for XYZ person ..I asked whom I need to ask..He said ask anybody..

When I enter I ask a security guard there and he was like numb...There are fucking 5000 people in the company.How someone will know by name..Is that guy is superstar or something?

Again called the LM, Now he yelled at me. ..Why you are asking the security guard ..I said he do not allow me to enter so what I need to do..I requst him to please guide me as I am new and nervous here..

Again no luck ..Asked already 4 to 5 people..

Finally one guy who also joined with me, helped me to reach the guy.

LM was actually running late and when he reach, I came near to him 2 greet ans he again shouted with loud voice " What are you doing man"

#firstDay

Security in defense is a joke.

New hire does not have accts set up told him over and over!

He decides to go into a classified area and just try. Common last name with first initial.

Guess what he was able to get in because no one changed the default password!

Yep now someone with an interim clearance got access to a machine that goes from unclass to secret and then top secret!

You know what a fucking good place for 1000s of mp4s, pdfs, doc files, exes and svgs is? Yeah, the bloddy SVN,which mirrors to git.
And how about a ibm websphere install zip with tiny 1.3gb?
And of cause you store your fuckin perl and Shellscripts, that have been written by a plain lunatic and that are responsible for installing the crap in the repo.
What? One repo for one component? Nah, cramp like 150 different projects into on repo.
And the most important scripts have to be kept unversionized ... For reasons.

And this is just the tip of the iceberg of shit.
Btw. websphere ships its own apache2.2 and its own security lib and its own openssl compilation, with ibm java ... Filesystem hierarchy standard? Dafuq? If you want to find something it better be like where is waldo - right, IBM? And command arguements? Man pages, usable documentation, usable deployment? How did any of this ever seem like a good idea to anyone?
Go get a koloscopy with a submarine periscope, IBM.

Companies really need to re-evaluate what they ask as security questions.

If I know your name and your approximate date of birth (to the month) then, here in the UK at least, I have a very good chance of being able to find out your parents names, your mother's maiden name, your address, your parents address (i.e. probably where you grew up and what school you went to), your parents ages, when they got married, etc. - and all from publicly available info, not illegal crap you find on Tor or social media stalking.

This isn't hard to find if you know where to look - the problem is that people think that it's all private, and behave as such - and companies encourage it. The typical "internet safety courses" don't even touch on it, and even more tech savvy people I know often don't have a clue this is possible.

Question

What server monitoring do you use, both for statistics and security?

--------------------
tl;dr ends here

Ideally I would like to have one clean dashboard that shows me all the nodes I have, proxmox already offers a great range of stats - but it is a page per container etc. so not ideal, I thought of having datadoghq, but their per host pricing is huge, since I have more than 5 hosts to track.

whenever i tell my dad about a technology that is going way beyond our imagination and tell him about the consequences of it and how we should worry about that
then he watches some random tv show about internet security/cyber security and various algorithms (very abstract) which are currently changing the world and how we should care about our data and what the consequences of X technology is...
he be like: "oh is that true? that's interesting, how does that work?"
i'm like😑 dad, i already told you about that😩

ever had similar experience?

Deciding whether to stick to being a web developer, or switch to something else

(thinking more like rocket software, or something with security (but maybe sticking with web), or some other cool sh#t

I don't know yet, what I do know is even when I'm creating an erp system, I find it very unsatisfying

"I helped create the software on that rocket"
Or
"that hospital uses the system I've helped to create"

Sounds a lot more satisfying than,
"that company uses my 'warehouse resources manager'/'webshop'/'planning system'

But then again I don't know, I now have a stable job, know what to do and know the language we use.

So I need your advice guys. Our team is in crisis mode right now because of a vendor's attempt to extort money out of us. So for the next 6 months I am going to be taken off development and made to do sysadmin work...which I hate.

There is another team at work that was trying to woo me over to their team, working in security...which I love.

So would it be a dick move to leave my struggling team that is trying to use a hammer as a screwdriver and do what makes me happy? Or should I be a good person and do work that makes me miserable and go home and drink every night instead?

Short angry rant
What the fuck is wrong with the SalesForce Authenticator logic?! How in the hell do you fuck up a simple 2FA system this hard?!!

Login -> Waiting for Notification... nothing... -> Reload Page -> Login -> Waiting for Notification... nothing -> Click "Use Code instead"... nothing happens... -> Reload Page -> "Login -> don't even wait for notification and just pres "Use Code instead"... nothing -> Reload Page -> Notice there's a "Use Code" button on this page as well -> Finally be able to log into the fucking Aloha piece of shit...

How TF is it, that Duo is able to send me a push notification within 1 second and it ALWAYS works... and THIS FUCKING SHIT NEVER FUCKING WORKS THE FIRST TIME AND AT WORST JUST DOESN'T WORK AT ALL!!!!!

Fucking hell.... Don't offer me a push notification service if you don't know how to make one... jesus fucking christ... All of Salesforce security is fucking stupid, but at least the others mostly work, but this retarded piece of crap is making me actively surprised when it works on first try... Maybe it's because I'm on a slow connection, but again Duo Mobile doesn't have this problem and works *instantly*... so what sort of retarded monkey coded the SF one I don't know, but I hope they are making better products now, because this is a disgrace to programming and security

tl;dr. web hosting && a panic attack && security threat

i wasn't sure whether my brother's domain was hosted or not (because it wasnt showing a website and he didnt know any better).
so i decided to host a react-app for it on netlify and pointed the domain's nameservers towards it (a separate security threat at bottom).
all went well and now when you punch in the domain it ..all-behold.. shows a website.

NOW, i remember my brother was using the domain's email which probably means it was hosted, right?. so im panicking because im not sure whether i just deleted all his emails or not because it's 1:15 am and he's asleep.
there is a rant in there somewhere but im in too much of a shock as to how much data i might have just accidentally deleted
.
.
another tl;dr: my domain registrar let me change someone else's settings..
the reason i didnt know his domain settings is that he didnt know his password.
i had bought a couple of domains and was gonna host them on netlify. while i was doing this a bright idea hit me.. "you should finally build a website for your brother for the domain he bought 7 years ago"..
this is where the fun begins.
i sent an email to my registrar to point all nameservers of all domains to my nameservers and just to try out i included my brother's domain into it (i dont own this domain it's not registered by my email), and the next day i get an email telling me they've successfully made all changes.
.
Now tomorrow is monday and i'm going to their office to tell them i found a security flaw and see how long i can stall before actually telling them what it was and how their live's could've been made hell.

This semester, we have a lecture called IT Security by a guy, who absolutely know his subject.
Nevertheless, he wanted to show us that sha256 is broken by an existing collision. (Google that, fellow ranters!)
There are two pdf files by google researchers, that show the caption „SHAttered“ both on different backgrounds, although they give the same SHA-hash.
He then tried to share us these two files by moodle and wondered, why he uploaded the same file twice.
Guess what happened? The moodle backend checks new uploaded files for their ... hash ... and then decides, weather to upload or the file is already existing. So, it did just a new symlink to the old file.
Ironic, that an exercise, that should show us sha collision failures on sha collision 😃

Because I am very interested in cyber security and plan on doing my masters in it security I always try to stay up to date with the latest news and tools. However sometimes its a good idea to ask similar-minded people on how they approach these things, - and maybe I can learn a couple of things. So maybe people like @linuxxx have some advice :D Let's discuss :D

1) What's your goto OS? I currently use Antergos x64 and a Win10 Dualboot. Most likely you guys will recommend Linux, but if so what ditro, and why? I know that people like Snowden use QubesOS. What makes it much better then other distro? Would you use it for everyday tasks or is it overkill? What about Kali or Parrot-OS?

2) Your go-to privacy/security tools? Personally, I am always conencted to a VPN with openvpn (Killswitch on). In my browser (Firefox) I use UBlock and HttpsEverywhere. Used NoScript for a while but had more trouble then actual use with it (blocked too much). Search engine is DDG. All of my data is stored in VeraCrypt containers, so even if the system is compromised nobody is able to access any private data. Passwords are stored in KeePass. What other tools would you recommend?

3) What websites are you browsing for competent news reports in the it security scene? What websites can you recommend to find academic writeups/white papers about certain topics?

4) Google. Yeah a hate-love relationship, but its hard to completely avoid it. I do actually have a Google-Home device (dont kill me), which I use for calender entries, timers, alarms, reminders, and weather updates as well as IOT stuff such as turning my LED lights on and off. I wouldn"t mind switching to an open source solution which is equally good, however so far I couldnt find anything that would a good option. Suggestions?

5) What actions do you take to secure your phone and prevent things such as being tracked/spyed? Personally so far I havent really done much except for installing AdAway on my rooted device aswell as the same Firefox plugins I use on my desktop PC.

6) Are there ways to create mirror images of my entire linux system? Every now and then stuff breaks, that is tedious to fix and reinstalling the system takes a couple of hours. I remember from Windows that software such as Acronis or Paragon can create a full image of your system that you can backup and restore at any point to get a stable, healthy system back (without the need to install everything by hand).

7) Would you encrypt the boot partition of your system, even tho all data is already stored in encrypted containers?

8) Any other advice you can give :P ?

When in an application security talk put on by our cyber security department and one team (not mine) is being chastised for only doing client side validation, another dev asks so at what point can we trust the user? A few people nod and indicate they want an answer, and the speaker, said never, you never trust the user.

I can't believe people can graduate and get a job and keep a development job, especially in a highly government regulated company like where I work

Security : Each time I login, they ask me to type the email address I want my one-time-code emailed to. Really!? What security is provided by letting the user decide where to email the flippin token to?!?!

I really wish I had worked somewhere that was hacked, so as to know how it was done, how it was found out, and what measures were taken, from the inside.

The problem is that I worked at a lot, and big places. We were never successfully attacked or hacked as far as I know. Was our security so good, that nobody succeeded? Or was it so bad, that we didn't even notice?

CORS is shit
Stupid useless shit that protects from nothing. It is harmful mechanism that does nothing but randomly blocks browser from accessing resources - nothing more.

Main idea of CORS is that if server does not send proper header to OPTIONS request, browser will block other requests to that server.

What does stupid cocksuckers that invented CORS, think their retarded shit can protect from?
- If server is malicious, it will send any header required to let you access it.
- If client has malicious intents - he will never use your shit browser to make requests, he will use curl or any ther tool available. Also if server security bases on something as unreliable as http headers it sends to the client - its a shit server, and CORS will not save it.

Can anyone give REAL examples when CORS can really protect from anything?

I have to add an endpoint to integrate an API and I want to vomit when I think about this major security issue they introduce.

What type of prehistoric dumbass thought GET requests with username and password in the query parameters is a good idea to burden your partner with.

got first assignment on my first meet on Network Security. it require to pentest one unsecured specified website. yet they don't tell me shit about anything just try it.
i need to :
1. Footprint
2. Scanning
3. Enumeration
4. Gaining Access (previledges raising?) (bonus)

suppose : <target-website> is x
i've done this:
1. whois x
2. got the ipaddress via :
host x
3. nmap -F ip.of.x

my head is already spinning, i need to know what BASICLY each of what i've done. i only get that 'whois' get the information about that domain, 'host' is used to know the target ip address and nmap to find what are the open ports. i don't know what else should i do. need help :(

Salesforce lightning web components have such bullshit limitations that they claim is because of security but it's just because it's overengineered garbage.

Want to use web components? Nope.

Want to pass in a value to a function in a click listener expression? Nope.

Want to use scss? Nope, compile it to css yourself.

Want to use the fucking document object? Guess what it's overridden except for very specific third party frameworks.

Who in the fuck thought it was a good idea to override the document object? Your app isn't more secure, literally the entire internet uses the document object and it still becomes available in runtime anyway so what the fuck??

LWC is the biggest garbage I've ever seen, you know a framework's a big red flag when there are developers solely for the framework.

There is a new security release coming out that apparently removes some of these nuances (understatement) so there might be some light at the end of the tunnel.

My windows defender has gone out of the window.
Now whenever i open windows security app, it shows a blank page.
There's is no tray process running and I can't find any service too.
I know it's a huge virus attack.
Can anyone suggest some methods to know what is causing this problem?

This has happened once before. That time i used DISM and checked windows files integrity. It replaced corrupted ones and then windows worked fine.

This time i want to know the cause.
I wanna root it out and rip it apart.

When I say I'm in "DevOps" what I really mean is that I'm a full-stack engineer, DBA, system administrator, security engineer, auditor, cloud custodian, cost optimization expert, and everything else that doesn't get its own dedicated staff member here. Pretty much the catch all between developers and customer.

I just said "bye" to all my Whatsapp groups, and finally got rid of that service ! (meaning deleting my account as well, not just uninstalling the app).
It's so hard to make people understand what is happening and what I think about security/privacy... Guess I'll have to wait for people to finally come to Signal or Keybase if they want to reach me more efficiently :)

Asked to do overtime so I do. Everyone has gone home and now it's time for me to go home, so I go to leave the office to find the gate padlocked. I'm stuck. There is a side gate for cars that has a security code but I have no idea what that code is. So I end up waiting around and stalk the cleaners car out of the gate 'sigh'.

Malwares are nasty applications, that can spy on you, use your computer as an attacker or encrypt your files and hold them on ransom.

The reason that malware exists, is because how the file system works. On Windows, everything can access everything. Of course, there are security measures, like needing administrator permissions to edit/delete a file, but they are exploitable.

If the malware is not using an exploit, nothing is there to stop a user from unknowingly clicking the yes button, when an application requests admin rights.

If we want to stop viruses, in the first place, we need to create a new file-sharing system.

Imagine, that every app has a partition, and only that app can access it.

Currently, when you download a Word document, you would go ahead, start up Word, go into the Downloads folder and open the file.

In the new file-sharing system, you would need to click "Send file to Word" in your browser, and the browser would create a copy of the file in a transfer-partition. Then, it would signal to Word, saying "Hey! Here's a file that I sent to you, copy it to your partition please!". After that, Word just copies the file to its own partition, signals "Ok! I'm done!", and then the browser deletes the file from the shared partition.

A little change in the interface, but a huge change in security.

The permission system would be a better UAC. The best way I can describe it is when you install an app on Android. It shows what permission the app wants, and you could choose to install it, or not to.

Replace "install" with "grant" and that's what I imagined.

Of course, there would be blacklisted permissions, that only kernel-level processes have access to, like accessing all of the partitions, modifying applications, etc.

What do you think?

Not a rant but sort of a rant.

Getting REAL fucking tired of the corporate rat race.

Thought Bubble ...

{If I quit this stupid job I could do freelance sites}

Then I realized that I have no idea what skill set it takes to be a freelance developer. I only know my one little corner. Once I commit my code it goes off down the assembly line for others to worry about testing, deployment, hosting, security and other things I have no idea about.

So tell me freelancers, is the grass greener? What additonal skills do you have to have the us enterprise folks would have no idea about?

Or are you making huge bucks where you overcharge for Wix sites that do not suck?

I'm a computer science student who is finishing up a year long internship tomorrow, based in Melbourne Australia. I'm going into my final year now and have been looking into other software engineering jobs to do alongside studies.

I have been fortunate enough to be offered a full-time position, leaving me with the decision of putting studies on hold (temporarily or indefinitely) in order to take this job, or to decline and continue with my studies.

Wondering if anyone has been in a similar situation or can give some insights into having a degree vs real world experience.

Some additional info:

From my internship I have a year of commercial/industry experience from a large multinational company.

I have 6 units left on my degree (4 in semester 1 and 2 in semester 2).

The job I have been offered has growth potential and job security. The salary offered is also higher than what I expected.

Let me know what you all think.

Challenge questions are so goddamn stupid.

Apparently I have an account with a certain online organization though I don't remember setting it up.

So naturally I had no idea of my username or password, so they asked me challenge questions.

It asked me the city of my birth, which is a place with a weird spelling. Because of that weird spelling, I never remember if I'm spelling it right (I was only there as a newborn infant) And I'm also supposed to remember if I capitalized it or not.

I hate challenge questions. And anyone doing any remotely simple research on me shouldn't have trouble learning what city I was born in so it seems to me it's a security vulnerability, nothing more.

And maybe I'm giving things away by saying it asks me that question, but it's a common security question any hacker would anticipate anyways.

Is there a way to sign code for free (or atleast not need to pay over £200 for it)? Im a student and cant really afford much but I have been working on a website and made an electron build for it, however downloading the installer prompts the user to discard it in chrome, then running the installer prompts the user to select do not run in the windows security thingy as its from another computer.

What would be the best way around this if I cant get a certificate for it?

So I went for a "special" interview to a company whose slogan is "experience certainty" (fresher, was hoping to get a role in cyber security/Linux sysadmin). Got shown what the "real" hiring process of an indian consultancy company is...

We were called because we cleared a rank of the coding competition which the company holds on a yearly basis, so its understood that we know how to code.
3 rounds; technical, managerial and HR...

Technical is where I knew that I was signing up for complete bullshit. The interviewer asks me to write and algo to generate a "number pyramid". Finished it in 7 minutes, 6-ish lines of (pseudo) code (which resembled python). As I explained the logic to the guy, he kept giving me this bewildered look, so I asked him what happened. He asks me about the simplest part of the logic, and proceeds to ask even dumber questions...
Ultimately I managed to get through his thick skull and answer some other nontechnical questions. He then asks if I have anything to ask him...
I ask him about what he does.
Him - " I am currently working on a project wherein the client is a big American bank as the technical lead "

Me (interest is cybersec) - "oh, then you must be knowing about the data protection and other security mechanisms (encryption, SSL, etc.)"

Him (bewildered look on face) - "no, I mostly handle the connectivity between the portal and data and the interface."

Me (disappointed) - "so, mostly DB, stuff?"

Him (smug and proud) - "yeup"

Gave him a link to my Github repo. Left the cabin. Proceeded to managerial interview (the stereotypical PM asshats)

Never did I think I'd be happy to not get a job offer...

I just reviewed a pull request with a test case like (pseudo code):

# Test MyService

const mock = createMock(myService.myMethod)
.whenCalledWith("foo")
.returns("bar");
assert(mock.myMethod("foo") === "bar"));

Why though? Why are we testing the mock? What is happening here? This test has no reason of being there instead of a fuzzy feeling that we now have unit test to lure us into a false sense of security.

I asked why we don't do an integration test. Response was: "They are slow."

Well, duh, but at least they would actually test something.

What do you gain by asserting that the mock is working the way you set it up?

>>Server sind für mich "Neuland".<<

I want to switch to a new server with my website. I have a bunch of questions and hope you beautiful people will help me out.

1. I've decided to switch from shared hosting to an virtual server. Therefore I am going to rent the cheapest VS from hetzner.de. is this a good choice?

2. What do I have to care about and what stuff there is to be done in the beginning?

3. The reasons I want to switch are more root accessibility and I want to switch to https. What about that? Is let's encrypt enough?

4. How do I move the server from a to b?

5. What OS should I choose?

6. What about security?

7. Any further advice from experienced people is welcome!

Sry for those noob questions, but I've never been in touch with server work...

Hey, can you install the build? How? Go to Settings → Security → Install from Unknown Sources → Dance under the full moon → Sign a pact with Google. This is what a guy with tremendous luck who seems to manage me says. I am the low life who has sacrificed his ambitions six feet under his questions.

>be me
>watching Clone Hero video
>streamer mentions something about HTML color tags being in a chart's metadata that's displayed properly
>...
>...
>...

>you WHAT

>really

>aight, let's test the clear security hole

*makes 1 note long chart and adds JS to metadata*

*metadata payload triggers when you attempt to play the chart*

FUCKING...

this is dumb.

A thing that I am annoyed that people are getting wrong is security by obscurity.

You have heard of it and being told it is bad. It is so bad that it alone is a counter argument. Let me set you straight:

>>>Security by obscurity is the best security you will ever have<<<

There is an asterisk: It is probably not right for your business. But that is for the end.

Security by obscurity means to hide something away. Most security is based on hiding. You hide your private key or your password or whatever other secret there is. If you had a 2048 long sequence of port knocking, that would be fine, too.. Or it would be fine if it wasn't observable. You could write this down in your documentation and it wouldn't be security by obscurity. It would just be security. Weird, but fine.

The real meat of obscurity is: No one knows that there is someone. The server you port knock looks like a harmless server, but suddenly has an open port to a bad application for an IP, but only if that IP went to 25 other ports first.

In the animal kingdom, there are different survival strategies. One of them is being an apex predator or at least so big and lumbering that no predator wants a piece of you. That's our security. It is upstream security. It is the state.

But what is the rest of the animal kingdom going to do? Well, run away. That works. Not being caught. And those not fast enough? Hide! Just be invisible to the predators. They cannot triple check every leaf and expect to be done with the tree before starving. That's security by obscurity. Or hide in the group. Zebras. Easy to see, hard to track in the group. Look like everyone else.

There is a reason why drug smugglers don't have vaults in the carry-on. Arrive at the customs and just refuse to open the vault. If the vault is good enough. Nope, they lack the upstream security by the state. The state is there enemy, so they need obscurity rather than cryptographic safety.

And so, for a private person, having a port knocking solution or disguising a service as another service is a great idea.

Every cryptography course happily admits that the moment they can catch you physically, cryptography is useless. They also teach you about steganography. But they omit to tell you that obscurity is the second best solution to having a stronger army when you cannot rely on your state as upstream security.

Why did I say, not a good idea for companies?
1. It is self-defeating, since you have to tell it to all employees using it. A shared secret is no secret. And therefore it cannot be documented.
2. It makes working with different servers so much harder if there is a special procedure for all of them to access them. Even if it were documented. (See 1.)
3. You're a company, you are advertising your services. How to hide that you run them?

Do you see how those are not security relevant questions? Those are implementation relevant questions.

Here is an example:
Should you have your admins log into servers as normal users before elevating to root or is that just obscurity? Well, not for security purposes. Because that foothold is so bad, if compromised, it makes little difference. It is for logging purposes, so we have a better server log who logged in. Not only always root. But if our log could differentiate by the used private key, there is no issue with that.

If it is your private stuff, be creative. Hide it. Important skill. And it is not either, or. Encrypt it your backup, then hide it. Port knock, then required an elliptic curve private key to authenticate.

It is a lot of fun, if nothing else. Don't do it with your company. Downsides are too big. Cheaper to hire lawyers if needed.